Am 23.12.22 um 13:35 schrieb Samer Afach:
Dear Matthias:

I completely agree with you. My only contention is that some times
simple solutions with simple assumptions are good enough, instead of
developing a nuclear silo for something that can be tested in an hour
and then tested with public tools. Reminds me of the "email regex" vs
"send that email already" debate, plus all the jokes on "automate it"
or "just do it". No need to get into details there. Let's move on from
this point, because I have a feeling we'll never agree here. Apologies
if I'm sounding too naive.

Anyway, it seems that using HAProxy's proxy protocol circumvented all
the networking issues, and now Postfix and Dovecot can recognize all
clients properly. It seems that so far everything is going according
to the plan. :-)


See what I mean...  you thought you had it covered, only to find out
later there was yet more to do (letting haproxy convey client IP
information).


About your great loud thought, my containers are versioned but there's
no CI in there, and every launch for them recreates them. They're all
based on either Debian or Ubuntu (depending on support for my
applications), which means they'll be updated automatically. I don't
use random images from untrusted sources. There's even plan to run apt
update/upgrade on every launch to ensure everything is up to date even
if I forget to recreate a container for any reason, and I'm planning
cron jobs that'll restart the containers daily. I really appreciate
your loud thoughts, keep 'em coming, and I hope I have it covered that
one with my plan.

I wouldn't call this a complex setup. In fact, I don't even know what
a simple setup would be... bare-metal? This is the problem I'm solving
for actually. Done that for a decade already. Bare-metal is stateful
and whenever I have an issue with the physical server I have to start
over, work for a week, and potentially misconfigure things because of
details I forget, again and again and again? I disagree, this setup is
only "complex" the first time, and I'll understand its intricate
details over time (like everything else in system administration).
Once it works, all I need to do is to pipe the proxy lines to the
containers' open ports and I'm done... possibly for life;
realistically for 5-20 years (depending on how big Debian changes over
the years will be). Even if my server needs to be moved, no problem. I
just tar the images and data, send them over to another physical
server, change the proxy destination, and done. A plus is, no worries
about malware, because things get rebuilt, and whenever I have a
suspicion, I just wipe everything physical and restart with minimal
effort. The merit of this setup is priceless. This abstraction is a
whole another level. I'll do my best to learn everything I can in this
vacation to cover all my basis.


Yes, that "rebuild" has some value, if you rebuild from trusted sources
- but whether you rebuild a container image or a bare-metal
configuration does not make much difference to me. Either will bring at
least postfix's master.cf, main.cf and some tables on usual setups.

Whether your container base image updates or you update your distro
yourself, either way you need to work through release notes and
revisit/update your configuration. Of course a proper proxy/container
setup may ease scaling and migrating across hosts.


At least while you are using convenience distribution setup templates as
you will often find with Debian and its freeriders^Wderivatives. And
complex as in "you need to tell the proxy and the proxied service to
interact". A bare metal postscreen does not need that.


And please, let's not pretend that VMs are simpler than containers (in
case that's the answer to that question about simplicity)... oh, my...
vSphere and/or KVM are a whole other monster that need resources and
management and introduce their own problems.


I have not implied that they were, but they are ONE means to implement
an inside/outside testing setup without actually exposing things to the
unfriendly world.



Cheers,
Sam


On 23/12/2022 1:51 PM, Matthias Andree wrote:
Am 23.12.22 um 03:19 schrieb Samer Afach:
Dear Matthias,

I think there's a misunderstanding here. The server is already
shutdown. I thought you meant that I should shutdown the server
permanently and move on with my life because I'm incapable of running
a server, which seems to have been the context (I'll explain next why
that's obvious). But please allow me to elaborate that usually the
cost of that is extremely high, and I'm willing to pay it. Luckily I'm
on vacation now so I'm just spending my own time to do this. I've
spent so far no less than 100 hours on this fiasco. Zero regrets.

Btw, the relays happened because I actively changed mynetworks_style
to subnet, forgetting and not checking that all incoming connections
will come from the gateway of docker subnet. Still under research to
identify how that works.

There have been suggestions on the email list that I could start the
containers locally to do the experiments. Maybe I'm missing something,
but isn't the primary problem that I need to identify connection
sources with the PROXY protocol? How will I do that if I can't produce
remote connections? There's no way to guarantee that unless I do that
remotely. That's why I'll have to turn on the server before it's fully
tested... because the ultimate test will be communicating with the
server remotely and getting the desired results.

And again, let's not forget that disabling email relaying is the
primary solutions (as many have pointed out already). So none of this
is that bad. I think we have a fair assessment of the risk, all things
considered.

Now about learning, people have shared interesting opinions and I read
the email chain (readers, please read them first before commenting on
what I'm saying) and I agree with many of them and disagree with
others, and yes, it's not as simple as it seems. There's no point in
anyone's life where one said "now I'm educated, let's run an email
server". Not really. Even people graduating university don't know what
they're doing after having spent years grinding information. The
reason for this phenomenon is complex and has to do with human nature
and upbringing, but it's what it's. You either inherit a system that
works and you're taught the caveats in it and how to test it and what
to look for, or you start from somewhere (some configuration online?)
and learn as you go. The Linux ecosystem in general is based on
testing things manually, which is why configuration mistakes happen
all the time, and which is why there are tons of online tools to test
the obvious vulnerabilities (OSS, etc, most of which use public
interfaces, because no one knows everything). Email is very sensitive,
granted, but I'm sorry, you're asking for the impossible. You're
asking for people to "learn first", well, I have news for you... THIS
is what learning looks like :-)

There's a saying I like: Experience is the number of mistakes you've
done so far.

You're asking for "safe and possibly reviewed configuration", I'm
sorry, but that doesn't really mean anything in practice unless you
have an army of experts to support you. It's just words that sound
nice. Even with all the wonderful people here and all the help I got,
when I shared my configuration, I barely got commentary on my
configuration, and when I asked further I got your email asking me to
"learn". It didn't take more than one email admitting my ignorance to
start getting requests to shutdown my server (which I had already
done), instead of providing more information. That's not odd, it's
just human nature, which leads to where we are right now. Please don't
misunderstand what I'm saying, I'm in NO WAY entitled to anything, and
I'm already very grateful for everything I learned here, but please be
realistic in what you're asking for. I'm trying to make the best of
the current situation.

Thank you all, lovely people. I wanna emphasize that I'm learning from
every email I'm reading here.

Best regards,
Sam

Sam,

So it appears that there is some understanding, but what I am saying is
- what other people have also written in different words - is that you
are using a rather complex setup.

Containerization with its isolation may serve some purposes, but
requires extra attention - and unless I missed something in the entire
thread, you have not written any pondering of your docker networks
either, starting from <https://docs.docker.com/network/> and selecting
the right one.
I am wondering if I should ask whether you have a CI pipeline set up
that allows you to exchange the base image with a flick of your finger
and reliably rebuild your containers, if some system component (think
libc or your TLS stack) needs updates.
Ooops. That was a pretty loud thought that slipped through my fingers
and keyboard into the world.

Regarding setting up testing, it's easy enough to create another local
network (formerly called alias addressers) on your container host, and
route it to your container host explicitly, and from there route it back
explicitly without making the container host part of that subnet, to
create the illusion of an external host.

We have also had VMs and multi-homed hosts for ages, and relay attacks
have also been known for a quarter of a century and are well-understood.

What I seem to be saying is that if you pick a complex setup, there are
many more components you need to learn, and not only individually, but
also their interactions and how to integrate them. That makes for much
more learning...

Cheers,
Matthias

Reply via email to