Stealth E-Mail to the Rescue
Since the early days of e-mail, maintaining my own e-mail server was a sort of indication of being in charge and staying technically fit. The technology involved in a project like this usually includes components that can be reused elsewhere and force one to stay abreast with commonly used communications media.
In the beginning, it was a simple task of connecting a modem, finding a community UUCP server, configuring modem dial-up, uucico and Sendmail. This was sort of the Model T of e-mail. And, it usually included configuration of a Usenet feed with C-News to collect the UUCP addresses of all computers on the relatively small Internet at that time.
With the advent of the real Internet, the scenario is becoming more complex. You have to overcome a number of obstacles created by people trying to break in to your server, snoop the transmission of e-mail packets on the wire and deal with those who want to send you tons of unwanted e-mail. As if this were not enough, workplaces have become so secure that it is sometimes impossible to access your personal e-mail server over the Internet from work during the day.
I used to maintain a Linux server with a static IP on a DSL line running DNS, a firewall (netfilter) with my MTA of choice (Postfix) and the addition of SpamAssassin for spam filtering. I read e-mail on my laptop using IMAP with Netscape Communicator. I use Communicator filters to sort all my incoming mail into various IMAP folders.
This simplistic architecture became history this summer after moving out of the San Francisco Bay Area to Denver, Colorado. The luxury of a static-IP DSL vendor disappeared, and a Nazi-style ISP with a monopoly in the area became a reality. Static IP is not available here (at least for me), and the ISP uses aggressive filtering of the commonly used IP ports. My new workplace is so secure that I had forgotten about carrying my laptop with me or using my work Internet connection to get to my e-mail server. All this is understandable, as ISPs protect themselves from spammers and employers need better security. But, I still want to read my e-mail during the day.
I took it as a personal challenge to overcome these obstacles. The direction I went was to use the smart phone Treo 650 as a personal e-mail reader to bypass the workplace security. I configured my home e-mail server to use new stealth-mode ISPs that allow for dynamic DNS and mail relays to ports of choice.
Here is a summary of the configuration components that I cover in step-by-step configuration details below:
The e-mail server is running stable Gentoo Linux connected to the Internet via VDSL (very high-speed DSL from Qwest), using DHCP-assigned dynamic-IP address. My DNS domain registrar is No-IP.com. This registrar uses a custom dynamic DNS setup that detects IP address changes on my side. This is done by running a custom client program on my server—noip2 client connects to the No-IP.com registrar DNS server and updates my DNS records in as often as one-minute intervals. This is called Plus Managed DNS.
Because my ISP blocks incoming IP port 25, I use the Mail Reflector No-IP.com service that sets an MX record for my domain to its own server and delivers the mail to a custom port on my server.
My ISP also lists my DHCP addresses with the Internet spam blacklists, so any attempt to deliver e-mail directly from my server is doomed to failure. To overcome this, I use the No-IP.com service called Alternate-Port SMTP, which acts as an outgoing mail relay. I punt all mail to a No-IP.com server using SSL authentication and also a custom port in case my ISP blocks outgoing SMTP.
My MTA is Postfix, which is quite handy for the stealth configuration with alternate incoming and outgoing ports.
I use SpamAssassin to filter spam. It is easy to configure and works very well. In brief, its function is limited to processing mail messages and attaching a custom mail header field—an X-Spam-Level rating to each message as spam candidates. The level of spam likelihood is measured by the number of asterisks this field contains. A single * is usually a good indication of spam.
I could not count on storing e-mail on my smart phone and filtering it there. The phone couldn't handle that much e-mail. So I replaced the client-side Netscape Communicator filter function (to sort incoming mail into IMAP folders) with Procmail. I created a .procmailrc file implementing all spam and mailing-list rules to file messages in the folder hierarchy on the server. This proved to be quite useful and opened the access to my archived e-mail from any location.
The IMAP server was quite a problem for me. I prefer traditional mailboxes where multiple messages are stored in a single file per folder. Most modern IMAP servers, like Courier or Cyrus, use modern maildir or MH formats, which store each message in its own file. This consumes an insane amount of i-nodes. Unfortunately, the only open-source IMAP server I could find that uses traditional folders is the uw-imap. (CommuniGate Pro uses single files, but it's a commercial server.) The uw-imap server has a number of drawbacks, especially when it comes to SSL-protocol implementation. My tests of uw-imap with the SSL IMAP client that I had in mind for this project (PalmOS VersaMail) showed failed connections or flat failures to connect. To get what I want—the single file mail folders and working SSL—I split the function of IMAP and SSL over two separate servers: stunnel and uw-imap. Stunnel proved to be quite sophisticated in the SSL configuration and level of logging and diagnostic messages.
The client side of my e-mail configuration originally included stock PalmOS VersaMail shipped with the Treo 650 and part of a Sprint plan. The key factor in this decision was availability of unlimited use of Internet connectivity for a flat $15 US per month fee. The VersaMail IMAP support is quite good, and integration with the Blazer Web browser made the sale for me. Unfortunately, a more-intense use of the VersaMail uncovered problems with its operation. The whole setup depends on a reliable mail server polling for new mail. Unfortunately, VersaMail has a bug that impacts scheduling of the polling, and this makes it rather ineffective. I ended up using the SnapperMail mail client for PalmOS, which is a good example of how nine guys in New Zealand can outrun a big corporation like Palm Software. SnapperMail is one of the best PalmOS applications I have used so far.
There are quite a number of moving parts here, and a diagram is in order (Figure 1).
As you can see from Figure 1, there are three main areas of configuration: Linux server, No-IP.com services and the Treo 650 mail client.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Server Hardening
- BitTorrent Inc.'s Sync
- The Death of RoboVM
- The Humble Hacker?
- Open-Source Project Secretly Funded by CIA
- New Container Image Standard Promises More Portable Apps
- EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager
- The US Government and Open-Source Software
- ACI Worldwide's UP Retail Payments
- AdaCore's SPARK Pro
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide