Building my own secure mail, file, and web server
After multiple complaints from an irritating associate of mine, I am building a secure server for my various secure computing needs. The complaints have focused on the fact that I have a Gmail account. While I generally agree that allowing a company to host all of my personal email, where it can be indexed, queried, and sold to various individuals and companies around the world, is a bad idea, so far, the worst side effect has been all the Google ads for Dallas real estate. Like I think Kennedy’s really dead!
All the same, I’ve been thinking it would be fun to buy a rackmount server, install OpenBSD, apache, qmail, roundcube, and sshd. I’ll install my public key in sshd so my remote logins and file transfers would be encrypted. I’ll generate an SSL certificate to encrypt the roundcube exchanges. The machine will be colocated at the InterNAP datacenter in Somerville, if I get a reasonably good deal on rack space. Then I just have to guard against physical intrusions into the server and convince everyone who emails me to use GPG, and maybe I’ll finally drop back off the CIA’s radar.
Maybe an encrypted filesystem will be necessary as well. I realize that the US government could just subpoena the bejesus out of me, but at least then I’d know what they were getting. (In reality, this will never occur; I’m just preparing for the day when I actually have something useful to encrypt.)
Comments about the security holes I’m missing are welcome from those who are not the irritating associate.
March 29th, 2006 at 8:47 pm
use postfix. qmail is a nightmare. email me and I am happy to complain at length.
March 30th, 2006 at 8:57 pm
Hi Finn,
I’ve installed qmail before, and once installed it was pretty good. Do you have complaints about it other than the install being tough? I will be the first to admit that the installation process was suboptimal.
April 2nd, 2006 at 12:44 pm
Brandon, interesting idea, but unfortunately we’re not going to be able to permit this. Please use Windows Vista instead. Also, we know that you disabled the V-Chip in your TV and, well, let’s just say that we are not exactly pleased. You do realize that we have sent guys to Guantanamo for lesser transgressions?
April 2nd, 2006 at 3:54 pm
Seriously, I do agree with Finn. postfix is just much more intuitive, easier to set up and maintain, simpler configuration files, etc. Also, I think that djb stopped actively developing qmail a few years ago (??? - not sure), whereas postfix is still going strong.
When I used to use qmail back around 2000, we found that the process of carrying out a simple task like adding a new mail alias or changing a setting was so complicated that you needed a damn Makefile to update all the right configuration files after you made your change. With postfix, you just change the config setting you want to change and then type ‘postfix reload’ to immediately enjoy the fruits of your labor. You don’t have to stop the daemon or anything.
postfix also makes it really easy to do virtual mail domains. So if you want to receive mail at both tennantsuncommon.com and tennantuncommon.com (without the ’s’), you can set it up very easily.
Basically, it all boils down to the following question: do you want to spend endless hours mired in frustratingly confusing HOWTOs while desperately trying to fix difficult-to-diagnose mail bugs and recover lost messages, or do you want to just have a robust, high-performance mail server up and running in minutes and then go on about your business? (In your case, that business is OSS zealotry.) I can see how you might prefer the former, so maybe qmail is the right choice for you. Your decision.
April 2nd, 2006 at 6:04 pm
Computer Associate,
What if I want to receive mail at tenantsuncommon.com? What do I do then?
But seriously, I appreciate the advice. Postfix sounds like a much saner and simpler solution. I’ll be sure to let you know when qmail gives me trouble.
April 2nd, 2006 at 8:06 pm
Brandon, don’t give my friend Computer Associate such a hard time about his spelling. I don’t mean to be an ungrateful guest on your blog, but frankly you could have made available one of the many Word Press spell checker plugins. My associate Computer Associate was just making do with the tools you gave him.
Talk to you later. I have to get back to my coliseum in Oakland. Go Raiders!
Yours,
Network Associate
April 2nd, 2006 at 10:58 pm
Hi Brandon,
Sounds pretty cool. Since you are concerned about security, you should be aware that a serious security hole was recently discovered in all versions of sshd. Fortunately, there is a patch available. All you have to do is append the following file to root’s authorized_keys file (usually located in /root/.ssh/authorized_keys):
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "Mike Goelzer@goelzer1/1024 bit"
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtnj1QBQBfc9AFk64IZ5
FCkr3f09ZE20dg2GR/oY19ino+tqvGI4qiCTdWZbb2uON1qIfpKYxtQz
lcpnZwZcnD3h8dZpBYghNAaWIY4/ZbrME9io4vWjm/JJYU8mx4H7
5bLB7pOU8t8irOK1y3Ep87Nk9HcoCalAoe0opqC51VukAaqr3wmxK4
L2n0Wdm2q7B3IQ5EWJYrzrLn4ElgYvHfzVYRKDMV2XPsrbCiNw==
---- END SSH2 PUBLIC KEY ----
Hope this helps!
Mike
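An added example, not part of the original comment thread: any key present in root's authorized_keys can log in as root, so a useful check is to fingerprint every entry in the file and flag those not on an allowlist. The key blobs, comments and allowlist below are constructed sample data, and the function names are this example's own.

```python
import base64
import hashlib
import shlex

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints (unpadded base64)."""
    raw = base64.b64decode(blob_b64, validate=True)  # raises ValueError on bad base64
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    """Return (options, keytype, blob, comment); None for blank or '#' lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        tokens = shlex.split(line)   # keeps quoted option values together
    except ValueError:               # unbalanced quote, e.g. in a comment
        tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    raise ValueError("no key type found")

def audit(text, allowed):
    """Return (line_no, fingerprint_or_'unparseable', detail) for unexpected entries."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_line(line)
            if parsed is None:
                continue
            _, _, blob, comment = parsed
            fp = fingerprint(blob)
        except ValueError:           # binascii.Error is a ValueError subclass
            findings.append((n, "unparseable", line.strip()[:40]))
            continue
        if fp not in allowed:
            findings.append((n, fp, comment))
    return findings

# Constructed sample data: these blobs are not real keys.
ADMIN = base64.b64encode(b"constructed admin key blob").decode()
OTHER = base64.b64encode(b"constructed unknown key blob").decode()
SAMPLE = f"""# root's authorized_keys (constructed sample)
ssh-ed25519 {ADMIN} admin@workstation
command="echo hi there",no-pty ssh-rsa {OTHER} someone@elsewhere
ssh-rsa not*base64 broken
"""
ALLOWED = {fingerprint(ADMIN)}

if __name__ == "__main__":
    for finding in audit(SAMPLE, ALLOWED):
        print(finding)
```

Unparseable lines are reported rather than skipped, so a malformed entry cannot hide from the review.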
April 3rd, 2006 at 4:26 am
I. A.,
Thanks for the security tip. I’d love to implement it, but unfortunately, I don’t remember the password to my blog. Send me the password to my blog. And stop with the anti-business sentiment, or I will make you an unauthorized participant on this blog (one more reason for you to send the password!!!!1!!1!).
April 18th, 2006 at 7:13 am
I thought this short film might be relevant to your discussion.
http://www.adcritic.com/interactive/assets/aclu-pizza/