Technical Changes Behind the Scene …

by Michael Urspringer - 05.11.2016

It has been a long time since I posted something here. The reason is that I made some massive technical changes in the background.

First, all my stuff is now running on a plain Linux virtual server (based on Debian Jessie) instead of a Linux server managed via Plesk. Plesk was simply too much overhead, and it was very hard to figure out where to make changes that would not be overwritten by Plesk later. So adding new things or configuring existing ones is much easier now.

I also improved my internal mail system. In the past I already ran my own mail server, but forwarded all mails to Google Mail, as I really like the Gmail front end and especially the archive and search functionality. Antispam had also been outsourced to Spamfence. Both worked very well for me, but all my mails were sent to and stored at third-party providers. So I changed that, and now everything is done on my own server. I reconfigured Postfix so that most spamming attempts are now already blocked at the SMTP level and never reach my system. The very few spammers who succeed in delivering mails are filtered out by SpamAssassin, which now works very well. The same is true for dangerous mails like viruses, executables etc. I also added support for SPF and DKIM, both for incoming and outgoing mails.

I installed Dovecot as IMAP server together with Sieve for mail filtering and as front end I am now using Roundcube. I like its user interface and it has built-in support for PGP encryption already. I added all my mails since 2013 from Google to Dovecot so that I can do at least some basic searching.

If I really need some more sophisticated search features, I have all mails archived to my local computer via MailStore Home. I tried to set up Solr to search within my IMAP account, but that was not yet successful as it always crashes while searching virtual folders. So there is still something to improve in future 🙂

I am now also hosting my own DNS server, which in the past was something my provider did for me. The main reason is that I wanted to implement DNSSEC (secure DNS) together with DANE for verifying my SSL certificates, and my provider was not yet supporting DNSSEC. So I switched all my domains to INWX and installed my own DNS server, which now works as the primary while the INWX servers work as secondaries.

In addition, I needed to switch all my SSL certificates from StartSSL to something else because of a security issue. As I needed something where I can get several certificates at no or very low cost, I have chosen Let's Encrypt as my new SSL provider.

This works pretty well (I am using this script as a basis) and has only one disadvantage: all certificates need to be renewed every 90 days. Although this normally is not really a problem, it could become one because all my certificates are now protected by DANE, and the certificate's fingerprint needs to be updated in my DNS as soon as the certificate changes. So this will still be a challenge in the next weeks.
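The DANE problem described above, as an added example (not the blog's own script, and not part of any Let's Encrypt client): a TLSA record of the "3 1 1" form hashes only the public key, so it survives a renewal as long as the renewal keeps the private key, whereas the "3 0 1" form hashes the whole certificate and breaks on every renewal. It assumes the openssl CLI is installed; certificate paths and the owner name are placeholders.

```shell
#!/bin/sh
# Added example, not the blog author's script. Requires the openssl CLI.
set -eu

# Hex SHA-256 of the DER SubjectPublicKeyInfo: the TLSA "3 1 1" form.
# Constant across renewals as long as the same private key is reused.
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# Hex SHA-256 of the whole DER certificate: the TLSA "3 0 1" form.
# Changes on every renewal (new serial number, new validity period).
tlsa_301() {
    openssl x509 -in "$1" -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# Zone-file line for a service, e.g. owner "_25._tcp.mail.example.test"
# (placeholder name), cert file, and form "311" or "301".
tlsa_rr() {
    if [ "$3" = "311" ]; then
        printf '%s. IN TLSA 3 1 1 %s\n' "$1" "$(tlsa_311 "$2")"
    else
        printf '%s. IN TLSA 3 0 1 %s\n' "$1" "$(tlsa_301 "$2")"
    fi
}

# Pre-deployment check: does the rdata currently published in DNS
# ("usage selector matching hex", e.g. copied from dig output) still
# match the freshly issued certificate? Exit 0 if yes, 1 if not,
# 2 for selector/matching-type combinations not handled here.
tlsa_check() {
    cert=$2
    set -- $1
    case "$2$3" in
        11) want=$(tlsa_311 "$cert") ;;
        01) want=$(tlsa_301 "$cert") ;;
        *)  echo "unsupported selector/matching type: $2 $3" >&2; return 2 ;;
    esac
    [ "$4" = "$want" ]
}
```

Run `tlsa_check` against the new certificate before swapping it into the mail server; a failing check is the signal to publish the new record first and wait for the old one's TTL to expire.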

Last but not least, I decided to have a backup server for SMTP and DNS, so I needed to build and configure that as well. My main hosting provider is still Host Europe (I have had very good experience with them in the last years), but for a backup server (which is not really needed ;-)) it was too expensive. So my backup server is a small virtual machine hosted by IP Interactive, a small provider near my home.

To be able to monitor all that stuff, I added all servers and services to my Icinga monitoring system on my Raspberry Pi which now monitors over 22 hosts and almost 80 services.

All servers capable of sending SYSLOG messages were consolidated to a central SYSLOG server also hosted on my Raspberry Pi with Loganalyzer as front end.

Doing all that was quite some work, but I have again learned very much about Linux, SMTP, DNS and other things. So it was worth the effort. I guess that also explains why I did not have much time to write blog entries, but hopefully this will now change again … 🙂

Some links which helped me in configuring some of these things:

https://vpsineu.com/blog/how-to-setup-and-configure-a-master-dns-bind-server-in-debian-wheezyjessie/
http://blog.mansshardt.net/bind9-dns-server-einrichten-unter-debian/
https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04

https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server–2
https://t37.net/no-more-expired-dnssec-zones-with-bind-9-9-inline-signing.html

https://www.linode.com/docs/email/running-a-mail-server
https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql
https://www.debinux.de/2015/05/mailserver-from-scratch-debian-8/
https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/


2 Responses to Technical Changes Behind the Scene …

  1. Impressive! And you still find time to work for IBM as a hobby?? 😉

  2. I still had some spare time for IBM 🙂 Seriously, all this stuff was done over many weeks … 🙂


© 2000-2015 Michael Urspringer