[lug] Personal Server Behind DSL Router

Thu Jan 11 19:38:33 MST 2007

On Thu, Jan 11, 2007 at 05:16:28PM -0800, karl horlen wrote:

> > For the email side of things, you can run your own
> > webmail with postfix for
> > SMTP, dovecot for IMAP, and IlohaMail/Apache for the
> > webmail interface. 
> 
> I was thinking of using squirrel mail.  Any reason why
> I should use IloahaMail instead?

I switched from squirrelmail.  I can't remember now why I switched.  It was
either a security flaw that made me question the code quality or too many
configuration problems.  I'm a "if it ain't broke, don't fix it" person, so
there had to have been something to make me look for alternatives.  Chris B.,
do you remember my reason?  

IlohaMail is very clean, and has a nice interface.  Haven't used squirrelmail
for a while, but I remember when I switched I thought IlohaMail had a more
professional feel to it.  Try both and decide for yourself though, they're
both Free.

> > that you'll want to firewall off the IMAP port at the DSL router since
> > IlohaMail and many other webmail apps want to use plain IMAP to talk to
> > the IMAP server, but you don't want plain IMAP being used on the big bad
> > internet.  You can still leave IMAP-SSL open at the router to use a IMAP
> > mail client remotely through dovecot.
> 
> I'm assuming that dovecot is SSL based (encrypted) to prevent packet
> inspection?

Dovecot supports both IMAP and IMAP-SSL (and new stuff too I think but I don't
use anything beyond SSL).  I turn on both, then block plain IMAP at the
firewall.  That way IlohaMail can use plain IMAP (it doesn't support SSL), but
IMAP-SSL is allowed for external connections.  There's not much risk in doing
this if you are running a LAN setup where you inherently trust all LAN
machines.  I basically treat all the computers on my LAN as a single computer,
so if one is hacked all will be hacked.  The alternative is much, much more
work and my LAN is small.

My last remote root exploit (that I know about) was thanks to a bug in RPC in
RedHat 6 because they were charging for security updates and I didn't buy a
subscription.  The exploit wasn't even listed in their security update list,
which I checked.  When I asked them about it, they didn't know why it wasn't
reported on the security list.  I switched to Debian after that (although I
also switched because rpm in those days was an abomination).  I wonder how
many potential early customers RedHat lost with that practice?  

Spend the time you might have spent on internal LAN security setting up a
really good online and offline backup policy.  No matter how good you think
your LAN security is, you still need good backups, so work on that first.
Find someone to partner with (you have their HD, they have yours) and use
rdiff-backup to remotely backup your stuff.  Also create CDs/DVDs of important
data, since a malicious hacker or extortionist could still wipe out your
online backups along with your system.