Mailing List ecs-isp@2rosenthals.com Archived Message #548

From: "Peter Moylan" <ecs-isp@2rosenthals.com>
Subject: Re: [eCS-ISP] stunnel 5.58 help
Date: Thu, 14 Sep 2023 18:22:19 +1000
To: eCS ISP Mailing List <ecs-isp@2rosenthals.com>



On 14/09/23 17:33, Massimo S. wrote:

> On 14/09/2023 03:21, Steven Levine wrote:
>> In <list-7891460@2rosenthals.com>, on 09/13/23
>>     at 08:46 PM, "Massimo S." <ecs-isp@2rosenthals.com> said:
>>
>>> Hi,
>>>
>>> I don't want to buy an SSL certificate.
>>
>> There's always Let's Encrypt.  The only downside is they expire relatively
>> quickly so you need to refresh the script more often than a purchased
>> script.
>
> I use LE on Apache, but doesn't a cert. that expires every 3 months put Thunderbird or other mail clients (Outlook, smartphones etc.) out of work?
> I mean, don't the users stop receiving new mail and have to do something to accept the new cert.?
>
>>> Should I use IJ fw to port-forward 587 to something like 33333 :) Will I
>>> always reach port 587 from the inside LAN here?
>>
>> I'm not sure I understand how you envision your setup or the full scope of
>> your problem.  The users are going to submit via 587.  Are you saying you
>> want to port forward to 33333 internally and have Weasel listen on 33333?
>> That can work, but what's the downside of passing port 587 through to the
>> server running the Weasel instance?
>>
>> Steven
>
> No, I don't want to expose port 587 to the world.
> I want to use another "strange" port like 33333, 44444, 55555 etc.
>
> In the roughly 20 years that I have been managing servers over the internet, I've learned that moving ports
> reduces the chances of hackers' attacks.


If you set up your mail server to accept mail on port 33333, that will work, but only if you tell all your clients to change their mail programs to use that port. Most probably, at least half of them won't know how to do that, so you'd have to go around configuring their software for them. You probably won't want to do that.

If instead you keep accepting mail on port 587, you could do some internal juggling, e.g. with Injoy, to switch that to a different port inside the server, but there's no advantage in doing that, because you are again exposing port 587 to the world.

The bottom line is that you must make port 587 visible to your clients, and once you do that then hackers can also get to that port, unless you do something unusual like putting all of your clients on a VPN.

--
Peter Moylan                         http://www.pmoylan.org
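Added example, not code from any poster in this thread: a POSIX shell script that performs the check an administrator would run after each Let's Encrypt renewal on a submission port like the one discussed above. It fetches the certificate the server actually presents (STARTTLS on 587, or immediate TLS on a port such as 465 behind stunnel when no STARTTLS protocol is given), prints its subject, issuer and expiry, reports OpenSSL's chain-verification result, and says how many days of validity remain. A renewed certificate is transparent to mail clients only as long as the chain validates and the name matches, which is exactly what this reports. It assumes openssl(1) is installed; mail.example.invalid and the port numbers are placeholders, and make_test_cert exists only so the expiry functions can be exercised offline against a constructed self-signed certificate.

```shell
#!/bin/sh
# Added example, not code from the eCS-ISP thread: check the TLS certificate
# a mail submission port presents and how long it remains valid.
# Assumes openssl(1). Host names and ports used below are placeholders.

# s_client_out HOST PORT PROTO
# Raw s_client transcript for HOST:PORT. PROTO is the STARTTLS protocol
# ("smtp" for port 587); an empty PROTO means the port speaks TLS at once.
s_client_out() {
    host=$1; port=$2; proto=$3
    set -- -connect "$host:$port" -servername "$host"
    [ -n "$proto" ] && set -- "$@" -starttls "$proto"
    openssl s_client "$@" </dev/null 2>/dev/null
}

# fetch_submission_cert HOST PORT [PROTO]: leaf certificate served there, as PEM
fetch_submission_cert() {
    s_client_out "$1" "$2" "${3-smtp}" | openssl x509 -outform PEM
}

# chain_verify_code HOST PORT [PROTO]
# Numeric "Verify return code" from s_client; 0 means the chain validated
# against the local CA store, i.e. what a mail client would also accept.
chain_verify_code() {
    s_client_out "$1" "$2" "${3-smtp}" \
        | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# cert_days_left PEMFILE
# Whole days until notAfter, or "?" if date(1) cannot parse OpenSSL's format.
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    # GNU date first, then BSD date
    end_s=$(date -u -d "$end" +%s 2>/dev/null) \
        || end_s=$(date -u -j -f '%b %e %H:%M:%S %Y %Z' "$end" +%s 2>/dev/null) \
        || { echo '?'; return 0; }
    echo $(( (end_s - $(date -u +%s)) / 86400 ))
}

# cert_ok_for PEMFILE DAYS: succeed when the cert is still valid DAYS from now
cert_ok_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# make_test_cert DAYS CERTFILE KEYFILE
# Constructed self-signed certificate so the expiry checks can be exercised
# offline; not something a real server would serve.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj '/CN=mail.example.invalid' -keyout "$3" -out "$2" >/dev/null 2>&1
}

# main HOST [PORT] [PROTO], e.g. "main mail.example.invalid 587 smtp"
# or "main mail.example.invalid 465 ''" for an implicit-TLS port.
main() {
    host=$1; port=${2:-587}; proto=${3-smtp}
    tmp=$(mktemp)
    fetch_submission_cert "$host" "$port" "$proto" > "$tmp"
    openssl x509 -in "$tmp" -noout -subject -issuer -enddate
    echo "chain verify code: $(chain_verify_code "$host" "$port" "$proto") (0 = ok)"
    echo "days left: $(cert_days_left "$tmp")"
    if cert_ok_for "$tmp" 14; then
        echo "OK: more than 14 days of validity remain"
    else
        echo "WARNING: expires within 14 days; renew and reload stunnel/the MTA"
    fi
    rm -f "$tmp"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh check-submission-cert.sh mail.example.invalid 587 smtp` from a cron job after the renewal hook; a non-zero verify code means the served chain is not one clients will trust, and the 14-day threshold in main is an arbitrary alerting margin to adjust to taste.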

