Mailing List ecs-isp@2rosenthals.com Archived Message #549

From: "Massimo S." <ecs-isp@2rosenthals.com>
Subject: Re: [eCS-ISP] stunnel 5.58 help
Date: Thu, 14 Sep 2023 11:38:29 +0200
To: eCS ISP Mailing List <ecs-isp@2rosenthals.com>



On 14/09/2023 10:22, Peter Moylan wrote:


On 14/09/23 17:33, Massimo S. wrote:


On 14/09/2023 03:21, Steven Levine wrote:
In <list-7891460@2rosenthals.com>, on 09/13/23
    at 08:46 PM, "Massimo S." <ecs-isp@2rosenthals.com> said:

Hi,

I don't want to buy an SSL certificate.

There's always Let's Encrypt.  The only downside is they expire relatively
quickly so you need to refresh the script more often than a purchased
script.

I use LE on Apache, but doesn't a cert. that expires every 3 months put Thunderbird or other mail clients (Outlook, smartphones, etc.) out of work?
I mean, the user doesn't receive new mail and has to do something to accept the new cert.?

Should I use the IJ fw to port-fwd 587 to something like 33333 :) Will I
always reach port 587 from the inside LAN here?

I'm not sure I understand how you envision your setup or the full scope of
your problem.  The users are going to submit via 587.  Are you saying you
want to port forward to 33333 internally and have Weasel listen on 33333?
That can work, but what's the downside of passing port 587 through to the
server running the Weasel instance?

Steven

No, I don't want to expose port 587 to the world;
I want to use another "strange" port like 33333, 44444, 55555, etc.

In the roughly 20 years that I've managed servers over the internet, I've learned that moving ports
reduces the possibilities of hackers' attacks.


If you set up your mail server to accept mail on port 33333, that will work, but only if you tell all your clients to change their mail programs to use that port. Most probably, at least half of them won't know how to do that, so you'd have to go around configuring their software for them. You probably won't want to do that.

If instead you keep accepting mail on port 587, you could do some internal juggling, e.g. with Injoy, to switch that to a different port inside the server, but there's no advantage in doing that, because you are again exposing port 587 to the world.

The bottom line is that you must make port 587 visible to your clients, and once you do that then hackers can also get to that port, unless you do something unusual like putting all of your clients on a VPN.

No, my clients at the moment are using an external authenticated SMTP that I'm going to
remove due to cost issues.

So "installing" the new settings is not a problem; it will be mandatory soon.

The question is only one: since I don't want to run another piece of software (e.g. mlink) on that server (threads are quite high and we know what happens when threads are high on /2) to
do port fwd from 587 to something like 44444 or 55555..

If I use IF, will 587 still be visible from my internal LAN?

At the moment 587 is also used with STUNNEL for SMTPS (submission), but it's still
visible from my LAN.


massimo

