Mailgateway in public environment / security

Joseph Wenninger

Aug 22, 2020
Hi!

I'm starting to evaluate the Mail Gateway for personal use and perhaps later on for some customers.

The mailgateway is running on a Hetzner Cloud-Server, my (old) mailserver is running on a physical server at Hetzner. Since there is no trusted network between those servers, right now I'm not sure if I'm configuring everything correctly from a security perspective. That's why I'd like to ask if somebody sees a flaw in my considerations or has some better best practices.

1) I've set up an iptables rule, which allows Port 8006 access only from my on premise Edge Router
2) I've added an iptables rule to allow port 26 access only from my (old) mailserver
3) Since the host has a /32 or a 64-bit prefix, there should be no problem of other cloud hosts using the mail gateway as relay.
4) on my old mail host (running exim4) I have a rule that denies all unauthenticated relaying and also unauthenticated local delivery if the host is not my mail gateway host (to prevent spammers from getting through to my mailboxes by bypassing the mailgateway)
5) disabled ssh root login, ....

Some questions:
a) do I have to add my mailserver to the trusted networks (if it uses port 26)?
b) I'd like to encrypt all traffic between the mail gateway and my mailserver, so on the exim4 side I'm forcing outgoing connections to be TLS, and on the mailgateway (for sending to my mailserver) I guess I should add, on the TLS tab, Destination: my mailserver with policy encrypt. Is a wildcard certificate okay or does it have to be a certificate only for the mailserver host?

c) In recent months I had the problem that some companies were not able to receive my emails, because their spam filter rejected my mails with the reason that the mail host domain specified in the HELO/EHLO command did not match the domain of the sender. Is it possible for outgoing mail routed via the mail gateway to set a specific mail name depending on the sender domain?


Best regards
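The firewall rules from points 1) and 2), written out as an added example for illustration; this is not from the thread, and the addresses are constructed placeholders. It also covers the IPv6 side that the /64 remark in point 3) touches on: a rule set that only filters IPv4 leaves both ports reachable over IPv6 on a dual-stacked cloud host.

```shell
#!/bin/sh
# Added example, not from the thread: print the iptables/ip6tables commands that
# restrict the PMG admin UI (8006/tcp) to the edge router and the internal relay
# port (26/tcp) to the old mailserver, dropping all other sources for both ports.
# The addresses are constructed placeholders. Commands are printed, not run;
# review them, then pipe the output to sh on the gateway.

EDGE_ROUTER_V4="203.0.113.10"   # constructed: on-premise edge router (admin UI)
MAILSERVER_V4="198.51.100.20"   # constructed: old exim4 host, IPv4
MAILSERVER_V6="2001:db8::20"    # constructed: old exim4 host, IPv6

# fw_rules TOOL PORT SOURCE
# Emits a DROP for PORT inserted at the top of INPUT, then an ACCEPT for SOURCE
# inserted above it, so the pair takes precedence over any later allow-all rule.
fw_rules() {
    tool="$1" port="$2" src="$3"
    printf '%s -I INPUT 1 -p tcp --dport %s -j DROP\n' "$tool" "$port"
    printf '%s -I INPUT 1 -p tcp --dport %s -s %s -j ACCEPT\n' "$tool" "$port" "$src"
}

# fw_drop TOOL PORT -- close a port for every source (no allowed peer on this family)
fw_drop() {
    printf '%s -I INPUT 1 -p tcp --dport %s -j DROP\n' "$1" "$2"
}

# all_rules -- the complete rule set for both address families
all_rules() {
    fw_rules iptables  8006 "$EDGE_ROUTER_V4"
    fw_rules iptables  26   "$MAILSERVER_V4"
    fw_rules ip6tables 26   "$MAILSERVER_V6"
    # the edge router has no IPv6 address in this setup, so 8006 is closed on IPv6 entirely
    fw_drop  ip6tables 8006
}

all_rules
```

Two practical notes: `-I INPUT 1` is not idempotent, so re-running the output adds duplicate rules (check with `iptables -C` or flush the chain first), and rules inserted this way do not survive a reboot unless they are persisted with the distribution's mechanism for that.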
 
a) do I have to add my mailserver to the trusted networks (if it uses port 26)?
yes - relaying via the internal port (default 26) is only possible from the trusted networks

b) I'd like to encrypt all traffic between the mail gateway and my mailserver, so on the exim4 side I'm forcing outgoing connections to be TLS, and on the mailgateway (for sending to my mailserver) I guess I should add, on the TLS tab, Destination: my mailserver with policy encrypt. Is a wildcard certificate okay or does it have to be a certificate only for the mailserver host?
should be enough - for more details on the meanings of the various encryption levels check the postfix documentation:
http://www.postfix.org/TLS_README.html#client_tls_policy

c) In recent months I had the problem that some companies were not able to receive my emails, because their spam filter rejected my mails with the reason that the mail host domain specified in the HELO/EHLO command did not match the domain of the sender. Is it possible for outgoing mail routed via the mail gateway to set a specific mail name depending on the sender domain?
Not really, as far as I understand the question - the PMG has a hostname and it uses this hostname as EHLO/HELO name - this should have nothing to do with the sender e-mail address. Could you show some logs of such a mail?

if you need to override the helo name - you can do so in the postfix config and the templating system:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

I hope this helps!
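The Postfix side of the answer to b), as an added example written for this thread rather than taken from it or from Proxmox: a small shell audit of a Postfix client TLS policy map (the file `smtp_tls_policy_maps` points to, which is the Postfix mechanism behind a per-destination TLS policy) that reports destinations configured below a required level. The sample map is constructed. The point to take from the levels in the linked TLS_README: `encrypt` forces encryption but does no certificate verification, so any certificate the peer presents is accepted; whether the certificate is a wildcard or host-specific only starts to matter at `verify`/`secure`, where the certificate must match the names given by `match=`.

```shell
#!/bin/sh
# Added example, not from the thread or Proxmox: audit a Postfix client TLS
# policy map and report destinations whose level is weaker than a required
# minimum. Level order per the Postfix TLS_README:
#   none < may < encrypt < dane < dane-only < verify < secure
# The map below is constructed for this example.

SAMPLE_POLICY='# destination        level   [attributes]
mail.example.com     encrypt
example.net          may
partner.example      verify  match=mx.partner.example
.example.org         secure  match=.example.org
olddomain.test       none'

# tls_level_rank LEVEL -> numeric rank so levels can be compared in shell
tls_level_rank() {
    case "$1" in
        none)      printf '%s\n' 0 ;;
        may)       printf '%s\n' 1 ;;
        encrypt)   printf '%s\n' 2 ;;
        dane)      printf '%s\n' 3 ;;
        dane-only) printf '%s\n' 4 ;;
        verify)    printf '%s\n' 5 ;;
        secure)    printf '%s\n' 6 ;;
        *)         printf '%s\n' -1 ;;   # unknown keyword: treat as worst
    esac
}

# tls_policy_level DEST  (map on stdin) -> configured level for DEST, or "unset"
tls_policy_level() {
    awk -v d="$1" '
        /^#/ || NF == 0 { next }
        $1 == d { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# tls_policy_audit MIN_LEVEL  (map on stdin)
# Prints "DEST LEVEL" for each destination below MIN_LEVEL; returns 1 if any.
tls_policy_audit() {
    min_rank=$(tls_level_rank "$1")
    found=0
    while read -r dest level rest; do
        case "$dest" in ''|'#'*) continue ;; esac
        rank=$(tls_level_rank "$level")
        if [ "$rank" -lt "$min_rank" ]; then
            printf '%s %s\n' "$dest" "$level"
            found=1
        fi
    done
    return $found
}

# Stand-alone run: which destinations in the sample map are below "encrypt"?
printf '%s\n' "$SAMPLE_POLICY" | tls_policy_audit encrypt
```

Run it against the live map with `tls_policy_audit encrypt < /path/to/tls_policy`; a destination that should never fall back to plaintext belongs at `encrypt` or above, and a peer whose certificate you control (as with the old mailserver here) can be raised to `verify` or `secure` so that a certificate swap on the path is detected rather than accepted.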