/tech/ - Technology

File: f08929ca0d42632⋯.jpg (1.91 KB, 129x90, 43:30, email.jpg)

 No.924695>>924713 >>924734

Help an oldfag get up to date on email. Back in the day you would just read RFC822 to know how email works. What are the technologies now? What RFCs should I know about?

What are the email servers and their qualities? I remember:

* Sendmail was always getting hacked and no one could maintain it with a book

* postfix was getting popular

* I think djb rolled his own

* hell, I rolled my own forwarder once

What are the connection protocols?

* There was POP that let customers accidentally delete their inboxes whenever they read their email from a friend's computer, IMAP, MAPI that no one else supported, and everyone skips those and uses web based email now.

* Microsoft had some protocol to push emails to its handhelds that was always hanging and you needed to schedule a script to delete ds2mb every hour to work around it.

* Is there anything new in server-to-server protocols or are they still sending flat RFC821/RFC822 to each other?

What are the recommended storage formats? Those I know of are:

1. mbox - One flat text file per mail folder.

2. maildir - A nest of subdirectories with one file per message that takes forever to load off an HDD.

How does one encrypt mail like Protonmail or Tutanota?

1. encrypt storage so the host can't read it?

2. encrypt comms to other SMTP servers if they support it?

What about spam fighting? There were a bunch of groups in the late 1990s that went silent and underground in the early 2000s, especially after Usenet died.

Speaking of Usenet, how does one get back on it without going through Google Groups or "pay for binz" sites? Every ISP that I know of has shut down their usenet servers. Is anyone still on it or is it all spam and tumbleweeds?

How does one create a cluster with multiple physical servers serving one email domain? Is this done at a lower level?

What webmail frontends are recommended? Squirrelmail was once the standard but it has been abandoned for years.

Is there anything new that needs to go into DNS to make email work better? Any special TXT tags?

What else should a techie know about email today?

 No.924708>>924754 >>924965

Welcome back.

- I think Postfix + Dovecot is the most popular combination today. Among debianfags exim is popular while OpenBSD is rolling their own right now called opensmtpd.

- Protocol for sending is SMTP and for receiving it's IMAP. No one uses POP3 any more.

- For storage, maildir is popular because it's fastest when it comes to write performance. Filesystems and disk latencies have become a lot better.

- For webmail roundcube is popular.

- You should learn about DANE, DKIM, and DNSSEC.

- Some e-mail servers require ssl for incoming mail. Use ssl by default and whenever you can. Free SSL certificates are available at letsencrypt. Their software is cancer, use an alternative client.

- Mailinglist software still sucks, but there are a few nice projects on the horizon.


 No.924713

>>924695 (OP)

>How does one encrypt mail like Protonmail or Tutanota?

It's encrypted on disk (but note that they can still read the message before they save it to disk).

Email traffic over the internet is mostly end to end encrypted between each mail server that passes the message along, but some servers aren't end to end encrypted.

If you actually want your emails encrypted use PGP.


 No.924734>>924754

>>924695 (OP)

Almost everyone moved to webmail and Google hired a lot of the people who were working on the standalone services so that infrastructure is pretty rickety today.

>new in server-to-server protocols

Nope.

>POP/IMAP

POP is dead, IMAP is garbage but it's what we've got.

>mbox/maildir

Both are garbage but maildir is the only real option.

>encrypt mail

For user to user, S/MIME or OpenPGP. All the tooling around this is a poorly maintained mess and probably 99% of all encrypted/signed emails in the world are sent by Debian developers.

For server to server, there's now TLS support in the protocol via STARTTLS. Note that many end-user ISPs block outbound port 25.

>spam

DNS blacklists run by shady groups that misuse power, SPF, DKIM. DNSSEC remains a total clusterfuck and I expect it to be deprecated.

>Is anyone still on [USENET]

It's pretty much dead.

>What else should a techie know about email today?

Everything's fucked.
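The OP asked what new TXT tags belong in DNS, and the two replies above name SPF, DKIM, DMARC-style policy and DNSSEC without showing what a usable record looks like. The following is an added example (not from any poster in this thread): a small parser and sanity check for SPF and DMARC TXT records, run over constructed sample records for fictional domains. In practice the records would come from `dig TXT example.com` and `dig TXT _dmarc.example.com`; the finding texts and sample values are my own.

```python
"""Parse and assess the SPF and DMARC TXT records an email domain publishes.

Constructed sample records are embedded below; in practice you would fetch
them with `dig TXT example.com` and `dig TXT _dmarc.example.com`.
"""
import re

# Mechanisms that cost a DNS lookup; RFC 7208 caps one evaluation at 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Split an SPF TXT record into (qualifier, term) pairs.

    Returns the qualifier of the final 'all' term (None if absent), the list
    of terms, and how many terms cost a DNS lookup.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier, lookups = [], None, 0
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        mechanisms.append((qualifier, term))
    return {"all": all_qualifier, "mechanisms": mechanisms, "lookups": lookups}


def assess_spf(record: str) -> list:
    """Return a list of weaknesses; an empty list means nothing obvious is wrong."""
    spf = parse_spf(record)
    findings = []
    if spf["all"] is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif spf["all"] == "+":
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif spf["all"] == "?":
        findings.append("'?all' is neutral: receivers get no basis to reject forgeries")
    elif spf["all"] == "~":
        findings.append("'~all' softfail: forgeries are tagged, not rejected")
    if spf["lookups"] > 10:
        findings.append(f"{spf['lookups']} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC record ('v=DMARC1; p=...; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_dmarc(record: str) -> list:
    """Return a list of weaknesses in the DMARC policy."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam rather than being rejected")
    elif policy != "reject":
        findings.append("missing or invalid 'p' tag makes the record unusable")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see aggregate reports about forgeries")
    return findings


# Constructed sample records for fictional domains.
SAMPLES = {
    "good_spf": "v=spf1 mx ip4:192.0.2.10 include:_spf.example.net -all",
    "weak_spf": "v=spf1 a mx include:mail.example.org ~all",
    "open_spf": "v=spf1 +all",
    "good_dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "weak_dmarc": "v=DMARC1; p=none; pct=50",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        check = assess_spf if "spf" in name else assess_dmarc
        print(name, "->", check(rec) or ["ok"])
```

The lookup counter matters because a record that pulls in too many `include:` chains silently stops protecting the domain: receivers return permerror instead of a fail, and DMARC then has nothing to align against.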


 No.924754>>924976

>>924708

>>924734

My ISP offers pop3s, so I use it. I don't need imap, since I just want all my mail delivered to one computer at home.

I use plain old mbox to store the messages. In the past I used qmail and maildir on servers, but that's not my job anymore.

I also use my ISP's smtp server for sending mail. I guess you might have to tunnel over ssh or something if you want to use smtp to another server and your ISP is blocking outbound 25.

My ISP still has a Usenet feed, and the alt.binaries.* and some tech groups are still active. There's various others that people post to, but not much that I'm interested in.
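Three posts so far (924708, 924734 and the one above) weigh mbox against maildir without showing what the two actually put on disk. Added example, not code from anyone in the thread: it uses Python's standard `mailbox` module on a temporary directory to deliver a few constructed messages both ways and report the result, i.e. one file per message under `new/` for maildir versus a single file with `From ` separator lines and `>From ` quoting for mbox.

```python
"""Show the on-disk difference between maildir and mbox using the standard
mailbox module.  All messages are constructed; everything lives in a tempdir."""
import mailbox
import os
import tempfile
from email.message import EmailMessage


def sample_message(n: int) -> EmailMessage:
    """Constructed message whose body starts with 'From ' to trigger mbox quoting."""
    msg = EmailMessage()
    msg["From"] = f"alice{n}@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = f"test {n}"
    msg.set_content("From the archives: a body line starting with From is special in mbox.\n")
    return msg


def write_maildir(root: str, count: int) -> dict:
    """Deliver `count` messages to a Maildir and count files per subdirectory."""
    base = os.path.join(root, "Maildir")
    md = mailbox.Maildir(base, create=True)     # creates tmp/, new/, cur/
    for i in range(count):
        md.add(sample_message(i))               # written to tmp/, renamed into new/
    md.close()
    return {sub: len(os.listdir(os.path.join(base, sub))) for sub in ("tmp", "new", "cur")}


def write_mbox(root: str, count: int) -> dict:
    """Append `count` messages to one mbox file and describe its structure."""
    path = os.path.join(root, "inbox.mbox")
    mb = mailbox.mbox(path)
    for i in range(count):
        mb.add(sample_message(i))               # prefixed with a 'From MAILER-DAEMON ...' line
    mb.close()
    with open(path, encoding="utf-8") as f:
        lines = f.read().splitlines()
    return {
        "files": 1,
        "separators": sum(1 for line in lines if line.startswith("From ")),
        "quoted_body_lines": sum(1 for line in lines if line.startswith(">From ")),
    }


def demo(count: int = 3) -> dict:
    """Run both writers in a throwaway directory and return their reports."""
    with tempfile.TemporaryDirectory() as root:
        return {"maildir": write_maildir(root, count), "mbox": write_mbox(root, count)}


if __name__ == "__main__":
    print(demo())
```

The `quoted_body_lines` count is the classic mbox wart: any body line that begins with `From ` has to be escaped so it is not mistaken for a message separator, which is why mbox cannot be parsed without knowing which dialect wrote it; maildir sidesteps that by never sharing a file between messages, at the cost of one open() per message, which is what makes it slow on spinning disks.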


 No.924965>>924969 >>925114

>>924708

>Free SSL certificates are available at letsencrypt. Their software is cancer, use an alternative client.

i've used them for a while now. they fucked their system 6 months ago with the way they verify things and then forced everyone into an alternative verification mode which the versions of the clients that got shipped to distros (debian you lazy updating mother fuckers) did not update/support.

the only way to update and keep your ssl certs from letsencrypt now is to write a script yourself that shuts down you apache or nginx or whatever is running on your port 80/443, run this updater they give you, and then re-enable apache/etc.

they supposedly have some hooks or some shit to have their client do it for you but i don't trust it anymore so i write a script myself that does it, it's been working for the past year.

they need to unfuck their shit, but it's free so it's hard to complain.


 No.924969

>>924965

also with let's encrypt you must update / verify your ip is the domain name by running this abomination of an update script every 3 months, sooner preferably, the cancer hybrid of your own script plus their shitty updater recommends once a day, it just checks and nothing happens if it isn't time to update.

also if you hit their service more than like twice a week requesting more certs they'll ban your ass. this is not necessarily a problem except for their massive verification fuckup which forces people to write their own scripts and interact with their shitty client in just the right way. they really really fucked up on that one, but like i said, nobody complains because it's free, nobody wants to pay for the $100-$1000 for the jew SSL racket that is HTTPS


 No.924976>>924985 >>925489

>>924754

IMAP also offers push notifications for new messages, which is nice.

If your client connects to port 25, you're doing it wrong. Use TLS.


 No.924985>>924989

>>924976

Why though? I only send my username/password over pop3s.


 No.924989>>925010

>>924985

Your smtp server supports unauthenticated sending? Sounds like a spam or fraud disaster waiting to happen.

You transmit your e-mails as plain text? I mean, there are people who prefer to go outside naked. Why not.


 No.925009

Is there an email app on Android that would show full text of an email (with headers, etc) like old fags used to see?

I've never been able to find one, and these 'advanced' mail programs are backward and make you more susceptible to phishing attacks.

In the past I could look at the email headers and raw text and tell the email was a spoof in under 5 seconds, now I have to export, save, decode from b64, view, and probably more shit I've forgotten - just to work out if the link points to what it says, all because the email program thinks hiding it is a good idea.


 No.925010>>925023

>>924989

The smtp server knows who I am, since they're my ISP and they assign me an IP address and route my packets.

Yeah I send emails in the clear. Why not? Hardly anyone uses PGP, and the protocol doesn't enforce encryption. I guess you could use "openssl s_client" to connect directly to the destination mail server but they might refuse you (to avoid acting as a spam relay).


 No.925023>>925056

>>925010

>The smtp server knows who I am, since they're my ISP and they assign me an IP address and route my packets.

So their smtp server accesses their dhcp database? Ewww.

Also you could still spoof mail of family members or roommates.

>Yeah I send emails in the clear. Why not? Hardly anyone uses PGP, and the protocol doesn't enforce encryption. I guess you could use "openssl s_client" to connect directly to the destination mail server but they might refuse you (to avoid acting as a spam relay).

Mail servers talk TLS to each other. Mine refuses to connect to servers that don't offer TLS. I've never had an issue in many years except once when I tried to contact some chink ISP.
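Post 925009 complains that modern clients hide the raw headers you would read to spot a spoof, and the exchange just above argues about whether hops between servers were actually TLS. Both come down to the same thing: reading the raw message. Added example, not from any poster: it parses a constructed phishing-style message with Python's standard `email` module, walks the `Received:` chain (Postfix marks a TLS hop with `ESMTPS` and the TLS version), compares the `From`, `Return-Path` and `Reply-To` domains, decodes the base64 HTML body and checks whether each link's visible text names a different host than its `href`. Hostnames, addresses and queue ids in the sample are constructed.

```python
"""Inspect a raw message the way the thread describes doing it by hand."""
import base64
import email
import re
from urllib.parse import urlparse

# Constructed sample: From claims a bank, Return-Path/Reply-To and the first
# hop belong to a third-party mailer, and the body is base64 HTML whose visible
# link text names the bank while the href goes elsewhere.
HEADERS = b"\n".join([
    b"Return-Path: <bounce@mailer.example.net>",
    b"Received: from mx1.example.org (mx1.example.org [192.0.2.5])",
    b"\tby inbox.example.com (Postfix) with ESMTPS id ABC123",
    b"\t(TLSv1.3 with cipher TLS_AES_256_GCM_SHA384); Tue, 1 Jan 2019 10:00:02 +0000",
    b"Received: from mailer.example.net (unknown [198.51.100.7])",
    b"\tby mx1.example.org (Postfix) with ESMTP id DEF456; Tue, 1 Jan 2019 10:00:00 +0000",
    b'From: "Example Bank" <security@bank.example>',
    b"Reply-To: <help@mailer.example.net>",
    b"To: <victim@example.com>",
    b"Subject: Verify your account",
    b"MIME-Version: 1.0",
    b'Content-Type: text/html; charset="utf-8"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"",
])
HTML = b'<p>Please <a href="http://login.mailer.example.net/x">https://bank.example/login</a> now.</p>'
RAW_MESSAGE = HEADERS + base64.encodebytes(HTML)


def hops(msg) -> list:
    """Return (sending host, was_tls) per Received header, newest hop first."""
    out = []
    for received in msg.get_all("Received", []):
        text = " ".join(str(received).split())      # unfold continuation lines
        m = re.search(r"from (\S+)", text)
        sender = m.group(1) if m else "?"
        # Postfix writes 'with ESMTPS' and '(TLSv1.x ...)' only for TLS hops.
        out.append((sender, "ESMTPS" in text or "TLSv" in text))
    return out


def sender_domains(msg) -> dict:
    """Domain part of From, Return-Path and Reply-To (None when absent)."""
    def dom(value):
        m = re.search(r"@([\w.-]+)", value or "")
        return m.group(1).lower() if m else None
    return {"from": dom(msg["From"]), "return_path": dom(msg["Return-Path"]),
            "reply_to": dom(msg["Reply-To"])}


def link_mismatches(html: str) -> list:
    """(visible text, real host) for links whose text is a URL on another host."""
    bad = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S | re.I):
        real = urlparse(href).hostname
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if shown and shown != real:
            bad.append((text.strip(), real))
    return bad


def analyse(raw: bytes) -> list:
    """Return human-readable findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw)
    # decode=True undoes the base64 transfer encoding for us
    html = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    d = sender_domains(msg)
    findings = []
    if d["return_path"] != d["from"]:
        findings.append(f"Return-Path domain {d['return_path']} != From domain {d['from']}")
    if d["reply_to"] and d["reply_to"] != d["from"]:
        findings.append(f"Reply-To domain {d['reply_to']} != From domain {d['from']}")
    for sender, tls in hops(msg):
        if not tls:
            findings.append(f"hop from {sender} was not TLS-protected")
    for shown, real in link_mismatches(html):
        findings.append(f"link shows {shown} but points at {real}")
    return findings


if __name__ == "__main__":
    for line in analyse(RAW_MESSAGE):
        print("-", line)
```

A domain mismatch between `From` and `Return-Path` is normal for mailing lists and bulk senders, so treat these as things to look at rather than a verdict; the link check, on the other hand, is almost always decisive.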


 No.925056>>925061

>>925023

Well if it's so easy, then go read all the emails I'm sending. All hops are within my ISP's network, so you'll have to hack into one of their routers or the mail server (I don't use wifi, so scratch that out). And then you'll have some emails with nothing useful in them, because I don't send secret stuff via email without PGP.


 No.925061>>925084

>>925056

Don't you ever take one of your devices outside of your ISP's network? I guess many people do. Will the mail server then refuse to accept mail? This would be unexpected for most users.


 No.925084

>>925061

No, my computer stays home, and my phone is voice/SMS only.

The ISP does in fact give the option to use their mail server from outside the network. Then you have to authenticate yourself first, but I didn't read all the details since I'll never use that option.


 No.925114>>925136 >>925139

>>924965

No. You can simply have the updater run like usual overwriting the old certificate. Then you just have to reload nginx. You don't have to restart it.


 No.925136>>925155

>>925114

No, you have to stop apache or nginx completely from serving sites on yourdomain.com, so it can host its own verification on port 80/443, once it does that you can bring your sites up.


 No.925139>>925155 >>925491

>>925114

the let's encrypt updater must be able to claim ports 80/443 and if it can't it fails, which means apache or nginx can't be running on those ports. this is just one of the verification modes, but it's the only one that works since their other primary verification mode had some security problem.


 No.925153>>930919 >>930932

Is running a mail server on a VPS an extremely stupid idea?


 No.925155>>925545

>>925136

>>925139

No.

<Can I issue a certificate without bringing down my web server?

>Yes, the ACME protocol is designed to perform server validation without any downtime. You can use the webroot mode in the Certbot client, which places a validation file at a specific location on your web server, or the Apache mode, which configures a temporary self-signed certificate for validation and gracefully reloads Apache.

https://certbot.eff.org/faq/


 No.925400>>925415

File: b493b2ff56bc3c2⋯.jpg (59.74 KB, 640x495, 128:99, systemdrefuge.jpg)

I unironically roll my own using sendmail and pop3. It's fucking great. If I need to read mail remotely I use SSH rather than IMAP, because IMAP once annoyed me. Sendmail hits spamhaus, uceprotect and spamcop dns blacklists to cut down the bullshit then uses clamav and spamassassin to check the rest.

I use 25 and 110 and it still works just like it's supposed to and as it always has for anyone who takes the time to learn what they were doing instead of blindly running servers they didn't quite understand.

Simple is better and fix your DNS first.


 No.925415>>925471

>>925400

>spamhaus, uceprotect and spamcop

>ClamAV

Wow, what a bunch of placebos.

You not only blocked lots of legitimate email servers, but also read your email in a dangerous way instead of downloading and decrypting it on the client.


 No.925471

>>925415

It's not placebo it works well and blocks legitimately shit servers that either can't be bothered to secure their relays or are openly hostile. Sometimes those belong to well known corporations but that doesn't make them more legitimate or less hostile. Of course I do use a mail client, a couple of them but primarily Sylpheed. The ClamAV is there primarily for Windows clients, which I also support but generally not for my personal use. Did I imply otherwise?

Most of this configuration has worked for decades now. Actually stable since the 1990's. Trying to patch security as an afterthought onto email is the stupid. While my server supports SSL/TLS I'm also aware of its well established weakness. For secure comms it's out of band preshared keys or nothing.

Tell me, how much did you pay to spamhaus before you fixed your shit?


 No.925489>>925534 >>925671

>>924976

>If your client connects to port 25, you're doing it wrong. Use TLS.

You can use TLS and use port 25. That's how it was designed to be used. The alternate ports exist because ISPs fucked the internet with mandatory firewalls on user-class internet but not business-class internet. Don't see neutrality faggots over on reddit crying about that one, though. Strange.


 No.925491

>>925139

Don't use that shitty botnet updater. Use acme-client from the OpenBSD guys. You can set up your existing webserver to publish a directory it can write to and it can take care of the rest without fucking everything or requiring stupid permissions.


 No.925534>>925668

>>925489

>implying

I can see how this passes for net neutrality supporters as long as ISPs are fucking with all mail providers equally. Also I'd like a source on the claim that ISP firewalling caused alternate ports.


 No.925545>>930757

>>925155

>without bringing down my web server

>gracefully reloads Apache.

this is still a webserver restart.

this also forces you to modify your apache configuration to support a static directory that this can use.

i'm not totally against this approach but the last time i tried it when they had their security fuckup i for some reason abandoned this approach in favor of a script that brings down apache, runs certbot, and then brings it back up, because this webroot mode was throwing errors and giving me shit.

it might be the best way to do it though


 No.925668>>925789

>>925534

>they're selling two tiers of the same internet by instructing your modem to break your outgoing connections to servers not owned by the ISP if you paid them less

>but I don't see how this is a neutrality issue


 No.925671

>>925489

this, and it's not just port 25, try running some shit on 80,443 or openvpn common ports. if they aren't outright blocked you'll be getting a notice from your ISP that you better pay up for a business line or your shit's getting canceled asap


 No.925789

>>925668

They're also selling slow and fast internet. That's also multiple tiers. I think you don't understand the argument behind net neutrality.


 No.930744>>930749 >>930919

Protonmail is pozzed


 No.930749

>>930744

ur mom is pozzed


 No.930757

>>925545

>this is still a webserver restart.

No retard, reloading != restarting. The webserver will still serve requests while it's reloading.
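The Let's Encrypt subthread (924965 through this post) is about whether renewal needs the web server stopped. The certbot FAQ quoted in 925155 says no: in webroot mode the challenge file is written into a directory the running server already serves, and a reload (not a restart) picks up the new certificate afterwards. Added example, not from any poster or from certbot's own code: a small renewal wrapper built around that flow. It prints the nginx location block that exposes the challenge directory, checks how long the current certificate has left (parsing `openssl x509 -noout -enddate` output), and only then invokes `certbot renew` with `--webroot` and a `--deploy-hook` that reloads nginx. The domain, webroot and certificate path are assumptions for illustration.

```python
"""Renewal wrapper for the certbot webroot flow: no web server downtime.

Assumed values: DOMAIN, WEBROOT and CERT_PATH are placeholders, not from the
thread.  The pure helpers are the part worth reading; main() shells out.
"""
import subprocess
from datetime import datetime, timedelta, timezone

DOMAIN = "mail.example.com"                 # assumed
WEBROOT = "/var/www/letsencrypt"            # assumed; writable by certbot, served by nginx
CERT_PATH = f"/etc/letsencrypt/live/{DOMAIN}/cert.pem"
RENEW_BEFORE_DAYS = 30                      # Let's Encrypt certs live 90 days


def nginx_acme_location(webroot: str) -> str:
    """nginx stanza that serves the ACME challenge directory over port 80.

    certbot writes WEBROOT/.well-known/acme-challenge/<token>; with `root`
    set to WEBROOT, nginx maps the request path onto exactly that file.
    """
    return (
        "location /.well-known/acme-challenge/ {\n"
        f"    root {webroot};\n"
        "    default_type text/plain;\n"
        "}\n"
    )


def parse_not_after(line: str) -> datetime:
    """Parse 'notAfter=Mar  5 12:00:00 2025 GMT' as printed by openssl x509 -enddate."""
    value = " ".join(line.strip().split("=", 1)[1].split())   # collapse padding spaces
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")


def needs_renewal(not_after: datetime, now: datetime,
                  threshold_days: int = RENEW_BEFORE_DAYS) -> bool:
    """True once the certificate is inside the renewal window."""
    return not_after - now <= timedelta(days=threshold_days)


def certbot_renew_command(webroot: str) -> list:
    """`certbot renew` re-validates via the webroot and reloads nginx on success.

    The deploy hook runs only when a certificate was actually renewed, and a
    reload keeps nginx serving throughout; it is never stopped.
    """
    return ["certbot", "renew", "--webroot", "-w", webroot,
            "--deploy-hook", "systemctl reload nginx"]


def current_not_after(cert_path: str) -> datetime:
    """Ask openssl for the expiry of the certificate on disk."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", cert_path],
                         check=True, capture_output=True, text=True).stdout
    return parse_not_after(out)


def main() -> None:
    # Safe to run daily from cron: nothing touches the CA unless renewal is due,
    # which also keeps you well clear of the issuance rate limits.
    print(nginx_acme_location(WEBROOT))
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    if needs_renewal(current_not_after(CERT_PATH), now):
        subprocess.run(certbot_renew_command(WEBROOT), check=True)
    else:
        print("certificate not due for renewal")


if __name__ == "__main__":
    main()
```

`certbot renew` applies its own renewal window as well, so the expiry pre-check is belt and braces; its real value is that the same `needs_renewal` logic can feed a monitoring check that alerts when a certificate is close to expiry and the cron job has silently stopped working.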


 No.930919

>>925153

yes, if you don't have any experience or if you aren't willing to do a lot of homework.

>>930744

But you can compose your mail with an editor, use GnuPG to encrypt it and then just copypasta the ciphertext into your webmail


 No.930932

>>925153

Speaking from experience, you'll have to read a FUCK TON of documentation. Maybe mailinabox is easier to set up, I did postfix+dovecot and I needed to read a lot of things. MTAs are really complicated pieces of software.

