Greetings all!
I hope your new year is starting off well! I am new to the Mailcow community. This is going to be a semi-long read, however, I wanted to reach out to all of you veterans for advice/guidance.
As part of my New Year's resolution to become more privacy conscious, I decided it is time to learn Linux (server – command line) and to ditch Gmail! My thought process is to learn Linux so I can stand up my own email and chat server on a virtual private server (VPS). I want to be in control of who has access to see and read my email vs Big Tech data mining my stuff!
I am a novice when it comes to servers and more importantly Linux. I have read numerous articles, Reddit posts, and forums on how to deploy and harden a Linux server. Before configuring my own email server, I want to make sure I have taken the necessary steps/precautions to secure myself from any intrusions/hackers. Now I know that I cannot make it 100% secure where it will never be hacked (as even the top companies in the world are hacked), but I want to be as safe and secure as possible.
Background
Prior to deciding to create my own Mailcow server, I planned on signing up with MXroute.com. I have read many great reviews and people even stated the owner is to work with. However, as I continued to read about MXroute, I came across a post where someone asked the owner about encryption. Based on the response, I decided to hold off and look into hosting my own. Below is an excerpt of the post and replies.
Question: “Does MXRoute encrypt emails at rest? If so who has access to the keys?”
Answer from the owner:
"Great question!
They are not stored in such a way, rather they are stored in default Dovecot maildir format.
Edit: To add to this, it does mean that your email is completely exposed to our admins (this is a standard practice,
and should be assumed the same for any service that does not express otherwise). However, it would be wrong of me
to say this without expressing “why” we do not want to read your email. Reading your email makes us legally liable
for their contents, and this is not a sound business practice. We prefer money over knowledge of that which is not
ours to know, and the liability that is coupled with it."
Apparently the owner could technically look at anyone’s email at any time since they are not encrypted at rest. Even though he says “we do not want to read your email” I still feel uncomfortable knowing that he (or anyone that works for him) has that ability.
Overview of what I have done
So far this year, I purchased my own domain and VPS. Many of the Linux recommendations I have read suggested Ubuntu for newer people getting into Linux as it is easier/more user friendly. The OS version I went with is 20.04, although, I do have the option to use 18.04 or 16.04 LTS.
One of my biggest concerns is hardening the server/OS and keeping everything up-to-date – i.e., security patches, application updates, and any maintenance that may be needed. I really do not know how often I would need to update Docker, Mailcow or any of the applications that come with it.
I spent many nights searching the internet and reading Reddit posts, forums, and tons of websites. For someone who is new to Linux, I can definitely say I found it to be overwhelming and really confusing on where to start. I probably bookmarked over 20+ websites! Having bits of good information scattered across many different websites is not really helpful. To make life easier for me, as I performed each function to harden my VPS I made notes to create a step-by-step guide. I compiled all the best practices I found while scouring the internet on how to configure and secure a Linux server into one document. This way, I can reference it as needed.
Here is what I have done so far to harden my VPS:
- Immediately changed the Root password
- Updated the repositories and upgraded the system
- Changed the default SSH port to help deter against drive-by scans
- Configured SSH protocol 2 and verified a user could not connect with protocol version 1
- Configured SSH connection timeout idle value
- Created a new user
- Added the new user to the sudo group and verified I could login and perform administrative functions with the user
- Disabled Root user login
- Modified the sshd config file to only allow connection from the new users
- Setup SSH public/private key login
- Securely stored and associated my private key with Windows login account
- Copied the public key to the VPS
- Setup, configured, and enabled automatic security updates (Unattended Upgrades) and reboot
- Installed, configured, and enabled UFW – all ports are set to deny except SSH and the ports needed for Mailcow
- Installed Fail2Ban
Present day and going forward
This is where I would like to request help from the community. I am open to all and/or any advice! I have dove head first into uncharted water; learning how to swim and stay afloat, but don’t want to get eaten alive! 😃
What are your thoughts on the OS? Should I stay with Ubuntu 20.04, or downgrade to 18.04 or 16.04 LTS, or switch the OS to a different Linux type altogether?
Based on the steps I have taken to secure/harden my server, do you think my server is secure enough to run Mailcow or are there additional actions I need to further address?
Does Mailcow provide the ability to encrypt the emails at rest? If not, is there something I can do to secure the emails on the server in the event it was ever compromised?
Thank you for taking the time to read my long post! I know I will have more questions! 😃
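
As an added example (not part of the original post and not Mailcow tooling), the script below checks an `sshd_config` file for the SSH items in the hardening list above: non-default port, root login disabled, `AllowUsers`, and an idle timeout. The sample config and the user name `newadmin` are constructed, and the `PasswordAuthentication` check is an assumption about what "key login" should imply rather than a step the post lists.

```shell
#!/bin/sh
# Added example (not from the post): check an sshd_config for the SSH
# hardening steps listed above. Does not follow Include directives.

# Print the effective global value of KEYWORD. sshd uses the first
# occurrence of a keyword, and keywords are case-insensitive.
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ { next }                 # comment line
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Print one line per gap; the exit status is the number of findings.
audit_sshd() {  # usage: audit_sshd FILE
    file=$1 findings=0
    flag() { findings=$((findings + 1)); echo "FINDING: $1"; }

    port=$(sshd_value "$file" Port)
    [ "${port:-22}" != 22 ] || flag "Port is still the default 22"
    root=$(sshd_value "$file" PermitRootLogin)
    [ "$root" = no ] || flag "PermitRootLogin is '${root:-unset}', expected 'no'"
    [ -n "$(sshd_value "$file" AllowUsers)" ] ||
        flag "AllowUsers is not set"
    idle=$(sshd_value "$file" ClientAliveInterval)   # expected in seconds
    [ "${idle:-0}" -gt 0 ] 2>/dev/null ||
        flag "ClientAliveInterval is unset or 0, so there is no idle timeout"
    # Not in the list above: key login alone leaves password login enabled.
    pw=$(sshd_value "$file" PasswordAuthentication)
    [ "$pw" = no ] || flag "PasswordAuthentication is '${pw:-unset}', expected 'no'"
    return "$findings"
}

# Constructed sample config; 'newadmin' is a hypothetical user name.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
PermitRootLogin no
AllowUsers newadmin
PubkeyAuthentication yes
ClientAliveInterval 300
#PasswordAuthentication no
EOF
audit_sshd "$sample" || true
```

On a live server, `sshd -T` (run as root) prints the effective settings in the same `keyword value` form, including anything pulled in through `Include`, so saving that output to a file and passing it to `audit_sshd` gives a more reliable result than reading `/etc/ssh/sshd_config` alone.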