Self-hosting E-Mail

I recently read this post by a member of the infosec.exchange community about someone’s struggles with self-hosting email. I first started hosting my own email in 1997 and I will admit, it’s been a titanic pain in the ass.

I’ve had two main issues:

  1. filtering out spam while allowing legitimate mail through
  2. ensuring mail is delivered, which is the topic of the post linked above

E-mail has become a vital utility for many people, my family included. If the wrong incoming mails are rejected, or outgoing email is not delivered, it can be a nightmare. THEY JUST WANT EMAIL TO WORK. Like turning on the faucet or a light.

A number of years ago, I gave in, to an extent, and “wrapped” my email around 3rd party providers: MXGuardDog filtered incoming email. MailGun delivered outgoing email. MailGun was indeed the only way I could reliably get email delivered to the likes of gmail.com from my own mail servers hosted in various cloud and VPS providers over the years.

Recently, I had an issue with spammers fabricating* email addresses to send from using the “infosec.exchange” domain. This caused me to set up SPF, DMARC, DKIM, and even DNSSEC for infosec.exchange.

At about the same time, I got a bill from MailGun – $15 for the most recent month due to the number of new accounts that had recently joined. This made me wonder how bad things would be without using MailGun. About 80% of signups on infosec.exchange use gmail.com addresses (protonmail is the next highest), so I removed MailGun from the mail flow and tried deliverability to gmail.com. And it worked! I removed the SPF/DMARC/DKIM/DNSSEC records and tried again, and found my mail was rejected.

I am sure that the large mail providers will blacklist my IP/domain at the drop of a hat should I be the source of spam, or even of what they perceive to be spam, but it appears that they’re using some fairly straightforward standards that we can adopt pretty easily.
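What those standards actually ask of a sender is easy to check before the big providers check it for you. The following is an added example, not code from the original post or from Virtualmin: it sanity-checks SPF, DMARC and DKIM TXT records offline against constructed record values for the hypothetical domain example.org. The domain, selector name, addresses and the DKIM key string are all invented; to check a live domain, fetch each name's TXT records (for instance with dnspython's dns.resolver.resolve(name, "TXT")) and pass the strings in the same {name: txt} shape.

```python
"""Offline sanity checks for the SPF, DMARC and DKIM TXT records a domain publishes.

Added example on constructed records for the hypothetical domain example.org.
"""
import re

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10 per record.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
DMARC_POLICIES = {"none", "quarantine", "reject"}


def parse_tags(txt):
    """Parse a 'k=v; k=v' tag list (DMARC and DKIM records) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", maxsplit=1)  # only the first '=' separates the tag
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt):
    """Return a list of problems with an SPF record (empty list means it looks sane)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record must begin with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier is 'pass'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    findings = []
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if all_qualifier is None:
        findings.append("no terminal 'all' mechanism, so unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host pass SPF; use -all or ~all")
    return findings


def check_dmarc(txt):
    """Return a list of problems with a _dmarc TXT record."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return ["DMARC record must begin with v=DMARC1"]
    tags = parse_tags(txt)
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy.lower() not in DMARC_POLICIES:
        findings.append(f"unknown policy p={policy}")
    elif policy.lower() == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so you will never see aggregate reports")
    return findings


def check_dkim(txt):
    """Return a list of problems with a selector._domainkey TXT record."""
    tags = parse_tags(txt)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        findings.append("unexpected v= tag; DKIM key records use v=DKIM1")
    key = tags.get("p", "")
    if key == "":
        findings.append("empty p= means the key is revoked; signatures will fail")
    elif not re.fullmatch(r"[A-Za-z0-9+/=]+", key):
        findings.append("p= is not valid base64")
    return findings


def check_domain(domain, selector, records):
    """Return {record_type: [findings]}; a missing record is itself a finding.
    `records` maps a DNS name to the relevant TXT string (the apex entry is the SPF one)."""
    report = {}
    for label, name, checker in (
        ("spf", domain, check_spf),
        ("dmarc", f"_dmarc.{domain}", check_dmarc),
        ("dkim", f"{selector}._domainkey.{domain}", check_dkim),
    ):
        txt = records.get(name)
        report[label] = [f"no TXT record at {name}"] if txt is None else checker(txt)
    return report


# Constructed records for the hypothetical example.org (not real infosec.exchange data).
GOOD_RECORDS = {
    "example.org": "v=spf1 mx ip4:203.0.113.10 -all",
    "_dmarc.example.org": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org; pct=100",
    # the p= value is a constructed placeholder, not a real RSA public key
    "mail._domainkey.example.org": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC",
}
WEAK_RECORDS = {
    "example.org": "v=spf1 mx ?all",          # ?all is neutral for everyone, so spoofing passes
    "_dmarc.example.org": "v=DMARC1; p=none",  # monitoring only, and no rua= so no reports
    # no DKIM selector published at all
}

if __name__ == "__main__":
    for label, recs in (("good", GOOD_RECORDS), ("weak", WEAK_RECORDS)):
        print(label, check_domain("example.org", "mail", recs))
```

The lookup counter matters more than it looks: a record that grows past ten include/a/mx/ptr/exists/redirect terms evaluates to permerror at the receiver, which for DMARC purposes is no better than having no SPF at all.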

One last note: I am using Virtualmin to self-host my email, and while there are aspects of Webmin/Virtualmin that make me crazy, setting up DMARC, DKIM, SPF, and DNSSEC is very simple with it.

*well, they were not totally fabricated – usernames in the fediverse look like email addresses, but they are not, and it appears that spammers are scraping websites, collecting what appear to be legitimate email addresses to use as the “from:” address in their spam campaigns.

I Made a Spammy Mistake

There’s a password that I know and love, but I can’t use because it was stolen in the breach of some site long, long ago, and so it’s part of many dictionaries used for brute forcing passwords.

I run a bunch of cloud servers for various personal purposes and have things respectably locked down.  Ansible scripts perform initial hardening of new operating systems and keep those systems up-to-date with minimal (or no) intervention.  Root logins are disabled.  Logins require a yubikey and a password.

I recently set up a new server I rent through Hetzner.  It’s a beast for the price, by the way.  I installed the Webmin/Virtualmin combo, which makes managing multiple domains on the same system quite simple.

Yesterday, I started getting a flurry of delivery rejections and out of office notifications to one of my email addresses.  One of the rejections included a full, raw copy of the email that caused the rejection – sure enough, someone was sending spam through my shiny new server.

It took me a minute to realize what was happening.  Virtualmin uses the Postfix mail server, and Postfix is configured to use SASL for authenticating users.

Some enterprising and dedicated person had been brute-forcing SMTP AUTH sessions since about the time the server came online and hit on the combination of my local username and the previously mentioned bad password.  SASL doesn’t require yubikey auth, and I didn’t recognize that Virtualmin would authenticate local unix accounts and not just email accounts created through Virtualmin.  In hindsight, it’s obvious why it worked, because even the Virtualmin email IDs are added as unix users, named in an email-address style (user@domain) format.
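The brute force was visible in the mail log the whole time; what was missing was anything looking for it. The following is an added example, not code from the original post: it walks Postfix smtpd log lines in order, counts SASL authentication failures per client IP, and treats a successful sasl_username login from an IP that has already crossed the failure threshold as a probable account compromise rather than a mere probe. The log excerpt is constructed to mimic Postfix's format; the hostnames, IPs, queue IDs and the user name alice are invented.

```python
"""Spot SMTP AUTH brute forcing, and a success that follows it, in Postfix logs.

Added example over constructed log lines; point analyze() at real
/var/log/mail.log lines to run it for real.
"""
import re
from collections import Counter

# e.g. "... postfix/smtpd[2817]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: ..."
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ postfix/smtpd\[\d+\]: warning: "
    r"[^\[\s]+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"
)
# e.g. "... postfix/smtpd[2901]: 4F1C2A7B3D: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice"
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=[^\[\s]+\[(?P<ip>[\d.]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)"
)


def analyze(lines, threshold=10):
    """Walk log lines in order. Returns per-IP failure counts, the IPs that crossed
    `threshold` failures, and successful SASL logins that came from such an IP."""
    failures = Counter()
    bruteforce = {}
    compromised = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ip = m.group("ip")
            failures[ip] += 1
            if failures[ip] >= threshold:
                bruteforce[ip] = failures[ip]
            continue
        m = AUTH_RE.match(line)
        if m and failures[m.group("ip")] >= threshold:
            # The guesser got in: this is a compromised account, not just a probe.
            compromised.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "failures_before": failures[m.group("ip")],
                "at": m.group("ts"),
            })
    return {"failures": dict(failures), "bruteforce": bruteforce, "compromised": compromised}


# Constructed log excerpt: 12 failures from one host, two from another, then a
# success from the brute-forcing host as the local unix user, then a legitimate login.
SAMPLE_LOG = [
    f"Mar  3 02:{10 + i:02d}:07 mail postfix/smtpd[2817]: warning: unknown[198.51.100.7]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6"
    for i in range(12)
] + [
    "Mar  3 02:25:05 mail postfix/smtpd[2819]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure",
    "Mar  3 02:25:09 mail postfix/smtpd[2819]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure",
    "Mar  3 02:31:40 mail postfix/smtpd[2901]: 4F1C2A7B3D: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice",
    "Mar  3 08:02:11 mail postfix/smtpd[3104]: 9B8A7C6D5E: client=laptop.example.org[192.0.2.9], sasl_method=PLAIN, sasl_username=alice",
    "Mar  3 08:02:12 mail postfix/qmgr[1201]: 9B8A7C6D5E: from=<alice@example.org>, size=1834, nrcpt=1 (queue active)",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, n in result["bruteforce"].items():
        print(f"brute force: {ip} ({n} failures)")
    for hit in result["compromised"]:
        print(f"COMPROMISED: {hit['user']} from {hit['ip']} at {hit['at']} after {hit['failures_before']} failures")
```

The same counts are what fail2ban's postfix-sasl jail turns into firewall drops, and that jail is the cheap part of the fix. The other cheap part is keeping smtpd_sasl_auth_enable = no for port 25 in main.cf and enabling SASL only on the submission service in master.cf. Neither changes the underlying behaviour described above: if Postfix authenticates through saslauthd and PAM, as is common on a Virtualmin box, every local unix account with a password is a valid SMTP AUTH login, so those accounts need passwords that are not in anyone's wordlist.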

This really highlights what makes securing environments challenging: there are many, many moving parts, and small nuances like this one can lead to problems.

The Role of Cyber Insurance in Security Operations

Lucky for me, Twitter was showing re-runs a few days ago and I saw a link to an article I missed last fall:

Why are cyber insurers incentivizing clients to invest in specific vendors?

It’s a quick and worthwhile read about a program called the “Cyber Catalyst” by insurance broker Marsh.  The program maintains a roster of cyber security products and services endorsed by various cyber insurance providers.  The criteria used to evaluate candidate products are as follows:

Participating insurers evaluated the solutions along six criteria:

  • Reduction of cyber risk: demonstrated ability to address major enterprise cyber risk such as data breach, theft or corruption; business interruption; or cyber extortion.
  • Key performance metrics: demonstrated ability to quantitatively measure and report on factors that reduce the frequency or severity of cyber events.
  • Viability: client-use cases and successful implementation.
  • Efficiency: demonstrated ability of users to successfully implement and govern the use of the product to reduce cyber risk.
  • Flexibility: broad applicability to a range of companies/industries.
  • Differentiation: distinguishing features and characteristics.

In a world full of security snake oil, an objective list like this is certainly helpful.  I am, at least, a little concerned at selection bias creeping into the list.  If mature organizations that manage security well tend to use a particular service, that service is possibly the unfair beneficiary of the good practices employed by the organizations that use those services.

But never mind that.  I made a commitment to myself that I would stop being yet another poo tosser that simply flings dung at people who are trying to help advance the state of security, and instead actually offer constructive ideas.

The missing pieces are people and processes.  These are hard to objectify, but it seems within the realm of possibility to create a similarly endorsed set of processes, and even of the types of skills for IT and security staff, known to lead to good outcomes.  I can already hear people lining up to explain how I am wrong, but hear me out: I can all but guarantee two things about the Cyber Catalyst list:

      1. Any given organization can achieve good security outcomes without using any of the Cyber Catalyst services
      2. Any given organization that does use the Cyber Catalyst services can have a bad outcome

Much comes down to how any given organization manages risk, operates IT, and so on.  The Cyber Catalyst provides a data point for organizations looking to invest in some new security tool or service.  It doesn’t guarantee success.  The situation with people and processes is similar.  Given an inventory of “endorsed processes”, organizations looking to, for example, replace their change management, vulnerability management, or threat hunting processes could contemplate using exemplars from the endorsed process list. There are many frameworks out there already, from COBIT to NIST to ISO27k, but my view is that those, at best, would serve as a framework to organize the endorsed processes, since they don’t, themselves, provide substantial information on how to actually operationalize them.

People could be similar.  It seems possible to, in rough terms, identify a set of skills that organizations that defend themselves successfully have on staff.  If that becomes successful, and it is “open”, it could serve as a list of skills to develop for individuals looking to enter or advance in the IT security field.