TCB13

TCB13 , 3 months ago (edited 3 months ago) to selfhosted in What to be aware of before opening port 25 on a postfix Raspberry Pi?

If you follow the ISPMail guide at workaround.org you’ll be safe.

I heard there are scaries online which someone could potentially send emails from your server without consent

That’s called an open relay and websites like mxtoolbox.com/diagnostic.aspx can test for it.

Either way your biggest issue won’t be that, if you’re running on a residential internet connection the IP is already flagged as such and will have a very low reputation with other e-mail providers causing Microsoft, Google and any other large provider will simply refuse your email. You’ll also need reverse DNS for your IP pointing at the domain you’re using that your ISP is most likely not going to provide.

TCB13 , 3 months ago to linux in Thunderbird's New Rust Integration: The Future of Email Clients?

It apparently happens with other email sources as well

I deal with a lot of mailboxes and a ton of people using Thunderbird with ridiculous amounts of emails like 50-100GB accounts and even on the few times I saw Thunderbird failing it wasn’t loosing anything.

I don’t trust Owl very much, the good news is that we will soon get an official and decent support for Exchange. :)

TCB13 , 3 months ago (edited 3 months ago) to linux in Thunderbird's New Rust Integration: The Future of Email Clients?

I don’t yet… but a few months ago nobody believed they could take on a sponsorship from Anduril. Nor that they would enact a somewhat vague policy guide pushing the ideia that the community is all that matters and that all further important decisions will be community driven without actually specifically defining “who” is the community.

TCB13 , 3 months ago to linux in Flathub new home page

Yet, we still don’t have a proper way to mirror the parts (or the entire) repository and/or have useful offline archives of flatpaks for certain cases.

TCB13 , 3 months ago to linux in Thunderbird's New Rust Integration: The Future of Email Clients?

NixOS is just another attempt at changing the way fundamental things are done so one day they can introduce some orchestration / repository / xyz payed solution. Yet another step in the commoditization of software development.

TCB13 , 3 months ago to linux in Thunderbird's New Rust Integration: The Future of Email Clients?

just more difficult to connect when the provider wants to keep things secure.

Proton could’ve just implemented everything they did with IMAP/SMTP on Thunderbird + OpenPGP with the same level of security, but they decided not to. Yes, their solution is convenient but also close to everything else.

TCB13 , 3 months ago to linux in Thunderbird's New Rust Integration: The Future of Email Clients?

Only annoying thing is not supporting ProtonMail out of the box.

That’s Protons fault, they’re the ones that decided to ignore all the open and standard e-mail, contacts and calendar protocols out there and built their custom-everything stack to keep you vendor-locked into their interfaces.

TCB13 , 3 months ago to linux in Thunderbird's New Rust Integration: The Future of Email Clients?

^ Boils down to not being hostage to a single provider and whatever it offers.

TCB13 , 3 months ago to linux in Thunderbird's New Rust Integration: The Future of Email Clients?

Not a single screenshot was provided.

TCB13 , 3 months ago to linux in Thunderbird's New Rust Integration: The Future of Email Clients?

Maybe the issue was that you were using it to access some kind of Microsoft service and their improper IMAP implementation.

TCB13 , 3 months ago to selfhosted in Reaching service through domain from local network

But even if you don’t fully control the device, you can usually change DHCP DNS so that LAN clients will use your local DNS servers.

Not all ISPs allow this. Mine for instance doesn’t allow changing any LAN DHCP setting… fortunately they have an option to configure one of the ports as “bridge” and you’ll get a public IP there so I can just plug my own equipment and do whatever I want.

TCB13 , 3 months ago to linux in [Noob] Is it worth getting a LTS kernel?

If you want stability use the latest Debian. The point of those LTS kernels is more and more supporting IoT and other devices you can’t simply upgrade, but you want to keep secure… regular use cases can just usa a stable disto like Debian and you’ll never notice any kernel related issues.

TCB13 , 3 months ago to selfhosted in Reaching service through domain from local network

is using a public domain effective way to do it or should i always use server’s IP when configuring something inside LAN? Is my traffic routed through the internet somehow when using domain even in LAN or does my router know to not do this?

It depends.

If you control your router (not ISP provided) you can just go into the router settings and tell it to always resolve your public domain to the local machine IP. This will make it so any computer on the network running a DNS query will get a local IP for that domain instead of the public one. Quick and easy fix.

If you don’t control it / don’t apply the fix above, most likely your traffic is not routed through the internet because routers are usually configured for hairpinning / NAT loopback and they’ll simply forward the traffic internally.

You can test what’s going on by using the traceroute (or tracert on Windows) to find where the traffic is going. It will give you a line for each host your traffic has to go through in order to reach the destination. If you need help reading the output, just post it public IPs redacted.

TCB13 , 3 months ago to selfhosted in Self hosted remote storage for VPS?

You can also configure your server to only accept traffic on the VPN port coming from your home IP address if you’ve a static one. Or… only allow incoming connection from your country (wiki.nftables.org/wiki-nftables/…/GeoIP_matching). This will provide you an extra layer of security.

Either way don’t be afraid to expose the Wireguard port because an attacker won’t even know there’s something listening on that port as it will ignore any piece of traffic that isn’t properly encrypted with your keys;

TCB13 , 3 months ago (edited 3 months ago) to selfhosted in VPN into Homenetwork Security

Does creating a VPN into my home network using my router increase my attack surface?

Yes, but it also provides the ability to access any resource in your network in a secure way.

It is typically less safe to expose 3 or 4 different services you want remote access than a single VPN daemon that is actually designed for that specific scenario and has mitigations for common attacks built in.

To make your setup secure you can consider a few steps:

• Use Wireguard: don’t be afraid to expose the Wireguard port because if someone tries to connect and they don’t authenticate with the right key the server will silently drop the packets. An attacker won’t even know there’s something listening on that port / it will be invisible to typical IP scans / / will ignore any piece of traffic that isn’t properly encrypted with your keys;
• Use a 5-digit port for your VPN - something like 23901 (up to 65535) will be way harder to find than typical ports like the default 51820 or 443;
• Go full paranoid and use a firewall to restrict what countries or even days, hours access your server is allowed. Eg. only allow incoming connection from your country (wiki.nftables.org/wiki-nftables/…/GeoIP_matching). Be aware of what happens when you’re abroad;
• Don’t port forward IPv6 if you don’t need it. Might be easier than dealing with a dual stack firewall and/or other complexities.

In a side note: a VPN doesn’t mean full access to your network either. You can setup a VPN endpoint that only allows access to a few specified services running on specific machines instead of the entire network. This will give you extra security if you’re into that.

• digitalocean.com/…/how-to-set-up-wireguard-on-deb… (skip IPv6)
• github.com/ngoduykhanh/wireguard-ui - good UI to manage wg
• wiki.nftables.org/…/Quick_reference-nftables_in_1…
• tadeubento.com/…/nftables-country-geo-blocking/