this post was submitted on 02 Sep 2024

433 points (98.0% liked)

Linux

47952 readers

1293 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

[email protected]

433

Our family mail server quit working today. Maybe it's a bit long in the tooth... (lemmy.sdf.org)

submitted 2 months ago* (last edited 2 months ago) by [email protected] to c/[email protected]

72 comments fedilink hide all child comments

Apparently I installed that thing in 2006 and I last updated it in 2016, then I quit updating it for some reason that I totally forgot. Probably laziness...

It's been running for quite some time and we kind of forgot about it in the closet, until the SSH tunnel we use to get our mail outside our home stopped working because modern openssh clients refuse to use the antiquated key cipher I setup client machines with way back when any longer.

I just generated new keys with a more modern cipher that it understands (ecdsa-sha2-nistp256) and left it running. Because why not 🙂

top 50 comments

sorted by: hot top controversial new old

[–] [email protected] 140 points 2 months ago (10 children)

Because why not 🙂

Because security.

[–] [email protected] 36 points 2 months ago* (last edited 2 months ago) (8 children)

It's behind a firewall. The only thing exposed to the outside is port 22 - and only pubkey login too.

And gee dude... It's been running for 18 years without being pwned 🙂

[–] [email protected] 100 points 2 months ago (1 children)

It hasnt been pwned so far

[–] [email protected] 12 points 2 months ago

For that matter, it hasn't been ransomwared. There are so many ways to hide a compromise.

[–] [email protected] 77 points 2 months ago (1 children)

without being pwned

How do you know?

[–] [email protected] 33 points 2 months ago (1 children)

There's a file called /pwnedornot and it contains "no, you're safe bro"

load more comments (1 replies)

[–] [email protected] 64 points 2 months ago

And it's not like it contains any sensitive information. I'm sure all your emails are just friendly correspondence with your pen pal.

[–] [email protected] 33 points 2 months ago (1 children)

I'd still maybe build a modern OpenSSH package.

There's been an awful lot of RCEs in the past two decades and uh, if that's rawdogging the internet, I'm honestly shocked you haven't been hit with any by now.

load more comments (1 replies)

[–] [email protected] 24 points 2 months ago

How do you know? Do you constantly monitor running processes, performance and network connections?

[–] [email protected] 18 points 2 months ago (1 children)

sorry, but what kind of email server listens only on SSH?

load more comments (1 replies)

[–] [email protected] 8 points 2 months ago

How do you know? OpenSSH is pretty good but it isn't impenetrable. Especially for almost 10 years.

[–] [email protected] 6 points 2 months ago (8 children)

Did you really only use it when you were home? If you used it outside the firewall then port 25 must have been open also.

I used to run my own server and this was in the early 90s. Then one day, perusing the logs I realized I was not smart enough on the security front to even attempt such a thing. It was quickly shut down and the MX record moved to an outsourced mail provider.

load more comments (8 replies)

load more comments (9 replies)

[–] [email protected] 107 points 2 months ago (1 children)

Good thing there hasn't been any remotely exploitable security bugs in any of the mail system components in the 6 years since Debian 7 went EoL

[–] [email protected] 18 points 2 months ago (1 children)

https://security-tracker.debian.org/tracker/

Depending on how it was configured it may or not be have been compromised. Probably better to go the nuclear option.

load more comments (1 replies)

[–] [email protected] 65 points 2 months ago (1 children)

That was a good test run. I think it's time to put it into production.

[–] [email protected] 18 points 2 months ago

Everyone has a test environment. Some people also have production environments

[–] [email protected] 44 points 2 months ago (1 children)

I'm fairly certain that SSH and whatever else you're exposing has had vulnerabilities fixed since then, especially if modern distros refuse to use the ssh key you were using, this screams of "we found something so critical here we don't want to touch it". If your server exposes anything in a standard port, e.g. SSH on 22, you probably should do a fresh install (although I would definitely not know how to rebuild a system I built almost 20 years ago).

That being said, it's amazing that an almost 20 year old system can work for almost 10 years without touching anything.

[–] [email protected] 11 points 2 months ago (3 children)

The amount of dos systems I have seen powering critical infrastructure in banks and hospitals is quite frankly nightmare fuel.

[–] [email protected] 13 points 1 month ago

A basic DOS system has zero networking or open ports

[–] [email protected] 7 points 2 months ago

They normally are isolated systems with controlled access. Same with shipping and any other critical industry.

Not to say that there aren't exceptions but these days there is a required level of compliance

[–] [email protected] 4 points 1 month ago

Remember its what the market determined is the best course of action.

[–] [email protected] 42 points 2 months ago (1 children)

You send mail to Gmail and Hotmail and it's actually accepted? How?

[–] [email protected] 40 points 2 months ago (1 children)

Patience. It really helps to have all the latest set up: SPF, DKIM, DMARC. Then after that it's a matter of IP reputation, you can email the various blocklists and you wait for the rest of them to clear on their own.

I've had that IP for 10 years and it has never sent spam, and I've sent enough emails that people open that it actually does get through fine. I haven't had to think about it for a long time, it just keeps on working. Barely had to even adjust my Postfix config through the upgrades.

[–] [email protected] 6 points 2 months ago

This is true. If you have DMARC and your RUA set up (with a working email (or one that doesn't bounce at least)) along with SPF and DKIM, Google and MS will accept your mail. The only time it won't at that point is if your IP is in the same /24 as a known spammer but so long as the spam stops, you'll fall off the list. Some of the common spamlists allow you to request your IP be removed by request and I can only recall one list that almost nobody uses that makes you pay for the removal though there may be more I don't recall.

[–] [email protected] 38 points 2 months ago (3 children)

Genuinely surprised when I see people running mail servers without issue. I suppose getting in relatively early means you're not immediately sent to junk mail lists by the big players.

[–] [email protected] 36 points 2 months ago (2 children)

Unfortunately that's not true. I've been running mail servers under my domain since around 2000, almost as long as Microsoft has been running Hotmail, and I was certainly following good standards like SPF and DKIM well before they considered such a thing... and yet Microsoft is the bane of my mail server's existence. Despite no compromises resulting in spam blasts, MS still regularly shuts me out with no reason given and no hits showing on their monitors. If I can find their email address to ask what the problem is, I get a generic "your domain has been cleared" sort of reply but never any reason why they blocked me in the first place.

[–] [email protected] 6 points 2 months ago (1 children)

Do you have a "spammy" TLD?

[–] [email protected] 6 points 2 months ago

My primary domain is something that people have blacklisted because four letters happen to partially match a word that could be spammy (how ridiculous is that?), however the mail servers (the ones they keep blocking) are attached to my computer business name which I registered in 2006, so there's really no reason why they should block it for that reason.

load more comments (1 replies)

[–] [email protected] 7 points 2 months ago

I've started up new domains and never had an issue getting mail accepted.

There's a right way to do it, and most people that complain that hosting email is impossible don't know how to configure it correctly.

load more comments (1 replies)

[–] [email protected] 33 points 1 month ago (2 children)

Family email server? Your family have an email server to themselves? You managed to deal with block lists over 2 decades and more?

My utmost respect to your dedication

[–] [email protected] 8 points 1 month ago

It takes a special kind to run and maintain a mail server. More so for doing it for such a long time.

load more comments (1 replies)

[–] [email protected] 20 points 2 months ago

It's had a good run. Let the little guy have a rest. Whatever you replace it with will consume less electricity.

[–] [email protected] 18 points 2 months ago (1 children)

you name your servers with nuclear subs names?

[–] [email protected] 18 points 2 months ago

I'm a kid of the cold war.

[–] [email protected] 18 points 2 months ago (2 children)

I gave up running an email server long ago - I thought it was basically impossible because too many spammers were doing it for nefarious purposes.

load more comments (2 replies)

[–] [email protected] 14 points 2 months ago (1 children)

Please tell you to at least have Freexian patches installed...

[–] [email protected] 14 points 2 months ago

This is how massive botnets form

[–] [email protected] 14 points 2 months ago

Believe it or not I've come into contact with Microsoft Exchange 2010 running on Server 2008 for 2000 days once. The company had ransomware.

[–] [email protected] 14 points 2 months ago (1 children)

Not to be that guy but why not use Curve25519?

I still remember all the conspiracies surrounding NIST and now 25519 is the default standard.

In 2013, interest began to increase considerably when it was discovered that the NSA had potentially implemented a backdoor into the P-256 curve based Dual_EC_DRBG algorithm.[11] While not directly related,[12] suspicious aspects of the NIST's P curve constants[13] led to concerns[14] that the NSA had chosen values that gave them an advantage in breaking the encryption.[15][16]

[–] [email protected] 6 points 2 months ago (1 children)

If you are worried that the NSA might be reading your email maybe it’ll be better for society if you don’t update … just saying.

[–] [email protected] 4 points 2 months ago

It took me a while to get this

[–] [email protected] 11 points 2 months ago

I hope you get your data off and then burn it and everything around it. It could be easily compromised you knowing. It could easily be used for spamming

[–] [email protected] 10 points 2 months ago (6 children)

That's the power of Linux. It can work for decades without issues.

load more comments (6 replies)

load more comments