
Table of Contents

1      Choose a Domain Name

2      Email Server Considerations

2.1                Ability to Manage Domain MX Records

2.2                Maximum Email Security

2.3                Email Blacklisting

2.4                Send Email Services

2.5                Receive Email Services

3      Free LetsEncrypt SSL Certificates

4      Select Dynamic Domain Name Service

List of Tables

Table 1:       Free SMTP SmartHosts

Table 2:       Email Reception Services

Table 3:       DDNS Providers

1      Choose a Domain Name

If a domain name is already available, this step can be omitted.

A domain name is a human readable text string that is an alias (another name) for the numeric IP address used to uniquely identify a particular computer on the internet.

It is assumed your SecureOffice installation will provide publicly accessible services such as websites, email, file, and telephony services to the internet. If this is not the case, SecureOffice is being used as a (free) high performance router / gateway, and choosing a domain and the following DDNS provider selection can be omitted.

An active domain name is also required to access the premium package repository for any packages not provided by basic OpenWrt such as zoneminder (IP camera security system), home-assistant (home automation), xorg, nxserver and custom scripts such as RAID, easy VPN creation, etc.

There are two options for domain names:

  • A free domain name, a subdomain of a Dynamic Domain Name Service (DDNS) provider. For example "you.dynu.com". Your domain name will be of the form "yoursite_name" dot "provider_name" dot "(com, org, etc.)". It is recommended that users initially choose a free domain name until SecureOffice configuration is nearly complete (except for Securing Your Site section) and then decide whether or not a paid domain name is required.
  • A paid (yearly cost) domain name. For example "you.com". Your domain name will be of the form "yoursite_name" dot "(com, org, etc.)". Note that if you have a static IP address from your ISP (Internet Service Provider), they may already provide domain name and DNS services as part of your internet plan.
  • Securely hosting internet services (encrypted) requires SSL certificates for your site, discussed here.

Whether you choose a free or paid domain name, DDNS service providers allow you to setup, manage and renew your domain registration.

Prior to next step, the following preferences have been established:

  • Free or paid domain name.
  • Unique portion of domain name, for example "my_really_cool_domain"
  • Domain Suffix: ".com", ".org", etc.

2      Email Server Considerations

If you do not intend to have a local email server for your domain, the requirements of this section can be omitted.

2.1                Ability to Manage Domain MX Records

MX (Mail eXchange) records are used to uniquely identify email servers on the internet. They are used to provide instructions to translate email addresses (you@yourdomain) to the domain of the email server which handles email reception for a domain.

DDNS services usually provide the ability to manage your domain's Mail eXchange (MX) records. The requirement is the ability to modify the real domain name that your emails are forwarded to. Ensure the chosen DDNS provider allows you to manage your MX records.

2.2                Maximum Email Security

The most secure email configuration is to use SSL / TLS encryption using the SMTP port provided by your ISP (25 or alternate port) for email transmission and have your email server listening to the ports required for email reception: SMTP: port 25 and 587 and Secure SMTP (SSL / TLS): port 465. This means that sent and received emails go point to point, with no third-party servers (snoops) involved, intercepting your email.

Unfortunately, for spam control reasons, most ISPs block SMTP port 25 outgoing, preventing mail servers from sending email. Many ISPs provide an alternate port for email transmission. If an alternate port is not available from your ISP and they cannot open port 25, the alternatives are to change ISP or use a third-party email transmission service.

Some ISPs block SMTP port 25 incoming. Many will unblock this port at customer request. If port 25 incoming is blocked and cannot be unblocked, the alternatives are to change ISP or use a third-party email service which receives your domain emails on port 25 and forwards them using an alternate port, which the SecureOffice firewall forwards to your email server on port 25.

In preparation for running an email server, best case (most secure) scenario is to ensure that your ISP does not block port 25 incoming and either does not block port 25 outgoing or provides an alternate port for email transmission.

An additional email security consideration is determining whether your ISP intercepts or stores incoming / outgoing emails and logs. They may lie about this, and ISPs in many jurisdictions are legally obligated to keep copies of your emails should snoops with guns become interested. To work around this, find an ISP or email provider with a no logs, no storage policy or consider PGP email encryption.

If your ISP does not meet the above requirements, third party email send and / or receive email services are required, negating some of the security benefits of point to point email.

2.3                Email Blacklisting

Spam (junk email) is a serious problem, clogging user inboxes, wasting mail server resources and, in general, reducing the quality of email service. To deal with spam, email servers rely on blacklists containing the domains of known spammers. If your domain gets on a blacklist, many mail servers will reject your emails and many email clients will classify your emails as spam.

It is possible to get on a blacklist through no fault of your own, because your ISP or DDNS provider's entire domain has been blacklisted due to spamming by other customers, or because you have a virus sending spam. If you have a dynamic IP address, you may end up blacklisted due to spamming by a previous user of the same IP address.

If your emails are not being delivered, after confirming that it is not a configuration problem, there are tools available to check whether your domain has been blacklisted. Blacklist status of your domain can be checked using MX Toolbox.

If your domain ends up on a blacklist, it must be determined why, the problem corrected and then a request must be made for removal from whichever blacklist you are on.

The Composite Blocking List is one central repository of blacklisted domains / IP addresses. Their website contains information regarding how to fix the problems that got you blacklisted and how to be removed from the blacklist. Use the MX Toolbox link above to determine which blacklist(s) you are on and follow the removal procedures for each blacklist.
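IP-based blacklists are normally published as DNS zones (DNSBLs): the address is reversed, the zone name is appended, and an answer inside 127.0.0.0/8 means "listed". The following is an added example, not SecureOffice code, of that lookup for checking your own WAN address. The zone names, the sample address and the `fake_resolve` helper are constructed placeholders.

```python
import ipaddress
import socket

# Placeholder zones, constructed for this example; substitute the DNS zone
# published by the blacklist you are checking.
ZONES = ["dnsbl-a.example.org", "dnsbl-b.example.org"]

def dnsbl_query_name(ip, zone):
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    pointer = ipaddress.ip_address(ip).reverse_pointer  # "10.2.0.192.in-addr.arpa"
    return pointer.rsplit(".", 2)[0] + "." + zone       # drop "in-addr.arpa" / "ip6.arpa"

def check_listing(ip, zone, resolve=socket.gethostbyname):
    """Return (listed, answer); answer is None when the name does not resolve."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return (False, None)  # NXDOMAIN (not listed) or a failed lookup
    # A listing is signalled by an answer inside 127.0.0.0/8. Any other answer
    # (for example a resolver that rewrites NXDOMAIN) is not a listing.
    listed = ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    return (listed, answer)

def survey(ip, zones=ZONES, resolve=socket.gethostbyname):
    """Check one address against every zone and return {zone: (listed, answer)}."""
    return {zone: check_listing(ip, zone, resolve) for zone in zones}

# Constructed resolver so the example runs offline: 192.0.2.10 is "listed" in
# zone A, and zone B sits behind a resolver that hijacks NXDOMAIN answers.
FAKE_ANSWERS = {
    "10.2.0.192.dnsbl-a.example.org": "127.0.0.2",
    "10.2.0.192.dnsbl-b.example.org": "203.0.113.7",
}

def fake_resolve(name):
    if name not in FAKE_ANSWERS:
        raise socket.gaierror(socket.EAI_NONAME, "name not known")
    return FAKE_ANSWERS[name]

if __name__ == "__main__":
    for zone, (listed, answer) in survey("192.0.2.10", resolve=fake_resolve).items():
        print(f"{zone}: listed={listed} answer={answer}")
```

With a dynamic IP address, run the check against the current WAN address after each address change, since a listing follows the address rather than the domain.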

2.4                Send Email Services

SMTP SmartHosts are intermediate email servers which accept emails from senders and forward them to recipients. Sending an email using a SmartHost requires authentication, generating a higher level of trust (reducing spam rejection) by recipient email servers. If your ISP provides an alternate port for email transmission, this is an SMTP SmartHost.

SMTP SmartHosts are used for the following purposes:

  • By ISPs to spam filter sent emails, to control spam and avoid getting on blacklists, which results in emails being rejected by mail servers.
  • To provide an alternate port for email transmission, working around ISPs which block port 25 outgoing.
  • To have a third party deal with email blacklisting, keeping your domain / IP address off blacklists and managing removal from blacklists.
  • Offload bulk email transmission from your local email server.

If your ISP blocks port 25 outgoing and does not provide an alternate port for email transmission, you will have to choose and use an SMTP SmartHost.

Below are several free SMTP SmartHost service providers. None have been tested with SecureOffice. Users will have to research and choose one that meets their requirements.

| Provider | Free | Port Redirection | Notes |
|---|---|---|---|
| Socket Labs | Yes | 25, 2525, 587, and 465 (SSL) | Free plan is limited to 2000 emails / month. No credit card required. |
| Postmark | Yes | 25, 2525, or 587, TLS all ports | Free for first 25000 emails. |
| Easy SMTP | Yes | 25, 587, or 465 (SMTPS) | Free for first 10,000 emails / month |
| MailGun | Yes | 25, 587, 2525 or 465 (SMTPS) | Free for first 10,000 emails / month. Also provides free domain email reception service. |

Table 1: Free SMTP SmartHosts

Some DDNS service providers also provide SMTP SmartHost services.

2.5                Receive Email Services

Third-party email services may be required for the following reasons:

  • The receive port (25) required for email is blocked by your ISP. Choose a service which provides port redirection to ports not blocked by your ISP.
  • You want third-party spam / virus filtering service for emails.
  • You do not want to miss emails when your server is down. Most email senders retry for at least several days if delivery is unsuccessful, meaning a server can be down for several days before missing emails. Store and forward services (with longer rejection time-outs) delay sending emails until your server is back up.

Below are several options for mostly free email reception services. Search the internet for more.

| Provider | Free | Features | Port Redirection | Notes |
|---|---|---|---|---|
| MxGuardDog | Can Be | Anti spam, virus, daily spam blocked email report. Recipients can be removed from spam list. | Yes, choose any email receive port | Tested. Free if link is included on your website. Buy credits until your site is up. |
| MailGun | Yes | Anti spam, smart routing | ? | Free for first 10,000 emails / month. |
| dynu.com | No | Anti spam, virus | Yes, choose any email receive port. | |

Table 2: Email Reception Services

Some DDNS service providers also provide Email Reception services.

 

3      Free LetsEncrypt SSL Certificates

If you plan on using free SSL certificates from LetsEncrypt with a subdomain of a DDNS provider, a problem to watch out for is "Too Many Certificates Issued".

This is an indication you are using a subdomain of a DDNS provider who is not on the "Public Suffix List", meaning that an alternate method of acquiring SSL certificates or a LetsEncrypt compatible DDNS provider must be chosen. While you are at it, send a support request to the DDNS provider requesting they get on the "Public Suffix List".

The SecureOffice team uses a subdomain of dynu.com (which is not on the "Public Suffix List") and luci-app-nginx certificates for testing SecureOffice. In practice, it appears that LetsEncrypt periodically resets their certificate counter per domain, and, if you keep trying (luci-app-nginx certificates retries periodically), eventually your certificates will be updated.

The point is that DDNS provider LetsEncrypt compatibility may be a trial and error thing.
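How the Public Suffix List changes which names share one LetsEncrypt issuance quota (LetsEncrypt counts certificates per registered domain), shown as an added example that is not SecureOffice code. The rule sets and the `ddnsprovider.example` host names are constructed; the matching logic follows the algorithm published with the real list at publicsuffix.org.

```python
from collections import Counter

# Constructed rule sets (not the real Public Suffix List). The second set
# models the DDNS provider having been added to the list.
RULES_PROVIDER_UNLISTED = {"com", "example"}
RULES_PROVIDER_LISTED = RULES_PROVIDER_UNLISTED | {"ddnsprovider.example"}

# Constructed host names that each request a certificate.
HOSTS = ["you.ddnsprovider.example", "www.you.ddnsprovider.example",
         "neighbour.ddnsprovider.example", "you.com"]

def public_suffix_len(labels, rules):
    """Return how many trailing labels form the public suffix."""
    best = 1  # default rule "*": the last label alone is a public suffix
    for i in range(len(labels)):
        candidate = labels[i:]
        name = ".".join(candidate)
        if "!" + name in rules:
            # Exception rule wins outright: the suffix is the rule minus its first label.
            return len(candidate) - 1
        wildcard = "*." + ".".join(candidate[1:])
        if name in rules or (len(candidate) > 1 and wildcard in rules):
            best = max(best, len(candidate))  # longest matching rule prevails
    return best

def registered_domain(host, rules):
    """Public suffix plus one label, or None if the host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = public_suffix_len(labels, rules)
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])

def issuance_buckets(hosts, rules):
    """Count how many hosts fall into each registered-domain quota bucket."""
    return Counter(registered_domain(h, rules) for h in hosts)

if __name__ == "__main__":
    for label, rules in (("provider unlisted", RULES_PROVIDER_UNLISTED),
                         ("provider listed", RULES_PROVIDER_LISTED)):
        print(label, dict(issuance_buckets(HOSTS, rules)))
```

With the provider unlisted, every customer subdomain lands in the single `ddnsprovider.example` bucket, which is why one subscriber can hit "Too Many Certificates Issued" because of certificates requested by others.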

Further information regarding SSL certificates, LetsEncrypt, luci-app-nginx-certificates (automatic certificate renewal) is available here.

4      Select Dynamic Domain Name Service

For users who already have a DDNS provider chosen and configured, assuming the provider meets the following selection criteria, this step can be omitted.

For the purpose of quickly getting up and running, it is suggested that a DDNS service provider meeting your requirements be selected from the following list, which is far from exhaustive. It is also suggested to use a free subdomain (you.ddnsprovider) for testing your services. Then, once SecureOffice and your internet services are tested, if desired a unique (paid) domain name and various DDNS service providers can be tested and qualified until a final choice is made.

The ability to manage MX records allows redirecting email to another, existing email address. This is a crucial DDNS feature if you intend to host your own email server.

The ability to relay / proxy email on another port, if available from a DDNS provider, is an extra cost; otherwise it requires a third-party service provider for email store and forward.

 

| DDNS Provider | Free Subdomains | Email Store & Forward | Manage MX Records | Notes |
|---|---|---|---|---|
| dynu.com | Yes | Yes, $ | Yes, Proxy port 25 requires store and forward service, $. | Tested. Recommended, Reasonable cost for unique domain registration. |
| no-ip.com | Yes | Yes, $ | Yes, Paid Feature | |
| namecheap.com | No, requires registered, unique domain name | Yes, $ | Yes. Proxy port 25 requires store and forward service, $. | |
| DuckDNS | Yes | No | No | Auto MX Records, point to your domain. No mail port or mail domain redirection. |
| Google Domains | No | Yes, $ | Yes, Proxy port 25 requires store and forward service, $ | |
| cloudns.net | Yes | Yes, $ | Yes, Proxy port 25 requires store and forward service, $ | |

Table 3: DDNS Providers

The OpenWrt DDNS Wiki provides further information which may aid in final selection of DDNS provider and name registrar for your final domain name choice.

It is expected (hint: requested) that users will add to this DDNS provider list by posting their successes in the forum.

It is requested that users submit support requests to DDNS providers that do not support or allow altering MX records, asking for these features.

It is quite possible that some DDNS providers will ignore these support requests for business reasons (they want to charge for email redirection) and will not be added to the above list.
