Table of Contents
2.1 Ability to Manage Domain MX Records
3 Free LetsEncrypt SSL Certificates
3.2 Wildcard Certificate Compatibility
4 Select Dynamic Domain Name Service
List of Tables
Table 1: Free SMTP SmartHosts
Table 2: Email Reception Services
Table 3: DDNS Providers
The terms Dynamic DNS (DDNS) and DNS (Domain Name Service) are used interchangeably since a DDNS service is just a DNS service which allows IP addresses to be dynamically updated by clients. The service may be free or paid, depending on provider and plan.
If you are not hosting internet services, or a domain name and Dynamic DNS provider service are already active, this step can be omitted.
A domain name is a human readable text string that is an alias (another name) for the numeric IP address used to uniquely identify a particular computer on the internet.
It is assumed your SecureOffice installation will provide publicly accessible internet services such as websites, email, file sharing, telephony, IoT, etc. If this is not the case, SecureOffice is being used as a (free) high performance router / gateway, and choosing a domain name and the following DNS provider selection can be omitted.
An active domain name is required to access the premium package repository for any packages not provided by basic OpenWrt / SecureOffice such as ZoneMinder (IP camera security system), Home-Assistant (home automation), docker containers, virtual machine hosting (Vmware), Xorg, NxServer and custom scripts such as RAID, easy VPN creation, etc.
There are two options for domain names:
Whether you choose a free or paid domain name, DNS service providers allow you to setup, manage and renew your domain registration.
Prior to next step, the following preferences have been established:
If you do not intend to have a local email server for your domain, the requirements of this section can be omitted.
MX (Mail eXchange) records are used to uniquely identify email servers on the internet. They translate email addresses (you@yourdomain) to the domain of the email server which handles email reception for a domain.
DNS services usually provide the ability to manage your domain Mail eXchange (MX) records. The requirement is the ability to set the real domain name (mail server host) that your domain's emails are delivered to. Ensure the chosen DNS provider allows you to manage your MX records.
Mailgun has an excellent overview of email ports, protocols and security considerations. Mailtrap has an excellent overview of SMTP security.
The most secure client (Outlook, Thunderbird, etc.) email configuration is to use SSL / TLS encryption for client email transmission to, and reception from, email servers. SMTP (Simple Mail Transfer Protocol) uses port 465 (legacy) or 587 (current standard) for email transmission. For email reception, POP3 (Post Office Protocol, version 3) uses port 995 and IMAP (Internet Message Access Protocol) uses port 993.
SMTP port 25 is used primarily for SMTP relaying. SMTP relaying is the transmission of email between email servers.
Unfortunately, for spam control reasons, most ISPs block outgoing SMTP port 25, preventing mail servers from directly sending email. Many ISPs provide alternate ports or a proxy for email transmission. If an alternate port is not available from your ISP, and they cannot / will not open the required ports for email transmission, the alternatives are to change ISP or use a third-party email transmission service with unblocked ports.
For email servers it is good practice to confirm that encryption is used for sent and received emails. MxToolbox provides a free online tool for this. To test a server, enter the email server <domain_name>:<port> for the sending (or proxy) and receiving servers. If the test results contain "OK - Supports TLS" for both servers then sent / received emails are encrypted in transit. This does not mean that all of your emails are end-to-end encrypted, since that depends on intermediate servers. Further, any server in the chain may be compromised, allowing third parties to monitor your emails and perform MITM attacks. For complete email security, some form of end-to-end encryption is required, where only the sender and recipients can read the contents.
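The MxToolbox check above can also be done from the command line. The following is an added example, not code from the SecureOffice project: it connects to a mail server on one of the ports named in this section and reports whether transport encryption is offered, using implicit TLS on port 465 and the STARTTLS upgrade on 25 / 587 / 2525. The `check_smtp_tls` function needs network access; `parse_ehlo_extensions` and the constructed sample EHLO reply let the decision logic be exercised offline. Host names and the sample reply are constructed for illustration.

```python
"""Check whether a mail server offers transport encryption on a given port.

Added example; not part of the original page. Port conventions follow the
text above: 465 = implicit TLS (SMTPS), 25 / 587 / 2525 = plain session
upgraded with STARTTLS. The sample EHLO reply is constructed, not captured.
"""
import smtplib
import ssl
from dataclasses import dataclass

# Ports on which the TLS handshake happens before any SMTP command is sent.
IMPLICIT_TLS_PORTS = {465}
# Ports where a plain session is started and then upgraded with STARTTLS.
STARTTLS_PORTS = {25, 587, 2525}


@dataclass
class TlsCheck:
    host: str
    port: int
    mode: str      # "implicit", "starttls", "none" or "error"
    detail: str


def parse_ehlo_extensions(reply: bytes) -> set:
    """Return the upper-cased extension keywords from a multi-line EHLO reply.

    smtplib hands back the 250 reply body as bytes, one line per extension;
    the first line is the server's greeting name and is skipped.
    """
    lines = reply.decode("ascii", errors="replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}


def advertises_starttls(reply: bytes) -> bool:
    return "STARTTLS" in parse_ehlo_extensions(reply)


def classify_port(port: int) -> str:
    if port in IMPLICIT_TLS_PORTS:
        return "implicit"
    if port in STARTTLS_PORTS:
        return "starttls"
    return "unknown"


def check_smtp_tls(host: str, port: int, timeout: float = 10.0) -> TlsCheck:
    """Live check (needs network): connect and verify that TLS is really offered.

    Certificate validation is left on (default context), so a server with an
    untrusted or mismatched certificate is reported as an error, not as OK.
    """
    ctx = ssl.create_default_context()
    try:
        if classify_port(port) == "implicit":
            with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
                s.ehlo()
                return TlsCheck(host, port, "implicit", "TLS session established")
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            code, reply = s.ehlo()
            if code != 250:
                return TlsCheck(host, port, "error", f"EHLO failed with {code}")
            if not advertises_starttls(reply):
                return TlsCheck(host, port, "none", "server does not advertise STARTTLS")
            s.starttls(context=ctx)   # raises if the certificate does not validate
            s.ehlo()
            return TlsCheck(host, port, "starttls", "upgraded to TLS after STARTTLS")
    except (OSError, smtplib.SMTPException) as exc:
        return TlsCheck(host, port, "error", str(exc))


# Constructed EHLO reply of the shape smtplib returns (not from a real server).
SAMPLE_EHLO_REPLY = (b"mail.example.test\nSIZE 35882577\n8BITMIME\n"
                     b"STARTTLS\nENHANCEDSTATUSCODES\nSMTPUTF8")

if __name__ == "__main__":
    # Example usage against your own server (hypothetical host name):
    #   print(check_smtp_tls("mail.example.test", 587))
    print("sample reply advertises STARTTLS:", advertises_starttls(SAMPLE_EHLO_REPLY))
```

A "none" result on port 587 means clients would send credentials in clear text; treat it the same way as a failed MxToolbox check and fix the server configuration before opening the port.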
Some ISPs block incoming SMTP port 25. Many will unblock this port at customer request. If incoming port 25 is blocked and cannot be unblocked, the alternatives are to change ISP or use a third-party email service which receives your domain's emails on port 25 and forwards them on an alternate port, which the SecureOffice firewall forwards to your email server.
In preparation for running an email server, the best (most secure) scenario is to ensure that your ISP does not block incoming port 25 and either does not block outgoing port 25 or provides an alternate port for email transmission.
An additional email security consideration is determining whether your ISP or email provider intercepts or stores incoming / outgoing emails and logs. They may lie about this and, ISPs in many jurisdictions are legally compelled to keep copies of your emails should snoops with guns become interested. To work around this, find an ISP or email provider with a no logs, no storage policy or consider end-to-end email encryption.
If your ISP does not meet the above requirements, third party email send and / or receive email services are required, negating some of the security benefits of point-to-point email.
Spam (junk email) is a serious problem, clogging user inboxes, wasting mail server resources and, in general, reducing the quality of email service. To deal with spam, email servers rely on blacklists containing the domains of known spammers. If your domain gets on a blacklist, many mail servers will reject your emails and many email clients will classify your emails as spam.
It is possible to get on a blacklist through no fault of your own, because your ISP or DNS provider's entire domain has been blacklisted due to spamming by other customers, or because you have a virus sending spam. If you have a dynamic IP address, you may end up blacklisted due to spamming by a previous user of the same IP address.
If your emails are not being delivered, after confirming that it is not a configuration problem, there are tools available to check whether your domain has been blacklisted. Blacklist status of your domain can be checked using MX Toolbox.
If your domain ends up on a blacklist, it must be determined why, the problem corrected and a request must be made for removal from whichever blacklist you are on.
The Composite Blocking List is one central repository of blacklisted domains / IP addresses. Their website contains information regarding how to fix the problems that got you blacklisted and how to be removed from the blacklist. Use the MX Toolbox link above to determine which blacklist(s) you are on and follow the removal procedures for that blacklist.
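The blacklist checks described above are ordinary DNS queries, which makes it easy to script a periodic check of your own outgoing mail IP. The following is an added example, not SecureOffice code: it builds the reversed-octet query name for each list zone, classifies the answer (a 127.0.0.0/8 reply means listed, NXDOMAIN means clean), and lets the resolver be swapped for a constructed one so the logic runs offline. The zone names are real public DNSBL zones; the sample answers in `FAKE_DNS` are constructed, not real listing data, and the 127.255.255.0/24 error range is a Spamhaus convention that other lists may not share.

```python
"""Check an IPv4 address against DNS-based blacklists (DNSBLs).

Added example; not part of the original page. A DNSBL is queried by reversing
the address octets and appending the list zone, e.g.
203.0.113.9 -> 9.113.0.203.zen.spamhaus.org. An A record in 127.0.0.0/8 means
"listed"; NXDOMAIN (no answer) means "not listed".
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# A resolver maps a query name to an A record string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# Public DNSBL zones (real zone names; confirm terms of use before automating).
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "cbl.abuseat.org"]

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")
# Spamhaus answers in this range for query errors (e.g. open resolver use);
# they must not be read as a listing. Assumption: other zones may differ.
ERROR_RANGE = ipaddress.IPv4Network("127.255.255.0/24")


def dnsbl_query_name(ip: str, zone: str) -> str:
    addr = ipaddress.IPv4Address(ip)           # ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> Optional[str]:
    """Live lookup through the host's resolver (needs network)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed_reply(answer: Optional[str]) -> bool:
    if answer is None:
        return False
    reply = ipaddress.IPv4Address(answer)
    if reply in ERROR_RANGE:
        return False
    return reply in LISTED_RANGE


def check_ip(ip: str, zones=DNSBL_ZONES, resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists the address."""
    listings = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if is_listed_reply(answer):
            listings[zone] = answer
    return listings


# Constructed resolver answers standing in for live DNS (not real listing data).
FAKE_DNS = {
    "9.113.0.203.zen.spamhaus.org": "127.0.0.4",
    "9.113.0.203.bl.spamcop.net": None,
    "9.113.0.203.cbl.abuseat.org": "127.0.0.2",
    "1.100.51.198.zen.spamhaus.org": "127.255.255.254",   # error reply, not a listing
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    # Offline demonstration; replace fake_resolver with system_resolver for a live check.
    for ip in ("203.0.113.9", "198.51.100.1"):
        print(ip, "listed on:", check_ip(ip, resolve=fake_resolver) or "nothing")
```

Run this against the address your mail server sends from, not your domain name: most lists key on the IP, and with a dynamic address the listing may predate you, as the text above notes.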
SMTP SmartHosts are intermediate email servers which accept emails from senders and forward them to recipients. Sending an email using a SmartHost requires authentication, generating a higher level of trust (reducing spam rejection) by recipient email servers. If your ISP provides an alternate port for email transmission, this is an SMTP SmartHost.
SMTP SmartHosts are used for the following purposes:
If your ISP blocks outgoing port 25 and does not provide an alternate port for email transmission, you will have to choose and use an SMTP SmartHost.
Below are several free SMTP SmartHost service providers. None have been tested with SecureOffice. Users will have to research and choose one that meets their requirements.
| Provider | Free | Port Redirection | Notes |
| --- | --- | --- | --- |
|  | Yes | 25, 2525, 587, and 465 (SSL) | Free plan is limited to 2000 emails / month. No credit card required. |
|  | Yes | 25, 2525, or 587, TLS all ports | Free for first 25000 emails. |
|  | Yes | 25, 587, or 465 (SMTPS) | Free for first 10,000 emails / month |
|  | Yes | 25, 587, 2525 or 465 (SMTPS) | Free for first 10,000 emails / month. Also provides free domain email reception service. |

Table 1: Free SMTP SmartHosts
Some DNS service providers also provide SMTP SmartHost services.
Third-party email services may be required for the following reasons:
Below are several options for mostly free email reception services. Search the internet for more.
| Provider | Free | Features | Port Redirection | Notes |
| --- | --- | --- | --- | --- |
|  | Can Be | Anti spam, virus, daily spam blocked email report. Recipients can be removed from spam list. | Yes, choose any email receive port | Tested. Free if link is included on your website. Buy credits until your site is up. |
|  | Yes | Anti spam, smart routing | ? | Free for first 10,000 emails / month. |
|  | No | Anti spam, virus | Yes, choose any email receive port. |  |

Table 2: Email Reception Services
Some DNS service providers also provide Email Reception services.
If you plan on using free SSL certificates from LetsEncrypt with a subdomain of a DDNS provider, a problem to watch out for is "Too Many Certificates Issued".
This is an indication that you are using a subdomain of a DNS provider who is not on the "Public Suffix List", so LetsEncrypt counts every customer's certificates against the provider's shared domain. An alternate method of acquiring SSL certificates or a LetsEncrypt compatible DNS provider must then be chosen. While you are at it, send a support request to the DNS provider requesting they get on the "Public Suffix List".
The SecureOffice team uses a subdomain of dynu.com (which is not on the "Public Suffix List") and luci-app-nginx-certificates for testing SecureOffice. In practice, it appears that LetsEncrypt periodically resets their certificate counter per domain, and, if you keep trying (luci-app-nginx-certificates automatically retries periodically), eventually your certificates will be updated.
The point is that DDNS provider LetsEncrypt compatibility may be a trial-and-error thing and it may take a day or so for certificates to be issued.
Further information regarding SSL certificates, LetsEncrypt, luci-app-nginx-certificates (automatic certificate renewal) is available here.
LetsEncrypt wildcard certificates, which are required for subdomain addressing, need support from your DNS provider. Usage of subdomain addressing is strongly recommended because it reduces SSL certificate and Nginx configuration management, allowing easy expansion of site services without impacting SSL certificates. When choosing a DDNS provider, ensure that they are LetsEncrypt DNS-01 Challenge compatible. Do an internet search for "Letsencrypt DNS-01 Challenge DNS providers" to select a DNS provider, or use dynu.com (free and paid DNS verified and used by the SecureOffice team).
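To see why DNS-01 compatibility depends on the provider, it helps to know exactly what the ACME client has to publish in your zone. The following is an added example, not code from LetsEncrypt, luci-app-nginx-certificates or SecureOffice: it derives the `_acme-challenge` TXT record name and value from the challenge token and the account key's JWK thumbprint, as RFC 8555 (section 8.4) and RFC 7638 specify, without contacting any CA or DNS API. The account key and token are constructed sample values; a DDNS provider is "DNS-01 compatible" when its API lets the client create and remove exactly this record automatically on every renewal.

```python
"""Derive the _acme-challenge TXT record for an ACME DNS-01 challenge.

Added example; not part of the original page. Computation per RFC 8555 / 7638:
  key_authorization = token + "." + base64url(SHA-256(canonical JWK))
  TXT value         = base64url(SHA-256(key_authorization))
A wildcard name (*.example.test) is validated at its base name, so the record
goes to _acme-challenge.example.test for both the base and the wildcard.
"""
import base64
import hashlib
import json
from typing import Tuple


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sha256_bytes(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, keys sorted, no whitespace.

    Optional members such as "alg" or "kid" must be dropped, otherwise the
    thumbprint (and thus the TXT value) will not match what the CA expects.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(sha256_bytes(canonical.encode("utf-8")))


def dns01_record(domain: str, token: str, jwk: dict) -> Tuple[str, str]:
    """Return (record name, TXT value) the client must publish for `domain`."""
    base = domain[2:] if domain.startswith("*.") else domain
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    txt_value = b64url(sha256_bytes(key_authorization.encode("ascii")))
    return f"_acme-challenge.{base}", txt_value


# Constructed sample account key (public part only) and challenge token.
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "WbbXvK0oYSL4B6JDV7n0UzBcVi2ocKN0svU0Z04T8kc",
    "y": "fjEzU9W0sZWEgPH3e1B1cR9eJwJxh7x3D2RRQTTR_hI",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    # Hypothetical domain; with a real client the provider API would create this record.
    name, value = dns01_record("*.example.test", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{name}. 60 IN TXT "{value}"')
```

Because the record is created and deleted again on every renewal (roughly every 60 to 90 days with LetsEncrypt), a provider that only offers manual TXT editing will work once but not for unattended renewal; that is the property to check when qualifying a DDNS provider from the list below.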
For users who already have a DNS provider chosen and configured, assuming the provider meets the following selection criteria, this step can be omitted.
For the purpose of quickly getting up and running, it is suggested that a DDNS service provider meeting your requirements be selected from the following list, which is far from exhaustive. It is also suggested to use a free subdomain (you.ddnsprovider) for testing your services. Then, once SecureOffice and your internet services are verified, a unique (paid) domain name and various DDNS service providers can, if desired, be tested and qualified until a final choice is made.
The ability to manage MX records allows redirecting email to another, existing email address. This is a crucial DDNS feature if you intend to host your own email server.
The ability to relay / proxy email on another port, where available from DNS providers, is an extra cost; otherwise it requires a third-party email store and forward service provider.
| DDNS Provider | Free Subdomains | Email Store & Forward | Manage MX Records | Notes |
| --- | --- | --- | --- | --- |
|  | Yes | Yes, $ | Yes, Proxy port 25 requires store and forward service, $. | Tested. Recommended, Reasonable cost for unique domain registration. |
|  | Yes | Yes, $ | Yes, Paid Feature |  |
|  | No, requires registered, unique domain name | Yes, $ | Yes. Proxy port 25 requires store and forward service, $. |  |
|  | Yes | No | No | Auto MX Records, point to your domain. No mail port or mail domain redirection. |
|  | No | Yes, $ | Yes, Proxy port 25 requires store and forward service, $ |  |
|  | Yes | Yes, $ | Yes, Proxy port 25 requires store and forward service, $ |  |

Table 3: DDNS Providers
The OpenWrt DDNS Wiki provides further information which may aid in final selection of DDNS provider and name registrar for your final domain name choice.
It is expected (hint: requested) that users will add to this DDNS provider list by posting their successes in the forum.
It is requested that, for DDNS providers which do not support or allow altering MX records, users submit support requests to those non-compliant DDNS providers asking for these features.
It is quite possible that some DDNS providers will ignore these support requests for business reasons (they want to charge for email redirection) and will not be added to the above list.
Technologies Used: