email grief

I spent the last few days trying to work out why my new email server kept cutting out.

As I said at the Brighton conference (an old Brit joke), I’m moving my domains, including dylanharris.org, thuis. There are many advantages to doing so, but a disadvantage is that, unlike my old hosts at Powweb, my new domain supplier, euroDNS, offers very limited email facilities.

image: a concrete cast

That’s why I have to set up my own email server.

Actually, I’ve been running them for a long time, but have never allowed any to be visible to the internet. This is because there are a large number of organisations out there who commit the social offence of marketing. I want to minimise the risks of my falling for one their scams. I can partially do so by making it difficult for them to contact me in the first place.

Worse, a badly configured email server will allow itself to be abused by criminals seeking victims. If the spammers can see my servers, they’ll try and abuse them.

That’s why my existing emails servers were hidden from the net. Now, though, with my new domain arrangements, I have to change approach. I decided to set up a new OpenBSD email server as properly as I could. I followed Michał Krzysztofowicz’s guidelines, taking into account the official OpenSMTPD examples.

I set it up, I put it in place, it seemed to work — except that, unfortunately, every so often, connections were cut. I was working on it, then I couldn’t see it. I couldn’t reconnect. I concluded the operating system was crashing; if it were a particular daemon, I thought, surely I’d be able to see the others?

I suspected the email daemon itself, smtpd, was crashing the OS; then the client email distributor, dovecot; the spam ban daemon, spamd; etc., etc., etc.. I stopped them, I started them: the problem went away, and came back again, but never in sync with the tests. I spent days looking in the wrong place.

Eventually, I realised that the problem always occurred when outlook on my workstation connected to the server. Now, I want outlook, despite my earlier concerns, because it’s one of the few email clients that’s relatively secure against the EFAIL exploit. But how was it causing the server to die?

Well, actually, it wasn’t. The email server was behaving as instructed.

It turns out the protections against abusers were too enthusiastic. The firewall configuration include instructions to block computers that attempted too many connections too quickly, an essential protection against denial of service attacks. Unfortunately, outlook, which clearly likes to make lots of connections, was triggering the protection. It probably didn’t help that I’d set up half a dozen test email addresses.

So I changed the settings. Now I can connect reliably, and stay connected. Mind you, I still need to further refine the abuse protection. As I write, the search engines have triggered the blocks, so are currently blocked from the web server. That is not useful.

What on Earth, you might think: how could one email client, outlook, blow up a whole email server? Well, the server’s not exactly a grand black box of internet superpowers. It’s really a spare wee server, not much bigger than a kitten, and no better at identifying tasty creepy crawlies.