posted Sep 16, 2012, 10:55 AM by Sami Lehtinen
updated Mar 28, 2014, 11:26 PM
- After some tuning I found out that the current RoundCube version is incompatible even with SQLite2. It would be a great time to upgrade RoundCube to support SQLite3. Because SQLite3 didn't work out too well, I installed MySQL. Because I now had MySQL installed on the server, I also configured it to be used for mail storage instead of the maildir format which I opted for earlier. I would have preferred maildir and sqlite3, but this option is way better if there's much traffic. Which there isn't. Now I have a completely independent and personal mail server with all the features I need: IMAPS (Dovecot), SMTP/SMTPS (Postfix), and secured WebMail.
- I wasn't happy yet, I still felt like fine tuning my system. I decided to spend it to improve security.
- First of all, security means that I can survive any crash situation. Therefore my server data is backed up daily to an off-site location and history is kept for three months. Whatever happens to my server, I'm sure I can restore the required data from backup. Yes, the backup is encrypted using public key cryptography (RSA/4096) and the CAMELLIA-256 bit symmetric cipher. That pretty much guarantees that no one can abuse my backups. Backup data is transferred using FTPS to a server in a safe location. The backup server is also well protected. First of all, it allows only connections with the right SSL client certificate and password, and all connections to it are strictly IP filtered at the hardware firewall level. All data on the backup server is moved to an alternate location daily from the FTPS access path, so even if someone could hack into my server and try to delete backups, it's impossible, because there's no way to delete those backups from the backup server even if the hacker had full FTPS access to it with my backup credentials. I naturally also ran full restore process tests to confirm that I wouldn't find myself in the very classical situation: yes, we do have backups, but we can't restore those properly.
- Configured port knocking server (knockd). Without the proper port knocking sequence, key services required to gain access to my server (SSH) aren't available on my server at all.
- Configured TOTP OTP for SSH and for RoundCube, so 8 digit time based one time password security code is required before access is granted.
- Configured SSH to use client certificates which means that even with previous security features having the token and password is not enough, you also have to have private key.
- Configured my server to use full disk encryption with early SSH access, which allows me to start the operating system from the secured partition. (Btw, getting the previous security features to work with this required quite a lot of tuning!)
- Configured RoundCube login page to use HTTP basic authentication, so there aren't any PHP scripts that could be run without first giving some kind of authentication. This is also one way to reduce risk of resource consumption attacks.
- Now I feel my mails are stored pretty safely. It might be bit overkill, but you have to try everything to learn how things work out.
- Confirmed that all incoming and outgoing email is encrypted, if the remote server just supports STARTTLS / TLS.
- Did some basic IT Management tasks: disaster recovery plan (DRP) and business contingency plan.
- Studied Raima RDM Server (Wikipedia) Raima RDM (raima.com) documentation thoroughly, including all supported SQL commands and database internal design details, indexing, free page (uni-directional) linked lists (first in first out), transactions (begin, mark, rollback, commit, read repeatability, transaction isolation), file & index formats & datasets. Of course I also had to test performance optimization, like extending the SQL optimizer history size (default:25), and expanding the in-memory page cache size (default:5000) for disk mapped tables/databases. I mostly do read tasks, so increasing MaxCheckPointSize doesn't really help me with my tasks. It turned out that adding page cache doesn't help too much, because the operating system is already caching data read from disk. Especially with servers which do other stuff too and do not have too much memory, the operating system's disk cache does better work than allocating memory to Raima exclusively. Performance optimizations, RDM manual, Server parameters.
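
The backup-server behaviour described in the backup item above (uploads moved daily out of the FTPS access path, history kept for three months) could be implemented along these lines. This is an added example, not the author's own script; the function names, directory paths, the 90-day reading of "three months" and the 10-minute settle time are all assumptions.

```python
import calendar, os, shutil, time
from pathlib import Path

RETENTION_DAYS = 90   # assumption: "three months" taken as 90 days
SETTLE_SECONDS = 600  # assumption: skip files modified in the last 10 min (upload may be running)

def sweep(drop_dir, archive_dir, now=None):
    """Move finished uploads from the FTPS-visible drop dir into a dated archive dir."""
    now = time.time() if now is None else now
    day_dir = Path(archive_dir) / time.strftime("%Y-%m-%d", time.gmtime(now))
    day_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for src in sorted(Path(drop_dir).iterdir()):
        # Ignore symlinks and directories: only plain uploaded files are archived.
        if src.is_symlink() or not src.is_file():
            continue
        if now - src.stat().st_mtime < SETTLE_SECONDS:
            continue
        # Never overwrite: a re-upload under an existing name gets a numeric suffix.
        dst, n = day_dir / src.name, 0
        while dst.exists():
            n += 1
            dst = day_dir / f"{src.name}.{n}"
        shutil.move(str(src), str(dst))
        os.chmod(dst, 0o400)  # read-only for the archive owner
        moved.append(dst)
    return moved

def prune(archive_dir, now=None):
    """Delete dated archive dirs older than the retention window; return their names."""
    now = time.time() if now is None else now
    cutoff = now - RETENTION_DAYS * 86400
    removed = []
    for day_dir in sorted(Path(archive_dir).iterdir()):
        try:
            stamp = calendar.timegm(time.strptime(day_dir.name, "%Y-%m-%d"))
        except ValueError:
            continue  # not one of our dated directories, leave it alone
        if day_dir.is_dir() and stamp < cutoff:
            shutil.rmtree(day_dir)
            removed.append(day_dir.name)
    return removed

if __name__ == "__main__":
    # Hypothetical paths; the archive must lie outside anything the FTPS account can reach.
    print(sweep("/srv/ftps/backup-drop", "/srv/backup-archive"))
    print(prune("/srv/backup-archive"))
```

Because the sweep never overwrites an archived file, someone holding the backup credentials can at most add files to the drop directory; earlier backups stay intact until the retention window expires.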