Видео

You should find the bits about SPF records are still useful to you, since that applies whether you're running an SMTP server or setting up an SMTP relay. I don't have any information about hmail specifically. But it looks like that's an actual server. I'm not clear on whether you're attempting to send directly from that machine (from the SMTP server), or whether you're setting up a Windows 10 machine to send outbound email via the server (SMTP relay, from sending machine to server to Internet). If you're doing relay, then there's nothing special for Windows 10. Just point it at your SMTP server, and as long as you've configured the server correctly to allow relay from that machine, you should be able to send outbound. :)

@@NextDoorNetAdmin hmail is the mailserver I have running on a windows 10 machine. I'd need a relay service to actually enable the server to send mail. Receiving works perfectly. I found that it isn't maintained anymore since 2021, so I'm going to look for a complete solution. Might as well go for a linux server for everything, since I'll need web hosting, file server, chat server etc. anyway. And I have an old HP proliant lying around anyway. Thank you for your quick reply! I'll definitely watch the entire video too. There's no such thing as learning too much after all ;)

I'm not sure I would agree that Heartbleed disproved the aphorism you mention. If anything, I think Heartbleed proved the general point that those who use a product commercially should contribute to its development. Crypto in general is a hard subject to do well, and the OpenSSL devs were chronically short on money and people who were both skilled enough and had sufficient free time to contribute. They didn't have the "many eyes" they needed to make the bugs shallow, nor did they have the resources to hire more. I don't think Itanium created any sort of a monoculture. Other RISC lines (including SPARC, ARM, and the IBM Power series) continued for decades after Itanium's introduction. They may not be especially common (certainly not as common as the x86-64 CISC microarchitecture), but they're still out there, and many are still being actively developed and sold today. Itanium, on the other hand, has itself been discontinued.

That's a great tip, thanks! :D

@@NextDoorNetAdmin You are very welcome! I appreciate your video, it assisted me today!

I would leave it enabled. Certainly won't hurt anything! Then if something tries to use multicast and you happen to have a router which supports it, and all the stars align... it should work! If you disable IGMP snooping, that might end up being the piece which breaks it.

I do! Use a business connection. :) Not to be glib about it, but residential connections often have port 25 blocked in order to combat spam being sent from unaware customers infected with malware. Customers accessing their remote email accounts will usually use a different port--sending directly to port 25 (with or without STARTTLS) is indicative of a server-to-server (relay) connection. Conversely, since a business connection is expected to be running business applications (including email servers), all ports are generally left unblocked. Since you would need a static IP to add into the SPF record to permit the relay, that's also something typically available on a business connection.

@@NextDoorNetAdmin Sorry to say, Comcast in Florida is blocking port 25, even for businesses (which is why I asked). Many companies are dealing with this. To get around it, I set up an SMTP relay server with postfix. It connects to Office 365 using TLS and an account with SMTP authentication enabled.

@@JavierDiaz-zh2jo Ouch! That boggles my mind, honestly. Business connections should be unfiltered, in my mind--it's one of the main reasons to even get a business connection in the first place! I'm going to guess that switching ISPs is likewise not a feasible option. If so, then I would honestly next look at ways of proxying the connection. First thing I would try is probably setting up an SSH tunnel to another endpoint where port 25 isn't blocked. If you had a way to SOCKSify the outbound connection, so much the better--you could use dynamic port forwarding instead of local port forwarding. But I'm afraid that I don't have a ready-made solution at hand for that problem... just ideas that would need more work.

If there are multiple public ip that need to be added, because of multiple locations, would you just add all of them to the spf record? Also, does that not create some other security concerns public the companies public ip on the spf record?

@TheTF01 Every IP address that needs to be allowed to send mail does need to be added... but there's different ways of doing that, depending on the exact circumstances. If they're just single IPs that aren't connected to each other, you can use multiple ip4: entries. If the IPs can be summarized into a CIDR range, you can also enter that. (Example: "ip4:192.168.2.36/30") Does it create a security concern? I don't think it does. For one thing, there's nothing saying that these IP addresses belong to your company. Let's say you have a rule sending all outbound email to a third-party service that adds a signature. (My company does this!) You need to add the third-party service to your SPF record, and they'll typically have documentation telling you what you can put in (it's usually an "include:service.com" entry). But you could just as easily put in the actual IP addresses if you wanted, and it would work the same way. The actual SMTP headers on the email message also include a record of all the machines the email has passed through (using SMTP), including their IP addresses, from start to finish. This not only reveals the sender's IP address (if they used SMTP), but all servers along the mail path. This is standard because it helps to diagnose mail flow issues, as well as allowing things such as SPF to function correctly. And it's been that way since the very beginning of email! As a general security rule, you never want to rely on "security through obscurity"--keeping things safe by keeping them secret. You definitely want to make sure you have a firewall to protect the network, whether you publish the external IPs in an SPF record or not. And if you do have a firewall in place, I think any additional security risk created by an SPF record is minimal, if not negligible.

Thank you! I definitely plan to keep going. :)

Thanks, I'm glad you enjoyed it! :)

No problem, glad it was useful! :)

Fun fact: turns out I needed an additional NIC for a redundant WAN connection. The unit accepted it without trouble and keeps on running like a champ!

You're quite right. I often feel that tension between viewing a network or system as my "creation," versus as a tool to accomplish a business goal. Of course, it can (and should) be both! I do like helping solve problems and achieve goals, so I don't mind building something to be functional and utilitarian, so long as the solution isn't being flagrantly misused. If this little lifeboat system was going to be rebuilt (I'm still not sure it will be), there's already been some discussion around how we would ensure any deployments were actually temporary. I don't think your suggestion had come up yet, though, so thank you for making it!

@NextDoorNetAdmin I was in IT late 70s and 80s. There, we played with bits and bytes pioneered things IBM didn't know was possible. They didn't like me as I worked out by manipulating their software. $60000 network controller's could be doubled in capacity, and what I didn't like about their mainframes. Problem solving is awesome keep doing it. I left IT and set up network systems in disability organisations. With it, I wrote policy and procedures for them, including who was responsible and accountable for maintenance change management backup. Alas, they didn't take advice. Both systems died within a few years, of course. It was the last time I did it.

If this was strictly a router, I would probably agree with you. But as I noted in the video description, this is a firewall. Specifically, this is going to be a layer 7 firewall inspecting traffic for about 1000 devices using a 1 Gbps synchronous connection. www.zenarmor.com/docs/introduction/hardware-requirements With that established, have I overbuilt a little? Possibly! But then, I need the stated requirements immediately, and I still need to take future growth (device counts, connection speed, newly-required features, increased software requirements) into consideration over the next 5-7 years. I actually started by pricing out a rack-mounted Supermicro-based solution where we would purchase parts only and then I would do the assembly myself. Based on just the cost of parts versus the cost of the Dell system, the Dell was cheaper--which surprised the heck out of me, I don't mind admitting.

why you mad bro

im running opnsense with wireguard and openvpn tunneling on a dell poweredge r640 almost 40 users to a connected to the site, a small router wont be able to do that.

As someone who is currently upgrading my opnsense box from a dual core CPU because it handles routing fine but can't handle routing + firewall I'd have to disagree.

You want to take a look at setting up a Scale-Out file server in your cluster. This will let you use a CSV as the backing volume. learn.microsoft.com/en-us/windows-server/failover-clustering/sofs-overview