Apparently I installed that thing in 2006 and I last updated it in 2016, then I quit updating it for some reason that I totally forgot. Probably laziness…

It’s been running for quite some time and we kind of forgot about it in the closet, until the SSH tunnel we use to get our mail outside our home stopped working because modern openssh clients refuse to use the antiquated key cipher I setup client machines with way back when any longer.

I just generated new keys with a more modern cipher that it understands (ecdsa-sha2-nistp256) and left it running. Because why not 🙂

    • ExtremeDullard@lemmy.sdf.orgOP
      link
      fedilink
      arrow-up
      52
      arrow-down
      18
      ·
      edit-2
      3 months ago

      It’s behind a firewall. The only thing exposed to the outside is port 22 - and only pubkey login too.

      And gee dude… It’s been running for 18 years without being pwned 🙂

        • Possibly linux
          link
          fedilink
          English
          arrow-up
          11
          ·
          3 months ago

          For that matter, it hasn’t been ransomwared. There are so many ways to hide a compromise.

      • n2burns@lemmy.ca
        link
        fedilink
        arrow-up
        66
        arrow-down
        3
        ·
        3 months ago

        And it’s not like it contains any sensitive information. I’m sure all your emails are just friendly correspondence with your pen pal.

      • schizo@forum.uncomfortable.business
        link
        fedilink
        English
        arrow-up
        34
        arrow-down
        2
        ·
        3 months ago

        I’d still maybe build a modern OpenSSH package.

        There’s been an awful lot of RCEs in the past two decades and uh, if that’s rawdogging the internet, I’m honestly shocked you haven’t been hit with any by now.

        • Sbauer@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          3 months ago

          Eh, building anything modern on a system that old would be painful I bet.

          Maybe you could use https://github.com/openssh/openssh-portable since that’s meant to be portable. I’d certainly would give it a try if I didn’t want to bother trying to upgrade that system. Then again, trying to upgrade it through the releases to a modern Debian might be fun too.

      • Lucy :3@feddit.org
        link
        fedilink
        arrow-up
        26
        arrow-down
        2
        ·
        3 months ago

        How do you know? Do you constantly monitor running processes, performance and network connections?

      • Possibly linux
        link
        fedilink
        English
        arrow-up
        8
        ·
        3 months ago

        How do you know? OpenSSH is pretty good but it isn’t impenetrable. Especially for almost 10 years.

      • rhacer@lemmy.world
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        2
        ·
        3 months ago

        Did you really only use it when you were home? If you used it outside the firewall then port 25 must have been open also.

        I used to run my own server and this was in the early 90s. Then one day, perusing the logs I realized I was not smart enough on the security front to even attempt such a thing. It was quickly shut down and the MX record moved to an outsourced mail provider.

    • psycho_driver@lemmy.world
      link
      fedilink
      arrow-up
      6
      arrow-down
      11
      ·
      3 months ago

      Most ‘hackers’ are just mid tier (mediocre) IT level types who rely on existing exploits floating around in the wild. It’d probably be hard to find any still in circulation for such an old system.

      • limonfiesta@lemmy.world
        link
        fedilink
        English
        arrow-up
        24
        arrow-down
        1
        ·
        edit-2
        3 months ago

        We’re not talking about some punch card COBOL machine he jimmy rigged with network access, it’s an old Debian Linux box with SSH enabled.

        It’s not like Metasploit would have a tough time finding unpatched vulnerabilities for it…

        • Possibly linux
          link
          fedilink
          English
          arrow-up
          2
          ·
          3 months ago

          What makes it a even bigger target is the fact that it is a mail server

          • limonfiesta@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            edit-2
            3 months ago

            Unless it’s for SMTP only, it’s probably a back end sever to some other front facing box, or service, that has IP addresses whitelisted for email.

            I’m pretty sure I read one of his comments elsewhere talking about tunneling everything over SSH, so I assume that’s what he meant, but I could be mistaken.

            Regardless, using an EOL distro as an internet facing SSH server that’s 8 years behind on SSH updates, is probably a bad idea.

      • Possibly linux
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        2
        ·
        3 months ago

        It isn’t the “hackers” you should worry about. Its the nation states that take over huge numbers of machines.

        • DemocratPostingSucks@lemm.ee
          link
          fedilink
          English
          arrow-up
          3
          ·
          3 months ago

          If the NSA (GCHQ here in the UK) want my emails they’re getting it either way, I’m not able to stop nation states

          • Possibly linux
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            3 months ago

            I was more referring to foreign countries and cyberwarfare. Like it or not counties have now realized cyberattacks can be very devastating. A compromised server may very well be used for all sorts of purposes that many are probably not ok with.

        • PlexSheep@infosec.pub
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          3 months ago

          As a private person, defending against nation threat actors is impossible. And not only as a private person, but even as a medium sized company.

          • Possibly linux
            link
            fedilink
            English
            arrow-up
            3
            ·
            3 months ago

            You just need to not be the easy target. You don’t need outrun the bear you just need to be ahead of whatever Joe is doing

  • RegalPotoo@lemmy.world
    link
    fedilink
    English
    arrow-up
    108
    arrow-down
    1
    ·
    3 months ago

    Good thing there hasn’t been any remotely exploitable security bugs in any of the mail system components in the 6 years since Debian 7 went EoL

  • Nibodhika@lemmy.world
    link
    fedilink
    arrow-up
    45
    arrow-down
    1
    ·
    3 months ago

    I’m fairly certain that SSH and whatever else you’re exposing has had vulnerabilities fixed since then, especially if modern distros refuse to use the ssh key you were using, this screams of “we found something so critical here we don’t want to touch it”. If your server exposes anything in a standard port, e.g. SSH on 22, you probably should do a fresh install (although I would definitely not know how to rebuild a system I built almost 20 years ago).

    That being said, it’s amazing that an almost 20 year old system can work for almost 10 years without touching anything.

    • Sbauer@lemmy.world
      link
      fedilink
      arrow-up
      12
      arrow-down
      1
      ·
      3 months ago

      The amount of dos systems I have seen powering critical infrastructure in banks and hospitals is quite frankly nightmare fuel.

      • Possibly linux
        link
        fedilink
        English
        arrow-up
        7
        ·
        3 months ago

        They normally are isolated systems with controlled access. Same with shipping and any other critical industry.

        Not to say that there aren’t exceptions but these days there is a required level of compliance

    • Max-P@lemmy.max-p.me
      link
      fedilink
      arrow-up
      39
      ·
      3 months ago

      Patience. It really helps to have all the latest set up: SPF, DKIM, DMARC. Then after that it’s a matter of IP reputation, you can email the various blocklists and you wait for the rest of them to clear on their own.

      I’ve had that IP for 10 years and it has never sent spam, and I’ve sent enough emails that people open that it actually does get through fine. I haven’t had to think about it for a long time, it just keeps on working. Barely had to even adjust my Postfix config through the upgrades.

      • Avatar_of_Self@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        3 months ago

        This is true. If you have DMARC and your RUA set up (with a working email (or one that doesn’t bounce at least)) along with SPF and DKIM, Google and MS will accept your mail. The only time it won’t at that point is if your IP is in the same /24 as a known spammer but so long as the spam stops, you’ll fall off the list. Some of the common spamlists allow you to request your IP be removed by request and I can only recall one list that almost nobody uses that makes you pay for the removal though there may be more I don’t recall.

  • merthyr1831@lemmy.ml
    link
    fedilink
    English
    arrow-up
    37
    ·
    3 months ago

    Genuinely surprised when I see people running mail servers without issue. I suppose getting in relatively early means you’re not immediately sent to junk mail lists by the big players.

    • Shdwdrgn@mander.xyz
      link
      fedilink
      English
      arrow-up
      37
      ·
      3 months ago

      Unfortunately that’s not true. I’ve been running mail servers under my domain since around 2000, almost as long as Microsoft has been running Hotmail, and I was certainly following good standards like SPF and DKIM well before they considered such a thing… and yet Microsoft is the bane of my mail server’s existence. Despite no compromises resulting in spam blasts, MS still regularly shuts me out with no reason given and no hits showing on their monitors. If I can find their email address to ask what the problem is, I get a generic “your domain has been cleared” sort of reply but never any reason why they blocked me in the first place.

        • Shdwdrgn@mander.xyz
          link
          fedilink
          English
          arrow-up
          6
          ·
          3 months ago

          My primary domain is something that people have blacklisted because four letters happen to partially match a word that could be spammy (how ridiculous is that?), however the mail servers (the ones they keep blocking) are attached to my computer business name which I registered in 2006, so there’s really no reason why they should block it for that reason.

      • Possibly linux
        link
        fedilink
        English
        arrow-up
        4
        ·
        3 months ago

        To be far you didn’t update for almost a decade. The large email provides fear you

    • ikidd@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      3 months ago

      I’ve started up new domains and never had an issue getting mail accepted.

      There’s a right way to do it, and most people that complain that hosting email is impossible don’t know how to configure it correctly.

    • Avatar_of_Self@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      3 months ago

      You need SPF, DKIM, DMARC with a RUA set up to an email that doesn’t bounce. That’s pretty much it. I’ve been running email servers a long time and actually set up email from a new domain/IP a couple of years ago as well.

  • Findmysec@infosec.pub
    link
    fedilink
    English
    arrow-up
    32
    ·
    3 months ago

    Family email server? Your family have an email server to themselves? You managed to deal with block lists over 2 decades and more?

    My utmost respect to your dedication

  • some_guy@lemmy.sdf.org
    link
    fedilink
    arrow-up
    20
    ·
    3 months ago

    It’s had a good run. Let the little guy have a rest. Whatever you replace it with will consume less electricity.

  • limelight79@lemm.ee
    link
    fedilink
    arrow-up
    18
    ·
    3 months ago

    I gave up running an email server long ago - I thought it was basically impossible because too many spammers were doing it for nefarious purposes.

    • psycho_driver@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      3 months ago

      Nah you can use ghetto smtp to relay incoming mail to a different port on your server if your ISP blocks incoming 25 and sendinblue (it’s changed names but my sendinblue config is still working) to send outgoing mail if they block outgoing 25. It’s less than ideal but doable for low volume private email servers.

      • schizo@forum.uncomfortable.business
        link
        fedilink
        English
        arrow-up
        42
        ·
        3 months ago

        This suggestion always amuses me.

        “You can easily run a mail server! All you have to do is route all the mail through someone else’s mail server and bam, you’re running a mail server!”

        I mean it’s not wrong, but it causes a case of the giggles.

  • mlg@lemmy.world
    link
    fedilink
    English
    arrow-up
    14
    ·
    3 months ago

    Not to be that guy but why not use Curve25519?

    I still remember all the conspiracies surrounding NIST and now 25519 is the default standard.

    In 2013, interest began to increase considerably when it was discovered that the NSA had potentially implemented a backdoor into the P-256 curve based Dual_EC_DRBG algorithm.[11] While not directly related,[12] suspicious aspects of the NIST’s P curve constants[13] led to concerns[14] that the NSA had chosen values that gave them an advantage in breaking the encryption.[15][16]

    • Sbauer@lemmy.world
      link
      fedilink
      arrow-up
      6
      ·
      3 months ago

      If you are worried that the NSA might be reading your email maybe it’ll be better for society if you don’t update … just saying.

  • Possibly linux
    link
    fedilink
    English
    arrow-up
    11
    ·
    3 months ago

    I hope you get your data off and then burn it and everything around it. It could be easily compromised you knowing. It could easily be used for spamming

    • Sbauer@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      3 months ago

      Eh, plenty of dos machines still used in banks and industry. It’s both scary and impressive. I have worked on cnc machines only a few years back that were from the 80s I think. The data transfer between the computer and the machine used a band of paper that had holes punched into it by a printer like device physically attached to the computer.

    • UnbalancedFox@lemmy.ca
      link
      fedilink
      arrow-up
      3
      arrow-down
      1
      ·
      3 months ago

      Or 5 minutes and you pull your hairs out 😂 then reinstall because you screw up something without any idea how to fix it.