Storing emails in an on-prem server

I have MiaB on a DO droplet and I wonder if I could mount a remote storage on my on-prem server (Ubuntu 18.04) and store the emails on the on-prem server for better security.

Basically if/when my DO droplet gets compromised, I want to make sure that my emails won’t be at risk.

Any idea?

Best,

Savas

If your remote VPS has the ability to modify anything locally, then the compromised machine may not be protected in the way you may be desiring.

For example, if you mount a remote storage to store (i.e., read/write) emails, the compromised machine can still perform those same functions.

Other options for protecting data with a local device include performing backups, such as using rsync.
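A sketch of the backup option mentioned above, added here as an example and not taken from the thread or from the Mail-in-a-Box project: the on-prem server pulls snapshots with rsync, so the droplet needs no access to the on-prem machine. The SSH alias `miab-droplet`, the directory `/srv/miab-snapshots` and the source path `/home/user-data` (Mail-in-a-Box's default storage root) are assumptions.

```shell
#!/bin/sh
# Pull-based snapshots, run from cron on the on-prem server. Assumed setup:
# the droplet holds no credentials for this machine, so a compromised droplet
# cannot alter or delete snapshots that were already pulled.
SRC="${SRC:-miab-droplet:/home/user-data/}"   # hypothetical SSH host alias
DEST="${DEST:-/srv/miab-snapshots}"           # hypothetical; must be absolute
KEEP="${KEEP:-14}"                            # snapshots to retain

# pull_snapshot SRC DEST: copy SRC into DEST/<UTC timestamp> and print the
# timestamp. Files unchanged since the previous snapshot are hard-linked, so
# each run only stores what changed.
pull_snapshot() {
    src=$1; dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$dest" || return 1
    [ ! -e "$dest/$stamp" ] || return 1       # never write into an old snapshot
    set -- -a --numeric-ids
    if [ -e "$dest/latest" ]; then
        set -- "$@" "--link-dest=$dest/latest/"
    fi
    # Build under a ".partial" name so an interrupted run never looks complete.
    rsync "$@" "$src" "$dest/$stamp.partial/" || return 1
    mv "$dest/$stamp.partial" "$dest/$stamp" || return 1
    ln -sfn "$stamp" "$dest/latest"
    echo "$stamp"
}

# prune_snapshots DEST KEEP: delete all but the newest KEEP finished snapshots.
prune_snapshots() {
    dest=$1; keep=$2
    ls -1d "$dest"/[0-9]*Z 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
    while IFS= read -r old; do rm -rf -- "$old"; done
}

# Cron entry point: "<script> run". Without the argument only the functions
# above are defined.
if [ "${1:-}" = "run" ]; then
    pull_snapshot "$SRC" "$DEST" && prune_snapshots "$DEST" "$KEEP"
fi
```

A file deleted or overwritten on the droplet after a pull still exists in the earlier snapshot directories. Mail that is on the droplet at the time of a compromise remains readable there.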

Good feedback, thanks.

But how can I mount a remote storage to store emails? Any idea?

Unfortunately, you’ll have to figure that out … then reinstall MiaB using the new directory on the mountpoint of the new storage location as the storage root.

But this is going to cause you a problem - email is disk I/O intensive, so performance is going to suffer greatly from having your storage remote to your VPS. You should really go at this from a different angle if snooping from the VPS provider is your concern. For instance, I would host on a server at your location, assuming that you can successfully do so with your local ISP. Most ISPs will require business class internet to allow a mail server and provide a static IP complete with rDNS.

Thanks for the feedback. I will check how I can achieve this.

Btw, my ISP in this country is a joke, therefore I don’t have much expectation for static IP/eDNS. Therefore, I would like to use the MiaB on DO (so that I can have a) static IP b) port 25 functionality) and on prem server (so that I can have a) better security b) more storage space)

This is completely outside the scope of this project … but consider using the DO VPS as a proxy to/from your on-prem server. I do not know how to set this up, but perhaps come to Slack during the day CET and there are a couple of people there who may be able to help…

Perhaps I should consider deploying MiaB on my local server and connect the local server to the DO VPS over Stunnel or WireGuard or OpenVPN.

That’s how I do it using a route based ipsec VPN to my DO droplet. Lets me run MIAB on premises with DO providing point of presence only.

Spot on. Btw, why did you prefer IPsec instead of Stunnel/WireGuard/OpenVPN? Any specific reason?

Only because my edge router supports hardware accelerated IPsec