Securing and enhancing your startup email experience

You have heard it on countless occasions that the majority of startups fail in the first few years. What they often do not tell you  is that a good number of startups do succeed nor do they tell you why those startups that do not make it fail. While reasons for the success of startups are many and varied at the top of the list of those that do not make it are two causes: Liquidity and Profitability issues.

If a business is to succeed it has to be profitable and liquid otherwise it will inevitably fail once its funding runs out. One of the things they teach you in every college’s Intro to Business class is how to solve these two problems. The solution is simple: You should enhance your revenue and minimise your cost.

What has this go to do with email?

Well, while email is an essential part of every business, you have to minimise what you spend on the service just as you should on every other service. This means taking advantage of the freely available solutions such as those found in the FOSS world. Examples include the use of Linux Distros instead of paying for Windows licences, using free CMS, templates,plugins and themes.

Back in the day there were many freely available professional email solutions that you could use with your domain such as Google’s Gmail and Microsoft’s Hotmail/Outlook (I could never tell the difference between these two).

Unfortunately most are no longer free. And while $5/user per month seems like it’s nothing the cost quickly add up and if you are paying for other services you can easily spend hundreds if not thousands of dollars a year on accessory services that you can easily provide for yourself. In fact the key to success as a startup, a technical startup or not, is to learn as much of the technical aspects of your business as possible.

Long story short, although some web hosting providers out there provide you with free email hosting with your domain it might do you a world of good to set up your own email server. It will give you control and afford you with flexibility which might become more and more important as your startup grows.

In this article we are assuming you have your own domain and have already set up you MTA to use TLS/SSL authentication.

The problem

There are a lot of bad people are there who are out to get you, well your server. Most people assume that since their startup is small they can ignore the best security practices because hackers are unlikely to be interested in them only to wake up two years later to discover that they are victims of some random hacktivist because while they were too busy concentrating on their startup’s core business they forgot about their half-hearted security.

TLS/SSL authentication when using email is one of those best security practices. However as most of you probably know the certificate that you will use with these services requires money because self-signed certificates generate warnings and some services.

For example, when trying to add your email POP fetching to your Gmail account, cannot be used with plain text authentication and do not accept self-signed certificates. Certificates can cost you anything between $5/year to hundreds of dollars per year.

We will define more problems and their solutions as we progress in the series.

Startssl

Startssl is a certification authority that offers certification services including certificates that are compatible with most browsers and software. These certificates, like any other certificates from CAs such as Thawte, do not generate any warnings and are accepted by most browsers and software. While advanced certificates from StartSSL such as Extended validation and wildcard (*.youdomain..co.zw) certificates require payment basic  positive validation certificates are given free of charge to users.

How to get your free ssl certificates

1. Of course you cannot use a dynamic IP to set up your email server find a reputable VPS provider and get a static IP.
2. Make sure the IP address is not blacklisted. Go to mxtoolbox.com and check. If it is either ask for a different IP or get it unlisted.
3. Naturally for this guide to work at all you need to ask your server provider to set up a PTR domain record to: somemailserver.yourdomain.co.zw. Make sure to change these details to match your details. While this is not critical at this stage it will become more and more important as we progress.
4. Set up a matching A record for someserver.yourdomain.co.zw pointing back to your IP address.
5. Set up your ehlo/helo parameters to match the domain: someserver.yourdomain.co.zw not doing so might see a lot of servers out there rejecting your email.
6. Once your MTA, preferably Postfix,  is set up go to the StartSSL website and sign up for a free account using the Chrome Browser, go to your email and verify the account.
7. Once your account has been verified you will be sent an email informing you that your account has been set up, follow the link provided in the email.
8. You will be asked to generate a key, select a “High” grade key and click install.
9. A pop down will appear in Chrome telling you that a new certificate has been installed in your browser. Make sure to back up this key because Startssl does not use password authentication. The certificate is used to authenticate and log into the Startssl panel which you will use to generate certificates for your domain.
10. Before you can start issuing certificates for your domain you will need to prove that you are the owner of that domain. In the Control Panel go to the Validation Tab and select Domain name validation. In order to prove ownership of the domain you should be able to recieve emails for the domain that you want to validate at any of the following addresses:
    postmaster@yourdomain.co.zw
hostmaster@yourdomain.co.zw
webmaster@yourdomain.co.zw
11. Once you have verified domain ownership go to the certificate wizard and generate a Webserver SSL/TLS certificate.
12. Select your preferred key size and enter a key password of your choice and click continue.
13. When you select continue you will be presented with a textbox containing your key. Copy and Paste the key into a text editor and save it as tls.key. Remember to select save as all files if you are using Notepad in Windows.
14. Select the Domain for which you want to create the certificate for e.g. yourdomain.co.zw and click continue.
15. You will be asked for the subdomain for which you want to create the key. It is important that your subdomain should match the server’s domain name including the PTR record to prevent any problems i.e. somemailserver.yourdomain.co.zw. Click continue
16. You will be presented with a certificate textbox, copy it and save it as mail_cert.crt.
17. Copy the files tls.key and mail_cert.crt to your email server.
18. Make sure you are in the folder with these two files and run the command:openssl rsa -in tls.key -out private.key
19. Run the command:wget https://www.startssl.com/certs/ca.pem
20. Copy the files to your postfix certificate directory e.g./etc/postfix/sasl/
21. Go to/etc/postfix/main.cf and change the following directives to point to the proper files:
    smtpd_tls_key_file = /etc/postfix/sasl/private.key
smtpd_tls_cert_file = /etc/postfix/sasl/mail_cert.crt
smtpd_tls_CAfile = /etc/postfix/sasl/ca.pem
22. Add the proper certificate paths to your MDA’s (e.g. Dovecot’s) configuration as well. On Ubuntu run change change the following lines in /etc/dovecot/conf.d/10-ssl.conf
ssl=yes
ssl_cert =</etc/postfix/sasl/mail_cert.crt
ssl_key =</etc/postfix/sasl/private.key
23. That’s all. To test your connection using TLS use your email client and you should be able to connect without receiving any warnings.
24. Of course StartSSL certificates can also be used with your web server. In the next installment (which is not part of the series) we will look at how this can be achieved using Apache on Ubuntu.

If you have anything to add please feel free to comment below. I have deliberately excluded some steps e.g. making sure that the certificates are read only because covering every nook and cranny would have made the article quite cumbersome.

This is a series on securing and enhancing your startup email experience. We will look into the following topics: Free SSL certificates with Startssl, SPIF,DKIM configuration and DMARC setup. This is more of a “teach you how to fish article” and will avoid technical set up details and where this is inevitable we will be using examples from Ubuntu 14.04.2 LTS. These should work on most Linux distros with no or minor modifications. We also assume you know how to configure your own Email server, that you have already set it up and enabled TLS/SSL authentication. See here.

Image credit: magentoaffiliateextension.net