advertisement

Securing and enhancing your startup email experience

advertisement

You have heard it on countless occasions that the majority of startups fail in the first few years. What they often do not tell you  is that a good number of startups do succeed nor do they tell you why those startups that do not make it fail. While reasons for the success of startups are many and varied at the top of the list of those that do not make it are two causes: Liquidity and Profitability issues.

advertisement

If a business is to succeed it has to be profitable and liquid otherwise it will inevitably fail once its funding runs out. One of the things they teach you in every college’s Intro to Business class is how to solve these two problems. The solution is simple: You should enhance your revenue and minimise your cost.

What has this go to do with email?

advertisement

Well, while email is an essential part of every business, you have to minimise what you spend on the service just as you should on every other service. This means taking advantage of the freely available solutions such as those found in the FOSS world. Examples include the use of Linux Distros instead of paying for Windows licences, using free CMS, templates,plugins and themes.

Back in the day there were many freely available professional email solutions that you could use with your domain such as Google’s Gmail and Microsoft’s Hotmail/Outlook (I could never tell the difference between these two).

Unfortunately most are no longer free. And while $5/user per month seems like it’s nothing the cost quickly add up and if you are paying for other services you can easily spend hundreds if not thousands of dollars a year on accessory services that you can easily provide for yourself. In fact the key to success as a startup, a technical startup or not, is to learn as much of the technical aspects of your business as possible.

Long story short, although some web hosting providers out there provide you with free email hosting with your domain it might do you a world of good to set up your own email server. It will give you control and afford you with flexibility which might become more and more important as your startup grows.

In this article we are assuming you have your own domain and have already set up you MTA to use TLS/SSL authentication.

The problem

There are a lot of bad people are there who are out to get you, well your server. Most people assume that since their startup is small they can ignore the best security practices because hackers are unlikely to be interested in them only to wake up two years later to discover that they are victims of some random hacktivist because while they were too busy concentrating on their startup’s core business they forgot about their half-hearted security.

TLS/SSL authentication when using email is one of those best security practices. However as most of you probably know the certificate that you will use with these services requires money because self-signed certificates generate warnings and some services.

For example, when trying to add your email POP fetching to your Gmail account, cannot be used with plain text authentication and do not accept self-signed certificates. Certificates can cost you anything between $5/year to hundreds of dollars per year.

We will define more problems and their solutions as we progress in the series.

Startssl

Startssl is a certification authority that offers certification services including certificates that are compatible with most browsers and software. These certificates, like any other certificates from CAs such as Thawte, do not generate any warnings and are accepted by most browsers and software. While advanced certificates from StartSSL such as Extended validation and wildcard (*.youdomain..co.zw) certificates require payment basic  positive validation certificates are given free of charge to users.

How to get your free ssl certificates

  1. Of course you cannot use a dynamic IP to set up your email server find a reputable VPS provider and get a static IP.
  2. Make sure the IP address is not blacklisted. Go to mxtoolbox.com and check. If it is either ask for a different IP or get it unlisted.
  3. Naturally for this guide to work at all you need to ask your server provider to set up a PTR domain record to: somemailserver.yourdomain.co.zw. Make sure to change these details to match your details. While this is not critical at this stage it will become more and more important as we progress.
  4. Set up a matching A record for someserver.yourdomain.co.zw pointing back to your IP address.
  5. Set up your ehlo/helo parameters to match the domain: someserver.yourdomain.co.zw not doing so might see a lot of servers out there rejecting your email.
  6. Once your MTA, preferably Postfix,  is set up go to the StartSSL website and sign up for a free account using the Chrome Browser, go to your email and verify the account.
  7. Once your account has been verified you will be sent an email informing you that your account has been set up, follow the link provided in the email.
  8. You will be asked to generate a key, select a “High” grade key and click install.
  9. A pop down will appear in Chrome telling you that a new certificate has been installed in your browser. Make sure to back up this key because Startssl does not use password authentication. The certificate is used to authenticate and log into the Startssl panel which you will use to generate certificates for your domain.
  10. Before you can start issuing certificates for your domain you will need to prove that you are the owner of that domain. In the Control Panel go to the Validation Tab and select Domain name validation. In order to prove ownership of the domain you should be able to recieve emails for the domain that you want to validate at any of the following addresses:
    postmaster@yourdomain.co.zw
    hostmaster@yourdomain.co.zw
    webmaster@yourdomain.co.zw
  11. Once you have verified domain ownership go to the certificate wizard and generate a Webserver SSL/TLS certificate.
  12. Select your preferred key size and enter a key password of your choice and click continue.
  13. When you select continue you will be presented with a textbox containing your key. Copy and Paste the key into a text editor and save it as tls.key. Remember to select save as all files if you are using Notepad in Windows.
  14. Select the Domain for which you want to create the certificate for e.g. yourdomain.co.zw and click continue.
  15. You will be asked for the subdomain for which you want to create the key. It is important that your subdomain should match the server’s domain name including the PTR record to prevent any problems i.e. somemailserver.yourdomain.co.zw. Click continue
  16. You will be presented with a certificate textbox, copy it and save it as mail_cert.crt.
  17. Copy the files tls.key and mail_cert.crt to your email server.
  18. Make sure you are in the folder with these two files and run the command:openssl rsa -in tls.key -out private.key
  19. Run the command:wget https://www.startssl.com/certs/ca.pem
  20. Copy the files to your postfix certificate directory e.g./etc/postfix/sasl/
  21. Go to/etc/postfix/main.cf and change the following directives to point to the proper files:
    smtpd_tls_key_file = /etc/postfix/sasl/private.key
    smtpd_tls_cert_file = /etc/postfix/sasl/mail_cert.crt
    smtpd_tls_CAfile = /etc/postfix/sasl/ca.pem
  22. Add the proper certificate paths to your MDA’s (e.g. Dovecot’s) configuration as well. On Ubuntu run change change the following lines in /etc/dovecot/conf.d/10-ssl.conf
    ssl=yes
    ssl_cert =</etc/postfix/sasl/mail_cert.crt
    ssl_key =</etc/postfix/sasl/private.key
  23. That’s all. To test your connection using TLS use your email client and you should be able to connect without receiving any warnings.
  24. Of course StartSSL certificates can also be used with your web server. In the next installment (which is not part of the series) we will look at how this can be achieved using Apache on Ubuntu.

If you have anything to add please feel free to comment below. I have deliberately excluded some steps e.g. making sure that the certificates are read only because covering every nook and cranny would have made the article quite cumbersome.

This is a series on securing and enhancing your startup email experience. We will look into the following topics: Free SSL certificates with Startssl, SPIF,DKIM configuration and DMARC setup. This is more of a “teach you how to fish article” and will avoid technical set up details and where this is inevitable we will be using examples from Ubuntu 14.04.2 LTS. These should work on most Linux distros with no or minor modifications. We also assume you know how to configure your own Email server, that you have already set it up and enabled TLS/SSL authentication. See here.

Image credit: magentoaffiliateextension.net


WhatsApp Discussions

Click to join a Techzim WhatsApp group:
https://chat.whatsapp.com/H94LKS22KuvEshYT12phqs

If you find the group full, please notify us on +263 715 071 199 and we'll update the link.


4 thoughts on “Securing and enhancing your startup email experience

  1. Having managed a few mail servers myself, I would strongly advise those that want email services to use free email services (eg ZOHO Mail https://www.zoho.com/mail/zohomail-pricing.html) instead of attempting to run their own mail server.

    If you are a startup company and funds are not forthcoming or you want to save cash, maintaining a mail server is the last thing you want do. There’s the cost of the mail server itself to consider. Then there’s also the cost of the internet that that mail server requires which will not be cheap as it has to be on all the time. Then there’s the issues of availability of electricity for this mail server.

    If you are a startup you want to concentrate on what you are good at instead of fiddling with a server after every few days.

    All you information is correct in the article, its just the general advice/recommendation that i disagree with

    1. Agreed. Managing a mail server is a world of hurt, you need to satisfy all of the conditions below:
      1. You don’t mind dropping some emails incoming mails for a few hours at a time due to a misconfiguration
      2. You have the time & energy to try and get yourself removed from a spam blacklist, because your IP was used by a spammer 4 years ago. While you are on the blacklist, you can’t send emails to a significant percentage of the worlds population
      3. You have the time to do security updates, and you have the technical chops to deter & fend off attacks on your mail server. Any mail server that can deliver emails without being flagged as spam is a juicy target for by hackers & spammers.
      4. You have a warm backup mail server waiting in the wings with 0 downtime, unless you want to start dropping incoming emails when the hard drive fails
      5. You have a backup / disaster recovery plan that you test often

      Depending on how much you value your time, I’d say $5/user per month is downright reasonable

  2. Thanks for the nice instruction. However I do agree with other comments: running your own mailserver is a headache. Add to it that many ISP in Zimbabwe regularly have their ip addresses blacklisted as spam originators (I have used most of them so I know from experience) and you have an additional problem. Personally I host my company domain outside Zimbabwe and there is where my mail resides – but I still get blocked or put in “junk” folder now and then by e.g Office365.com users due to my sending ip being in Zim

  3. I have been using MailChimp to manage our email system. I use it to send our newsletter, freebie email… I found that if we use email marketing, the result is quite good. For eg, I often do cross sales by sending an email that has free like video (eg: Magento Inventory Management video), the open rate and click rate is so high.

Comments are closed.

%d bloggers like this: