Apparently I installed that thing in 2006 and I last updated it in 2016, then I quit updating it for some reason that I totally forgot. Probably laziness…
It’s been running for quite some time and we kind of forgot about it in the closet, until the SSH tunnel we use to get our mail outside our home stopped working because modern openssh clients refuse to use the antiquated key cipher I setup client machines with way back when any longer.
I just generated new keys with a more modern cipher that it understands (ecdsa-sha2-nistp256) and left it running. Because why not 🙂
Because why not 🙂
Because security.
It’s behind a firewall. The only thing exposed to the outside is port 22 - and only pubkey login too.
And gee dude… It’s been running for 18 years without being pwned 🙂
It hasnt been pwned so far
For that matter, it hasn’t been ransomwared. There are so many ways to hide a compromise.
without being pwned
How do you know?
There’s a file called /pwnedornot and it contains “no, you’re safe bro”
Mine does
And it’s not like it contains any sensitive information. I’m sure all your emails are just friendly correspondence with your pen pal.
I’d still maybe build a modern OpenSSH package.
There’s been an awful lot of RCEs in the past two decades and uh, if that’s rawdogging the internet, I’m honestly shocked you haven’t been hit with any by now.
Eh, building anything modern on a system that old would be painful I bet.
Maybe you could use https://github.com/openssh/openssh-portable since that’s meant to be portable. I’d certainly would give it a try if I didn’t want to bother trying to upgrade that system. Then again, trying to upgrade it through the releases to a modern Debian might be fun too.
How do you know? Do you constantly monitor running processes, performance and network connections?
sorry, but what kind of email server listens only on SSH?
The most secure ones
How do you know? OpenSSH is pretty good but it isn’t impenetrable. Especially for almost 10 years.
Did you really only use it when you were home? If you used it outside the firewall then port 25 must have been open also.
I used to run my own server and this was in the early 90s. Then one day, perusing the logs I realized I was not smart enough on the security front to even attempt such a thing. It was quickly shut down and the MX record moved to an outsourced mail provider.
deleted by creator
Very very aware.
So you had another mail server elsewhere that port forwarded port 25 via port 22 to your internal mail server’s port 25.
I take it that outside mail server was secure.
That’s an impressive setup.
deleted by creator
Where is the mail server getting incoming mail from?
Stop nuking comments pussy
That’s not what a SSH is. A ssh tunnel only allows traffic after a successful SSH authentication.
Good thing there hasn’t been any remotely exploitable security bugs in any of the mail system components in the 6 years since Debian 7 went EoL
https://security-tracker.debian.org/tracker/
Depending on how it was configured it may or not be have been compromised. Probably better to go the nuclear option.
Why? Then somebody else takes care that it still can send mails
I’m fairly certain that SSH and whatever else you’re exposing has had vulnerabilities fixed since then, especially if modern distros refuse to use the ssh key you were using, this screams of “we found something so critical here we don’t want to touch it”. If your server exposes anything in a standard port, e.g. SSH on 22, you probably should do a fresh install (although I would definitely not know how to rebuild a system I built almost 20 years ago).
That being said, it’s amazing that an almost 20 year old system can work for almost 10 years without touching anything.
The amount of dos systems I have seen powering critical infrastructure in banks and hospitals is quite frankly nightmare fuel.
A basic DOS system has zero networking or open ports
They normally are isolated systems with controlled access. Same with shipping and any other critical industry.
Not to say that there aren’t exceptions but these days there is a required level of compliance
Remember its what the market determined is the best course of action.
Genuinely surprised when I see people running mail servers without issue. I suppose getting in relatively early means you’re not immediately sent to junk mail lists by the big players.
Unfortunately that’s not true. I’ve been running mail servers under my domain since around 2000, almost as long as Microsoft has been running Hotmail, and I was certainly following good standards like SPF and DKIM well before they considered such a thing… and yet Microsoft is the bane of my mail server’s existence. Despite no compromises resulting in spam blasts, MS still regularly shuts me out with no reason given and no hits showing on their monitors. If I can find their email address to ask what the problem is, I get a generic “your domain has been cleared” sort of reply but never any reason why they blocked me in the first place.
To be far you didn’t update for almost a decade. The large email provides fear you
I’ve started up new domains and never had an issue getting mail accepted.
There’s a right way to do it, and most people that complain that hosting email is impossible don’t know how to configure it correctly.
You need SPF, DKIM, DMARC with a RUA set up to an email that doesn’t bounce. That’s pretty much it. I’ve been running email servers a long time and actually set up email from a new domain/IP a couple of years ago as well.
Family email server? Your family have an email server to themselves? You managed to deal with block lists over 2 decades and more?
My utmost respect to your dedication
It takes a special kind to run and maintain a mail server. More so for doing it for such a long time.
If it’s 2 decades old, it was probably grandfathered into all whitelists.
It’s had a good run. Let the little guy have a rest. Whatever you replace it with will consume less electricity.
I gave up running an email server long ago - I thought it was basically impossible because too many spammers were doing it for nefarious purposes.
you name your servers with nuclear subs names?
I’m a kid of the cold war.
Believe it or not I’ve come into contact with Microsoft Exchange 2010 running on Server 2008 for 2000 days once. The company had ransomware.
Not to be that guy but why not use Curve25519?
I still remember all the conspiracies surrounding NIST and now 25519 is the default standard.
In 2013, interest began to increase considerably when it was discovered that the NSA had potentially implemented a backdoor into the P-256 curve based Dual_EC_DRBG algorithm.[11] While not directly related,[12] suspicious aspects of the NIST’s P curve constants[13] led to concerns[14] that the NSA had chosen values that gave them an advantage in breaking the encryption.[15][16]
If you are worried that the NSA might be reading your email maybe it’ll be better for society if you don’t update … just saying.
It took me a while to get this
Please tell you to at least have Freexian patches installed…
This is how massive botnets form
That’s the power of Linux. It can work for decades without issues.
Eh, plenty of dos machines still used in banks and industry. It’s both scary and impressive. I have worked on cnc machines only a few years back that were from the 80s I think. The data transfer between the computer and the machine used a band of paper that had holes punched into it by a printer like device physically attached to the computer.
Good old times.
Or 5 minutes and you pull your hairs out 😂 then reinstall because you screw up something without any idea how to fix it.
Any OS can break and need reinstalling if you screw stuff up, but the majority of them would have a hard time running constantly for almost a decade without so much as a side glance.
You can screw up Windows Server too. My comment wasn’t about that.
I know
I hope you get your data off and then burn it and everything around it. It could be easily compromised you knowing. It could easily be used for spamming