URGENT: Production Mail Server on NS8 - Need a "First-Time-Right" Config (Family Emergency)

Hi community,

I’m reaching out in a very difficult moment. My wife just had emergency surgery, and my time is now extremely limited. To be honest, I am using my lunch breaks to go from place to place to raise the funds needed to pay for her medical expenses, and then I return to work. My focus is divided, and I am exhausted, but I must deliver a rock-solid Mail Server on NethServer 8 (Rocky Linux 9) for my company.

I cannot afford any “trial and error” or configuration mistakes right now. I need to get it right on the first try so I can focus on my wife’s recovery. Could you please provide the most stable “Gold Standard” configuration for:

  1. Hardware: Are 2 vCPUs and 4GB RAM enough for 50 users, or should I push for 8GB to keep ClamAV/Rspamd stable without supervision?

  2. Setup: The most efficient way to deploy the Mail module with full security (SSL, SPF, DKIM, DMARC) in NS8.

  3. Reliability: Any “set and forget” advice to ensure the mail containers stay solid while I’m away from the keyboard attending to my family?

I’ve always been here to support others, and today I truly need your expertise to help me fulfill my professional duty during this crisis.

P.S. The domain is https://discentralca.com. You will likely notice several security gaps in our current setup; I need the NS8 implementation to close these breaches definitively.

Thank you for your prayers, your empathy, and your technical guidance.

Some thoughts…

  1. NS8 provides all mail server capabilities incl. security out of the box. It is a matter of configuration.
  2. You need full access to the DNS system of the domain to set up security/verification methods.
  3. For 50 users, the pricing difference between 4 GB and 8 GB is to be ignored; even go higher, and get a faster CPU.
  4. User experience is everything. You could present the users with options: either web-based SOGo or Roundcube (both NS8 apps), a fat client on PCs, and ActiveSync.
  5. Do the users expect email, calendaring/sharing/delegation?
  6. Make sure service interruptions are identifiable as your screw-up, Internet connection, hardware, domain provider, DNS provider. At some point in time you will get blamed and you need to be able to show what the root cause is/was of issues.

It sounds to me there is a need for a solid design before any implementation, and some nuts to crack on what design choices to make. I would advise you to do that first: create a total design, both server and clients (web/fat), security/calendaring, delegation/vacation, OOO etc. etc.

Present that plan, get consensus, get the budget and agree on timelines. There are reasons why it is a messy heap right now...

That is the only valid way forward IMHO.

PS. Storage and backup... S3?


Another web-based groupware option is Webtop


Yep, forgot about that one. Actually a very nice one for his needs I guess, with active support from several angles.


Yes, that’s what I’ll do. But they need to buy a PC to run the tests. I’ll take care of that. Yesterday I had to stay late because of a problem with how they use MS SQL, and in my audit I discovered they only use one user for multiple sessions. Well, brother, I’m going to get ready and at 12 I’ll go look for money. I’m exhausted.

I run several mail servers. Given my limited experience, I would recommend the following:

  1. The NS8 mail software is designed and built to be secure from the ground up
  2. However, you must ensure a secure operating environment

In concrete terms, without further explanation, this means:
(Assumption: the mail server has an MX record pointing to mail.discentralca.com).

  1. Use CrowdSec
  2. Use LE certificates
  3. Use DNS keys:
    3.1. for DKIM look in Mail–>Domains–>3-dot menu–>configure DKIM–>copy your key into the DNS zone like: default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIj_YOUR KEY_"
    3.2. for SPF like: mail.discentralca.com. 86400 IN TXT "v=spf1 a mx ~all"
    (for explanations look here: https://dmarcadvisor.com/es/tabla-sintaxis-spf/ or here: https://powerdmarc.com/es/spf-all-vs-all/)
    3.3. for DMARC like:
    _dmarc.discentralca.com. 86400 IN TXT "v=DMARC1;p=reject;pct=100;rua=mailto:abuse@discentralca.com;ruf=mailto:abuse@discentralca.com;fo=0:d:s;aspf=r;adkim=r;"
  4. allow LE certs on all subdomains like: mail.discentralca.com. 86400 IN CAA 0 issue "letsencrypt.org"
  5. allow the relevant LE CAs / intermediates (look here: https://letsencrypt.org/certificates/ or here: https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html)
    *._tcp.mail.discentralca.com.	3600	IN	TLSA	2 1 1 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d
    *._tcp.mail.discentralca.com.	3600	IN	TLSA	2 1 1 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4
    *._tcp.mail.discentralca.com.	3600	IN	TLSA	2 1 1 f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888

For the initial setup don't use TTL 86400; better 1800. If everything's working, set it to 86400.

Check it, check it, check it:
https://stats.dnssec-tools.org/explore/?discentralca.com

https://intodns.com/discentralca.com

Register your mail server with the major email providers. Microsoft, in particular, is prone to blocking suspicious sender mail servers.

register at

Good luck. Just ask if you need any help.

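A syntax check for the SPF and DMARC records discussed in the post above, added here as an example; it is neither the poster's code nor an NS8 tool. The sample records are constructed: the SPF record is the one from the post, and the DMARC record has its ruf= address pointed at a made-up external reporting domain so that the external-destination check (RFC 7489 section 7.1) fires.

```python
import re

# Constructed sample input: SPF as quoted in the post; DMARC with a made-up external ruf= domain.
DMARC_RECORD = ("v=DMARC1;p=reject;pct=100;rua=mailto:abuse@discentralca.com;"
                "ruf=mailto:forensic@dmarc-reports.example;fo=0:d:s;aspf=r;adkim=r;")
SPF_RECORD = "v=spf1 a mx ~all"
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}  # counted against RFC 7208's 10-lookup limit

def parse_dmarc_tags(record):
    """Split 'tag=value;tag=value;' into a dict (RFC 7489 section 6.3 syntax)."""
    pairs = [p.strip().partition("=") for p in record.split(";") if p.strip()]
    return {k.strip(): v.strip() for k, _, v in pairs}

def check_dmarc(record, policy_domain):
    """Return a list of problems; an empty list means the record looks sane."""
    tags, problems = parse_dmarc_tags(record), []
    if not record.strip().startswith("v=DMARC1"):
        problems.append("must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if "fo" in tags and not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        problems.append("fo= accepts only 0, 1, d, s joined by ':'")
    for tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(tag, "").split(",")):
            dest = uri.partition("@")[2].split("!")[0].lower()  # '!10m' suffix is a size limit
            if not uri.startswith("mailto:") or not dest:
                problems.append(f"{tag}= URI {uri!r} is not a mailto: address")
            elif dest != policy_domain and not dest.endswith("." + policy_domain):
                problems.append(f"{tag}= reports go to external domain {dest!r}; "
                                f"{policy_domain}._report._dmarc.{dest} TXT must authorise it (RFC 7489 7.1)")
    return problems

def check_spf(record):
    """Check SPF term syntax, the 10-DNS-lookup budget and the closing 'all' qualifier."""
    terms, problems, lookups = record.split(), [], 0
    if not terms or terms[0].lower() != "v=spf1":
        return ["must start with v=spf1"]
    term_re = re.compile(r"^(?:[+\-~?]?(a|mx|ip4|ip6|include|exists|ptr|all)(?:[:/]\S+)?"
                         r"|(redirect|exp)=\S+)$", re.I)
    for term in terms[1:]:
        m = term_re.match(term)
        if not m:
            problems.append(f"unknown term {term!r}")
        elif (m.group(1) or m.group(2)).lower() in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    if not re.fullmatch(r"[-~]all|redirect=\S+", terms[-1], re.I):
        problems.append("should end with ~all, -all or a redirect=, not +all or ?all")
    return problems
```

Run both checks against the live records once they are published (dig the TXT records and feed them in) before raising the TTL to 86400, as the post advises.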

Roundcube is the better (more simple) “backup” system
