Hosting - Technical Details

• Spam and virus filtering
• Security
• Server setup

Spam and virus filtering

Mailboxes are protected by spam and virus filtering. All incoming and outgoing mail is scanned with ClamAV, and messages found to be containing a virus are rejected. There are also multiple anti-spam measures in place:

• Servers attempting to deliver mail to a mailbox hosted here are first checked against the Spamhaus SBL+XBL list. This is one of the most reliable, well-maintained, and cautious blacklists available - unlike many other lists (such as SPEWS), if an IP address is on this list, it's very likely that it belongs to a spammer.
• When a remote server that isn't already whitelisted as a "known good" mail source tries to send mail, and that sender/server/recipient triplet has not been seen before, a temporary error ("come back later") is reported and the email is not accepted. When the remote server tries again, typically in a few minutes, the mail is accepted. This process is known as "greylisting", and works because most spammers don't queue outgoing mail so they don't try to deliver twice. Note that greylisting can be opted-out of on a per-recipient basis, so users who need email to be delivered without delay can opt out.
• Per-remote-host and per-mailbox message count quotas are in place to ensure that a sudden mail flood won't overwhelm a mailbox.
• Message senders are checked using SPF (sender policy framework). This is an optional, but growing, framework which allows owners of domains to specify who is allowed to send mail from them.
• Message contents are scanned for URLs pointing to web sites operated by spammers. This often catches spam sent from servers that haven't yet been blacklisted, because they've still got to put their web sites somewhere.
• Various "spam-trap" addresses are maintained which cause any server attempting to email them to be automatically blacklisted for several days.
• Sending servers that violate the SMTP rules, which identify themselves in obviously invalid ways, or which persistently try to send spam, are automatically banned from connecting to this server.

When a message is rejected, the error message will explain to the sender exactly why it happened, so that legitimate senders can attempt to fix the problem.

Additional options are available if necessary, such as per-user Bayesian filters like QSF.

Security

Each sub-server will only accept incoming connections on its standard ports for the services mentioned below; other ports can be opened for listening but attempts to connect to them from outside will fail. This reduces the spread of worms and other malware.

Outgoing connections for each sub-server are also limited. The web server can only make outgoing connections to the HTTP and HTTPS ports (for CGI scripts to be able to fetch other web pages, for instance); outbound mail from CGI scripts must be sent through the mail server. The mail server can only make outgoing connections to the SMTP port. The shell server has a larger range: SSH, HTTP, POP, NNTP, HTTPS and rsync are allowed. Again, all outgoing mail must be sent via the mail server.

These restrictions are in place to help ensure system security. If you have a valid reason for any of them to be relaxed, please use the Contact Form to discuss it.

Server setup

The server is an Intel machine running a version of Linux based on CentOS 5. It is made up of five sub-servers:

Master file server

Holds all user files, and exports them to the other servers. There is no access to this server.

DNS server

Runs the DNS service, for hosting domain name details. There is no access to this server.

Mail server

Runs SMTP and POP3 services (the SMTP server is Postfix). The only access to this server is via each user's .procmailrc file. Some spam and virus filtering is performed (see above), and additional options such as QSF are available.

Web / database server

Runs the Apache web server with PHP, and also runs MySQL for use by CGI and PHP scripts. Users do not have direct access to this server, except via FTP, but can run CGI and PHP scripts. CGI scripts will run under the owning user's UID. Perl and various CPAN modules are installed; more can be made available on request.

Shell server

Accepts SSH connections. While logged into the shell server, users can change their FTP/email/shell password, move files around, test CGI scripts, and so on.