On Sun, Jul 11, 2021 at 11:23 AM Keith Smith via PLUG-discuss <plug-discuss@lists.phxlinux.org> wrote:

> I am talking about a virtual PHP host running Ubuntu LTS, LAMP, Let's
> Encrypt, BIND, Postfix, Dovecot, and possibly some webmail app. Not
> sure of anything else I would need. Is there more?
>
> We can throw in learning Apache SPF and NGINX.
>
> 1) First question is this a reasonable idea or am I crazy?

For learning and tinkering, it's a good idea, production for yourself probably not. I set all that up some 10-15 years ago, thought it was cool, then got tired of upkeep. If you plan to maintain it right, you probably will too. These days any internet-facing service needs almost religious zeal to upkeep, lest some jackass use a 0-day to cryptolocker your system(s), and if you watch security lists for those, they are still pretty frequent I'll bet.

Or you could just pay gmail/office365/rocketmail, or any other and let all that patching and upkeep be automated by them. I used godaddy mail for a decade, later gmail, and I really don't mind not managing my own email or dns servers ever again since.

> 2) 2nd question is what skills would I need?

The ability to google your ass off mostly. I've not read a how-to or protocol or certification-type book in 20 years, trust me it's not terribly practical, and I fifo from my brain quickly. Searching how-tos and troubleshooting as you do is how you learn. If you must, I'd recommend linux academy, udemy, or other online class-type courses, as most can be had cheap around holidays with sales, mostly what I do these days to learn if not just searching.

Email is email and hasn't changed much in 20 years. Understanding encryption, authentication (i.e. 2fa), use of SPF/DKIM with DNS, certificates (openssl, letsencrypt, build your own CA). Security in general is pretty key more than knowing how email protocols work.

Web stuff is again more about security imho, redirect all non-encrypted to encrypted (tcp/80->443 redirection), proper certs/encryption standards (enable tls1.2, disable rest, strong ciphers). Some vhosts, proxy redirection if needed, etc is helpful. If you want to scale, add load-balancing via apache/nginx proxy or appliances (F5, AWS ALB, Netscaler, etc) across multiple hosts.

System security is key too. Securing SSH, disabling unnecessary services, local firewall in/out, log monitoring, networking, file system/service integrity, etc.

I am not a dev or a sysadmin, more a network guy that ends up troubleshooting systems more than their owners do when they blame my network, or just tinkering for myself.

IMHO with above, but YMMV.

-mb
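
Added example, not part of the original message: a small Python audit of an Apache vhost file for the web points listed above (tcp/80->443 redirection, no protocols older than TLS 1.2, no weak cipher tokens). The sample config and hostname are constructed; the meaning of `all`, treating an unset `SSLProtocol` as `all`, and leaving TLS 1.3 unflagged are assumptions of this sketch.

```python
import re

LEGACY = {"sslv3", "tlsv1", "tlsv1.1"}
ALL = LEGACY | {"tlsv1.2", "tlsv1.3"}   # assumed meaning of "all"; varies by build
WEAK = ("RC4", "DES", "MD5", "NULL", "EXP", "LOW", "MEDIUM")

# Constructed sample: plain-HTTP vhost without a redirect, TLS vhost with weak settings.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName www.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCipherSuite HIGH:MEDIUM:RC4:!aNULL
</VirtualHost>
"""

def enabled_protocols(args):
    """SSLProtocol semantics: +x adds, -x removes, a bare x replaces the set."""
    on = set()
    for tok in (a.lower() for a in args):
        name = tok.lstrip("+-")
        names = ALL if name == "all" else {name}
        on = on - names if tok[0] == "-" else on | names if tok[0] == "+" else set(names)
    return on

def audit(conf):
    findings = []
    for addr, body in re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        port = addr.split()[0].rsplit(":", 1)[-1]
        lines = (l.split("#")[0].split() for l in body.splitlines())
        d = {p[0].lower(): p[1:] for p in lines if p}   # last directive wins
        if port == "80" and not re.search(r"^\s*(Redirect|RewriteRule)\b.*\shttps://", body, re.I | re.M):
            findings.append("80: no redirect to https")
        if port == "443":
            # An unset SSLProtocol is treated as "all" here (assumption).
            legacy = enabled_protocols(d.get("sslprotocol", ["all"])) & LEGACY
            if legacy:
                findings.append("443: legacy protocols " + ",".join(sorted(legacy)))
            for tok in "".join(d.get("sslciphersuite", [])[-1:]).strip('"').split(":"):
                if tok and tok[0] not in "!-" and any(w in tok.upper() for w in WEAK):
                    findings.append("443: weak cipher token " + tok)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

A vhost pair with `Redirect permanent / https://www.example.com/` on port 80 and `SSLProtocol -all +TLSv1.2` plus an ECDHE/AES-GCM cipher list on port 443 produces no findings.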