Michael W Lucas 
I didn't plan on this, but it turns out that releasing my new book on running your own email server was SUPER TIMELY. #sysadmin
Colin Cogle 
@mwl Running port 25 behind a residential IP is an instant block. I have everything running like clockwork behind a mid-sized hosting provider, but I'm always looking to improve things.
a
Ryan Castellucci (they/them) 
@colin @a @mwl My experience using RBLs was that I needed to run DNS lookups on the same IP as the mail server which is annoying with socks.
If you have IPv6 at home, you can get a dual stack VPS and use proxy arp to relocate its ipv4 address to the other end of a SIT tunnel (ipv4 over ipv6) terminating on your actual server.
I used to have a web server set up this way.
slash@a @mwl @colin I've been looking at this solution. My email VPS (running for longer than I can recall) is still priced much higher than most.
So I'm thinking about just doing a 1:1 NAT on a (cheaper) VPS and letting my home machine handle all the real work.
In my case, it's to ensure all my _data_ stays on my machines, yet accessible from anywhere on the net. (My corp. blocks my webmail, but not Google or Kolab... I want to be a full peer, dammit!)
Cassandrich@a @mwl @colin You don't run the mail server on the VPS, just proxy thru its IP. The TLS is terminated on your premises, so as always, if certificate is validated correctly (this is what you need DANE for; otherwise TLS on mail is opportunistic), MITM is impossible even if the attacker fully controls the VPS.
@dalias @mwl @colin I doubt the impossible words can be used here. I guess people with more evil imagination than me can think of ways to do so. Just a data point https://notes.valdikss.org.ru/jabber.ru-mitm/
@a @mwl @colin Cryptographically impossible (assuming the cipher isn't broken which isn't a realistic threat).
Where compromises like the one you cited happen are by compromising one party in the cryptographic chain, not by breaking the crypto. With DANE the only parties who can potentially be compromised are your registrar, the TLD authority, and the DNS root.
@a @mwl @dalias Dang, I do use Linode.
On the bright side, yes, I have a Let’s Encrypt CA and DNSSEC/DANE, MTA-STS, CAA, and all the acronyms. I also edited the Postfix config files to require TLS for outbound connections to some servers that I know will never not support it, like Google, Microsoft, and a few others.
@colin @mwl @dalias I'm personally not super concerned about all that because: (a) sending emails means that someone will received and you still need to rely on their infra not to be breached (good luck with that) and (b) I use email mostly to receive messages and as an ID for a bunch of accounts mostly. If I want to share something more personal I would use other mechanism
Nux@a @mwl @colin Never noticed anything and you'll laugh, but my uplink at home is 5G.. so significantly higher latency than your usual broadband. However http and smtp are very forgiving of that.
Of course, you can only sustain so much upload, but if all you're hosting is some blogs and emails, then it's no problem at all. Even 5-10 Mbps is OK for me.
In fact I've just measured now on pingdom and my crappy 5G hosted static site beats the heck out of our $dayjob corporate wordpress one!
Of course, you can only sustain so much upload, but if all you're hosting is some blogs and emails, then it's no problem at all. Even 5-10 Mbps is OK for me.
In fact I've just measured now on pingdom and my crappy 5G hosted static site beats the heck out of our $dayjob corporate wordpress one!