@mwl Running port 25 behind a residential IP is an instant block. I have everything running like clockwork behind a mid-sized hosting provider, but I'm always looking to improve things.

@colin @mwl I run my own on a vps but I wonder if it would be too shitty to run it at home and keep the VPs as a proxy with socat services?

@a @mwl @colin This is exactly what you want to do. And setup DANE for your domain, and outgoing DANE enforcement, so malicious party on the VPS side can't MITM you.

@dalias @mwl @colin I assume you have full control of the VPS . At least I di

@a @mwl @colin If the VPS isn't on your premises or locked in fail-closed tamper resistant enclosure at your colo, you don't have full control over it. Law enforcement can mandate hosting provider backdoor it, and there are plenty of cross-guest attacks in virtual hosting environments.

@dalias @mwl @colin true, but idk how DANE could alleviate those problems either.

@a @mwl @colin You don't run the mail server on the VPS, just proxy thru its IP. The TLS is terminated on your premises, so as always, if certificate is validated correctly (this is what you need DANE for; otherwise TLS on mail is opportunistic), MITM is impossible even if the attacker fully controls the VPS.

@dalias @mwl @colin I doubt the impossible words can be used here. I guess people with more evil imagination than me can think of ways to do so. Just a data point https://notes.valdikss.org.ru/jabber.ru-mitm/

@a @mwl @colin That's exactly what I'm talking about. And with webpki, controlling the public IP lets attacker get forged certs unless you're using DNSSEC and CAA to forbid all but specific authorized cert issuance. But with DANE, control of the IP gets them nothing because the key is pinned.

@dalias @mwl @colin ...assuming you have full control of the DNS server I guess

@a @mwl @colin The DNS server doesn't have to be trusted either. Just the DS delegation records from the parent zone. If they're tampered with, that provides a paper trail of wrongdoing (compromised registrar).