There are quite a few articles on the web with titles along the lines of “Don’t self-host email“, most of which are pointing to the difficulties of maintaining an email server’s reputation as not being a source of spam.*
Yet, I still want to have the ability to send email from my server at least, so I’m going to skip that part of the problem by using a free Mailjet account as a mail relay for outgoing mail.
Incoming mail is a little trickier. I really don’t want my home network’s external IP address listed as a mail server, since that would make it a target for attack. So, clearly I need an external host to be the public face that forwards mail to my server on an obscured port that is only open to that external host.
There’s a really detailed ars.technica article that describes a good system config. Unfortunately, it seems pricing models may have changed somewhat since the article was written, as they claim an Amazon Web Services EC2 instance for free, which you can do, but only for a year. I wasn’t entirely happy with the idea of paying for my EC2 instance after a year, so I managed to discover that Google Cloud Services will give you one month’s worth of F1 micro Server for free, so I’m going with that. I will have to pay somewhere under $5 a month for an external IP address, though. Funny thing with these cloud providers, there’s all sorts of extra costs that get tacked on before you can just use a specific feature.
Process stack
- My DNS provider points my domains’ mx records to my external MTA F1 instance
- Emails come in from various sources to the external MTA.
- External MTA (postfix) uses Spamassassin or rspamd combined with a few simple rules to filter spam early. This isn’t going to be a particularly critical initially. Simply filtering on valid email recipients will avoid most spam while these email addresses are not actually being used.
- I’ve also seen one system described that maintained whitelists automatically using a list of approved email senders in combination with an auto-reply that sends a code to the sender asking them to confirm that they really wanted to send an email to the recipient, then looks for that code the next time an email comes in from that address and if it matches, add to the whitelist. I’d like to implement a system like that, but it does need to exclude mailing lists.
- External MTA then forwards mail to my home server on a specified port (not the default SMTP port 25) using secure connection.
- That port is configured in my router to port-forward to my server only when the source is the external MTA
- My home server runs an MTA (postfix) as well, which may do some slower spam filtering analysis, then stores emails in local files.
- Then a Dovecot service makes these local mail files available to IMAP clients. and routes sent mail back to the postfix MTA for external delivery
- postfix sends external mail to Mailjet according to account config, from where it is distributed to other mail servers using Mailjet’s MX reputation
Order of config is to start with Dovecot, then move back through the chain until the external MTA is functioning, at which point I can activate Mailjet and set up the outgoing mail.
*- Yes, I realise all these articles are actually not telling you not to self-host an email server, exactly.