Gentlemen please, no fighting in the War Room
Thank you all for the broad and plentiful feedback. I will try and come back on everything significant (to me) that was said by all participants.
1. I did not realise VPS were so cheap now. When they first became a thing I was looking at costs close to small dedicated servers; now they are definitely in territory I would consider, if not necessarily for this. I would want to keep it to UK datacentres to keep the legal context as simple as I can, but on a quick scan that doesn't leave me totally bereft of options. Good to know! But for this project I'd probably rather keep it under my roof.
2. My new ISP does not block port 25, as expected from an outfit that is still close to its business-serving heritage. (I mean, they still give you a static IP as standard on residential.) Could change down the line, I suppose.
3. They also let me define the revDNS name for my IP. However I've only got one (and I actually would feel silly having more than one IPv4 just for this purpose in this day and age, notwithstanding the extra cost). I guess that I could have multiple domains pointing their MX records at a single domain; but does that cause reputation problems for the domains that differ from the mailserver's domain?
4. I had overlooked how sending servers behave (progressively doubling retry interval up to a few days before giving up) so if I did go ahead with this, I think I'd be OK flying without a backup MX.
5. I did not actually know that DKIM is a dynamic operation (unlike SPF which just needs a properly crafted DNS entry, which I think I got right eventually). Sounds fun.
6. I absolutely don't want to have to be triaging which providers will accept mail from me. At the moment I get occasional hiccups with GG and MS, but they have always been short-lived. (It's a bit shitty when they sometimes don't even bother sending back a bounce, though.) If whatever I home-brew gets a hard pass from anyone, then that's a dealbreaker.
7. I don't think I've slept 8 hours in my life. Can't do it. I have above average leisure time demands though. Then again, if I did this, I'd consider it leisure activity.
8. b11m's well-intentioned scolding has made me a little reflective upon the risks. True, exposing port 25 should not be done lightly, and on a machine that is my household "fun" box that does all sorts of nonsense I would need to tread very carefully managing a service whose capacity for third-party harm would be significantly elevated from its current level should it be pwned. I like to think I weigh up odds vs stakes pretty accurately most of the time, but might be I've underthought it this time. I do use fail2ban, and my iptables permaban list is already groaning from its input, but if this host became signposted online in the more saliva-inducing manner that I imagine an MX record denotes, I certainly worry that it might be strained by the extra attention. SpamAssassin ditto. And I'm forced to acknowledge that my update game is not strong on this box, because, well, I'm on Gentoo.
9. The possibility that this enterprise would not improve my outgoing acceptance rate (and could potentially worsen it) does demotivate me terminally. Take that off the table and at heart I'd only be doing it out of utopian digital libertarianism and/or boredom.
I think I'm going to put a pin in this. Maybe I'll give it a go at some point with a non-critical domain; in any case all your input was much appreciated.
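Point 5 above contrasts SPF (a static TXT record the domain owner publishes) with DKIM (per-message signing). The following is an added example, not code from the original post, showing how a receiving server evaluates an SPF record against the connecting IP, which is useful for checking that a "properly crafted" record actually says what you intend before pointing MX at a home box. It uses a constructed stub table in place of live DNS TXT lookups; the domains, addresses and records in `STUB_TXT` are all made up, and `a`/`mx`/`ptr`/`exists` mechanisms are treated as unresolvable because they need real DNS.

```python
import ipaddress

# Constructed stub resolver standing in for DNS TXT lookups. Every domain,
# address and record here is invented for the example (RFC 5737/3849 ranges).
STUB_TXT = {
    "example.org": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::25 "
                   "include:relay.example.net -all",
    "relay.example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# SPF qualifier prefix -> result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:
            # Modifiers such as redirect= / exp= are not handled in this example.
            continue
        qual = "+"                      # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def check_host(ip, domain, txt=STUB_TXT, depth=0):
    """Return the SPF result for a sender at `ip` claiming MAIL FROM `domain`.

    Mechanisms are evaluated left to right; the first match decides. A record
    ending in "-all" hard-fails anything not listed, "~all" only soft-fails it.
    """
    if depth > 10:
        # RFC 7208 caps DNS-querying terms at 10; guard against include loops.
        return "permerror"
    record = txt.get(domain)
    if record is None:
        return "none"                   # domain publishes no SPF at all
    addr = ipaddress.ip_address(ip)
    for qual, mech, arg in parse_spf(record):
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed address in the record
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            # "include" matches only when the referenced record yields "pass";
            # its own -all/~all never leaks out into the including record.
            matched = check_host(ip, arg, txt, depth + 1) == "pass"
        else:
            # a / mx / ptr / exists need live DNS, which this stub cannot do.
            return "temperror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # no mechanism matched and no "all"


if __name__ == "__main__":
    for ip in ("198.51.100.25", "203.0.113.77", "2001:db8::25", "192.0.2.1"):
        print(ip, "->", check_host(ip, "example.org"))
```

Walking the constructed record: the listed IPv4 and IPv6 hosts pass directly, a host in the relay's `/24` passes through the `include`, and anything else reaches `-all` and hard-fails, even though the included record on its own would only soft-fail it. That last point is the one worth checking before going live: the relay's `~all` is not inherited by `example.org`.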