It’s a bad title, but I’m trying to figure out how to describe what I want.

First, I got my photoprism working thru cloudflare. Now, on the same domain I would like an email address.

So mysite.com gets routed to 56.654.234.12 let’s say by cloudflare such that a global user never sees my ip. But mail.mysite.com that’s different, they don’t proxy email so if you do a reverse lookup you can find the origin IP.

I heard about tunnels so I stupidly signed up for that, only to learn that a tunnel just lets you into an internal network. So an SMTP server can’t get emails from outside that way.

Ideally, somehow I could setup one user at Gmail or proton mail, then somehow setup the same or different user...user1@mysite.com and I could then use mailu, mailcow, mail docker to house my user1@mysite.com which routes mail thru Gmail or protonmail. I know all this makes little sense because I don’t know the proper way, so that’s my question for you smart people who have done this twice over. Could someone point me to the best way of setting up a local mail server that routes thru cloudflare but is not easily reverse looked up? Is that even a problem at all?

  • just_another_person@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    3 months ago

    Mail hosting is not that simple anymore. Your understanding of how it works is missing an entire world of complex issues that you need to solve outside of just hosting a mail server with an open SMTP port.

    The biggest certainty is that just having an open port for an SMTP server dangling out there means you will 100% be attacked. Not just sometimes, non-stop. So you don’t want to host on a machine with anything else on it, cuz security. So you need a dedicated host for that portion, and a very capable and restrictive intrusion detection system (let’s say crowdsec), which is going to take some amount of resources to run, and stop your machine from toppling over.

    Next, you need all your secondary record systems (SPF, DKIM, DMARC) pointing at a defined and unchanging record for your SMTP server, so you’ll need a static IP. If you don’t have that already, you’re kind of SOL.

    Next, you’ll need to be running your own peer authentication system, then a spam filtering system (of which none of them work well without massive amounts of sample data, but you can use public lists to help block known bad actors), decent file threat scanning…you see where I’m going with this. It all takes a fair amount of resources, and even more if/when you get bad actors spamming the machine all the time.

    Finally, you’ll probably want this machine completely segmented from the rest of your network, which isn’t really complicated, just costs a bit more money.

    There’s a reason why mail hosts and forwarding services cost money, and still exist. It takes a large amount of effort to be somewhat secure, or at least to best of your efforts. With the added costs associated with hosting your own mail servers, most people just avoid the hell out of it. I certainly wouldn’t recommend it.

    • farcaller@fstab.sh
      link
      fedilink
      English
      arrow-up
      0
      ·
      3 months ago

      The biggest certainty is that just having an open port for an SMTP server dangling out there means you will 100% be attacked. Not just sometimes, non-stop. So you don’t want to host on a machine with anything else on it, cuz security. So you need a dedicated host for that portion, and a very capable and restrictive intrusion detection system (let’s say crowdsec), which is going to take some amount of resources to run, and stop your machine from toppling over.

      I need to call BS on this. No one cares. I’ve been running a small go-smtp based server that would do some processing on forwarded mail for 2 years now and I don’t see much of “attacks”. Yeah, sometimes I get passersbys trying to figure if this is a mail relay, which it’s not.

      You absolutely don’t need a dedicated machine and an IDS. And you definitely need crowdsec.

      Yeah, sending mail is somewhat hard lately, but DKIM and DMARC can be figured out. Receiving mail is just straightforward.

      • just_another_person@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        arrow-down
        1
        ·
        3 months ago

        As is your want to do. I’ve run thousands of different combinations and type of SMTP related services at all stages of processing, and I’ve seen the above 100% of the time.

        You are talking about receiving mail from another forwarded entity. It’s not the same thing. You’re also proving my point, because you’re already getting your intake handled upstream, so there you go. What I said is accurate. 👍