I've finally moved my email internal to my homelab
- IMAPS and SMTP are on an internal VM
- SMTP outbound is relayed to the public VM relay server
- SMTP inbound for known domains is relayed across the WireGuard VPN to the internal SMTP server using the public SMTP listener/forwarder.
Certs are renewed each week (or attempted) and, upon renewal, copied to the mailserver over SSH using a systemd timer target. The mailserver then has a timer to copy those certs to their secure resting place on the mailhost.
Next step is NAT forwarding authoritative DNS over the tunnel into a new Knot server, and moving the Unbound cacher off the VPS and into the homelab. Once complete I can move Let's Encrypt renewals to DNS-01 style renewal with TXT records and completely internalize cert management and distribution from the lab.
Complex but fun.
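The second hop described above (the mailserver's timer moving freshly copied certs into their resting place) is where a half-copied key or a world-readable private key tends to slip in. The following is an added example, not the poster's own script, of what that timer-driven step can do: refuse incomplete PEM files, install only files whose contents actually changed, set restrictive modes, and swap files in atomically so the MTA never reads a truncated key. The staging and live directory names, the file names `fullchain.pem`/`privkey.pem` and the modes are assumptions.

```python
"""Added example: install renewed certs from a staging directory into the
live directory used by the mail daemons. Not the poster's own tooling;
paths, file names and modes are assumptions."""
import hashlib
import os
import shutil
import tempfile

# Files the renewal job drops into the staging directory (assumed names)
# and the mode each gets in its resting place.
CERT_FILES = {
    "fullchain.pem": 0o644,   # public chain may be world-readable
    "privkey.pem": 0o640,     # private key: owner plus the mail group only
}


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def _is_complete_pem(path, end_marker):
    """Cheap sanity check so a truncated copy is never installed."""
    with open(path, "rb") as fh:
        data = fh.read()
    return (data.startswith(b"-----BEGIN ")
            and end_marker in data
            and data.rstrip().endswith(b"-----"))


def install_certs(staging, dest):
    """Copy changed files from `staging` into `dest`.

    Returns the list of installed file names; an empty list means nothing
    changed and no daemon reload is needed. Raises ValueError if any staged
    file is malformed, and in that case touches nothing in `dest`, so the
    cert and key currently in use stay a matching pair."""
    os.makedirs(dest, exist_ok=True)
    # Validate every staged file before installing any of them.
    for name in CERT_FILES:
        src = os.path.join(staging, name)
        marker = b"-----END PRIVATE KEY-----" if "priv" in name else b"-----END CERTIFICATE-----"
        if not _is_complete_pem(src, marker):
            raise ValueError(f"{src} is not a complete PEM file")
    changed = []
    for name, mode in CERT_FILES.items():
        src = os.path.join(staging, name)
        dst = os.path.join(dest, name)
        if os.path.exists(dst) and _sha256(src) == _sha256(dst):
            continue                     # unchanged: leave it alone
        fd, tmp = tempfile.mkstemp(dir=dest, prefix=f".{name}.")
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            shutil.copyfileobj(inp, out)
            out.flush()
            os.fsync(out.fileno())       # data on disk before the rename
        os.chmod(tmp, mode)              # mode set before the file becomes visible
        os.replace(tmp, dst)             # atomic: readers see old or new, never half
        changed.append(name)
    return changed


def demo():
    """Run the installer against constructed PEM files in a temp dir."""
    root = tempfile.mkdtemp()
    staging, dest = os.path.join(root, "staging"), os.path.join(root, "live")
    os.makedirs(staging)
    # Constructed placeholder PEM bodies, not real key material.
    cert = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
    key = b"-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n"
    with open(os.path.join(staging, "fullchain.pem"), "wb") as fh:
        fh.write(cert)
    with open(os.path.join(staging, "privkey.pem"), "wb") as fh:
        fh.write(key)
    first = install_certs(staging, dest)      # both files new
    second = install_certs(staging, dest)     # nothing changed
    with open(os.path.join(staging, "fullchain.pem"), "wb") as fh:
        fh.write(cert.replace(b"MIIB", b"MIIC"))  # simulated renewal, same key
    third = install_certs(staging, dest)
    key_mode = oct(os.stat(os.path.join(dest, "privkey.pem")).st_mode & 0o777)
    with open(os.path.join(staging, "privkey.pem"), "wb") as fh:
        fh.write(key[:40])                    # truncated copy must be rejected
    try:
        install_certs(staging, dest)
        rejected = False
    except ValueError:
        rejected = True
    live_key_intact = _sha256(os.path.join(dest, "privkey.pem")) == hashlib.sha256(key).hexdigest()
    shutil.rmtree(root)
    return {"first": first, "second": second, "third": third,
            "key_mode": key_mode, "rejected": rejected, "live_key_intact": live_key_intact}


if __name__ == "__main__":
    print(demo())
```

The return value of `install_certs` is what the timer's service unit would branch on: reload the IMAP and SMTP daemons only when the list is non-empty, and alert when it raises, since a renewal that produced a bad copy should never be silent.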
@Nimbius666 But how are you going to get GMail and friends to not treat messages from you as spam?
@tk awesome question
- check senderbase and RBL sites for your public VPS IP. Do some reputation management if need be. This is a public IP, and you're its responsible maintainer.
- nobody likes a spooky bando... be a good neighbor and mow your lawn. Add SPF records to your DNS, add OpenDKIM processing and OpenDMARC processing using milters to your email. Offer strong ECC crypto for all your SMTP traffic. Provide reverse DNS for everything.
- tighten your SPF policy when you're comfortable doing so.
- Consider creating looking glass accounts on the big 3 to periodically test the traffic. Challenge Yahoo's often capricious blocks. Remember, the big 3 block anyone who isn't the big 3, so be prepared to see some 421s in the logs and monitor for 500s to investigate rolling shitlisting from Outlook.
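"Tighten your SPF policy when you're comfortable" is the move from `~all` (softfail) to `-all` (fail), and it is worth seeing exactly what a receiver computes for each. The block below is an added example, not anything from the reply above: a small SPF evaluator for the `ip4`, `ip6`, `include` and `all` mechanisms, with `include` resolved from a supplied dictionary that stands in for DNS so it runs offline. The domain names, IP addresses and records in `demo()` are constructed; mechanisms that need live DNS (`a`, `mx`, `ptr`, `exists`) and modifiers such as `redirect=` are deliberately out of scope and reported as `permerror` or skipped, which an evaluator for real mail must not do.

```python
"""Added example: a reduced SPF evaluator (RFC 7208 subset) to show what
~all versus -all means for a relay IP and for a stranger. Not the poster's
code; all names and addresses are constructed."""
import ipaddress

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 caps DNS-querying mechanisms at 10


def _parse_term(term):
    """Split 'qualifier mechanism:argument'; the default qualifier is '+'."""
    qualifier = "+"
    if term[0] in QUALIFIER_RESULT:
        qualifier, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    return qualifier, name.lower(), arg


def check_spf(sender_ip, record, records=None, depth=0):
    """Evaluate the SPF TXT string `record` for `sender_ip`.

    `records` maps a domain to its SPF record and is consulted for
    include: terms in place of a DNS lookup. Returns one of
    pass / fail / softfail / neutral / none / permerror."""
    records = records or {}
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:
            continue                       # modifiers (redirect=, exp=) not handled here
        qualifier, name, arg = _parse_term(term)
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed record
            matched = ip.version == net.version and ip in net
        elif name == "include":
            if arg not in records:
                return "permerror"         # unresolvable include is a permanent error
            # An include matches only when the referenced policy says pass;
            # its fail/softfail/neutral simply mean "no match here".
            matched = check_spf(sender_ip, records[arg], records, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"             # a, mx, ptr, exists need live DNS: out of scope
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                       # no mechanism matched and no 'all' present


def demo():
    """Constructed records: a domain whose only sender is a relay VPS."""
    records = {"_spf.relay.example": "v=spf1 ip4:203.0.113.7 -all"}  # constructed
    loose = "v=spf1 include:_spf.relay.example ~all"    # before tightening
    strict = "v=spf1 include:_spf.relay.example -all"   # after tightening
    return {
        "relay_loose": check_spf("203.0.113.7", loose, records),
        "relay_strict": check_spf("203.0.113.7", strict, records),
        "stranger_loose": check_spf("198.51.100.9", loose, records),
        "stranger_strict": check_spf("198.51.100.9", strict, records),
        "v6_strict": check_spf("2001:db8::1", "v=spf1 ip6:2001:db8::/32 -all"),
        "no_record": check_spf("198.51.100.9", "some unrelated txt"),
        "dangling": check_spf("198.51.100.9", "v=spf1 include:missing.example -all", records),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16s} {result}")
```

The `dangling` case is the one to watch when moving the authoritative DNS in-house: an `include:` that stops resolving turns the whole policy into `permerror`, which many receivers treat no better than a fail, so the relay's own record should be checked alongside the domain's after each DNS change.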