email [2025/03/04 07:32] – willy
====== E-Mail Concepts ======

While e-mail is, like DNS, one of the oldest internet protocols, many pieces have been bolted onto it over the decades to bring it to the usable state it is in today.

E-Mail has plenty of issues: spam, abuse and plain brute-force attacks, on top of no encryption by default and limited overall security. To address most of them, new protocols and standards emerged over the years: SPF (which IP addresses may send mail for a domain, published in DNS), DKIM (a cryptographic signature on each message, verified against a public key in DNS) and DMARC (a policy tying the SPF and DKIM results to the From: header domain, with failure reporting). Basic SMTP gained TLS (STARTTLS on ports 25 and 587, implicit TLS on 465) for wire encryption, and the ancient POP3 is nowadays replaced by IMAP and even JMAP.
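As an added example (not part of the original page), here is how a receiving MTA combines the three records just mentioned. It uses TXT records constructed inline for the documentation domains example.org and example.net instead of live DNS lookups, implements only the SPF mechanisms a small self-hosted record needs (ip4, ip6, all), and takes the DKIM verification result as an input rather than checking the signature itself; every name and address in it is an assumption for the demonstration.

```python
import ipaddress
from typing import Dict, Optional

# Constructed TXT records, keyed by the name a receiving MTA would query.
# Domains and addresses are documentation values (RFC 2606 / RFC 5737 / RFC 3849),
# not real infrastructure.
DNS_TXT: Dict[str, str] = {
    # SPF: only this IPv4 host and this IPv6 /48 may send for example.org
    "example.org": "v=spf1 ip4:203.0.113.10 ip6:2001:db8:1::/48 -all",
    # DMARC: reject on failure, strict alignment for both SPF and DKIM
    "_dmarc.example.org": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org; adkim=s; aspf=s",
    # A subdomain with its own SPF record, used to show strict alignment failing
    "mail.example.org": "v=spf1 ip4:203.0.113.10 -all",
    # A second domain with softfail SPF, a quarantine policy and the relaxed
    # alignment DMARC defaults to when adkim/aspf are absent
    "example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
    "bounce.example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_dmarc.example.net": "v=DMARC1; p=quarantine",
}

SPF_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name: str) -> Optional[str]:
    """Stand-in for a DNS TXT query; None where a real resolver would get NXDOMAIN."""
    return DNS_TXT.get(name)


def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax used by DMARC (and DKIM) records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_spf(client_ip: str, mailfrom_domain: str) -> str:
    """Evaluate the connecting IP against the MAIL FROM domain's SPF record.

    Handles the ip4/ip6/all mechanisms with the four qualifiers, which is all a
    small self-hosted record needs; include:, a:, mx: and redirect= are left out.
    Returns one of: none, pass, fail, softfail, neutral.
    """
    record = lookup_txt(mailfrom_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULTS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return SPF_RESULTS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if ip.version == network.version and ip in network:
                return SPF_RESULTS[qualifier]
    return "neutral"  # RFC 7208: no match and no 'all' defaults to neutral


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels
    (real implementations consult the Public Suffix List)."""
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(client_ip: str, mailfrom_domain: str, from_header_domain: str,
                      dkim_signing_domain: Optional[str] = None) -> str:
    """Combine SPF with an already cryptographically verified DKIM signing
    domain (if any) into the action a DMARC-enforcing receiver takes.

    Returns 'no-policy' when the From: domain publishes no DMARC record (a real
    receiver would also try the organizational domain's record), 'accept' when
    an aligned identifier passed or p=none, else the published p= action.
    """
    policy = lookup_txt(f"_dmarc.{from_header_domain}")
    if policy is None or not policy.startswith("v=DMARC1"):
        return "no-policy"
    tags = parse_tags(policy)
    spf_aligned = (check_spf(client_ip, mailfrom_domain) == "pass"
                   and aligned(mailfrom_domain, from_header_domain, tags.get("aspf", "r")))
    dkim_aligned = (dkim_signing_domain is not None
                    and aligned(dkim_signing_domain, from_header_domain, tags.get("adkim", "r")))
    if spf_aligned or dkim_aligned:
        return "accept"
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[tags.get("p", "none")]
```

The point to take from it: a message from an address outside the SPF record is rejected by example.org's policy even though the envelope and header domains match, a valid DKIM signature from example.org rescues it, and with aspf=s a pass for mail.example.org does not count for a From: header of example.org. Whatever server you end up with must therefore send from exactly the address in the SPF record and sign with the domain in the From: header.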


===== Preamble =====

Hosting an email server is **not** a simple task. Historically it was a matter of setting up tools like [[http://

One important detail: you **need** to host an email server on a real public and static IP address. No dynamic IP or port forwarding will really work properly. I will show you how to host your email server on your //external server//. A separate question is how to forward emails generated by your //home server// to that external server; it is described [[email:

===== The available solutions =====

While today there are a few all-in-one solutions that could greatly help you with the process, I couldn'

I tried the [[services:

I also tried [[https://

If I have to use Postfix and Dovecot today, then I can go back to how I hosted my mail for the last 20+ years and do it manually once again.

So, my solution is to implement the mail stack with the good old tools, and I will show it in the following pages.


===== Where to host an email server =====

Simply put: **do not self-host an email server on your home server**. An email server **must have a public IP address**, and tunnels like WireGuard or any kind of port forwarding **will not work**.

Let me stress that again: **you must host your email on a server with a public IP - do not put it behind a port forward or a tunnel**.

There are many reasons, and all of them are critical:
  * The bulk of practical e-mail security comes from banning abusive IP addresses (fail2ban and friends), and this cannot happen behind a port forward or a tunnel: the mail server always sees the //tunnel// endpoint or the //NAT// address instead of the connecting client's, so a ban is either impossible or locks out every client at once
  * E-Mail uses a lot of ports (25 SMTP, 587 submission, 465 submission over implicit TLS, 143/993 IMAP, 110 POP3, 4190 ManageSieve, 443 webmail...) and while you can get rid of some, it is still a pain to forward them all and make sure the return path is properly NAT'd
  * E-Mail delivery today depends heavily on SPF, DKIM and DMARC. Your server's outgoing connections must always leave from the same IP address, because SPF publishes that address in a DNS record (and DMARC fails when neither SPF nor DKIM aligns with the From: domain). So you would have to force your **outbound** mail traffic through the tunnel, which usually is not your home default gateway, and the reverse DNS of that address must match your server's hostname
  * Tunnels and port forwarding (VPNs and the like) make GeoIP lookups on connecting clients useless, or at least unreliable, for the same reason: every client appears to come from the tunnel endpoint. Again, not desirable for e-mail security
  * E-Mail needs to be a reliable service. Home hosting would require setting up a secondary mail server somewhere else to cover for the times your ISP is acting up
  * I am not even assuming the standard e-mail ports can be opened toward your home: ISPs commonly block port 25 on residential lines to curb spam, so a VPN or tunnel would be needed even with a static IP address
  * No, DynDNS and similar solutions will not work for e-mail: delivery is a serious affair, and a changing IP (whose SPF record and reverse DNS can never be kept in sync) gets you blacklisted in no time
  * Residential IP ranges are already on policy blocklists (Spamhaus PBL being the best known) used by most major providers (Gmail, Hotmail, etc.), so mail from them is rejected or lands in spam no matter how well the server is configured
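As an added example (not from the original page), the following Python simulates the first point above: a fail2ban-style counter over Postfix smtpd authentication failures, run once with the clients' real addresses and once with every connection arriving from a single tunnel endpoint. The events, the queue ID and the addresses are constructed for the demonstration (the tunnel address 10.8.0.1 is an assumption), although the line format is the one Postfix actually logs.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Matches the line Postfix logs for a failed SMTP AUTH attempt and captures the
# client address in brackets, the only thing a banning tool has to go on.
SASL_FAILURE = re.compile(
    r"warning: [\w.-]+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed")

# Constructed events (client address, outcome): one password sprayer on
# 198.51.100.23 and two legitimate users who each mistyped a password once.
EVENTS: List[Tuple[str, str]] = (
    [("198.51.100.23", "fail")] * 6
    + [("203.0.113.40", "fail"), ("203.0.113.40", "ok"),
       ("203.0.113.41", "fail"), ("203.0.113.41", "ok")]
)


def render_log(events: List[Tuple[str, str]], seen_as: Optional[str] = None) -> List[str]:
    """Render the events as Postfix smtpd log lines.

    With seen_as set, every line carries that one address instead of the
    client's own: this is what the MTA logs when all connections arrive through
    a tunnel endpoint or a NAT port forward that does not pass the original
    source address through.
    """
    lines = []
    for i, (client, outcome) in enumerate(events):
        addr = seen_as or client
        if outcome == "fail":
            lines.append(f"Mar  4 07:32:{i:02d} mx postfix/smtpd[1201]: warning: "
                         f"unknown[{addr}]: SASL LOGIN authentication failed: UGFzc3dvcmQ6")
        else:
            # 4F2A1B3C7D is a made-up queue ID in Postfix's format
            lines.append(f"Mar  4 07:32:{i:02d} mx postfix/smtpd[1201]: 4F2A1B3C7D: "
                         f"client=unknown[{addr}], sasl_method=LOGIN, sasl_username=user")
    return lines


def failures_per_ip(log_lines: List[str]) -> Dict[str, int]:
    """Count SASL authentication failures per client address, fail2ban style."""
    counts: Counter = Counter()
    for line in log_lines:
        match = SASL_FAILURE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return dict(counts)


def ban_list(log_lines: List[str], maxretry: int = 5) -> List[str]:
    """Addresses that reached the failure threshold and would be banned."""
    return sorted(ip for ip, n in failures_per_ip(log_lines).items() if n >= maxretry)


def locked_out_by_ban(events: List[Tuple[str, str]], seen_as: str, maxretry: int = 5) -> List[str]:
    """Clients cut off when the shared address is banned: all of them, as soon
    as the attacker alone pushes that address over the threshold."""
    if seen_as not in ban_list(render_log(events, seen_as), maxretry):
        return []
    return sorted({client for client, _ in events})
```

With real addresses only the sprayer reaches the threshold and the two users with a single typo are untouched. Behind the tunnel the only address that ever reaches it is the tunnel endpoint, which stands for every client at once, so in practice nobody gets banned and the sprayer runs unhindered. The one way around this is a tunnel endpoint that forwards the original source address with the HAProxy PROXY protocol, which Postfix and Dovecot can both accept; that removes this particular problem but none of the others in the list.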


===== Is it worth it? =====

Probably not, since there are lots of email providers out there that, for a little money, will host email for your domain. But is it fun? Yes, so let's go and do it.


===== Sources =====

Everything in the following pages is directly taken (and adjusted to my liking) from [[https://

The main changes from the wiki pages are using SQLite3 instead of MySQL / PostgreSQL, which is perfectly fine for a few users as in my case, and a different folder & permission layout.

In addition, since the wiki page is a bit outdated, I am also following the great resources from PostfixAdmin [[https://


===== Architecture =====

I will show you how to install and interconnect:
  * [[https://
  * [[https://
  * NGINX + PHP-FPM for web access (admin console + webmail)
  * [[https://
  * Roundcube
  * OpenDKIM
  * OpenDMARC
  * SpamAssassin



(diagram to be added: Postfix, Dovecot, LMTP, SMTP, etc.)