E-Mail hosting
Hosting your own email server is not for the faint of heart. While e-mail is one of the most ancient internet protocols, like DNS, it has been extended with many bits and pieces over the decades to bring it to a usable state today.
E-Mail has tons of issues, like spam, abuse and plain brute-force attacks, on top of no default encryption and limited overall security. To address most of these issues, new protocols and standards emerged over the years, like DKIM, DMARC and so on. Basic SMTP has been extended with TLS/SSL to provide wire encryption, and the ancient POP3 has largely been replaced by IMAP and even JMAP.
Preamble
Hosting an email server is not a simple task. Historically it was a matter of setting up tools like Postfix, Dovecot, OpenDKIM, OpenDMARC and SpamAssassin, interfacing them properly and fine-tuning a bunch of settings using decades-old syntax, which was overall pretty hard. Add to that you also had to understand and set up various DNS entries and deal with stuff like blacklists…
Today there are a few all-in-one solutions that greatly help you with the process and make the overall task quite enjoyable, but still hard.
The one I chose is Stalwart Mail Server, because it's an all-in-one modern solution, probably the most promising new approach in town for email hosting.
Another option is mailcow, which is a ready-made containerized solution encompassing all the above tools. While it's indeed a great tool, I find it a bit too heavy for my needs.
Where to host an email server
Simply put: do not self-host an email server on your home server. An email server must have a public IP address, and tunnels like WireGuard or any kind of port forwarding will not work.
Let me stress that again: you must host your email on a server with a public IP - do not put it behind a port forward or a tunnel.
There are many reasons, and all of them are critical:
- 90% of email security comes from IP banning, and this cannot happen behind a port forward or a tunnel, because the mail server will always see the tunnel endpoint's IP address, or the NAT address, instead of the connecting client's real IP, making the ban impossible
- E-Mail uses a lot of ports (25, 465, 993, 443, 587, 143, 4190, 110…) and while you can get rid of some, it's still a pain to forward them all and to ensure the return path is properly NAT'd
- E-Mail sending today is heavily dependent on DKIM and DMARC. You must ensure your email server's outgoing connections always go through the same IP address, because this must be defined in a DNS record. So you would need to forcibly route your outbound email traffic through your tunnel, which usually is not your home default gateway
- Tunnels and port forwards (VPN…) make GeoIP lookups of connecting email clients useless, or at least unreliable. This again is undesirable for email security reasons.
- E-Mail needs to be a reliable service. Home hosting would require setting up a secondary mail server somewhere else to cover situations in which your ISP is acting up
- I am not even considering whether any of the standard email ports can be opened toward your home at all. Residential addresses are usually blocked to prevent spam, so a VPN or tunnel would be needed even if you had a static IP address
- No, DynDNS and similar solutions would not work for email either: email delivery is a serious affair, and changing IPs would get you blacklisted in no time
- Residential IPs would, again, get you banned and blacklisted quickly by most major email providers (Gmail, Hotmail, etc.)
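The fixed-outbound-IP requirement in the list above is enforced through the domain's SPF TXT record, which lists the addresses allowed to send for it; DMARC then publishes the policy receivers apply when SPF and DKIM checks fail. The following Python script is an added example, not code from the article or from Stalwart: it checks a candidate outbound IP against a constructed SPF record and parses a constructed DMARC record, so you can confirm that the address your tunnel or gateway would actually use is the one you published.

```python
import ipaddress

# Constructed sample records (not taken from the article): the TXT records a
# self-hosted domain might publish. 203.0.113.0/24 and 2001:db8::/32 are
# documentation ranges, so nothing here points at a real host.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.10 ip6:2001:db8:10::/64 -all"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

# SPF qualifier prefixes and the result they produce when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check_ip(record, ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for one sender IP.
    Mechanisms needing live DNS (a, mx, include, redirect) are skipped, so this
    is an offline sanity check of the literal address list only."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # catch-all, ends evaluation
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare IP -> /32 or /128
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" present


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs (keys lowercased)."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


if __name__ == "__main__":
    for sender in ("203.0.113.10", "198.51.100.7", "2001:db8:10::25"):
        print(sender, "->", spf_check_ip(SAMPLE_SPF, sender))
    print("DMARC policy:", parse_dmarc(SAMPLE_DMARC)["p"])
```

Replace the constructed records with the TXT records you actually publish and the IP with the one your mail server's outbound connections leave from; a "fail" for your own address means receivers will reject or quarantine your mail.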
Is it worth it?
Probably not, since there are lots of email providers out there that, for a little money, will host email for your domain. But is it fun? Yes, so let's go and do it.