Date: Mon, 1 Mar 2021 16:56:52 -0700 From: "Russell L. Carter" <rcarter@pinyon.org> To: freebsd-questions@freebsd.org Subject: Re: Totally OT comment: Re: Somewhat OT: Mail Relay Services Message-ID: <5b1d0cdf-65c8-19bd-1d3f-0a3ff2922d1f@pinyon.org> In-Reply-To: <8dc26e45-355a-dadd-0309-02dda1da3d87@tundraware.com> References: <877d08ef-d533-69f6-4c44-f2cbbe39ba31@tundraware.com> <3926E240-2226-4E94-96E2-10A877B139D0@kicp.uchicago.edu> <3dac8dd5-7751-1823-3cfc-45172cd77b64@FreeBSD.org> <2edd9853-3af7-c0b8-7118-329d8af346be@kicp.uchicago.edu> <8dc26e45-355a-dadd-0309-02dda1da3d87@tundraware.com>
On 3/1/21 10:41 AM, Tim Daneliuk via freebsd-questions wrote:
[...]
> email is always going to be a 'postcard' - anyone along the delivery chain can peek inside
> the envelope if they really want to. Even if - as I have done - you host your own domain
> on a cloud provider, or even a physical server in your premise - the moment the mail goes into
> flight, someone, somewhere is logging it with the potential ability to harvest it.
>
> The question, though, is who is more able to make use of your content? A mail relay company
> of relatively small size, or Google with its billions and advanced tech?
>
> Even when I ran my own mail services at a static IP I controlled, it was a losing
> game. When there were reputation questions, trying to get any of the blackholing
> services to pay attention was a major pain. Some of the smaller ISPs were
> equally disinterested because SPAM management was just overwhelming them.
>
> So, for now, I've settled on a compromise - I will run our own email servers and the policies
> around them will be under our own control. But for purposes of external delivery, I am
> now using a 3rd party so that the reputation issues (and resolution) accrue to them.
> We'll see how this works.
>
> P.S. This did force me to get off my lazy butt and finally get DKIM and DMARC properly
> configured ...

I've been thinking this through some more. I'm going to use DuoCircle outbound SMTP, but I have site-local mail users for two of my domains, and I'm a little icked out to have to run local mail through yet another evilcorp. So I'm provisionally going to have the local postfix instances SMTP relay to a cloud postfix instance I manage. The same cloud server will host my dovecot and rspamd infra, so I can deliver internal mail to my domains myself. Everything else outbound is to be relayed to DuoCircle on a non-standard port. Similarly, everything from my domain-local postfix is relayed to my cloud postfix server on a non-standard port.

Then my local IMAPS clients just talk to my cloud dovecot server, instead of the current local one. That keeps everything domain-local under my control and theoretically encrypted. Roamers talk encrypted to my cloud postfix instance too, and to my cloud dovecot instance.

Now that wireguard is in the kernel I'm gearing up to set up a couple of geographically diverse VPN hosts for my roamers. Of course each will run the mail infra.

This has all been an inchoate mess in my head for a couple of years, and this discussion caused it to coalesce, many thanks!

Anybody see any gaping holes?

Well, there is one hole: redundancy and/or backup. I generally just KISS: two different hosts, near-identical configurations rsync'd on modification, one the primary MX and the other secondary. I've got dovecot replication running but I'm unsure how useful it is.

There wouldn't be some sort of discussion group, like an old-style email list, where these things are routinely discussed, maybe? People are probably weary of all this mail nonsense in -questions.

Russell
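The relay topology Russell describes (site-local Postfix relays everything to a self-managed cloud Postfix on a non-standard port; the cloud instance delivers the two internal domains to Dovecot itself and relays everything else to DuoCircle) can be expressed as a small set of Postfix settings. The fragment below is an added illustration, not configuration from the thread or from any of the projects named in it. Hostnames (mx-cloud.example.org, the DuoCircle relay name), ports (2525 for the site-to-cloud hop, 2525 again for DuoCircle), domain names, FreeBSD paths under /usr/local/etc/postfix and the SASL credentials are all placeholders to be replaced with real values; the rspamd milter port 11332 and the Dovecot LMTP socket path are the respective projects' usual defaults.

```conf
# ---------------------------------------------------------------
# (1) Site-local Postfix, /usr/local/etc/postfix/main.cf
#     Send *everything* to the cloud relay; never deliver directly.
# ---------------------------------------------------------------
relayhost = [mx-cloud.example.org]:2525          # placeholder host/port
# 'secure' = TLS required AND the relay's certificate must match the
# nexthop name above. 'encrypt' alone would accept any certificate.
smtp_tls_security_level = secure
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
# Only accept submissions from the LAN; this box is not a public MX.
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8, [::1]/128

# /usr/local/etc/postfix/sasl_passwd  (then: postmap hash:sasl_passwd)
#   [mx-cloud.example.org]:2525  sitelocal:REPLACE-WITH-REAL-SECRET

# ---------------------------------------------------------------
# (2) Cloud Postfix, /usr/local/etc/postfix/main.cf
#     Local domains go to Dovecot over LMTP; all else to DuoCircle.
# ---------------------------------------------------------------
myhostname = mx-cloud.example.org
mydestination = example.org, example.net         # the two internal domains
mailbox_transport = lmtp:unix:private/dovecot-lmtp
relayhost = [smtp-relay.duocircle.example]:2525  # placeholder; use DuoCircle's real host/port
smtp_tls_security_level = secure
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
# Authenticate site relays and roamers against Dovecot's SASL socket.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /usr/local/etc/ssl/mx-cloud.fullchain.pem
smtpd_tls_key_file  = /usr/local/etc/ssl/mx-cloud.key
# rspamd as a milter for both SMTP-received and locally submitted mail.
smtpd_milters = inet:127.0.0.1:11332
non_smtpd_milters = $smtpd_milters
milter_default_action = tempfail

# /usr/local/etc/postfix/master.cf (cloud), additional listener for the
# site relays on the non-standard port: TLS mandatory, SASL mandatory,
# and the only accepted relay clients are authenticated ones.
#2525 inet n - n - - smtpd
#  -o syslog_name=postfix/site-relay
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# Roamers use the standard submission port (587) with the same options.
```

Two checks worth running after applying this: `postconf -n` on each host to confirm nothing in a stale main.cf overrides the relayhost, and `openssl s_client -starttls smtp -connect mx-cloud.example.org:2525` from the site network to confirm the certificate the cloud relay presents actually matches the nexthop name, since `smtp_tls_security_level = secure` will otherwise defer every message rather than fall back to cleartext. Note that the `2525` listener must be the only path the site relays are allowed to use; leaving port 25 open to them with `permit_mynetworks` would silently bypass the SASL requirement.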
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5b1d0cdf-65c8-19bd-1d3f-0a3ff2922d1f>