
I want to run an email server for myself (I'm leaning towards postfix), but I need it to look something like this:

[MUA] <-> [Home MTA] <--> [External MTA]

The Home MTA sits on a virtualization server at my home, and only accepts mail from the external MTA (through its config but also firewall). The external MTA only accepts email for my domain, has DKIM/SPF, and (initially, anyway) isn't going to be delivering email to anyone except my home MTA.

I think if I do this right, that should prevent me from being blacklisted and also from doxxing my home IP, as that won't be the MTA listed in my domain's MX records. I think of this almost like a bastion or jump server, but for mail instead of ssh.

  1. is this possible to do?
  2. what else should I be thinking about? e.g. I found a page talking about preventing backscatter email, which hadn't occurred to me.
  3. I'm assuming the MTA-to-MTA can be encrypted and authenticated. Is that SASL?
  4. Is there a term for this type of setup so I can find a basic config and go from there? E.g. is this called smart-relay with a satellite or something?

EDIT: I think I would want to disable SMTP in favour of SMTPS, and configure postfix not to accept outbound email from an unauthenticated user. That prevents spammers from using my MTA to get mail out, right? If that’s the case why is it still generally recommended not to run your own mail server due to having to deal with all the spam?

  • I have voted to close this because it is basically a request for a how-to. Also, it is effectively several questions with no real focus on anything in particular. It would be better to do research and make an attempt at putting something together and then ask a question on something that is giving trouble. Commented Jan 13 at 1:17
  • I disagree. At this point I don't know where to begin, largely because I don't want to experimentally put a server on the internet that will immediately cause harm (by e.g. being an open relay, and that's just one risk that I know about. What about the things I don't know about?). Would you really prefer me to break this up into a series of separate posts that essentially ask the same thing? Commented Jan 13 at 2:04
  • You just admitted yourself that it is several questions and that you are effectively asking for a how-to. You can begin by creating a test system that isn't open to the internet and then asking a question on what isn't functioning. Commented Jan 13 at 2:24
  • I'm not disputing that I could break my post out into multiple separate questions if push came to shove. I bet a good portion of the questions on this site could. In fact I have a numbered list of separate questions. Sometimes questions lumped together make sense as a single post. I checked the meta and I don't believe there's anything here that violates any rules or guidelines. I'm also not asking for a how-to, I'm asking for an expert to help cut through some of the clutter so that I have a sense of where to start. I'm not going to argue with you about it, you made your point. I disagree. Commented Jan 13 at 3:39
  • You came to a public forum where anyone can read and reply. There's no need to take it so personally. It's up to you, but helping you out is more viable if you make an effort and let people know where you are going wrong than asking several questions and having to sort through each of them to figure out where you are. Good luck. Commented Jan 13 at 22:42

1 Answer

is this possible to do?

Yes, multi-hop delivery is part of the original design for SMTP. It's not any different from having a backup MX, or using mail forwarding. Email comes from an era when many other networks existed alongside the Internet, and you often had to use email gateways to get from one place to another.

and also from doxxing my home IP, as that won't be the MTA listed in my domain's MX records.

Each MTA adds a Received: line indicating where it received the message from. Most likely it'll have more than just that. Send a few test mails (to a different domain, e.g. to Gmail) and make sure to check the full headers. Some MTAs can be configured to remove 'Received:' headers, though if I remember correctly, they are also part of SMTP's loop prevention mechanism.

I'm assuming the MTA-to-MTA can be encrypted and authenticated. Is that SASL?

MTA-to-MTA connections normally use TLS for encryption. Standard mail exchange on port 25 uses STARTTLS in the "hope for the best" mode, but you can usually configure your MTAs to make STARTTLS mandatory for certain destinations or to use a "TLS-only" (SMTPS) port.

(Though you're free to use any other encryption mechanism, e.g. plain SMTP over IPsec, or over a WireGuard tunnel... or something else entirely, like UUCP over SSH.)

As far as SMTP is concerned, SASL is only an authentication framework. Yes, technically it could provide encryption, but SMTP does not use that feature.

(Indeed very few protocols do; LDAP being one of them. One reason is that the encryption capability of SASL is only available with certain SASL mechanisms – e.g. 'GSSAPI' with Kerberos is able to produce an encryption key, but 'PLAIN' with a basic password cannot do that.)

As with TLS, you can use any authentication you like – you can require SASL, or use TLS client certificates, or IP-based authentication (especially with VPNs).

Is there a term for this type of setup so I can find a basic config and go from there? E.g. is this called smart-relay with a satellite or something?

Broadly, SMTP just calls it 'relaying'. Sending mail outbound in this way (i.e. relying on a single proxy/jumphost server for all outbound delivery logic) is commonly called "smart host" or similar, but it is not an official term as far as I know.

On the client side use the Postfix relayhost option to direct all mail through a single server; on the server side use transport_maps to direct mail for your own domain through a specific system (overriding MX records).

(There are many examples for configuring Postfix as e.g. a "smarthost" client for Gmail, which could be adapted to any other SMTP MTA that accepts TLS and password authentication. But usually such examples don't cover inbound mail at all.)
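As an added illustration of the relayhost / transport_maps split described above (this is not configuration from the answer or from the Postfix project, and every hostname, address, port and file path in it is an assumption: mx.example.com as the public MX, home-mta.example.net reachable on port 2525 with 203.0.113.10 as the external MTA's address, Let's Encrypt certificate paths, and Dovecot as the SASL backend on the external MTA), here is what the two Postfix main.cf files could look like for the bastion-style layout in the question:

```ini
# ---- External MTA (public MX on a VPS): /etc/postfix/main.cf ----
myhostname = mx.example.com
mydestination =
# Accept inbound mail only for our own domain; anything else is rejected
# with "relay access denied", so the box is never an open relay.
relay_domains = example.com
smtpd_relay_restrictions = reject_unauth_destination
# Knowing the valid mailboxes lets Postfix reject unknown recipients during
# the SMTP session instead of accepting and bouncing them later (backscatter).
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# Route our domain to the home MTA, overriding MX lookups.
transport_maps = hash:/etc/postfix/transport
# Toward the home MTA, TLS is mandatory and the certificate must match.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Opportunistic TLS on port 25 for other MTAs (assumed certificate paths).
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mx.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mx.example.com/privkey.pem
# SASL backend for the home MTA's outbound relay (assumes Dovecot provides it);
# it is only switched on for the submission service in master.cf.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_auth_only = yes

# /etc/postfix/transport          (then: postmap /etc/postfix/transport)
#   example.com    smtp:[home-mta.example.net]:2525
# /etc/postfix/tls_policy         (then: postmap /etc/postfix/tls_policy)
#   [home-mta.example.net]:2525   secure match=home-mta.example.net
# /etc/postfix/relay_recipients   (then: postmap /etc/postfix/relay_recipients)
#   alice@example.com        OK
#   postmaster@example.com   OK

# ---- External MTA: /etc/postfix/master.cf (submission on port 587) ----
# submission inet n       -       y       -       -       smtpd
#   -o smtpd_tls_security_level=encrypt
#   -o smtpd_sasl_auth_enable=yes
#   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#   # optional: drop the home MTA's Received: line so recipients never see it
#   -o cleanup_service_name=subcleanup
# subcleanup unix n       -       y       -       0       cleanup
#   -o header_checks=regexp:/etc/postfix/submission_header_checks
# /etc/postfix/submission_header_checks:
#   /^Received: from home-mta\.example\.net /   IGNORE

# ---- Home MTA (behind the home firewall): /etc/postfix/main.cf ----
myhostname = home-mta.example.net
mydestination = example.com
# Every outbound message goes through the external MTA; never deliver directly.
relayhost = [mx.example.com]:587
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Inbound: only the external MTA may connect (the firewall enforces the same).
mynetworks = 127.0.0.0/8 [::1]/128 203.0.113.10/32
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/letsencrypt/live/home-mta.example.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/home-mta.example.net/privkey.pem

# /etc/postfix/sasl_passwd        (then: postmap it and chmod 600 both files)
#   [mx.example.com]:587   homerelay:REPLACE_WITH_SECRET
# /etc/postfix/master.cf: listen on the forwarded port instead of 25
# 2525       inet n       -       y       -       -       smtpd
```

The external side uses a per-destination TLS policy (`secure` plus a name match) rather than a global `smtp_tls_security_level = secure`, so that later outbound delivery to arbitrary MX hosts still works with opportunistic TLS; the home side can use `secure` globally because the external MTA is its only destination. Submission from the MUA to the home MTA is a separate service and is not shown here.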

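To put the "send a few test mails and check the full headers" advice into practice, here is an added Python example (not code from the answer) that walks the Received: chain of a message as a recipient sees it and reports which hops expose a private LAN address or an address from your home network. The message, hostnames (home-mta.example.net, mx.example.com, mx.recipient.example) and addresses are constructed sample data, not a real capture:

```python
"""Inspect the Received: chain of a test message to see which hosts and
addresses the relay path exposes to the recipient."""
import email
import ipaddress
import re

# Constructed sample (not a real capture): roughly what a recipient's mail
# server would show for a message that went MUA -> home MTA -> external MTA.
SAMPLE_RAW = """\
Received: from mx.example.com (mx.example.com. [203.0.113.10])
        by mx.recipient.example with ESMTPS id abc123
        for <friend@example.org>; Tue, 13 Jan 2026 10:00:03 +0000
Received: from home-mta.example.net (unknown [198.51.100.77])
        by mx.example.com (Postfix) with ESMTPSA id 4F1A2
        for <friend@example.org>; Tue, 13 Jan 2026 10:00:02 +0000
Received: from desktop.lan (desktop.lan [192.168.1.20])
        by home-mta.example.net (Postfix) with ESMTPSA id 9C0B1
        for <friend@example.org>; Tue, 13 Jan 2026 10:00:01 +0000
From: me@example.com
To: friend@example.org
Subject: relay test

hello
"""

# "from <host> (<comment containing [ip]>) by <host> ..."; IPv6 literals
# appear as [IPv6:2001:db8::1].
HOP_RE = re.compile(r"\bfrom\s+(\S+)\s+(.*?)\s*\bby\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# RFC 1918 and IPv6 ULA ranges: an address from these in a header tells the
# recipient about your internal network layout.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def received_hops(raw):
    """Return the hops oldest-first as (from_host, from_ip_or_None, by_host).

    Each MTA prepends its own Received: line, so the order in the message is
    newest-first; reversing it gives the path the message actually took."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())        # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue                          # e.g. "Received: by ..." local hand-off
        ip_m = IP_RE.search(m.group(2))
        hops.append((m.group(1), ip_m.group(1) if ip_m else None, m.group(3)))
    return hops


def exposed_hops(raw, home_networks):
    """Hops whose source address is private or falls inside one of the given
    home networks (e.g. your public home IP as a /32): everything listed here
    is what a recipient learns about your home setup from the headers."""
    nets = PRIVATE_NETS + [ipaddress.ip_network(n) for n in home_networks]
    found = []
    for index, (from_host, ip, _by) in enumerate(received_hops(raw)):
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):   # version mismatch is simply False
            found.append((index, from_host, ip))
    return found


def path_matches(raw, expected_by_hosts):
    """True if the receiving ('by') hosts appear in exactly the expected order,
    i.e. the message really went through the relay and not straight out."""
    return [by for _f, _ip, by in received_hops(raw)] == list(expected_by_hosts)


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_RAW):
        print(hop)
    print("exposed:", exposed_hops(SAMPLE_RAW, ["198.51.100.77/32"]))
```

Run it against the raw source of a message you sent to an outside mailbox and pass your current public home address as the home network; if the home MTA's hop shows up in `exposed_hops`, the relay is working but the header trail still reveals the home side, which is the case the answer warns about.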