Relaying Mail From Home (Without Being an Open Relay)

My residential ISP won't allow connections to port 25. Unfortunately I have various boxes and devices which expect to be able to do things like
# mailx -s "tentacle hentai conversion failed!" [email protected] < /tmp/pr0n.log
(Some devices do allow for Gmail authentication (e.g., Synology) but I would like easy email from shell).
So what I've set up is the following...wondering if there is a better way:
all home hosts run postfix and are configured to relay mail to one specific VPS on the net
that host (running postfix) looks up my home IP every few minutes and updates its iptables to block connections to port 25/587 from anywhere except that IP. (I'm using afraid.org for dyndns but I could just as easily have a box at home forward the info).
So far it works: I get my mail, and I'm not an open relay. I did try some other things:
my_networks in postfix. This didn't work (had 20K in my mail queue in a few hours and google hated me) but it may have been pilot error. I do relay for gmail.com (since I have gmail.com email addresses) so it's possible that the relay was accepted on that basis but I didn't spend time debugging because my priority was getting off Google's spammer list.
opensmtpd and postfix with SASL auth, etc. I found this tedious to setup and debug, and the only point for the auth was to prevent open relay.
On the one hand, I'd think it'd be better to simply block the IP packets rather than let the mail engine engage and determine relay permissions, burning CPU. OTOH I send maybe 10 emails a day at most so this really doesn't matter :-)
Just wondering if there's a better way, excelsior, etc.
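The gateway side of the setup above (resolve the home host's dyndns name, then allow only that address to reach the relay on 25/587), written out as an added example rather than the poster's own script. The dyndns name, the chain name and the state-file path are placeholders; the script assumes a Linux box with iptables and glibc's getent. It builds the rules in a dedicated chain, refuses to touch the firewall when the lookup fails or returns garbage, and skips the reload when the address has not changed, so it can run from cron every few minutes without churning rules.

```shell
#!/bin/sh
# Added example (not the poster's script): keep an iptables allowlist in sync
# with the current home IP so only that address may reach the VPS relay on the
# SMTP/submission ports. HOME_DNS, CHAIN and STATE are placeholder assumptions.
set -eu

HOME_DNS="${HOME_DNS:-home.example.dyndns}"   # dyndns name (placeholder)
CHAIN="${CHAIN:-HOME_MAIL}"                   # own chain, so flushing it is safe
PORTS="25 587"
PORTS_CSV=$(printf '%s' "$PORTS" | tr ' ' ',')
STATE="${STATE:-/var/run/home_mail_ip}"       # last address that was allowed

# Accept only a plausible dotted quad: a failed lookup must never become a rule.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|'') return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Resolve the dyndns name to its first IPv4 address (glibc getent).
resolve_home_ip() {
    getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# Emit the iptables commands for a given address instead of running them, so the
# rule set can be reviewed (or tested) without root.
build_rules() {
    ip="$1"
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    # Local submissions over loopback (a script talking to 127.0.0.1:25) stay allowed.
    echo "iptables -A $CHAIN -i lo -j ACCEPT"
    for p in $PORTS; do
        echo "iptables -A $CHAIN -p tcp --dport $p -s $ip -j ACCEPT"
    done
    echo "iptables -A $CHAIN -j DROP"
    # Hook the chain into INPUT exactly once: -C succeeds only if the jump exists.
    echo "iptables -C INPUT -p tcp -m multiport --dports $PORTS_CSV -j $CHAIN 2>/dev/null || iptables -I INPUT -p tcp -m multiport --dports $PORTS_CSV -j $CHAIN"
}

main() {
    ip=$(resolve_home_ip "$HOME_DNS")
    if ! valid_ipv4 "$ip"; then
        echo "lookup of $HOME_DNS failed; leaving existing rules in place" >&2
        exit 1
    fi
    # Cron runs this every few minutes; do nothing when the address is unchanged.
    if [ -f "$STATE" ] && [ "$(cat "$STATE")" = "$ip" ]; then
        exit 0
    fi
    build_rules "$ip" | sh -e
    printf '%s\n' "$ip" > "$STATE"
}

# Only apply when asked to, so the functions can be sourced or dry-run:
#   sh home_relay_allowlist.sh apply        (from root's crontab)
#   sh -c '. ./home_relay_allowlist.sh; build_rules 203.0.113.7'   (review)
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Outbound delivery from the VPS is unaffected: replies to its own connections arrive on ephemeral ports, not 25/587, so no conntrack rule is needed. Note that this only protects the relay ports; the relay decision in postfix (mynetworks, permit_mynetworks) still has to be consistent with it, or the firewall is the only thing standing between you and an open relay.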
Comments
Set up Tinc and have all your boxes and the home server join into a single mesh network. Then you can send/receive or access whatever other services you want via internal IPs on the Tinc network and not bother with what external IP you have at the moment.
Kinda unrelated: So you intend to send emails with @gmail.com from addresses? I am surprised you had much success with this at all.
Anyways, how about a vpn if you want to avoid auth? As long as it's not reachable from the outside relay settings should not be a problem.
curl exhentai.org | grep English | grep tentacle
10 Emails a day? Just use any Email API and quickly wrap a utility.
Dig a tunnel from you machine to your box that will forward anything to GMail, and change your hosts file.
Use SMTP with TLS on port 465/587: https://coderwall.com/p/ez1x2w/send-mail-like-a-boss
Yeah but that sounds like even more work :-)
So I am using a BuyVM 128 as a relay. I have never had a problem getting emails. They do initially go to spam but I setup a filter so they're never spammed again and it works.
I know, gmail has a reputation but I haven't had an issue so far.
Just install msmtp and set it up with your proxy data- there's no need to run a full-fledged MTA for this sort of deal.
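The msmtp route suggested in this comment, as an added example (not the commenter's configuration): a shell function that writes a per-user ~/.msmtprc submitting through an authenticated relay on port 587 with STARTTLS, plus a check for the one thing that trips people up, file permissions. The relay host, address and trust-file path are placeholders; msmtp itself refuses to read a config file that other users can read, and the password lives in a separate file read via passwordeval so it never sits in the config or in the process list.

```shell
#!/bin/sh
# Added example (not from the comment): generate an msmtp config for
# authenticated submission on 587. RELAY host, address and the CA bundle path
# are placeholder assumptions.
set -eu

# write_msmtprc PATH RELAY_HOST ADDRESS
write_msmtprc() {
    rc="$1"      # config file to create, normally ~/.msmtprc
    relay="$2"   # submission host (the VPS, or a provider's submission server)
    addr="$3"    # envelope-from, also used as the login name here
    # Subshell so the restrictive umask does not leak into the caller's shell.
    (
        umask 077
        cat > "$rc" <<EOF
defaults
auth           on
tls            on
tls_starttls   on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        ~/.msmtp.log

account        relay
host           $relay
port           587
from           $addr
user           $addr
passwordeval   "cat ~/.msmtp-password"

account default : relay
EOF
    )
}

# Return 0 only if the file is exactly mode 0600, mirroring msmtp's own refusal
# to use a config readable by others.
config_is_private() {
    [ -n "$(find "$1" -perm 600 -print)" ]
}

# Usage (uncomment to run on a real box):
#   write_msmtprc "$HOME/.msmtprc" relay.example.com user@example.com
#   ( umask 077; printf '%s\n' 'the-password' > "$HOME/.msmtp-password" )
#   config_is_private "$HOME/.msmtprc" && echo ok
#   printf 'cron output\n' | msmtp -a relay user@example.com
```

With the msmtp-mta package (Debian and derivatives) msmtp is installed as /usr/sbin/sendmail, so mailx and cron keep working unchanged; the relay side still needs SASL enabled on its submission port, which is exactly the setup the original poster found tedious, so this trades firewall scripting for auth configuration rather than removing work.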
I don't know about tinc since I never used it but I wouldn't be surprised if it's even easier to manage than openvpn which itself is imo way less of a headache to configure than what I've seen from mail servers.
Interesting. I thought with all the spf, dkim and whatnot today they were likely to go straight to /dev/null.
But isn't that easier than all the scripts for iptables and dynamic DNS, etc.?
My ISP also blocks port 25 and I basically email through submission port with authentication for this type of thing. Works well; never an issue.
If I wasn't going to do it this way I'd run everything through a VPN.
Use ssmtpd
IIRC ssmtpd hasn't been updated for quite some time, and msmtpd is the new hotness in lightweight SMTP clients.
Does everyone semi-sane skip over the post after they see my avatar, or what?
What!!!? You gotta speak into my good eye.
Sorry, I meant it as a +1 to your (friendly, helpful, sane) suggestion! I run msmtpd on my VPSes to send cron output and the like to myself via gmail.
I skip over everything you write. Except this one.
It's actually not that much :-)
The dynamic DNS update is some 3-line script I downloaded from afraid.org. All it does is a wget. Some dyndns services have clients built into consumer routers so no script is needed.
The mail gateway script is just an nslookup and then popping that variable into iptables.
OK, maybe it's a few lines of shell...I confess my shell scripting is better than my networking, so at least for me it was easier.