Relaying Mail From Home (Without Being an Open Relay)

raindog308 Administrator, Veteran

My residential ISP won't allow connections to port 25. Unfortunately I have various boxes and devices which expect to be able to do things like

# mailx -s "tentacle hentai conversion failed!" [email protected] < /tmp/pr0n.log

(Some devices do allow for Gmail authentication (e.g., Synology) but I would like easy email from shell).

So what I've set up is the following... wondering if there is a better way:

  • all home hosts run postfix and are configured to relay mail to one specific VPS on the net

  • that host (running postfix) looks up my home IP every few minutes and updates its iptables to block connections to port 25/587 from anywhere except that IP. (I'm using afraid.org for dyndns but I could just as easily have a box at home forward the info).

So far it works: I get my mail, and I'm not an open relay. I did try some other things:

  • my_networks in postfix. This didn't work (had 20K in my mail queue in a few hours and google hated me) but it may have been pilot error. I do relay for gmail.com (since I have gmail.com email addresses) so it's possible that the relay was accepted on that basis but I didn't spend time debugging because my priority was getting off Google's spammer list.

  • opensmtpd and postfix with SASL auth, etc. I found this tedious to setup and debug, and the only point for the auth was to prevent open relay.

On the one hand, I'd think it'd be better to simply block the IP packets rather than let the mail engine engage and determine relay permissions, burning CPU. OTOH I send maybe 10 emails a day at most so this really doesn't matter :-)

Just wondering if there's a better way, excelsior, etc.
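The VPS-side refresh the OP describes (look up the home address, rewrite the iptables rules every few minutes), written out as an added example; this is not the poster's own script. It assumes the dynamic-DNS name home.example.net, a dedicated chain name MAIL_GATE, a state-file path under /var/lib, and that dig (dnsutils) and iptables are installed. The check a practitioner wants here is the fail-closed one: when the lookup fails or returns junk, the existing rules are left alone instead of the chain being flushed.

```shell
#!/bin/sh
# mail-gate.sh: on the relay VPS, allow SMTP (25/587) only from the current
# dynamic-DNS address of the home network. Run from cron every few minutes.
# Added example for this thread, not the poster's script. Assumptions: the
# dyndns name home.example.net, the chain name MAIL_GATE, the state-file
# path, and that dig (dnsutils) and iptables are installed.
set -u

HOME_HOST="${HOME_HOST:-home.example.net}"
CHAIN="MAIL_GATE"
STATE="${STATE:-/var/lib/mail-gate/last_ip}"
DRY_RUN="${DRY_RUN:-}"

# True only for a well-formed dotted-quad IPv4 address (each octet 0-255).
# Anything else (empty string, error text, a hostname) must never reach iptables.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
        '^(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}$'
}

# Resolve the dyndns name and print one A record, or nothing on failure.
# dig +short may print a CNAME target first, so keep only dotted-quad lines.
resolve_home_ip() {
    dig +short A "$1" 2>/dev/null | grep -E '^[0-9.]+$' | tail -n 1
}

# Print the iptables commands that rebuild the chain for one address.
# Generating text instead of calling iptables directly gives a dry-run mode
# and lets the rule logic be checked on a box without iptables.
build_rules() {
    ip="$1"
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || true
iptables -F $CHAIN
iptables -A $CHAIN -i lo -j RETURN
iptables -A $CHAIN -s $ip -j RETURN
iptables -A $CHAIN -j DROP
iptables -C INPUT -p tcp -m multiport --dports 25,587 -j $CHAIN 2>/dev/null || iptables -I INPUT -p tcp -m multiport --dports 25,587 -j $CHAIN
EOF
}

main() {
    ip="$(resolve_home_ip "$HOME_HOST")"
    if ! valid_ipv4 "$ip"; then
        # Lookup failed or returned junk: keep the rules we already have.
        # Never flush the chain on bad data (that would fail open).
        echo "mail-gate: cannot resolve $HOME_HOST, leaving rules unchanged" >&2
        return 1
    fi
    if [ -z "$DRY_RUN" ] && [ -r "$STATE" ] && [ "$(cat "$STATE")" = "$ip" ]; then
        return 0    # address unchanged, nothing to do
    fi
    if [ -n "$DRY_RUN" ]; then
        build_rules "$ip"
        return 0
    fi
    build_rules "$ip" | sh -e || return 1
    mkdir -p "$(dirname "$STATE")" && printf '%s\n' "$ip" > "$STATE"
}

# Invoke as "mail-gate.sh apply" from cron, or "DRY_RUN=1 mail-gate.sh apply"
# to print the rules it would install. With no argument nothing is changed.
case "${1:-}" in
    apply) main ;;
esac
```

Two things this design cannot fix, whichever script implements it: every device behind the home NAT gets to relay, not just the boxes running postfix, and between the home address changing and the next cron run whoever now holds the old address can relay too. That window is exactly what submission-port authentication (or a VPN, as suggested further down) closes.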

Comments

  • rm_ IPv6 Advocate, Veteran
    edited November 2017

    Set up Tinc and have all your boxes and the home server join into a single mesh network. Then you can send/receive or access whatever other services you want via internal IPs on the Tinc network and not bother with what external IP you have at the moment.

  • Kinda unrelated: So you intend to send emails with @gmail.com from addresses? I am surprised you had much success with this at all.

    Anyways, how about a vpn if you want to avoid auth? As long as it's not reachable from the outside relay settings should not be a problem.

    1. curl exhentai.org | grep English | grep tentacle

    2. 10 Emails a day? Just use any Email API and quickly wrap a utility.

    3. Dig a tunnel from your machine to your box that will forward anything to GMail, and change your hosts file.

    4. Use SMTP with TLS on port 465/587: https://coderwall.com/p/ez1x2w/send-mail-like-a-boss

  • raindog308 Administrator, Veteran

    rm_ said: Set up Tinc and have all your boxes and the home server join into a single mesh network. Then you can send/receive or access whatever other services you want via internal IPs on the Tinc network and not bother with what external IP you have at the moment.

    Yeah but that sounds like even more work :-)

    mksh said: Kinda unrelated: So you intend to send emails with @gmail.com from adresses? I am surprised you had much success with this at all.

    So I am using a BuyVM 128 as a relay. I have never had a problem getting emails. They do initially go to spam but I setup a filter so they're never spammed again and it works.

    I know, gmail has a reputation but I haven't had an issue so far.

  • Just install msmtp and set it up with your proxy data- there's no need to run a full-fledged MTA for this sort of deal.

  • @raindog308 said:

    rm_ said: Set up Tinc and have all your boxes and the home server join into a single mesh network. Then you can send/receive or access whatever other services you want via internal IPs on the Tinc network and not bother with what external IP you have at the moment.

    Yeah but that sounds like even more work :-)

    I don't know about tinc since I never used it, but I wouldn't be surprised if it's even easier to manage than OpenVPN, which itself is IMO way less of a headache to configure than what I've seen from mail servers.

    mksh said: Kinda unrelated: So you intend to send emails with @gmail.com from adresses? I am surprised you had much success with this at all.

    So I am using a BuyVM 128 as a relay. I have never had a problem getting emails. They do initially go to spam but I setup a filter so they're never spammed again and it works.

    I know, gmail has a reputation but I haven't had an issue so far.

    Interesting. I thought with all the SPF, DKIM and whatnot today they were likely to go straight to /dev/null.

  • raindog308 said: I found this tedious to setup and debug, and the only point for the auth was to prevent open relay.

    But isn't that easier than all the scripts for iptables and dynamic DNS, etc.?

    My ISP also blocks port 25 and I basically email through submission port with authentication for this type of thing. Works well; never an issue.

    If I wasn't going to do it this way I'd run everything through a VPN.

  • Use sstmpd

  • @rajprakash said:
    Use sstmpd

    IIRC ssmtpd hasn't been updated for quite some time, and msmtpd is the new hotness in lightweight SMTP clients.

  • @WSS said:
    Just install msmtpd and set it up with your proxy data- there's no need to run a full-fledged MTA for this sort of deal.

    Does everyone semi-sane skip over the post after they see my avatar, or what?

  • @WSS said:

    @WSS said:
    Just install msmtpd and set it up with your proxy data- there's no need to run a full-fledged MTA for this sort of deal.

    Does everyone semi-sane skip over the post after they see my avatar, or what?

    What!!!? You gotta speak into my good eye.

    Thanked by 1 WSS
  • @WSS said:

    @WSS said:
    Just install msmtpd and set it up with your proxy data- there's no need to run a full-fledged MTA for this sort of deal.

    Does everyone semi-sane skip over the post after they see my avatar, or what?

    Sorry, I meant it as a +1 to your (friendly, helpful, sane) suggestion! I run msmtpd on my VPSes to send cron output and the like to myself via gmail.

    Thanked by 1 WSS
  • @WSS said:

    @WSS said:
    Just install msmtpd and set it up with your proxy data- there's no need to run a full-fledged MTA for this sort of deal.

    Does everyone semi-sane skip over the post after they see my avatar, or what?

    I skip over everything you write. Except this one.

    Thanked by 1 WSS
  • raindog308 Administrator, Veteran

    JustAMacUser said: But isn't that easier than all the scripts for iptables and dynamic DNS, etc.?

    It's actually not that much :-)

    The dynamic DNS update is some 3-line script I downloaded from afraid.org. All it does is a wget. Some dyndns services have clients built into consumer routers so no script is needed.

    The mail gateway script is just an nslookup and then popping that variable into iptables.

    OK, maybe it's a few lines of shell...I confess my shell scripting is better than my networking, so at least for me it was easier.
