What to be aware of before opening port 25 on a postfix Raspberry Pi?
from Flax_vert@feddit.uk to selfhosted@lemmy.world on 22 Apr 17:59
https://feddit.uk/post/10830588
from Flax_vert@feddit.uk to selfhosted@lemmy.world on 22 Apr 17:59
https://feddit.uk/post/10830588
I have a raspberry pi running postfix. I Realised unless I open port 25 I absolutely cannot receive emails (I have 587 open and can send but not receive them). However I heard there are scaries online which someone could potentially send emails from your server without consent. I believe as well my ISP doesn’t block port 25. Is there anything I should do right now before opening port 25, or should everything be safe enough?
threaded - newest
Avoid being an open relay indeed. Some background information : www.postfix.org/SMTPD_ACCESS_README.html#relay But with the defaults in postfix you should be fine unless you made a lot of changes and made a mistake in it.
Ideally, don’t. Self-hosting email is complicated, easy to get wrong (and dangerously wrong, where people could use your server as an open relay and send spam).
That said, if you really want to, make sure you’re not accepting email except for what’s destined for you. There are a bunch of postfix best-practice guides out there that can be easily found with a Google search. I don’t host my own email, so I can’t vouch for any.
Agreed. I used to host email professionally and would not recommend managing your own mail server. It will constantly be under attack by spammers and if the inbox email address is exposed at all, soon 90% of incoming mail will be spam and you’ll need antispam software to filter it.
Not sure about you latter point tbh. I run an email server, with nothing but grey listing and spamassassin and the amount of spam is absolutely minimal.
Proper config and fail2ban easily takes care of direct attacks.
Nevertheless, I wouldn’t recommend it to anyone but the most determined.
To be fair, they said that you would need anti spam software and you do use anti spam software.
And even if you do everything 100% right, your emails will mostly get flagged as spam if not outright blocked anyway. Esp. if you’re using a residential IP.
You can check for being an open relay with tools like this one: mxtoolbox.com/diagnostic.aspx
Thank you so much! It just tested it for me
You should be aware that a large number of mail hosters will block all mail from your server merely because it is sent from a dynamic IP address.
I’ve got a domain
The domain won’t change that. Even with a static IP if it’s coming from an ISP owned up block you’re likely going to get banned. Even with reputable VPS’ it’s hard. Make sure you have DMARC, DKIM, and SPF setup, but even then almost certainly going to get banned. The big player are creating and inherent monopoly instead of improving their spam filters.
If you manage to get a good SMTP relay host or authenticated SMTP account for your outgoing email then playing around with small scale self hosting email (Granted that it is not your important daily driver email accounts) can be an interesting and fun experience. But you will have to invest some time reading and tweaking and figuring things out. Slightly comparable with installing Arch Linux. Lots of people will warn you to not do it but you might learn a few valuable things on the way there.
It’s time to learn the difference between a domain and a dynamic IP.
Meh that sucks i even have a perfectly working ddns, I mean I know I don’t get something like a PTR record but i wish that mail hosters would allow for more self hosting options
Have you ensured that your setup will pass email authentication processes?
It has been a long time since email from random hosts is accepted for forwarding or delivery. This Wikipedia may help en.wikipedia.org/wiki/Email_authentication
friends dont let friends host email. its just become too top heavy (complexity-wise) if you want it to be fully functional and secure.
100% agreed. It's well worth outsourcing to someone else for $10/mo versus the amount of work it takes to do it well unless you're a large business.
I'd make this argument for DNS too - a lot of work for how easy it is to pay someone else to handle it.
How can I have reliable email that I can control, then?
Buy your own domain name and put it in front of someone else's service. This is going to be a ton of work to do correctly and you're unlikely to be able to host it out of your house.
Also, something you're running off a Raspberry Pi in your house is not going to meet most definitions of 'reliable'.
What “someone else’s service” would you recommend?
Personally I'd probably go with MS hosted exchange or a Google business account. If you don't trust those entities I've heard good things about ProtonMail - I imagine they have some kind of business solution.
Google and MS are the entities you’d definitely want to keep your data away from, no thanks. And Proton doesn’t work with normal mail clients, which is kind of a dealbreaker. I remember seeing a comparison chart somewhere with an assortment of other services.
There’s mailbox.org for example
Mango mail, porkbun, proton mail
Each does a slightly different niche.
Mango is cheap, but limits outbound mail. Porkbun has a good all-around mail service, bit is a little more costly. Proton is very secure, but can be inconvenient for export (though it can be done, it requires purchase of a month of business service to export away from them).
If you own your domain name, then you can use any email service and still have control over it and move around if needed.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
7 acronyms in this thread; the most compressed thread commented on today has 5 acronyms.
[Thread #705 for this sub, first seen 22nd Apr 2024, 19:05] [FAQ] [Full list] [Contact] [Source code]
Many ISPs will also block inbound SMTP unless you have business account (and sometimes even then) because it's a common malware/spam vector.
If you insist on going through with this the key thing is to make sure that you're not an open relay.
If you follow the ISPMail guide at workaround.org you’ll be safe.
That’s called an open relay and websites like mxtoolbox.com/diagnostic.aspx can test for it.
Either way your biggest issue won’t be that, if you’re running on a residential internet connection the IP is already flagged as such and will have a very low reputation with other e-mail providers causing Microsoft, Google and any other large provider will simply refuse your email. You’ll also need reverse DNS for your IP pointing at the domain you’re using that your ISP is most likely not going to provide.
What do you mean reserve DNS?
Pretty sure they meant reverse dns :)
Yes, reverse DNS. Typo there.
IMHO a RasPi is just not reliable enough. Your internet connection is just not reliable enough. You are going to lose some of your incoming mail and NOT notice it, unless you have somebody who hosts a secondary MX for your domain.
Chances are also that it’s not powerful enough when some of these automated attacks come knocking.
If you know how to set it up, RPI can be reliable enough
Even, IMAP is TCP already, any coming mail should be cached by the router until delivered, and your router usually doesn’t loose connection as often as the connected devices
Hi, I recommend you read the book “Run Your Own Mail Server”. The fact that a book exists for this topic is all the proof you need to not do this decision. But if you absolutely must, this is the way.
🤣
Don’t do that
too late.