> In message <[hidden email]>,
> Wietse Venema <[hidden email]> wrote:
> >> and then use something like fetchmail to poll that periodically to pull
> >> down all mail for my several domains and then have fetchmail re-inject
> >> all of those mail messages into the local Postfix. The plan would be to
> >> get all this running and then give up my local static IP here, exchanging
> >> it for a dynamic one instead. (This will save me a tiny bit of money on
> >> my monthly local ISP bill.)
> >What about setting up a tunnel between home (dynamic IP) and cloud
> >(static IP)? Could be a VPN, or SSH.
> In a word, yea. That exact light just came on over my little noggin.
> If I can figure out how to make that work, I think that will be THE
> I just need to find some tool... some something... that will *transparently*
> proxy all of the inbound port 25 traffic that comes in to the cloud VM
> server machine to some other IP address... some other IP address that
> will in fact be dynamic and changing, over time. (And yes, I understand
> that dynamic DNS is likely to be helpful here.)
> So, what tool should I use to do this transparent TCP proxying?
HAProxy for inbound mail. Postfix supports their protocol.
For outbound, you need an MTA on the static IP address.
> Let's say that the dynamic IP that I *was* using, just before the
> power fail, was a.b.c.d. The question is: While I am wandering around
> with my flashlight in the dark, what if some other customer of my ISP
> happens to request a DHCP lease and also happens to get a.b.c.d ... which
> is possible, because after all, *I* am not using that specific IP address
> anymore, so it will have been returned to the DHCP free pool.
> In this scenario, could that other party who got a.b.c.d, dynamically,
> turn on a mail server and begin sucking down *my* emails from *my* cloud
> VM Postfix instance?
- Use a tunnel (ssh port forwarding, or vpn) which is initiated
by the home machine. This sidesteps any dynamic DNS issues.
- On the cloud MTA, require certificate authentication, so that
it will not send mail to the wrong 'home' server.
> I'd very much like to move my (Postfix) mail server, which currently resides
> on a (static IP) end-luser broadband line, to some VM in the cloud someplace,
> and then use something like fetchmail to poll that periodically to pull
> down all mail for my several domains and then have fetchmail re-inject
> all of those mail messages into the local Postfix. The plan would be to
> get all this running and then give up my local static IP here, exchanging
> it for a dynamic one instead. (This will save me a tiny bit of money on
> my monthly local ISP bill.)
> Googling for options just now, it sure sounds like ODMR/ATRN would fit
> my needs nicely, however I can't quite make out whether any of this
> ODMR/ATRN stuff has ever actually been implemented in Postfix or not.
> Has it been?
> Regardless of whether it has or not, if anyone wants to suggest or recommend
> any alternative solution(s) I'm all ears. I am open to anything that
> will get the job done. My only real requirements for a solution are:
> 1) Must support unlimited email addresses per each recipient domain.
> 2) Must preserve envelope sender information.
I use authenticated SMTP for this. Each cloud VM has two postfix instances:
One is the MX:
- low-security opportunistic TLS
- spam filtering
- envelope validation using relay_domains and relay_recipient_maps
The other is the authenticated SMTP relay:
- mandatory TLSv1.3 with private EC PKI
- permit_tls_clientcerts only
- long maximal_queue_lifetime
- per-destination transports for defer_transports granularity
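An added example, not from the thread or from Postfix itself, of main.cf fragments for the two-instance layout just described: the MX hands accepted mail to the relay instance over loopback, and the relay instance holds it for a home server reached through an ssh tunnel that the home machine initiates. Instance paths, domain names, CA file names and the content_filter name are assumed.

```ini
# /etc/postfix-mx/main.cf   (instance 1: the public MX on port 25)
relay_domains = example.com, example.org            # constructed domains
relay_recipient_maps = hash:/etc/postfix-mx/relay_recipients  # valid users per domain
smtpd_tls_security_level = may                      # opportunistic TLS toward the world
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = reject_unlisted_recipient  # reject unknown users here, not at home
content_filter = smtp-amavis:[127.0.0.1]:10024      # spam filter hook (assumed name)
# the MX presents its own client cert when it talks to the relay instance
smtp_tls_cert_file = /etc/postfix-mx/mx.crt
smtp_tls_key_file  = /etc/postfix-mx/mx.key
transport_maps = hash:/etc/postfix-mx/transport
#   example.com   smtp:[127.0.0.1]:10025
#   example.org   smtp:[127.0.0.1]:10025

# /etc/postfix-relay/main.cf  (instance 2: the authenticated relay on port 10025)
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = >=TLSv1.3           # Postfix >= 3.6 syntax
smtpd_tls_cert_file = /etc/postfix-relay/relay.crt  # issued by the private EC CA
smtpd_tls_key_file  = /etc/postfix-relay/relay.key
smtpd_tls_CAfile    = /etc/postfix-relay/private-ca.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = yes                           # no client cert, no session
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix-relay/relay_clientcerts
#   <sha256 fingerprint of the home MTA's cert>   home-mta
#   <sha256 fingerprint of the MX instance's cert> mx-instance
smtpd_relay_restrictions = permit_tls_clientcerts, reject   # nothing else may relay
maximal_queue_lifetime = 30d                        # keep mail while the home link is down
# per-destination transport so only the home-bound queue can be held:
#   postconf -e defer_transports=home  (when the tunnel is known down)
#   postqueue -f                        (once it is back)
defer_transports =
transport_maps = hash:/etc/postfix-relay/transport
#   example.com   home:[127.0.0.1]:2525            # local end of the tunnel
#   example.org   home:[127.0.0.1]:2525
# the relay verifies the home server's certificate, so a stranger who inherits
# the old dynamic IP never receives this mail even if the tunnel config is wrong
smtp_tls_CAfile = /etc/postfix-relay/private-ca.crt
smtp_tls_policy_maps = hash:/etc/postfix-relay/tls_policy
#   [127.0.0.1]:2525   secure match=home.example.com  protocols=>=TLSv1.3

# /etc/postfix-relay/master.cf addition (the 'home' transport is a plain smtp client)
# home      unix  -       -       n       -       -       smtp

# tunnel, started from the home machine, so no dynamic DNS is needed:
#   ssh -N -R 127.0.0.1:2525:127.0.0.1:25 cloud-vm
```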