I Have Mail

It's a conspiracy I tell ya

I have mail!

I've wanted to run my own self-hosted email server for a long time. No real reason other than I want to. Like most people I have perfectly adequate email services from several providers, including Google, Outlook, and ProtonMail. I can't say enough good things about Proton; I have a paid plan with them that includes their excellent VPN, password manager, calendar, and cloud drive applications. There is a free tier for all of their applications if you want to give them a try.

So, back to my struggle to get my email server communicating with the outside world.

Almost all ISPs block port 25 outbound, and port 25 is what SMTP servers need to talk to each other.

Ostensibly, this is to prevent 'bad actors' from sending out SPAM emails. Now, I don't know about you, but I get tons of email SPAM. So it begs the question: why do the internet service providers continue to block port 25? Could it be that those who want to run their own self-hosted email servers would no longer be under their control and monitoring (I exempt Proton from this, as they are an exception)? I mean, how is it that Google and Microsoft can let millions of users send emails via their services for free? Because yet again we are the product being sold. I wonder.

Conspiracy?

To get around CGNAT I already have a VPS located in AWS, so I was going to need to send all the SMTP traffic through my tunnel between my SMTP service and the VPS. AWS doesn't really like you sending mail from port 25 either, and they recommend getting an Elastic IP and setting a reverse PTR record in DNS for your mail server.

I added an email relay host in my local email server settings that pointed to Postfix running on my VPS instance in AWS, reachable through a Tailscale tunnel. I need to use a relay host because my (so-called) public IP, where the email server sits, will not resolve to the IP of my VPS, which is where all the inbound/outbound traffic magic happens.

Relay

So I send an email from my server and, with some network forwarding magic, it makes its way through the tailnet from my NAS to the EC2 instance.

Tunnel to EC2

Where Postfix is waiting to relay my outbound email to the internet.

Relay race

Conversely, when an email is sent to my local email address, it arrives over the internet at my VPS address, where forwarding rules route it to my NAS at home, where the email server is running.

Tunnel to NAS

As a prerequisite for all of this I first had to make sure the DNS for my domain had been updated with an A record for the mail host (the VPS), a reverse PTR that pointed back to that A record, an MX record, an SPF record, a DKIM record with its key, and a DMARC record. DNSSEC had to be enabled as well. Nothing too complicated, but entirely necessary.

There were also a few forwarding rules to allow some masquerading. These tell the VPS to send the traffic arriving on these ports on to somewhere else, in this case the other end of the tailnet where the NAS awaits.

Masquerade

# SMTP inbound (port 25)
sudo iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to-destination 100.118.10.71:25
sudo iptables -t nat -A POSTROUTING -p tcp -d 100.118.10.71 --dport 25 -j MASQUERADE

# SMTPS (465)
sudo iptables -t nat -A PREROUTING -p tcp --dport 465 -j DNAT --to-destination 100.118.10.71:465
sudo iptables -t nat -A POSTROUTING -p tcp -d 100.118.10.71 --dport 465 -j MASQUERADE

# Submission (587)
sudo iptables -t nat -A PREROUTING -p tcp --dport 587 -j DNAT --to-destination 100.118.10.71:587
sudo iptables -t nat -A POSTROUTING -p tcp -d 100.118.10.71 --dport 587 -j MASQUERADE

# IMAPS (optional, 993)
sudo iptables -t nat -A PREROUTING -p tcp --dport 993 -j DNAT --to-destination 100.118.10.71:993
sudo iptables -t nat -A POSTROUTING -p tcp -d 100.118.10.71 --dport 993 -j MASQUERADE

Also, if you haven't already guessed, there was a good reason I have my relay listening on port 2525. Otherwise, when email was sent out from the NAS to the VPS on port 25 to be relayed, the forwarding rule for port 25 would just send it right back to the NAS, resulting in a loop.

Loop
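Rule sets like the one above are easy to get subtly wrong, so here is an added example (not code from the original post) that parses a batch of iptables NAT commands and flags the mistakes that matter for this setup: a DNAT whose --dport does not match its --to-destination port, a duplicate PREROUTING rule for the same port, a DNAT with no matching MASQUERADE, and a DNAT on the same port the relay listens on, which is exactly the loop described above. The rule text and the relay port are constructed for the example; only the NAS tailnet address is taken from the listing.

```python
# Added example: sanity-check iptables NAT forwarding rules before loading them.
# RULES is constructed for this example and deliberately contains two defects
# (a 587 -> 465 mismatch and a duplicate port 587 rule) so the checker has work to do.
import shlex

RULES = """
iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to-destination 100.118.10.71:25
iptables -t nat -A POSTROUTING -p tcp -d 100.118.10.71 --dport 25 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 587 -j DNAT --to-destination 100.118.10.71:465
iptables -t nat -A POSTROUTING -p tcp -d 100.118.10.71 --dport 465 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 587 -j DNAT --to-destination 100.118.10.71:587
iptables -t nat -A POSTROUTING -p tcp -d 100.118.10.71 --dport 587 -j MASQUERADE
"""

def parse_rule(line):
    """Turn one iptables command into a dict of the options we care about."""
    argv = shlex.split(line)
    rule = {}
    for i, tok in enumerate(argv):
        if tok in ("-A", "-t", "-d", "--dport", "-j", "--to-destination"):
            rule[tok] = argv[i + 1]
    return rule

def check_nat_rules(text, relay_port):
    """Return a list of findings; an empty list means the rule set looks sane."""
    findings = []
    rules = [parse_rule(l) for l in text.strip().splitlines() if l.strip()]
    # Ports that have a MASQUERADE rule, so reply traffic comes back via the VPS.
    masq_ports = {r.get("--dport") for r in rules if r.get("-j") == "MASQUERADE"}
    seen_dports = set()
    for r in rules:
        if r.get("-j") != "DNAT":
            continue
        dport = r["--dport"]
        dest_host, _, dest_port = r["--to-destination"].partition(":")
        if dest_port != dport:
            findings.append(f"port {dport}: DNAT forwards to {dest_host}:{dest_port}, not :{dport}")
        if dport in seen_dports:
            findings.append(f"port {dport}: duplicate PREROUTING rule (the first match wins)")
        seen_dports.add(dport)
        if dest_port not in masq_ports:
            findings.append(f"port {dport}: no matching MASQUERADE for :{dest_port}")
        if int(dport) == relay_port:
            # PREROUTING also sees traffic arriving over the tailnet, so mail the NAS
            # sends to the relay on this port is DNAT'd straight back to the NAS.
            findings.append(f"port {dport}: relay listens here too, NAS->VPS relay traffic loops back")
    return findings

if __name__ == "__main__":
    for finding in check_nat_rules(RULES, relay_port=2525):
        print(finding)
```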

With all of that complete my emails are flowing!

#selfhosting

This is AF5QH. 73 and out.
