# Moving private mail server to home server



## abishai (May 10, 2017)

Hello,
I use private mail server for a decade. I decided to move it to my home as I don't need expensive outer server anymore. And start from scratch as software is rather outdated.

My home subnet is not good for outbound mail, so I want to split send and receive functions.

1. Home server receiving mail (postfix + rspamd + dovecot). Submission for relay, smtp for local delivery, imap4 for me. Postfix relays to [2] mail server. MX record points here.
2. Cheap VPS (postfix). VPN from home, allow VPN connections to relay. DKIM signing here. It needs virtually nothing, so can be very cheap.

Sure thing, everything would be on FreeBSD.

I poked dovecot and looks like it's quite happy with my existing maildir, however full setup is a big pain, so I'd like to know before I start : it this scheme works or looks seldom used and suspicious? I don't my mail landed to SPAM. 

And no, don't tell me about gmail. I already banned there.


----------



## SirDice (May 10, 2017)

Although it's common in large environments to split ingress and egress mail traffic your setup is quite uncommon. I don't really see the added benefit either. Just run everything on the VPS. Add some LetsEncrypt SSL certificates and you're good to go. I have exim, dovecot, spamd, clamav all running on the VPS. Added Roundcube to it so I can easily read my mail from anywhere.


----------



## abishai (May 10, 2017)

SirDice said:


> Just run everything on the VPS


Big maildir and spam fighting needs some CPU power. What part of my setup is uncommon ? Relaying, I suspect?

Right, I forgot about roundcube. Will add it as well.


----------



## SirDice (May 10, 2017)

abishai said:


> Big maildir and spam fighting needs some CPU power.


Not really. Not unless you plan on receiving thousands of emails per second. My VPS also doubles as a game server. The game server uses a LOT more CPU than spamd ever did.



> What part of my setup is uncommon ?


Receiving SMTP on a home connection. A lot of ISPs actually block this traffic to prevent abuse.


----------



## abishai (May 10, 2017)

SirDice said:


> Receiving SMTP on a home connection. A lot of ISPs actually block this traffic to prevent abuse.


I tested it already. It's OK. As the biggest problem of home-made mail servers is delivery without triggering spam alarms, my initial question was about relaying to the second postfix. 
However, as I can easily move config to VPS entirely in any case, probably I should start and check it by myself...


----------



## Remington (May 10, 2017)

I have my own private email server using dovecot, dspam, postfix and postgrey.  It does a very good job filtering out spams without using clamav or spamassassin.


----------



## ekingston (May 10, 2017)

As noted by SirDice, a lot of ISPs will block SMTP traffic to your home IP. So, your first step is probably to check with your ISP to make sure they don't do this.

Another problem is your home IP address. Some email service providers and businesses are blocking dynamic IP address ranges used by ISPs. I believe Google does this. 

Even if that doesn't concern you, there are blacklists of known spamming sources that get updated regularly. These are fully of DHCP assigned addresses provided by various ISPs. So, when your IP changes, you may end up on a blacklist because whoever had it before was part of some spammers botnet. If you have a statically assigned IP address (provided by your ISP), you will want to monitor the blacklist providers and learn their processes for getting removed in case your IP gets put on their list.

As much as I admire you for running your own mail server, It is probably far more cost effective to pay for hosted e-mail. You said you don't approve of using Google (I tend to agree) but there are lots of other options. Most of the Cloud VPS providers have a hosted e-mail option that costs between $1 and $5 per month per e-mail account for somewhere between 1GB and 5GB of storage. Assuming you are paying the extra for a static IP address, it might actually be cheaper to go for the hosted e-mail option and drop to a dynamic address.


----------



## Remington (May 10, 2017)

I agree with the above comment about ISP blocking SMTP and dynamic IP address can be a problem.  IP address will need to be static with reverse IP lookup for sending outbound emails so it will be accepted by other SMTP servers as they usually reject emails that doesn't have correct reverse IP lookup.

My server is at the data center so my suggestion is to use VPS provider or business account with your local ISP with a static IP address and reverse IP lookup too.  That way you can install packages and configure the email server to your liking.


----------



## abishai (May 10, 2017)

Guys, please 
I wrote before, that I plan to use different servers for receiving and sending mail. All of your precautions are for sending server and I agree with you. The scheme was:
1. MX points to my home server.
2. Home server relays outbound to external server that has necessary prerequirements.

However, I queried IP I received from ISP against 137 BLs and all of them are green. And in ISP control panel I can assign IN PTR. I'm in doubts now that I ever need second postfix.


----------



## sko (May 11, 2017)

I've considered the same setup a while ago with 2 postfix as local and external relays for incoming/outgoing mail and a local dovecot in the background, but running crucial services like a mailserver (which I also want to access from work or by Phone or Laptop) on a wonky home internet connection just won't work well enough to be worth the trouble. Yes, your external postfix could act as a secondary MX for receiving email and temporary cache them, if the local postfix/dovecot server isn't available, but there's often/mostly some manual work necessary to clean up queues after such events and on a longer term blackout you eventually have to bounce mail (IIRC the RFCs state a maximum delivery delay of 3 days with notice to the sender about the delay after 4 hours).
Your home ISP won't care what services you are running - if they have network problems, you're just another small and pesky customer who has to wait like all the others. I can guarantee; after the first time your ISP has problems for several days in a row, you'll be migrating everything to the external server. (been there, done that...)

You also have to consider the implications of revealing local hostnames/IPs of your delivery chain within outgoing headers. Besides giving away some information of your local infrastructure, such entries of martian (local) networks can often lead to higher spam scoring, so you may need to rewrite the headers on your outgoing postfix server.


Despite me having several servers running at home, my mailserver runs on a rootserver in a datacenter (which also hosts several other services); and if I'd had to relocate the mailserver, I'd definately go for a small VPS instead of using one of the servers at home. 
I'm using Digitalocean for testing or small projects, so I'd use one of their lower end droplets and attach a seperate storage volume with ZFS to it as mail storage. This way backup and an eventual later migration to another server would be childsplay. 
As you will need an external MX anyways, why not using this server/VPS for the whole mailserver setup? A private mailserver won't have that much traffic, so even a small VPS for 5$/month can handle the load of a whole mailserver setup. If you want to cut cost on the storage and the included storage won't suffice, archive older mail to your local server; but at ~0.1$/GB (and falling) I'd be way too lazy for that


----------



## abishai (May 15, 2017)

sko said:


> I can guarantee; after the first time your ISP has problems for several days in a row, you'll be migrating everything to the external server.


Mail will be not the first in my priority list in that scenario. 

I found no traces that using my IP from ISP has any drawbacks. ISP even set IN PTR pointing to my name. So, I decided not to use external postfix. I installed postfix, dovecot, SPF, DKIM and DMARC policy. Google seems to like my mails. Most of stuff is already running.

I have a question about sieve. Is it OK to expose it ? I can use thunderbird plugin to manage rules in this case. It opens external port, so I'm not sure if it is safe. I can use RoundCube for this.


----------

