Totally OT comment: Re: Somewhat OT: Mail Relay Services

Russell L. Carter rcarter at
Mon Mar 1 23:57:01 UTC 2021

On 3/1/21 10:41 AM, Tim Daneliuk via freebsd-questions wrote:

> email is always going to be a 'postcard' - anyone along the delivery chain can peek inside
> the envelope if they really want to.  Even if - as I have done - you host your own domain
> on a cloud provider, or even a physical server in your premise - the moment the mail goes into
> flight, someone, somewhere is logging it with the potential ability to harvest it.
> The question, though, is who is more able to make use of your content?  A mail relay company
> of relatively small size, or Google with its billions and advanced tech?
> Even when I ran my own mail services at a static IP I controlled, it was a losing
> game.  When there were reputation questions, trying to get any of the blackholing
> services to pay attention was a major pain.  Some of the smaller ISPs were
> equally disinterested because SPAM management was just overwhelming them.
> So, for now, I've settled on a compromise - I will run our own email servers and the policies
> around them will be under our own control.  But for purposes of external delivery, I am
> now using a 3rd party so that the reputation issues (and resolution) accrue to them.
> We'll see how this works.
> P.S. This did force me to get off my lazy butt and finally get DKIM and DMARC properly
> configured ...

I've been thinking this through some more.  I'm going to use DuoCircle
outbound SMTP, but I have site local mail users for two of my domains,
and I'm a little icked out to have to run local mail through yet
another evilcorp.  So I'm provisionally going to have the local postfix
instances SMTP relay to a cloud postfix instance I manage.  The same
cloud server will host my dovecot and rspamd infra, so I can deliver
internal mail to my domains myself.  Everything else outbound is
to be relayed to DuoCircle on a non-standard port.  Similarly everything
from my domain local postfix is relayed to my cloud postfix server on
a non-standard port.  Then my local IMAPS clients just talk to my cloud
dovecot server, instead of the current local one.  That keeps everything
domain local under my control and theoretically encrypted.  Roamers talk
encrypted to my cloud postfix instance too.  And my cloud dovecot

Now that wireguard is in the kernel I'm gearing up to set up a
couple of geographically diverse VPN hosts for my roamers.  Of course
each will run the mail infra.

This has all been an inchoate mess in my head for a couple of years, and
this discussion caused it to coalesce, many thanks!  Anybody see any
gaping holes?  Well there is one hole: redundancy and/or backup.  I
generally just KISS:  two different hosts, near identical
configurations rsync'd on modification, one the primary MX and
the other secondary.  I've got dovecot replication running but I'm
unsure how useful it is.

There wouldn't be some sort of discussion group, like an old style email
list, where these things are routinely discussed maybe?  People are
probably weary of all this mail nonsense in -questions.

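One way to express the relay topology described in the post above in Postfix configuration. This is an added illustration, not the poster's actual config or anything from DuoCircle; hostnames, ports, the WireGuard subnet, certificate and CA paths are all placeholders.

```ini
# --- cloud Postfix instance: main.cf (placeholder names and ports) ---
myhostname = mail.example.org
# Our own domains are delivered straight to the co-located Dovecot over LMTP,
# so site-local mail never leaves infrastructure we control.
virtual_mailbox_domains = example.org, example.net
virtual_transport = lmtp:unix:private/dovecot-lmtp
# Everything else goes to the outbound relay provider on a non-standard port.
# Brackets suppress the MX lookup; 2525 stands in for the provider's port.
relayhost = [outbound.relay.example]:2525
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Refuse to hand mail to the relay unless TLS is up and the certificate
# matches the relay hostname, rather than "theoretically" encrypted.
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/cert.pem
# Inbound from the site-local Postfix instances and roaming submission clients:
# only the WireGuard subnet (placeholder 10.8.0.0/24) or SASL-authenticated
# clients may relay through this host.
smtpd_tls_cert_file = /usr/local/etc/ssl/mail.example.org.pem
smtpd_tls_key_file = /usr/local/etc/ssl/mail.example.org.key
mynetworks = 127.0.0.0/8, 10.8.0.0/24
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# rspamd inspects both inbound and locally submitted mail.
smtpd_milters = inet:127.0.0.1:11332
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

# --- cloud Postfix instance: master.cf entry for the non-standard relay port ---
# TLS is mandatory on this listener; the plain port-25 listener keeps its defaults.
2587      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/relay-in
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

# --- site-local Postfix instance: main.cf ---
# Hand every outbound message to the cloud instance over verified TLS on port 2587.
relayhost = [mail.example.org]:2587
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/cert.pem
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Local submission only: nothing outside this host can inject mail here.
inet_interfaces = loopback-only
```

With `smtp_tls_security_level = secure` the sending side fails closed if the next hop's certificate does not match the bracketed relayhost name, so a misconfigured or intercepted hop shows up as deferred mail in the queue rather than as plaintext on the wire.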
