Cloudron as mailserver
-
Fascinating.
So, I already had SendGrid already for outbound. I have sent one email in the last month. (Or,
my.cloudronhas.) This part was already done.I wiped out my Cloudflare email forwarding experiments, picked a domain to test with, and set up email.
Nothing worked for a while (meaning "why are these messages I'm sending from over there not ending up over here?"), but then I read the documentation. Turns out I had to open port
:25to receive email. Documentation is so silly sometimes.Email routed through. "Step 3: profit," as the cool kids say.
This is slightly terrifying to me, for what it is worth. My concerns are... at least a decade old here, but is there any reason I need to be concerned about my Cloudron becoming an open relay? Given that I'm using SendGrid, could I close my outbound
25as a precaution? (Would it matter?) Or, is that what my DKIM and other DNS records are for? (Eh... kinda, to answer my own question. Documentation rears its head again!)I went ahead and expanded my DNSBL zonelist:
zen.spamhaus.org spamcop.org uribl.com nixspam.orgbecause I could.
Thank you all again for the responses.
-
Hi all,
I once, long ago, ran an
eximmailserver with a colleague. At some point, we got zero-day'd, and I decided that running a mailserver was less fun than I thought. I've never looked back.I maintain a domain on an external provider almost entirely for the email forwarding. That is, I have a domain and addresses that I only forward on to other email hosts (e.g. Gmail).
I could move that domain to my Cloudron. At that point, I would be putting all of my personal infrastructure on a box in my basement, and be relying on it for my most important piece of comms infrastructure. And, I know I'd need to actually test my backup and restore process at that point, because I really couldn't afford to have an outage take out my family's email for (say) days.
Do people use Cloudron for production mail? (I mean, I assume they must.) Are there any concerns? Gotchas? Are there other paths people have walked? I've tried experimenting with Cloudflare's email forwarding solution, but was unable to get it to work reliably (a number of months ago).
Many thanks,
Matt@jadudm said in Cloudron as mailserver:
Hi all,
I once, long ago, ran an
eximmailserver with a colleague. At some point, we got zero-day'd, and I decided that running a mailserver was less fun than I thought. I've never looked back.I maintain a domain on an external provider almost entirely for the email forwarding. That is, I have a domain and addresses that I only forward on to other email hosts (e.g. Gmail).
I could move that domain to my Cloudron. At that point, I would be putting all of my personal infrastructure on a box in my basement, and be relying on it for my most important piece of comms infrastructure. And, I know I'd need to actually test my backup and restore process at that point, because I really couldn't afford to have an outage take out my family's email for (say) days.
Do people use Cloudron for production mail? (I mean, I assume they must.) Are there any concerns? Gotchas? Are there other paths people have walked? I've tried experimenting with Cloudflare's email forwarding solution, but was unable to get it to work reliably (a number of months ago).
Many thanks,
MattWorks without any problems whatsoever
-
Fascinating.
So, I already had SendGrid already for outbound. I have sent one email in the last month. (Or,
my.cloudronhas.) This part was already done.I wiped out my Cloudflare email forwarding experiments, picked a domain to test with, and set up email.
Nothing worked for a while (meaning "why are these messages I'm sending from over there not ending up over here?"), but then I read the documentation. Turns out I had to open port
:25to receive email. Documentation is so silly sometimes.Email routed through. "Step 3: profit," as the cool kids say.
This is slightly terrifying to me, for what it is worth. My concerns are... at least a decade old here, but is there any reason I need to be concerned about my Cloudron becoming an open relay? Given that I'm using SendGrid, could I close my outbound
25as a precaution? (Would it matter?) Or, is that what my DKIM and other DNS records are for? (Eh... kinda, to answer my own question. Documentation rears its head again!)I went ahead and expanded my DNSBL zonelist:
zen.spamhaus.org spamcop.org uribl.com nixspam.orgbecause I could.
Thank you all again for the responses.
@jadudm said in Cloudron as mailserver:
This is slightly terrifying to me, for what it is worth. My concerns are... at least a decade old here, but is there any reason I need to be concerned about my Cloudron becoming an open relay? Given that I'm using SendGrid, could I close my outbound
25as a precaution? (Would it matter?) Or, is that what my DKIM and other DNS records are for? (Eh... kinda, to answer my own question. Documentation rears its head again!)I believe port 25 needs to stay open, @girish ?
I went ahead and expanded my DNSBL zonelist:
zen.spamhaus.org spamcop.org uribl.com nixspam.orgbecause I could.
I recommend updating your firewall regularly with an antispam-list, https://forum.cloudron.io/topic/3795/firewall-spamassassin-automatic-list-update?page=3
Also the ruleset by @d19dotca is really helpful: https://forum.cloudron.io/topic/4770/sharing-custom-spamassassin-rules -
If you set up a relay, outbound 25 can be blocked. Incoming port 25 still needs to be open to receive mail. Note that atleast in the US/Comcast, port 25 inbound and outbound is blocked for all residential connections. (so, one cannot run a mail server at home).
-
If you set up a relay, outbound 25 can be blocked. Incoming port 25 still needs to be open to receive mail. Note that atleast in the US/Comcast, port 25 inbound and outbound is blocked for all residential connections. (so, one cannot run a mail server at home).
@girish said in Cloudron as mailserver:
If you set up a relay, outbound 25 can be blocked. Incoming port 25 still needs to be open to receive mail.
It's a shame you can't differentiate between incoming / outgoing block in Fritz!Boxes....
-
@jadudm said in Cloudron as mailserver:
This is slightly terrifying to me, for what it is worth. My concerns are... at least a decade old here, but is there any reason I need to be concerned about my Cloudron becoming an open relay? Given that I'm using SendGrid, could I close my outbound
25as a precaution? (Would it matter?) Or, is that what my DKIM and other DNS records are for? (Eh... kinda, to answer my own question. Documentation rears its head again!)I believe port 25 needs to stay open, @girish ?
I went ahead and expanded my DNSBL zonelist:
zen.spamhaus.org spamcop.org uribl.com nixspam.orgbecause I could.
I recommend updating your firewall regularly with an antispam-list, https://forum.cloudron.io/topic/3795/firewall-spamassassin-automatic-list-update?page=3
Also the ruleset by @d19dotca is really helpful: https://forum.cloudron.io/topic/4770/sharing-custom-spamassassin-rules@necrevistonnezr Thank you. Absolutely good advice.
My firewall pulls dynamically, twice a week? (I'd have to check---might be weekly) from what I've been able to identify as a "good" set of lists. I think have 6-7 different on the firewall. I could go further, but these seem like the "big ones" from my research. Could be good for me to revisit them.
-
If you set up a relay, outbound 25 can be blocked. Incoming port 25 still needs to be open to receive mail. Note that atleast in the US/Comcast, port 25 inbound and outbound is blocked for all residential connections. (so, one cannot run a mail server at home).
@girish Thank you. I am running a relay. I will check if I'm blocking 25 outbound (I probably am not). My ISP does not seem to block 25 inbound, because once I opened 25 inbound (I now route 80, 443, and 25 to my.cloudron), mail started to arrive.
I'm confident OpnSense will let me open it in one direction for NAT traversal, and block it in the other.
-
@Dave-Swift
I use Hetzner, Netcup, DigitalOcean, hosting.de and others.
Many block port 25 by default but allow it after requesting it.
But a strict ban is a criterion for me to not use that provider at all.@BrutalBirdie DigitalOcean blocks port 25, and didn't open it when I asked, even insisted.
-
@BrutalBirdie DigitalOcean blocks port 25, and didn't open it when I asked, even insisted.
@AmbroiseUnly
https://docs.digitalocean.com/support/why-is-smtp-blocked/SMTP port 25 is blocked on all Droplets for new accounts to prevent spam and other abuses of our platform.
Dedicated email deliverability platforms are better at handling deliverability factors like IP reputation. To send mail from DigitalOcean, we recommend using SendGrid:
Is your account new?
-
I've been using Cloudron Mail for a long time with 3 different providers (Linode, OnetSolutions and Hostinger). I never had an issue on sending and receiving e-mails.
What bugs me a lot is the search. It doesn't work well even with full-text search enabled...
Another issue is the lack of good webmail software to use with Cloudron Mail server. Any other mail provider (Gmail, Proton etc) have a much better UX than what is available on Cloudron. I used for some time SOGo but now I use Nextcloud Mail and Snappymail's Nextcloud app as a fallback. From now and then I ask Mozilla to develop a Thunderbird Web
