by joshavant 1573 days ago
I've hesitated to ever attempt this because every residential ISP I've had refuses to offer static IP addresses.

As well, deploying a server in a Google/Amazon/Microsoft datacenter which could be surreptitiously monitored defeats the theoretical privacy aspects of on-premises mail server hosting inside one's personal residence.

However, today, I looked into the newish movement of 'confidential computing' in the cloud (where data in motion - e.g., in memory - is encrypted and cannot be observed from the OS or hypervisor).

I openly wonder if one solution, then, is to build a secure VM that acts as a simple forwarding proxy to one's home server, gets assigned a static IP from a datacenter, and is deployed on one of these confidential computing instances, ensuring full E2E data privacy and data control?

Any guesses?


Is confidential computing needed if all you're doing is forwarding packets? Your cloud provider can see the packets as they leave and enter your VM.

If I was building this I'd stand up a VPN (choose your favourite protocol) between the cloud VM and home server. For the cloud end pick something from lowendbox/lowendtalk or just use the cheapest Vultr instance. NAT port forwarding down the tunnel back to your server at home - just a few iptables rules. Job done. Bonus points if you get an IPv6 /64 and route that down the tunnel too.

It's possible to use policy routing at home so that traffic that needs to go down the VPN does, and traffic that can egress through your home internet can too. Replies to incoming connections that came down the tunnel go back up the tunnel. Outgoing SMTP connections go down the tunnel. Outgoing HTTP goes out your normal internet.
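The cloud-side NAT rules and the home-side policy routing described in this comment, as an added example that is not the commenter's own configuration. It assumes a WireGuard tunnel `wg0` is already up with the cloud VM at 10.8.0.1 and the home server at 10.8.0.2, that the cloud VM's public interface is `eth0` with the static address 203.0.113.10 (a documentation-range placeholder), and that the FORWARD chain's default policy is DROP.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: wg0 tunnel up, cloud VM 10.8.0.1 and
# home server 10.8.0.2 inside it, cloud public interface eth0 = 203.0.113.10 (placeholder),
# FORWARD policy DROP. DRY_RUN=1 prints each command instead of running it (no root needed).

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Cloud VM: send inbound mail ports down the tunnel; give outbound mail the static IP.
cloud_forward_rules() {
  pub_if=$1; pub_ip=$2; home_tun=$3; shift 3
  run sysctl -w net.ipv4.ip_forward=1
  for port in "$@"; do
    # DNAT connections arriving on the public IP to the home server's tunnel address
    run iptables -t nat -A PREROUTING -i "$pub_if" -p tcp --dport "$port" -j DNAT --to-destination "$home_tun:$port"
    # and allow only those forwarded flows through FORWARD (everything else stays dropped)
    run iptables -A FORWARD -i "$pub_if" -o wg0 -p tcp -d "$home_tun" --dport "$port" -j ACCEPT
  done
  # outbound SMTP from the home server, plus return traffic for every accepted flow
  run iptables -A FORWARD -i wg0 -o "$pub_if" -s "$home_tun" -p tcp --dport 25 -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # outbound mail leaves with the static IP, so reverse DNS on that IP is what receivers see
  run iptables -t nat -A POSTROUTING -s "$home_tun" -o "$pub_if" -j SNAT --to-source "$pub_ip"
}

# Home server: policy routing so only tunnel-related traffic uses the tunnel.
home_policy_rules() {
  table=$1   # numeric routing table, so /etc/iproute2/rt_tables needs no entry
  # forwarded clients arrive over wg0 with arbitrary source IPs; strict rp_filter would drop them
  run sysctl -w net.ipv4.conf.wg0.rp_filter=2
  run ip route add default dev wg0 table "$table"
  run ip rule add fwmark 0x1 table "$table"
  # connections that came down the tunnel are marked, so their replies go back up it
  run iptables -t mangle -A PREROUTING -i wg0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x1
  run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
  # new outgoing SMTP also goes down the tunnel; everything else (HTTP, ...) uses the home ISP
  run iptables -t mangle -A OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j MARK --set-mark 0x1
  run iptables -t mangle -A OUTPUT -m mark --mark 0x1 -j CONNMARK --save-mark
}

# usage: sh tunnel.sh cloud   (on the VM)   or   sh tunnel.sh home   (on the home server)
case "${1:-}" in
  cloud) cloud_forward_rules eth0 203.0.113.10 10.8.0.2 25 587 ;;
  home)  home_policy_rules 100 ;;
esac
```

Run with `DRY_RUN=1` first to review the generated rules; the rules are not persisted across reboots, so save them with your distribution's iptables-save mechanism once they work.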

If surreptitiously monitoring your stuff in a cloud is in your threat model, what makes you think that anything you can do in a general home environment is beyond the reach of a dedicated adversarial actor?
Forwarding proxy sounds like a great idea to try out and report back on. Why wouldn't it work?
Not really an issue - just use something like NoIP. No need to pay Amazon or Google for anything.
NoIP/DDNS/etc still means a dynamic IP address, with possibly broken reverse DNS, from a dynamic DNS pool.

To send email you need a static IP with correct reverse DNS, or other people's servers will reject your mail (best case) or silently mark it as spam. Welcome to the real world of email deliverability, the worst part of running your own mail server.

So use an SMTP relay service for outgoing mail. Most of them even have free tiers. I've been using one with a dynamic IP for years, albeit one where the IP doesn't change often.

On the receiving end I use a super inexpensive spam filtering service too, MX Guard dog. If my IP suddenly changes then it queues up mail until host resolution succeeds again.

Fair point.
I personally have a pi running DDNS, which is another option I guess.