[cubesnooper]

> You need a dedicated box, not a VPS. … Unlike some people are saying, you should never do this off a VPS if you have an interest in keeping the email secure and functioning for a long time.

I agree that hosting a mail server directly on a VPS compromises privacy and control. But there’s a better alternative: use VPSes for cheap static IPs, while hosting the server locally on hardware you physically control, using WireGuard tunnels and port forwarding to connect things. Port forward incoming SMTP over WireGuard to your real MX, and use MTA‐STS and DANE so that as many senders as possible will TLS‐encrypt mail they send you. Have your outgoing SMTP server handle DKIM signing, then send it out via WireGuard so it looks like it came from the VPS, while enforcing TLS encryption.

The VPS won’t be able to forge mail from you without your DKIM keys. It won’t be able to read your outgoing mail due to TLS. It won’t be able to read incoming mail that’s TLS encrypted. It will be able to read unencrypted mail, but the big providers that follow MTA‐STS will abort if the VPS attempts to block encrypted connections.

This has the added benefit of reducing your dependence on an external provider (the VPS company) for server setup. If you’re unhappy with a particular provider, just switch to another one. The issues associated with sending email from a brand new IP will be there, but you won’t have to set up complicated infrastructure on the new host, only a few WireGuard tunnels and firewall rules.

[noduerme]

That's a cool idea I'd never considered. And it's easy to set up. But then the main thing you're getting out of the VPS is the static IP. The main reason I was advising against VPS's, besides obvious vulnerabilities, was that their IP blocks get banned all the time. If you want to run a mailserver for a long time you need to cultivate that IP address's reputation for years, and you don't want it to be anywhere sketchy.

If you're paying for that, why not just pay for a static IP at home?

[cubesnooper]

> the main thing you're getting out of the VPS is the static IP.

Yes, that and RDNS.

> If you're paying for that, why not just pay for a static IP at home?

That’s a good question. I too hear that mail providers consider IP blocks assigned to VPS providers less trustworthy than others. The reasons I don’t take the ISP/dedicated server route, aside from price, are:

• VPS providers are not tied to my physical location. If I move, I probably can’t take my ISP’s static IP with me (I may even move to somewhere they don’t service). Conversely, if I want to switch away from a local ISP, the selection of alternatives is extremely limited.

• Risk of neighboring IPs reducing the reputation of the block exists with server companies and local ISPs as well. I concede that the problem is probably worse with VPSes, but I hope to mitigate it somewhat by avoiding bottom‐of‐the‐barrel providers and by the fact that my own IP will never be used to spam.

• I’m somewhat worried about the possibility of DDOS, and VPS companies provide a lot of cheap bandwidth, so in case of attack I might be able to salvage the situation with careful firewalling on the VPS.

[noduerme]

That all makes sense. Although in my experience, if you're really being careful about not sending spam, you've got a lot more to worry about from your VPS being blacklisted than your own IP personally.

>> I’m somewhat worried about the possibility of DDOS

The one time I got severely dDoS'd, because I'd let a friend run a tiny static website off my server that attracted that kind of attention, the hosting company I was with shut my account down immediately and asked for $5000 in reparations. I had to backdoor into the server and salvage whatever I could. That was a hardened box in a military grade facility. I don't think a VPS is going to be kind. Push comes to shove, if it's in your house you can pull the cable.