Running from home

Yeah, I know, you don’t think it’ll work and don’t support it:

[Can I run my Mail-in-a-Box at home?]

No. Computers on most residential networks are blocked from sending mail both on the sending end (e.g. your ISP blocking port 25) and on the receiving end (by blacklists, because residential computers are all too often hijacked to send spam). Your home IP address is also probably dynamic and lacks configurable “reverse DNS.” If any of these apply to you, you’ll need to use a virtual machine in the cloud.

But bear with me. Folk do run mailservers from home successfully. Google it if you like. Now I admit I have tried and failed, but I’m seriously short of time, and overcommitted so it’s on the try-again list.

Given you’ve ruled it out I imagine you’ve tried or have a handle on the problems. I had one working 90% for a bit, basically worked fine, but had some trust issues delivering to gmail targets. So slated reading up on DKIM and more before hitting it again.

But if you’ve tried I’m especially keen to hear why this concerns you:

configurable “reverse DNS.”

as in what you mean by it and what you need it for. I’m guessing you mean this sort of thing:

https://mxtoolbox.com/SuperTool.aspx?action=ptr%3A202.21.9.92&run=toolpage

which does fail in IPv4 dynamic pools but:

  1. I have no idea why that’s needed on a mailserver. And I’d appreciate learning here.
  2. It’s not everyone’s situation at home, it’s easy enough to buy a static IP and might even come cheaper than renting space on a server farm and come with more control.
  3. IPv6 is on the way (at a glacial rate but sliding down the ol’ valley) and static IPv6 addresses are likely to be fairly common if not universal.

As to port 25, my ISP doesn’t block it. And nor is my (current IP) nor any of my domain names on the black list you shared (spamhaus dot org). But yes it is a landscape to navigate and trust building is key. There is an historic issue with home systems hijacked for spam sending yes, but they have (as good as never) never been home mail servers (who has those historically?), rather, mail clients and hijacking on a home network run by anyone wanting to host a mailserver is no more likely to be hijacked than any of the big sites out there. I mean firewalls are solid and standard, and the hurdles you need to jump to get an outbound mail trusted pretty high nowadays. But I’m no spam researcher and can’t be sure. I do imagine it pumping out of dedicated sites in Russia, China, the US and a few other places though that do the IP/DNS dance in much the way BitTorrent sites have to of late, and hijacked home (Windows) PCs and mail clients.

This of course:

Can I modify my box after / use my box for something else too? (Advanced.)

No. Mail-in-a-Box must be installed on a fresh machine that will be dedicated to Mail-in-a-Box, and you cannot modify the box after installation (configuration changes will get overwritten by the box’s self-management). If you are looking for something more advanced, try iRedMail, Sovereign, or Modoboa.

Does suggest trying Modoboa (among others, iRedMail is pricey, and Sovereign demands Ansible) and thanks for that, it looks pretty darn good too.

This puzzles me too:

How will this affect my website? (Advanced.)

If your website is just HTML pages and static files, you can copy it onto your Mail-in-a-Box for a really simple hosting solution. If you have a website already, be aware that your Mail-in-a-Box wants to take over your DNS so that it can configure it correctly for email, and we recommend you let the box do that, but you can configure the DNS to keep your website on another machine. You may also need to configure relaying for outbound transactional email.

What do you mean by that? I’m just curious. For example I have a DNS:

https://www.knot-resolver.cz/

Running on an OpenWRT router/gateway. How can MIAB reconfigure it? But that’s just the local resolver; the root DNS for my domain names is provided by namecheap dot com and again that could have been godaddy or any other popular name provider. And I need to set up MX records there indeed but how does MAIB do that?

Forgive the naivete. I’m blown away at how simple and cool MAIB looks to be and might even try it, bar that I am building it at home not on a server farm and I don’t understand how it’s going to try and configure things that lack standards (unless there are standards there?).

Anyhow, love what I see. May or may not benefit from it or modoboa may have won a customer thanks to your reference. Sure is a lot of cool stuff out there.

For all of the hoops one must go through to make it work … no, it is not within the scope of this project to support. That said, I shall be happy to read through your post and offer feedback on it. And, the solutions that WILL work. Because, YES it can be done. But it is absolutely not worth the time and effort for most.

I just have to take care of some other things first … :slight_smile:

Ok, so this article has one very important paragraph:

Why it’s needed

The most common reason for establishing a reverse DNS is for outbound e-mail servers. Since a reverse DNS record adds further tracing to the origin of an e-mail, it also adds credibility to the e-mail server itself. For that reason, some incoming mail servers will not even consider accepting a message from an IP address which does not identify itself with a PTR record in a reverse DNS zone.

When this article was written several years ago, the word ‘some’ was used in reference to incoming mail servers requiring rDNS … today the correct word would be ‘most’.

True? Maybe … remember we are dealing with generalities here. Most of the time it is NOT easy enough to buy a static IP address as most residential ISPs will not offer them - yes, there are some which will but definitely not ‘many’.

And again, we are back to ‘generally’ as most residential ISPs generally block port 25. You have found a rare gem!

But keep in mind what I originally said … it is not impossible, just not worth the time and effort for many. As the two largest hurdles are obtaining the static IP and then being given access to incoming traffic on port 25. Which MANY residential ISPs won’t do.

DNS is a complicated subject. Mail-in-a-Box was created with the small personal user in mind. One that most likely will not have a web page, or if they do it would be a simple static web page. So MiaB will host simple static web pages on the server … but some people have web pages hosted elsewhere. It is in this case that a determination has to be made to either use the DNS capabilities of MiaB, or to use a different DNS provider (such as your web host, CloudFlare, or your domain registrar).

As I said DNS is complicated. First off MiaB will not reconfigure your router/gateway … as you said your current DNS provider is Namecheap.com … MiaB would either replace them and act as the authoritative DNS for your domain, or you would continue to use them and MiaB will have no part in your DNS hosting - you will have to manually copy the necessary records to Namecheap.

In the case that you use Namecheap DNS (external DNS) MiaB does not set up the MX records. It would be up to you to manually copy them over.

You need to have a registrar that lets you, you need to have an ISP that lets you and you need to have an infrastructure (router) that lets you. But that said, I’m running MIAB from home over a VDSL line without major problems since early 2017 :slightly_smiling_face:

1 Like

It is possible to do it. I’ve hosted my own email servers on my own DSL, and ISDN before that, for more than 20 years. And do it today with MIAB.

Just to add to what’s already been said, I would highly recommend not to run MIAB in production on your NASes or elsewhere on your internal network. Best to create a DMZ network and place MIAB/NextCloud in said DMZ network, which has absolutely no access to your internal network. Chuck your BitTorrent and anything else that allows access from the Internet side while you’re at it.

This assumes you’ll also setup a dedicated Firewall to separate and route packets between the Internet, the DMZ network and your Internal network appropriately. If you don’t already have that, begin with building that first, before MIAB. Can recommend pfSense/OPNSense, but there are other free firewall options like Untangle and more.

One way to do this is setup everything on its own bare metal, but you can also use VMs and virtual software defined networks to facilitate this. Get yourself a little energy efficient NUC with an i3 or i5 processor and deck it out with 1TB SSD or more and 16GB of ram and some USB Gigabit network dongles, and you’ll have enough horse power to do everything above in a single hardware box - your firewall, your IDS/IPS, your DMZ network (in software), your MIAB / NextCloud VM, other VMs for hosting, etc… Use ESXi, Proxmox, XCP-NG, or one of many other enterprise capable VM solutions is what I recommend, and utilise that to manage your backups, staging environment, VM snapshots… and if you really want to go wild, setup a High Availability cluster. Why not? If you do, welcome to the wonderful world of Domestic Data Centres. :slight_smile:

1 Like

Concur with the pfSense recommendation and dedicated hardware. I don’t use VMs as not to complicate stuff. I like to keep things simple. I’m very happy with a couple of

https://pcengines.ch/apu2.htm

An APU2D4 (now called 2E4 I think) is small, cheap, silent, uses a couple of watts and is capable of running MIAB for a couple of domains. With the aforementioned advantages and its three interfaces it also makes a wonderfully capable pfSense router with a WAN, LAN and DMZ.

In my case this setup removed all of my mail, calendar and contacts from Google back to the cloud in my meter cupboard data center where I can see it :slightly_smiling_face:

YMMV.

1 Like

Hi ThumbOne - there are a few people running MIAB at home. I got it going without too much trouble, but I was in IT for years and at least know how to spell ssh. Regarding MIAB config and non-standard stuff, it would be nice to tweak the config and setup, but for me it’s even nicer to have stuff just work - it’s infrastructure and I don’t want to have to play with it every day :slight_smile: I can tell you what I did…

Notes: I’m using a Raspberry Pi 3B+ with an external SSD, running Ubuntu 18.04. It’s a bit underpowered but has been working fine so far. They have a reputation for losing the SD (boot) card, but I’ve been happy running another one as a Pi-hole DNS and storage server for some time, so I’ll give it a go and can change to more substantial hardware if needed.

#1 Get domain name, fixed IP address and open required ports.

For domains, I use gandi.net - been happy so far.

For a connection, I’m on a cable internet with an ISP (Aussie Broadband) who was very happy to assign me a fixed IP address. With my ISP, the fixed address automatically opened up all ports, I didn’t even need to request port 25. Great to have a sensible ISP :slight_smile: I did check that the static address wasn’t on the blacklists - got lucky and it was a clean address.

Regarding IPv6 and networks: I initially had trouble because the IPv6 address changes on every reboot - security & privacy you know :frowning: I didn’t want to change anything that might get touched by MIAB or subsequent upgrades, and Ubuntu on the Pi seems very poor at IPv6 control (not easy to disable the privacy extensions or IPv6 at boot time!). In the end, I just disable IPv6 before the install - the MIAB install then ignores IPv6 and I don’t care if the address appears/changes later.

#2 Setup "DMZ"

I just have a basic home router (Netgear) and it won’t let me set up multiple isolated subnets. This might have put an end to the whole experiment - no way I’m letting the whole world see everything on my LAN. However I can config a “guest” network which does not have access to the rest of my LAN, and I can designate one address to be a DMZ server which is passed all unexpected traffic. The only negative is the guest network must be wifi - not great for a server but traffic is low.

Watch out: I was using a wired connection for initial setup and config, and a wifi connection for the external facing DMZ address. The MIAB DNS server seemed to listen on only one address, randomly, so would work after some installs and after others nslookup would fail. The work around is to disconnect the wired connection before running MIAB install, so it sees only the external facing (DMZ) address.

Raspberry Pi issues: A few things unique to the Pi: Configuring to use wifi at boot time requires a little investigation and playing with config files, but is easy enough. The Pi has no battery backed RTC. It would often boot with an old time and have trouble with DNS resolution - the fix was to put the IP address of a local time server into /etc/systemd/timesyncd.conf. And be sure to install libffi-dev before running the MIAB install, or the install will fail - right near the end!

#3 Storage

I’ve got the box configured with a moderate sized external SSD, which has partitions for swap, /home, and /var. I hope that moving /var off the pi’s SD card will improve card life - my other similar box uses a ram-disk to minimise /var/log writes.

#4 Install

Very straightforward, as per the instructions. When it’s all going, copy the DNSSEC stuff to gandi, and then ask my ISP to update the reverse DNS entry. That took a little while but no problems.

Now all the checks show greens, and all the spam checkers say 10/10. I’m happy.

2 Likes

If you don’t have a static IP at home and/or can’t change the PTR record for that IP you can do the point of presence approach.

Buy the cheapest cloud based VM you can find and build an encrypted tunnel to it from your local network using ipsec or openvpn or something like that. Make all traffic from your local server go via that encrypted route and similarly NAT back ports 25, 443, 53 etc from your VM to your local server. Then install MAIB.

Same approach can be applied to many services you might want to host at home but access over the internet.

I keep meaning to write a how to based on my set up with an ipsec tunnel to DO. Maybe people would find it useful?

Yes, I think that the few who want to run MiaB from home would find it very useful.

Let me know if you do not have a blog to publish it to as I’d actually be interested in including it on mine (with full credit to you, as a guest author, OF COURSE.)

Ok here goes. I am writing this up as I build a test environment so bear with me :slight_smile:.

Since people have different routers at home many of which won’t have the ability to build IPSEC or OpenVPN tunnels I am going to base this around a raspberry pi using the following topology as a starting point:

local network (192.168.58.0/24) -> router (dynamic or static ip it doesn’t matter) -> internet

N.b. you should change 192.168.58.0/24 to match your local network subnet. Many off the shelf routers use 192.168.0.0/24 or 192.168.1.0/24.

I am going to put a raspberry pi on the local network with an ip address of 192.168.58.64 (static), create a cloud based VM on Digital Ocean and then build an OpenVPN tunnel between the two. It will look a bit like this:

raspberry pi -> encrypted tunnel -> DO VM -> internet

Once that is working you follow the MIAB instructions as if you were installing it on the DO VM (DNS glue records, PTR record etc) except you don’t install it there. Instead you install it on another local server (not the raspberry pi) which has one small modification to its network configuration prior to installing MIAB which is to set its gateway IP address to that of the raspberry pi instead of the router - i.e. it will send all non-local traffic to the raspberry pi which will forward those over the encrypted tunnel to the DO VM which becomes the point of presence.

Step 1. Create a DO droplet with Ubuntu 18.0.4. Login and install OpenVPN.

curl -L https://install.pivpn.io | bash

Don’t worry that your droplet isn’t a Raspberry PI. I chose the defaults except to select OpenVPN instead of Wireguard because I have no prior experience with it.

Reboot when prompted and login again and create a single vpn user:

pivpn add

Follow the prompts choosing sensible values. I chose ‘miab’ as the name. Save the miab.ovpn file (it will tell you where it has saved it) somewhere local as we’ll want to install it on the Raspberry PI in a bit.

Before rebooting, edit the following file

/etc/openvpn/ccd/miab and add this line to inform OpenVPN of our local subnet

iroute 192.168.58.0 255.255.255.0

Step 2. Install Raspbian Buster Lite on the raspberry pi and do a full package update.

sudo apt update && sudo apt upgrade

Make sure it has a static IP (in this case 192.168.58.64)

sudo nano /etc/dhcpcd.conf and make the necessary changes e.g:

interface wlan0
static ip_address=192.168.58.64/24
static routers=192.168.58.1
static domain_name_servers=192.168.58.1

Enable IP packet forwarding (we’re going to be acting as router later) and disable redirects.

sudo nano /etc/sysctl.conf and add the following:

net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Install openvpn & speedtest-cli

sudo apt install openvpn speedtest-cli

Copy the .ovpn file from your droplet over to /etc/openvpn/ on the Raspberry PI. If you created a private key password you should also create a /etc/openvpn/miab.pass file containing that password and edit the .ovpn file adding a line under ‘client’ like so:

client
askpass /etc/openvpn/miab.pass
....

Also add keepalives to the same file to keep the tunnel up

keepalive 10 60

You can test the tunnel works by typing

sudo openvpn /etc/openvpn/miab.ovpn

and in another SSH session you should be able to ping the remote tunnel IP of the droplet

ping 10.8.0.1

Similarly from the droplet it should be possible to ping 10.8.0.3

Finally check that when you run speedtest-cli it reports

‘Testing from Digital Ocean (X.X.X.X)’

when the tunnel is up.

Finally make sure the tunnel comes up at boot. I added the command to /etc/rc.local but there are better ways to do this.

sudo nano /etc/rc.local and add

openvpn /etc/openvpn/miab.ovpn &

Also to make the Pi act as a NAT router add the following line as well.

iptables -t nat -A POSTROUTING -s 192.168.58.0/24 -o tun0 -j MASQUERADE

Note on Buster this won’t work unless we switch to iptables-legacy using

sudo update-alternatives --config iptables and select option 1.

Now reboot and re-run speedtest-cli to make sure everything still works as expected.

Step 3. Install Ubuntu on your local server that you wish to be your on premise MIAB server.

Install the version that the instructions advise you to (18.04 at the time of writing).

Change the network settings so that it has a static IP (in this case 192.168.58.85) and its default gateway is 192.168.58.64 - i.e. the Raspberry PI not your router.

Reboot and install speedtest-cli

sudo apt install speedtest-cli and run it to verify that packets are being routed via the DO droplet correctly:

Retrieving speedtest.net configuration...
Testing from Digital Ocean (167.x.x.x.)...

If that works then hooray! Your on premises MIAB server routes packets outbound to your DO droplet not to your ISP. Of course your ISP still carries those packets but they are encrypted and wrapped in OpenVPN tunnel packets.

Step 4. NAT inbound HTTP(S), IMAP, SMTP, DNS traffic arriving at DO public IP (167.x.x.x) to MIAB

First test that you can ping 192.168.58.64 from the DO droplet. If not make sure that you did enter the iroute directive into /etc/openvpn/ccd/miab. I forgot the first time.

We now need to NAT inbound traffic arriving at the droplet. I.e. an HTTP connection to 167.x.x.x.:80 will be redirected to 192.168.58.85:80 causing the packets to traverse the tunnel.

Add the following into /etc/rc.local and reboot:

iptables -t nat -A PREROUTING -d 167.x.x.x.x -p tcp --dport 53 -j DNAT --to-dest 192.168.58.85:53
iptables -t nat -A PREROUTING -d 167.x.x.x.x -p tcp --dport 80 -j DNAT --to-dest 192.168.58.85:80
iptables -t nat -A PREROUTING -d 167.x.x.x.x -p tcp --dport 443 -j DNAT --to-dest 192.168.58.85:443

etc for all the ports MIAB requires - UDP 53, TCP 80, 443, 25, 587, 993, 4190.

After reboot you should be ready to install MIAB on your local server.

Note that there are some security considerations here. If someone broke into your droplet they could poke around your internal network at will. You’ll need suitable firewall rules set up on the Raspberry Pi to prevent this.

And finally a disclaimer that I’m not suggesting this is best practice but rather to show that it is possible. MIAB does a great job taking back some control of our e-mail communications and I think being able to self host is an extension of those rights over the data itself. Plus I like having my own server closet with flashing lights :slight_smile:

2 Likes
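The port list in Step 4 and the firewall gap noted at the end of the post come down to the same set of ports, so here is an added shell example (written for this thread, not code from the post or from the Mail-in-a-Box project) that generates both rule sets from one definition: the droplet-side DNAT rules for every required port, and FORWARD rules for the Raspberry Pi that let traffic arriving from the tunnel reach only the MIAB host on those ports, dropping anything else aimed at the LAN. The 192.168.58.x addresses and tun0 are the post’s; DROPLET_IP is a placeholder to replace with your real droplet address.

```shell
#!/bin/sh
# Added example: one port list, two rule sets (droplet DNAT and Pi FORWARD filter).
# Addresses below follow the thread's topology; DROPLET_IP is a placeholder (TEST-NET-3).

LAN_NET="192.168.58.0/24"                  # home subnet (change to match yours)
MIAB_IP="192.168.58.85"                    # the on-premises MIAB box
DROPLET_IP="${DROPLET_IP:-203.0.113.10}"   # placeholder: set to the droplet's public IP
TUN_IF="tun0"                              # OpenVPN interface on both ends
TCP_PORTS="25 53 80 443 587 993 4190"      # ports MIAB needs, per the post
UDP_PORTS="53"

# Droplet side: DNAT every required port at the public IP to MIAB across the tunnel.
droplet_dnat_rules() {
    for p in $TCP_PORTS; do
        echo "iptables -t nat -A PREROUTING -d $DROPLET_IP -p tcp --dport $p -j DNAT --to-destination $MIAB_IP:$p"
    done
    for p in $UDP_PORTS; do
        echo "iptables -t nat -A PREROUTING -d $DROPLET_IP -p udp --dport $p -j DNAT --to-destination $MIAB_IP:$p"
    done
}

# Pi side: from the tunnel, allow only replies to LAN-originated connections and new
# connections to MIAB on the listed ports; drop any other tunnel traffic aimed at the LAN.
# The LAN -> tunnel ACCEPT and the MASQUERADE line reproduce the post's outbound path.
pi_forward_rules() {
    echo "iptables -A FORWARD -i $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $TCP_PORTS; do
        echo "iptables -A FORWARD -i $TUN_IF -d $MIAB_IP -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        echo "iptables -A FORWARD -i $TUN_IF -d $MIAB_IP -p udp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $TUN_IF -d $LAN_NET -j DROP"
    echo "iptables -A FORWARD -s $LAN_NET -o $TUN_IF -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $TUN_IF -j MASQUERADE"
}

# Self-check: count Pi rules that would let new tunnel traffic reach a LAN host other
# than MIAB (anything "-i tun0" that is neither MIAB-bound, a DROP, nor the reply rule).
# A correct rule set yields 0.
lan_exposure_count() {
    pi_forward_rules | grep -- "-i $TUN_IF" | grep -v -- "-d $MIAB_IP" \
        | grep -vc -e "-j DROP" -e ESTABLISHED || true
}

# Usage: sh rules.sh droplet | sudo sh     (on the droplet)
#        sh rules.sh pi | sudo sh          (on the Raspberry Pi, after the tunnel is up)
case "${1:-}" in
    droplet) droplet_dnat_rules ;;
    pi)      pi_forward_rules ;;
    check)   lan_exposure_count ;;
esac
```

Print the rules first and read them before piping to sh; the DROP must stay after the ACCEPT lines, which the generator guarantees, but any rules pivpn already installed on the droplet still apply alongside these.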

Thanks so so much. I’m a tad short on time to digest it all now. But will keep this bookmarked and ready. So much to do, but to see some of you are using MAIB at home and giving it thought is a blessing. I have a Rpi set aside for the job already, but am snowed under for now. As I said, bookmarked, noted and loved! Back later.

ThumbOne - afraid I’ve given up on the Raspberry Pi as a mail server :frowning: I’ve switched to an Intel NUC and (touch wood) it’s been fine, so far. (Still happy with MIAB.)

The pi seemed ok initially. I’m pretty confident the hardware was ok (I’ve since exercised it and the storage pretty well, without seeing any problems, under raspbian). But the server would crash about weekly! It might have been something to do with munin or one of the services, running wild - it would normally just die around 6am and need a hard reset.

My guess (without looking too far) is that it’s some subtle bug showing up in the pi ubuntu. Anyway, I changed to a NUC (still at home) and it’s been good…

1 Like

Ironic. I’ve been running NextCloudPi for a long while now on an RPi and am having similar troubles. Regular need to reboot the thing. The one thing I can say for the Pi is it reboots easily, cleanly and quickly. But the irony is I too have a NUC set aside for a while now (a reject from an HTPC experiment which is now running on MintBox, the NUC having proved painfully unreliable, blue-screeny and crashy when HDMI and DP devices come and go - firmware issues even with latest firmware updates and Intel support so I downgraded it to a screenless server role some time) but I had that earmarked as a Nextcloud server with Ubuntu20 perhaps.

I haven’t got around to the MAIB experiment yet (there’s always a long todo list of projects and such) but I have this thread bookmarked for when I do as MAIB seems like maybe doable and a bundle deal (as opposed to configuring all the bits myself). Though I may still try modoboa some time too, who knows? It is awesome to hear from successful MAIB @ home users here though!

If anyone over here is from the UK and has access to xDSL then have a look at
my ISP AA (Andrews & Arnold Ltd) Home::1 300GB / no upload restriction …
https://www.aa.net.uk/broadband/home1/

Setting up reverse DNS (domain not hosted with them) was not a problem
https://support.aa.net.uk/Reverse_DNS

No port blocking, no filtering :slight_smile:

Maybe we can have a list of ISP that are friendly in running your MAIB/mail server from home?

I have a Dell OptiPlex 9020 Micro that I picked up on eBay with 120GB M.2 (22x80mm) SSD and 2TB internal 2.5” inside.

2TB HDD was set up on install as /home partition :wink:

And quote from their website:
“By default a fixed IPv4 ‘WAN’ address and a /64 IPv6 block will be assigned. If you’d like a block of IPv4 addresses then please contact us and we’ll assign a /30 or a /29 upon request. Further IPv6 blocks can be assigned too, as needed.”

I am using RPi for less intensive projects RasPBX, NTP, ADS-B, Log server, TVHeadEnd+PiTV Hat, but also using Dell OptiPlex Micro for TVHeadEnd with 5 USB DVB-T/T2 and one DVB-S2X (my 20M upload is not enough for 4K streaming outside LAN) and extra HDD attached and works great and now MIAB as well :wink: and one more Micro in reserve for spare project (I can not help myself not picking up a good deal on eBay …)