Once upon a time, residential home Internet connections — cable modem and DSL being the choices at the time — were unfiltered and un-firewalled. This had good and bad aspects to it. You may or may not have been firewalled off from your neighbors. I remember a guy who worked for me demonstrating on the TV news one night how he could see every Windows PC in his neighborhood, and send print jobs to random peoples’ printers if he wanted to. Even after they wised up to that little bit of “openness”, it was still possible to run your own services — mail, web, and so on.
Since then ISPs have come a long way. Residential cable, DSL, and fiber connections, often topping out at 1 GB or even higher, are tightly restricted. Your ISP really wants to support only web prosing and gaming, and most certainly do not want any services running on their network. No web servers, no email (in or outbound). Anything inbound on ports 80, 25, and often 443 are blocked, as is outbound port 25.
So, you’ve got your own little web server you run for your own blog (like this one)… or one you run for a nonprofit, club, whatever. You’ve got your own domain and want to run your own email. The solution is usually some combination of a hosted VM, Google, what have you. But it can get a little expensive, and of course you’re dependent on others for critical bits and pieces of your infrastructure. I can’t take all of that pain away, but I can maybe help to reduce it somewhat.
So let’s look at the issues you may face, and how to solve them. I’ll detail each solution in subsequent blog posts, with solutions that may work for you as they have for me.
- Your IP address is dynamic, and you need reliable DNS. This can be fixed using a script to detect when your IP address changes, and update your DNS accordingly. It’s not perfect in that there will be a delay before the IP address change is detected and updated, but if your IP only changes occasionally it’s “good enough”. Of course there are dynamic DNS (DDNS) solutions that will do this as well, if you don’t mind paying for them. I’m a cheap bastard and I like a challenge, so I rolled my own.
- Your ISP blocks connections on port 25 (SMTP). This is pretty much going to require an external mail relay. I have yet to find a way to get the rest of the world to use any port other than 25 for SMTP connections… it really is too bad there’s not a DNS based way around this, like a SRV record (see RFC 6186). Until that happens, I use a small external hosted VM relaying mail on a different port. It could actually be a lot simpler, but I prefer to keep our actual email on a server here, at my house.
- Your ISP blocks incoming traffic on web ports 80 and 443. Easy. Nginx is your answer, what was the question?
The fun part is sizing this stuff. If you’re used to working in a corporate environment like I have been for the past (mumble) years, you’re thinking, “OK, a 4 CPU 16 GB machine for a mail server, than another one for the proxy… that might be OK… ” Nah. You might be shocked at just how little power it takes to do this stuff. After all, we’re just passing packets around. The TLS encryption is the most heavyweight thing being done, I think. If I had a solid place to hang a Raspberry Pi where it would have a static IP and no filtering of privileged ports, it wouldn’t break a sweat — though I’ve had too many of them just stop working to trust them for this kind of stuff, really.