• 1 Post
  • 21 Comments
Joined 1 year ago
cake
Cake day: June 13th, 2023

help-circle





  • Every time I think about hosting my own mail server, I think back to the many, many, many times I’ve had to troubleshoot corporate email systems over the years. From small ones that ran on duct tape and prayers to big ones that were robust, high dollar systems.

    98% of the time, the reason the messages aren’t coming or going is something either really obscure or really stupid. Email itself isn’t that complicated and it’s a legacy communications medium at this point. But it’s had so much stuff piled on top of it for spam and fraud prevention, out of necessity, and that’s where the major headaches come from. Honestly, it’s one service that to me it’s worth paying someone else to deal with.





  • Set up a VPS. Create a VPN tunnel from you local network to the VPS. Use the VPS as the edge router by opening ports on the VPS firewall and routing incoming traffic on those ports through the VPN tunnel to servers on your local network.

    I used to do this to get around CGNAT. I ran RouterOS in a Digital Ocean droplet and setting up a wire guard tunnel between it and my local Mikrotik router.

    It will obscure your local WAN IP and give you a static IP but that’s about the only benefit. And you have to be pretty network savvy to configure it correctly.

    It does not make you immune to DDoS attacks and is honestly more headache to maintain (albeit just a small headache).




  • Oh, I wouldn’t if I could avoid it. The “fun” of tinkering with IT stuff in my very limited spare time vaporized many years ago. If I could pay for services that did exactly what I wanted, respected my privacy, and valued my business while charging a fair price, I would stop self-hosting tomorrow. But that’s not usually how it works.

    Self hosting isn’t super high maintenance once you get everything set up but it still takes up probably 10-12 hours per month on average and I would not mind having that time back.


  • This is a pretty good summary. In enterprise networking, it’s common to have the ‘DMZ’, the network for servers exposed to the internet, firewalled off from the rest of the system.

    If you have a webserver, you would need two sets of ports open, often on two separate firewalls. On the WAN firewall, you would open ports 80/443 pointing to the webserver. On the system firewall, between the DMZ and LAN, you would open specific ports between the webserver and whatever internal resources it needs; a database server for example.

    This helps limit the damage if a malicious actor hacks into your webserver by making sure they don’t also have unrestricted access to other parts of your system. It’s called a layered security approach.

    However, someone self hosting may not have the expertise or even the hardware to set up their system like this. A VPS for public facing services, as long as it’s configured properly, can be a good alternative. It also helps if you have a dynamic WAN IP address and/or are behind CG-NAT.

    Edit: maybe good to mention that securing your local network behind a VPN, even one hosted on your local network, is more secure than allowing public facing services. Yes, it means you still have to open a port. But that’s useless to a malicious actor without the encryption keys. Whereas, if you have a webserver exposed publicly, malicious actors already have some level of access to your system. More than they would if that service didn’t exist anyway. That’s not inherently bad. It comes with the territory when you’re hosting public services. It is more more risky though. And, if the exposed server is compromised, it can potentially open up the rest of your system to compromise as well. Like the original commenter said, it’s about managing risk and different network configurations have different levels of risk.