Running a Mail Server on a Residential Broadband Connection

For those few of us who are crazy enough to still want to run our own e-mail servers, a major roadblock has cropped up in the past few years due to the prevalence of spammers, mail-sending viruses, etc.: automated blacklisting of dynamic IPs located on residential broadband connections. Essentially, if you try to send mail from Comcast, SBC, or some other ISP that provides accounts to the unwashed masses, you'll be bounced on the spot by major mail providers like AOL, Yahoo, Hotmail, etc. While it's technically possible to get each of these mail providers to whitelist you, the time and effort it would take to reach what will ultimately be an incomplete solution by this method are staggering.

Luckily, there's an easy way to get around this problem: mail relaying. This can be done either through the ISP directly (smtp.comcast.net, in my case) or through an outside service such as DynDNS' MailHop Outbound. Any decent mail server will support this kind of relaying; I'm going to go through the process of setting up a Qmail system to do it, since that's what I know.

Step 1: Trimming Bounce Messages

The first thing you'll want to do isn't strictly necessary, but it's definitely in your best interests: apply John Simpson's validrcptto patch. The process is very simple and well-described on his page, so I won't go into the details of installation here. What's more important is the reason for applying this patch: keeping the number of outbound messages you send down by eliminating bounce messages for invalid addresses at your domain. In my case, I was generating thousands of messages per day, because spammers were sending to addresses like abcd123@schnarff.com, foobar@schnarff.com, etc., and Qmail was being a good Netizen and sending back proper bounce messages for all of these attempts. Once you've listed all of the valid addresses at your domains (I did this for my various domains), validrcptto rejects messages destined for invalid addresses during the SMTP conversation itself, so nothing is ever accepted and no bounce has to be generated, a la:
220 schnarff.com ESMTP
ehlo spammer.net
250-schnarff.com
250-STARTTLS
250-PIPELINING
250 8BITMIME
mail from: evil@spammer.net
250 ok
rcpt to: spamvictim@schnarff.com
553 sorry, this recipient is not in my validrcptto list (#5.7.1)
quit
221 schnarff.com
For those who are concerned about maintaining a whitelist, and would prefer to be able to blacklist certain addresses in a similar fashion, use badrcptto.
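As an added example that is not part of the original post or of the validrcptto patch, the following Python sketch shows the RCPT-time check that produces the rejection above, and why it matters: the 553 is returned before any message data is accepted, so there is nothing to bounce. The list format (one entry per line, "@domain" meaning every address at that domain) and the tiny session handler are assumptions for illustration.

```python
# Added example, not from the original post or from John Simpson's patch:
# simulates the RCPT-time check validrcptto adds to qmail-smtpd. Assumed
# list format: "user@domain" for one mailbox, "@domain" for every address
# at that domain, one entry per line, "#" lines are comments.

VALIDRCPTTO_TEXT = """\
# constructed sample list
alex@schnarff.com
@example.org
"""

def load_validrcptto(text):
    """Return (exact addresses, catch-all domains), lower-cased."""
    exact, domains = set(), set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        (domains if line.startswith("@") else exact).add(line.lstrip("@"))
    return exact, domains

def rcpt_response(addr, exact, domains):
    """Reply to RCPT TO; a 553 here leaves the sending host, not us,
    holding the failure, so no bounce message is ever queued."""
    addr = addr.strip().strip("<>").lower()
    user, _, domain = addr.rpartition("@")
    if addr in exact or (user and domain in domains):
        return "250 ok"
    return "553 sorry, this recipient is not in my validrcptto list (#5.7.1)"

def run_session(commands, exact, domains):
    """Loop over constructed client commands; returns (replies, queued)."""
    replies, queued = [], []
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        v = verb.lower()
        if v in ("ehlo", "helo"):
            replies.append("250 schnarff.com")
        elif v == "mail":
            replies.append("250 ok")
        elif v == "rcpt":
            addr = arg.partition(":")[2]  # "to: <addr>" -> " <addr>"
            r = rcpt_response(addr, exact, domains)
            if r.startswith("250"):
                queued.append(addr.strip().strip("<>").lower())
            replies.append(r)
        elif v == "quit":
            replies.append("221 schnarff.com")
    return replies, queued
```

Only recipients that got a 250 reach the queue; a real qmail-smtpd also still has to handle DATA, which this sketch leaves out.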

Step 2: Routing Through Your ISP

For those running through their ISP's mail server, edit /var/qmail/control/smtproutes to read:
:smtp.comcast.net
...with "smtp.comcast.net" being replaced as necessary with your ISP's mail server. Make sure that this file is readable by the user running qmail-send (usually just "qmail"), and you're good to go!

One thing to keep in mind when running through your ISP's servers is that they may shut you down if you send too many messages. I was automatically blocked by Comcast within 8 hours, due to the volume of mail I had generated; I got directed here via a 550 error message. While I'm not sure precisely how many e-mails are necessary to trigger a block (my logs were already turning over by the time I saw this), I believe it's in the range of 1,000 outbound per day.

Step 3: Routing Through An Outside Authenticated Service

Setting up an outside service is typically a bit more difficult, as it will usually require SMTP authentication. It's not bad, though, so don't write it off altogether.

The first thing you'll want to do is find an outside mail relay provider. I recommend DynDNS' MailHop Outbound service, as it's cheap and reliable. Sign up with them and get the address of their mail relay provider (outbound.mailhop.org with DynDNS). Make sure you've got your username and password available before proceeding.

Next, you'll need to install the Qmail remote auth patch. This is as simple as: Once this is done, you'll want to edit /var/qmail/control/smtproutes to read:
:outbound.mailhop.org username password
...with values above being replaced appropriately depending on your setup.
Eventually, I am planning on writing a Qmail wrapper that will detect errors such as Comcast's 550 that let you know that you've been blacklisted or otherwise locked out, and check /var/qmail/control/smtproutes for second through Nth servers to send mail through. This will allow people to use their ISP or other free relay up to their quota, and then switch over to a paid service if necessary. Please contact me at alex at schnarff dot com if you are interested in such a piece of software.