Linode Community Forums
 


Using linode to send mail from dynamic IP hosts

       Linode.com Forum Forum Index -> Linux Tips, Tricks, Tutorials
Author Message
dswartz



Joined: 18 Feb 2008
Posts: 11

Posted: Tue Feb 19, 2008 2:52 pm    Post subject: Using linode to send mail from dynamic IP hosts  

I have a residential broadband connection, so my IP is dynamic. I also run a postfix smtp server for my domain, but unfortunately, sending mail is problematic since quite a few large providers block smtp connections from IPs in known dynamic ranges. A static IP is not an option, since I'd have to get a business account for 2X the cost. What I did: get a linode and install centos 5 on it. Set up an openvpn link between my home linux system and the linode. Set a couple of iptables rules and a custom routing rule so that outbound smtp connections are marked and later snat'ed to the IP of my end of the tunnel, and then sent into the tunnel. The linode has a single iptable rule to snat the outbound traffic. Works a charm. Here is the home end:

# -I inserts at the top of the chain, so these run in reverse order of entry:
# the two ACCEPT exceptions (127.0.0.1, 10.0.0.0/24) are checked before the MARK rule.
iptables -t mangle -I OUTPUT -p tcp --dport 25 -j MARK --set-mark 0x1a
iptables -t mangle -I OUTPUT -p tcp -d 10.0.0.0/24 --dport 25 -j ACCEPT
iptables -t mangle -I OUTPUT -p tcp -d 127.0.0.1 --dport 25 -j ACCEPT
# Marked connections leave with the tunnel address as their source.
iptables -t nat -I POSTROUTING -m mark --mark 0x1a -j SNAT --to-source 10.8.0.2

[root@sphinx iproute2]# ip rule list
0: from all lookup local
32765: from all fwmark 0x1a lookup mail.out <=== new rule
32766: from all lookup main
32767: from all lookup default

on the linode:

/sbin/iptables -t nat -I POSTROUTING -o eth0 -j SNAT -p tcp --to-source $PUBLIC_IP
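Added example, not part of dswartz's post: the post shows the resulting `ip rule list` entry but not the table and route behind it, and its Linode rule rewrites every outbound TCP connection leaving eth0. The sketch below fills in the home-side routing table and scopes the Linode side to SMTP from the tunnel address only. The mark 0x1a, the table name mail.out, 10.8.0.2 and eth0 come from the post; the tunnel peer 10.8.0.1, interface tun0, table number 200 and the placeholder public IP 203.0.113.5 are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. From the post: mark 0x1a, table name
# mail.out, tunnel address 10.8.0.2, eth0. Assumed: everything overridable below.
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands, 0 = run them (root)
MARK=0x1a
HOME_TUN_IP=10.8.0.2
LINODE_TUN_IP="${LINODE_TUN_IP:-10.8.0.1}"   # assumed Linode end of the tunnel
TUN_DEV="${TUN_DEV:-tun0}"                   # assumed OpenVPN interface name
TABLE_ID="${TABLE_ID:-200}"                  # assumed free routing table number
PUBLIC_IP="${PUBLIC_IP:-203.0.113.5}"        # placeholder, use the Linode's own IP
RT_TABLES=/etc/iproute2/rt_tables

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Home end: the table and route behind "fwmark 0x1a lookup mail.out".
home_routing() {
    grep -qs 'mail\.out' "$RT_TABLES" ||
        run sh -c "echo '$TABLE_ID mail.out' >> $RT_TABLES"
    run ip route replace default via "$LINODE_TUN_IP" dev "$TUN_DEV" table mail.out
    run ip rule add fwmark "$MARK" lookup mail.out
}

# Linode end: forward and SNAT only SMTP that arrives from the home tunnel
# address, so the box does not rewrite or relay any other traffic.
linode_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i "$TUN_DEV" -o eth0 -s "$HOME_TUN_IP" \
        -p tcp --dport 25 -j ACCEPT
    run iptables -A FORWARD -i eth0 -o "$TUN_DEV" -d "$HOME_TUN_IP" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$TUN_DEV" -j DROP
    run iptables -t nat -A POSTROUTING -o eth0 -s "$HOME_TUN_IP" \
        -p tcp --dport 25 -j SNAT --to-source "$PUBLIC_IP"
}

# Home end check: the marked lookup must resolve via the tunnel device, the
# unmarked one via the normal default route.
home_verify() {
    run ip route get 198.51.100.25 mark "$MARK"
    run ip route get 198.51.100.25
}

# "home" or "linode" applies that side (with DRY_RUN=0); anything else only prints.
case "${1:-show}" in
    home)   home_routing; home_verify ;;
    linode) linode_nat ;;
    *)      DRY_RUN=1; home_routing; linode_nat; home_verify ;;
esac
```

Run it with no argument to review the commands, then as root with `DRY_RUN=0` and `home` or `linode` on the matching machine.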
nabber00



Joined: 02 Dec 2007
Posts: 24

Posted: Tue Feb 19, 2008 5:48 pm    Post subject:  

Or you can do like I do and run postfix + smtp auth + SSL/TLS. Works well since most mail clients understand this natively, no need for openvpn software.
dswartz



Joined: 18 Feb 2008
Posts: 11

Posted: Tue Feb 19, 2008 5:57 pm    Post subject: i'm afraid you misunderstood  

This has nothing to do with smtp clients, but with other sites' servers that will not accept inbound smtp from my smtp server, since its public IP is in a dynamic IP pool (yes, I know I can just use my ISP's mail server, but I prefer to have more control, since if something goes wrong once it's handed off, I have no visibility into that...)
SteveG



Joined: 30 Nov 2003
Posts: 214

Posted: Tue Feb 19, 2008 5:57 pm    Post subject:  

Or do what I do and run UUCP for the home<->linode connection, over OpenVPN, if you like. Sure, it's old tech, but it's exactly what it's designed for: pushing and pulling mail from/to an intermittently connected server. And since home is a real postfix (or whatever) mail server, you can use whatever clients you like.
sweh



Joined: 13 Apr 2004
Posts: 226

Posted: Tue Feb 19, 2008 6:33 pm    Post subject:  

UUCP over stunnel, here (rather than openvpn). Works well :-)
yejun



Joined: 19 Feb 2008
Posts: 9
Location: USA

Posted: Tue Feb 19, 2008 7:25 pm    Post subject:  

Openvpn solution is more generic and easier to implement. Zero configuration in both server and client software.
dswartz



Joined: 18 Feb 2008
Posts: 11

Posted: Wed Feb 20, 2008 8:42 am    Post subject:  

These are all interesting ideas, but completely unrelated to the problem I was trying to solve :(
SteveG



Joined: 30 Nov 2003
Posts: 214

Posted: Wed Feb 20, 2008 11:35 am    Post subject:  

No, it's not unrelated. The problem is that mail from your home server is rejected because your home IP is dynamic, right? The solution is not to send mail from your home server, but to route everything (except local mail, of course) through your linode. One way to do this is to have your home server treat your linode server as its smarthub, and have your linode server route local mail to your home server. The downside of this approach is if your IP changes, incoming mail will (for a while) be delivered to the old address. Most of the time there won't be a server there, and it will just sit in the queue until the linode server finds the new address. Occasionally, you'll be unlucky, and the mail will be bounced or accepted, and you'll never see it.

Another way is to not have a local server, and just have your client access your linode. The downside is that the client you like may not support SMTP AUTH, and that each client has to be configured.

Another way is UUCP, which is pretty easy to set up (with postfix, at least). The good thing about this approach is that all transfers are driven by the home server, whose current IP is irrelevant. It has proven extremely reliable for me. The "downside" is that it's old tech, and has a four-letter-acronym, which everyone knows isn't as good as a TLA.
dswartz



Joined: 18 Feb 2008
Posts: 11

Posted: Wed Feb 20, 2008 11:37 am    Post subject: sigh  

I understand what you're saying, and I did consider the smarthub approach, but that involves having two sets of mail server software, and I wanted to keep everything centralized (and the simplest possible config on the linode...) This technique is also useful for other applications that need a static IP...
yejun



Joined: 19 Feb 2008
Posts: 9
Location: USA

Posted: Wed Feb 20, 2008 11:50 am    Post subject:  

When I use public wireless, I will route all my internet traffic through an openvpn gateway.
It seems to me openvpn is just easier to configure than all these old existing technologies such as IPsec, PPTP, etc.
SteveG



Joined: 30 Nov 2003
Posts: 214

Posted: Wed Feb 20, 2008 2:16 pm    Post subject:  

Ah, I was assuming you had a mail server on your linode anyway, for incoming mail. So your MX is your home server? That can be problematic...but it's your mail.
dswartz



Joined: 18 Feb 2008
Posts: 11

Posted: Wed Feb 20, 2008 2:44 pm    Post subject: yes, sorry for any confusion  

it can be months between my IP changing, and i use a dynamic dns service to update the MX. you raise a good point that i may want to consider mapping inbound traffic thru the tunnel too, to avoid any issues there.