I recommend that you also support implicit TLS for both client-to-server and server-to-server connections, instead of just STARTTLS. That'd be the "c2s_direct_tls_ports" and "s2s_direct_tls_ports" directives, on port 5223 and 5270 respectively. These should go into your SRV records, too. Also consider enabling SASL2.
"Spamming", or rather, responding too quickly in an intense discussion, is cause for automatic shadowban here on HN. It happened to me on a previous account some years ago. The posts themselves were harmless, I merely responded to too many users in too short a timeframe. My attempts at having the ban undone also turned out to be a waste of time. Completely absurd.
We can't verify that the Pixel phones are safe. Nor can the GrapheneOS people, because they don't know everything that's running in the Google Tensor SoC, and they don't have the source code to the firmware running in the Samsung Exynos cellular modem.
> Please provide a list, no sarcasm. And please don’t put Hetzner on it, as it is not a cloud provider.
In what way are they not a "cloud" provider? Because their managed services portfolio isn't as wide as AWS or Azure? What about Scaleway's services then?
The implied question was what OP's idea of "the cloud" is, where they draw the line between "cloud" and server host. It's possible they simply aren't familiar with the IaaS/PaaS terminology.
I posted a link to what most cloud-native developers understand to be "cloud" a few times already. If IaaS is the only offering on the table, it's not cloud.
I'm not sure you read the OP's comment in full. They are talking about inbound traffic from the Internet. It's certainly a lot more common a case to self-host an MX than running an open DNS resolver or authoritative name server.
You may be surprised to learn that there are many types of botnets out there, and many use DNS queries for the C&C.
Although the GP wrote "53/tcp", that is a weird situation, because most (not all) DNS is over UDP.
One day I suddenly found my DNS resolver logs were very active with veritable gibberish. And it seems that my router had been pwned and joined some sort of nefarious botnet.
I only found this out because I was using NextDNS at the time, and my router's own resolver was pointed there, and NextDNS was keeping meticulous, detailed logs of every query.
So I nipped it in the bud, by determining which device it was, by ruling out other devices, and by replacing the infected demon router with a safe one.
But yeah, if your 53/udp or 25/tcp is open, you can pretty much expect to join a botnet of the DNS or SMTP-spam varieties.
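The detection described in the comment above (a resolver log that suddenly fills with gibberish names from one LAN client) can be automated. The following is an added example, not code from the thread or from NextDNS: the log format, the sample lines, the thresholds and the client addresses are all constructed assumptions. It parses resolver query lines, groups queries per client and per parent domain, and flags a client that asks for many distinct, high-entropy subdomains under the same parent, which is the typical shape of DGA or DNS-tunnelling C&C traffic.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (assumed format: timestamp client qname qtype).
# This is NOT real NextDNS output; the 192.168.1.1 lines model a compromised
# router beaconing to a C&C domain via random-looking subdomains.
SAMPLE_LOG = """\
2024-03-01T10:00:01 192.168.1.20 www.example.com A
2024-03-01T10:00:02 192.168.1.20 cdn.example.com A
2024-03-01T10:00:03 192.168.1.1 xk3q9wz7pl2m.evil-c2.example A
2024-03-01T10:00:03 192.168.1.1 b7t1n0qz8vxa.evil-c2.example A
2024-03-01T10:00:04 192.168.1.1 p0o9i8u7y6t5.evil-c2.example A
2024-03-01T10:00:04 192.168.1.1 m4n3b2v1c0xz.evil-c2.example A
2024-03-01T10:00:05 192.168.1.1 q1w2e3r4t5y6.evil-c2.example TXT
2024-03-01T10:00:05 192.168.1.1 a9s8d7f6g5h4.evil-c2.example TXT
2024-03-01T10:00:06 192.168.1.30 mail.example.org MX
2024-03-01T10:00:06 192.168.1.20 www.example.com AAAA
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def parse_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label.
    'www' -> 0.0; a 12-character label of all-distinct characters -> log2(12)."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def parent_domain(qname):
    """Everything after the leftmost label (assumption: that is the 'parent'
    the malware varies its subdomains under). 'www.example.com' -> 'example.com'."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else qname


def suspicious_clients(records, min_subdomains=5, min_entropy=3.0):
    """Return {client: [finding, ...]} for clients that queried at least
    `min_subdomains` distinct leftmost labels under one parent domain with a
    mean label entropy of at least `min_entropy` bits. Thresholds are assumptions
    tuned for this sample; raise them on a busy network."""
    per_client = defaultdict(lambda: defaultdict(set))
    for r in records:
        leftmost = r["qname"].split(".")[0]
        per_client[r["client"]][parent_domain(r["qname"])].add(leftmost)

    findings = {}
    for client, parents in per_client.items():
        for parent, subs in parents.items():
            if len(subs) < min_subdomains:
                continue
            mean_ent = sum(label_entropy(s) for s in subs) / len(subs)
            if mean_ent >= min_entropy:
                findings.setdefault(client, []).append({
                    "parent": parent,
                    "unique_subdomains": len(subs),
                    "mean_entropy": round(mean_ent, 2),
                })
    return findings


if __name__ == "__main__":
    for client, hits in suspicious_clients(parse_log(SAMPLE_LOG)).items():
        for h in hits:
            print(f"{client}: {h['unique_subdomains']} random-looking subdomains "
                  f"under {h['parent']} (mean entropy {h['mean_entropy']} bits)")
```

On the constructed sample only 192.168.1.1 is flagged: the ordinary clients query a handful of low-entropy names (www, cdn, mail), while the router asks for six distinct 12-character labels under evil-c2.example. Per-client grouping is what makes the "which device is it" question answerable without unplugging things one by one; a real deployment would additionally look at query volume per minute and at the share of TXT/NULL queries, which are favoured by DNS tunnels.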
That's none of the business of my ISP to care about. If a botnet abuses my connection to send excessive traffic, that's going to be limited by the bandwidth limit I'm paying for.
Restricting ports also doesn't mitigate it, as a port scanner can easily find out I'm running this or that vulnerable server software on a non-standard port.
It's none of the ISP's business to restrict the ports I should be using.
My opinion after self-hosting for over a decade is that, yes, it's easy. See my comment further inside the thread for my take on whether or not it's advisable.
OK: it's easy, unless you're the "atechnical" sort.
Is it recommended? I'm torn here, because the big beasts are systematically spam/junk-classifying and even rejecting e-mail sent from independent MXes despite ticking the right checkboxes (FQrDNS, SPF, DKIM, DMARC) and having a clean IP-address in a tidy network.
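The checklist in the comment above (forward-confirmed rDNS, SPF, DKIM, DMARC) is what a self-hosted MX operator should verify before blaming the big providers. The block below is an added example, not code from the thread; it runs entirely against a constructed in-memory zone (FAKE_DNS, a fabricated IP and domains) instead of live DNS, so the addresses and records are assumptions. It checks that the sending IP's PTR resolves back to the same IP, evaluates the SPF record for that IP (ip4/ip6/a/mx/include/all, with the 10-lookup limit of RFC 7208 section 4.6.4), and reads the published DMARC policy. DKIM needs the outgoing message and private key and is out of scope here.

```python
import ipaddress

# Constructed zone data standing in for live DNS answers. Names carry a
# trailing dot; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
FAKE_DNS = {
    ("25.113.0.203.in-addr.arpa.", "PTR"): ["mx.example.net."],
    ("mx.example.net.", "A"): ["203.0.113.25"],
    ("example.net.", "MX"): ["mx.example.net."],
    ("example.net.", "TXT"): [
        "v=spf1 mx ip4:203.0.113.0/28 include:_spf.example.org -all"],
    ("_spf.example.org.", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("_dmarc.example.net.", "TXT"): [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.net"],
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 s4.6.4 limit on a/mx/include/... mechanisms


def lookup(name, rtype):
    """Answer from the constructed zone; real code would query a resolver."""
    if not name.endswith("."):
        name += "."
    return FAKE_DNS.get((name, rtype), [])


def fcrdns_host(ip):
    """Forward-confirmed reverse DNS: return the PTR name whose A record
    contains `ip`, or None if the round trip does not close."""
    addr = ipaddress.ip_address(ip)
    for host in lookup(addr.reverse_pointer, "PTR"):
        if str(addr) in lookup(host, "A"):
            return host
    return None


def evaluate_spf(ip, domain, lookups=None):
    """Return pass/fail/softfail/neutral/permerror for `ip` sending as `domain`.
    Only the mechanisms needed for this example are implemented (no exists,
    ptr, redirect or macros)."""
    addr = ipaddress.ip_address(ip)
    if lookups is None:
        lookups = [0]
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if len(records) != 1:          # zero or several records is a permerror
        return "permerror"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        if mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif mech == "a":
            matched = str(addr) in lookup(value or domain, "A")
        elif mech == "mx":
            matched = any(str(addr) in lookup(h, "A")
                          for h in lookup(value or domain, "MX"))
        elif mech == "include":
            matched = evaluate_spf(ip, value, lookups) == "pass"
        if matched:
            return results[qualifier]
    return "neutral"               # no mechanism matched and no 'all' term


def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if absent."""
    recs = [r for r in lookup("_dmarc." + domain, "TXT") if r.startswith("v=DMARC1")]
    if not recs:
        return None
    tags = dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
    return tags.get("p")


def deliverability_checklist(ip, domain):
    """The three DNS-side items from the checklist, for one sending IP."""
    return {
        "fcrdns": fcrdns_host(ip),
        "spf": evaluate_spf(ip, domain),
        "dmarc": dmarc_policy(domain),
    }


if __name__ == "__main__":
    print(deliverability_checklist("203.0.113.25", "example.net"))
```

For the constructed zone the MX host passes all three checks; an address from the included range passes SPF via the include, and an unrelated address hits the trailing -all and fails. Note what the comment points out: a fully green result here does not guarantee acceptance by the large providers, it only removes the reasons they would cite in a bounce.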