You look spammy if you don't have SPF or DKIM, and hopefully both. Your email will either be bounced or sent to a spam folder. You need a reverse pointer as well, but that shouldn't be an issue. The situation is actually worse than it sounds. ATT/SBC needs to whitelist you by IP if you are using a VPS. Spectrum/Charter just plain blocks many VPS with no recourse.
Regarding geofencing, look back at my post. I leave port 25 open to the world. I can receive email from any country. Using submission port 587 means you can geofence from where your employee sends and receives email. It does not affect your customers since they use port 25.
The reason I run my own email server is I got hacked when using a hosting service. The hacker used a vulnerability in RoundCube and could send email as me. My PayPal account password was then changed. The hacker was in Morocco. I'm sure Morocco is a fine country but I don't plan on visiting it and thus don't need to access my email from there. Note the hacker could have changed my email password too but didn't. To top it off, I don't even use RoundCube. Never use a browser for email.
When I set up my own email / webserver I made it a point to not use any GUI control panel. If there is no hook to change a password from a control panel then it won't happen. You reduce the attack surface. All passwords are SHA512.
You geofence all email ports except 25.
I also have a VPS using openvpn but it is on a different IP. That is a tunnel out of it to use the internet. Now I think what you want to do is to have openvpn show up as the local host. What you might want to do is join the postfix users group. I wouldn't bring up this kind of proxied email scheme you want to set up. Rather just ask if it is possible to set up postfix/dovecot so that the user who will always be on a VPN can send and receive email. That is, I think it will boil down to permitting localhost and nothing else in certain places. There are guru status users there.
One thing you will learn about email servers is there are many programs to chain together. However, think of light bulbs in series. The more in the chain, the more likely it is to fail. I dropped SpamAssassin and amavisd due to poor reliability. That was when I used FreeBSD. I now run CentOS but just don't bother with those extra programs. I use RBLs for spam blocking. I use my brain for antivirus. Antivirus isn't all that good anyway. The key with antivirus is at what point in time do they recognize the file is a virus. I send all my malware links to virustotal.com and maybe two will recognize the link goes to malware.
Original Message
From: rdiezmail-2006@yahoo.de
Sent: October 25, 2020 3:25 PM
To: lists@lazygranch.com
Cc: dovecot@dovecot.org
Subject: Re: Looking for a guide to collect all e-mail from the ISP mail server
You need SPF and DKIM for your outgoing email to be accepted. [...]
I don't understand why that is the case (but keep in mind that I am a newbie).
Is it not possible to set up some internal SMTP server that only relays the e-mails to the external ISP SMTP server? The internal SMTP server would then act like a normal user's Thunderbird.
At first I thought that the internal SMTP server would need to know the password for each mailbox user. But then I asked, and the ISP SMTP server allegedly accepts any source e-mail address, as long as you are using one e-mail account that is valid in the domain. I wonder if that is standard practice.
My idea of a secure email server is to use submission port 587. Expose port 25 to the world and aggressively filter all remaining email ports with a firewall. And I mean aggressive. Geographically filter so only countries where your users reside can send and retrieve email. Block major hosting IP space.
Geo blocking can be problematic. Depending on the small business, some customers and suppliers may sit in China or some other geographical area you would normally block.
I am too afraid; I would not expose any such port on the Internet. Who knows if the mail server stays months without an update. If I am to recommend or implement any such mail server solution to a small business, I would insist that the e-mail server is not exposed at all on the Internet.
A web interface etc. is not a problem: I just connect with a VPN and bypass most external security issues. If you are the admin, you can also forward the web interface over an SSH connection.
Best regards, rdiez
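The port split argued over in this thread (TCP/25 open to the whole Internet for inbound MX traffic, submission and IMAP reachable only from the VPN and from the ranges where the users actually sit), written out as an nftables ruleset. This is an added example and not code from either poster; the OpenVPN subnet 10.8.0.0/24, the RFC 5737 test ranges standing in for a country or office allocation, and the file paths are all assumptions. The script also carries a small pure-shell mirror of the same policy so the allowlist can be sanity checked on a machine without root or nft.

```shell
#!/bin/sh
# Added example, not from the original thread: an nftables ruleset for a
# mail server with TCP/25 open to the world (inbound MX) and the client
# ports (587 submission, 465, 993, 143) limited to an allowlist of networks:
# the OpenVPN subnet plus the ranges your users live in. Every CIDR below
# is a placeholder.
set -eu

TMP="${TMPDIR:-/tmp}"
ALLOWLIST="${ALLOWLIST:-$TMP/mail_client_nets.txt}"

# Constructed allowlist. A real one comes from your VPN config, office ISP
# ranges or a GeoIP country export. RFC 5737 test ranges stand in here.
cat > "$ALLOWLIST" <<'EOF'
# one CIDR per line; '#' starts a comment
10.8.0.0/24       # OpenVPN tunnel subnet (assumed)
192.0.2.0/24      # stand-in for "the country our users live in"
198.51.100.0/24   # stand-in for the office ISP range
EOF

# Strip comments and blank lines, print one CIDR per line.
allowlist_cidrs() {
    sed -e 's/#.*//' "$1" | awk 'NF { print $1 }'
}

# Render the ruleset. Anything not listed is dropped by the chain policy,
# which also drops ICMP and all IPv6 unless you add rules for them.
gen_ruleset() {
    elems=$(allowlist_cidrs "$1" | awk '{ printf "%s%s", sep, $1; sep=", " }')
    cat <<EOF
table inet mailfw {
    set client_nets {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # Inbound MX traffic: must stay open or nobody can deliver to you.
        tcp dport 25 accept
        # Client ports: VPN and allowlisted ranges only.
        tcp dport { 587, 465, 993, 143 } ip saddr @client_nets accept
        # Admin access follows the same allowlist.
        tcp dport 22 ip saddr @client_nets accept
    }
}
EOF
}

# Pure-shell mirror of the policy above so the allowlist can be checked
# without root or nft. Prints "accept" or "drop" for a source IP and port.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_cidr() {   # in_cidr IP CIDR -> exit 0 when IP lies inside CIDR
    net=${2%/*}; bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

would_accept() {  # would_accept SRC_IP DST_PORT
    case "$2" in
        25) echo accept; return ;;
        22|587|465|993|143)
            for cidr in $(allowlist_cidrs "$ALLOWLIST"); do
                if in_cidr "$1" "$cidr"; then echo accept; return; fi
            done ;;
    esac
    echo drop
}

# Write the ruleset and, where nft is installed, let it parse the file.
# -c only checks; loading it for real is "nft -f FILE" as root.
gen_ruleset "$ALLOWLIST" > "$TMP/mailfw.nft"
if command -v nft >/dev/null 2>&1; then
    nft -c -f "$TMP/mailfw.nft" || echo "nft rejected the ruleset" >&2
fi
```

In use, the only thing that changes is the allowlist file: `flags interval` lets the set hold prefixes of any length, so a GeoIP export of whole countries drops in unchanged. Note what the ruleset deliberately does not cover: IPv6 clients (the set is `ipv4_addr`, and the `drop` policy catches them), and outbound connections, which the input chain never sees. The shell mirror only reproduces the allowlist logic; it says nothing about what is actually loaded in the kernel, so after `nft -f` confirm with `nft list ruleset` and a connection attempt from outside the allowed ranges.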