Feature Request - Wireguard access
I would like to use Purelymail as a relay to a mailserver at my house. I would like to be able to do this over a VPN connection such as WireGuard so that I can move locations as needed, etc. I envision this would be an additional paid feature (maybe a flat fee of $1-$2 per year?). My preference would be to use WireGuard.
I'm not totally familiar with WireGuard or what Purelymail would need to do to interface with it. Usually with a VPN, wouldn't you just need it to have a public IP that Purelymail can relay to, which tunnels to your home-net IP?
I could chime in, as I feel that I understand the OP's request (I was coming up with something very similar for myself, so the description sounded familiar right away). If moving locations is the key here, it's assumed that the public IP side you want to relay to is unknown (or doesn't even exist: behind NAT, shared ISP and so on). Hence the VPN, so you can always relay to one specific IP in the private range from inside your infrastructure.
That's where WireGuard would come in; the only required bit of information would be the public IP of the Purelymail WireGuard server. Clients just connect to it from wherever they are (irrelevant to the PM side, but this is controlled with static auth keys which identify the client, enforce its internal IP and so on), and the client would always end up being assigned the same local IP. So once the relay "target" is decided to be 10.1.2.3, which has been reserved for the client "youainti", it doesn't matter where the real "house mailserver" is on the Internet: as long as "youainti's" WireGuard connects from anywhere, the "house mailserver" will always be sitting there, locally, on 10.1.2.3.
This would be relatively trivial to set up as e.g. an EC2 instance in a couple of hours of work (any slightly modern Linux image will have WireGuard support*): just add wireguard-tools as a package and write a couple of startup configs. For a more enclosed setup, and to not expose anything into the VPC, just add something like socat to the same EC2 instance and set it to reach:
ec2-instance:10001 -> 10.1.2.3:587 (client youainti...)
ec2-instance:10002 -> 10.1.2.4:587 (client xxx...)
ec2-instance:10003 -> 10.1.2.5:587 (client yyy...)
...
(*) - Not looking at you, "Amazon Linux 2023"
Note: WireGuard can of course prevent crosstalk between clients, so they won't end up with a huge mesh of in-VPN reachable mailservers (which the respective owners certainly wouldn't want)... Though you could probably sell that as an additional feature if some wanted it :)
So given the setup above, to relay to client "youainti", just target ec2-instance:10001 (assuming the same VPC/subnet as the PM mailserver); to reach any other client, swap the port, etc. It doesn't even require any load balancers for the initial setup, as long as you don't want to go for HA or more delicate VPC separation.
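As an added worked example (not part of the post above, and not anything Purelymail runs), the following POSIX shell script renders the three pieces of the layout just described from a client table: the relay's wg0.conf with one peer per client pinned to its reserved 10.1.2.x address, a per-client config for the home mailserver, and one socat forwarder per relay port. The client names, tunnel IPs and ports are taken from the post; every key, the endpoint hostname wg.example.net and the VPC-private address 172.31.0.10 are placeholders I assumed. It only prints config text, so it runs anywhere; the iptables PostUp lines take effect only once wg-quick loads the rendered file on a real instance.

```shell
#!/bin/sh
# Added example, not code from the original post. Renders the server-side
# WireGuard config, a per-client config and the socat forwarders for the
# relay layout above. Keys, endpoint and VPC address are assumed placeholders.

# Constructed client table: name, client public key, pinned tunnel IP, relay port
CLIENTS='youainti CLIENT_PUBKEY_YOUAINTI 10.1.2.3 10001
xxx CLIENT_PUBKEY_XXX 10.1.2.4 10002
yyy CLIENT_PUBKEY_YYY 10.1.2.5 10003'

SERVER_PRIVKEY='SERVER_PRIVKEY_PLACEHOLDER'   # real one: wg genkey
SERVER_PUBKEY='SERVER_PUBKEY_PLACEHOLDER'     # real one: wg pubkey < server.key
SERVER_ENDPOINT='wg.example.net:51820'        # assumed public address of the EC2 instance
VPC_PRIVATE_IP='172.31.0.10'                  # assumed VPC-private address of the instance

# Look up the relay port reserved for a client name (empty if unknown).
relay_port_for() {
  printf '%s\n' "$CLIENTS" | while read -r n pub ip port; do
    if [ "$n" = "$1" ]; then printf '%s\n' "$port"; fi
  done
}

# /etc/wireguard/wg0.conf on the relay. One [Peer] per client, AllowedIPs pinned
# to that client's /32: WireGuard's cryptokey routing then only accepts packets
# from that key if they are sourced from that IP, and only sends that IP to that
# key, so one client cannot claim another client's address.
# Keep net.ipv4.ip_forward=0 and drop FORWARD on wg0 as well, so nothing entering
# the tunnel can be routed to another peer or into the VPC; only local processes
# (the socat listeners) ever talk to 10.1.2.0/24.
render_server_conf() {
  printf '[Interface]\nAddress = 10.1.2.1/24\nListenPort = 51820\nPrivateKey = %s\n' "$SERVER_PRIVKEY"
  printf 'PostUp = iptables -A FORWARD -i wg0 -j DROP; iptables -A FORWARD -o wg0 -j DROP\n'
  printf 'PostDown = iptables -D FORWARD -i wg0 -j DROP; iptables -D FORWARD -o wg0 -j DROP\n'
  printf '%s\n' "$CLIENTS" | while read -r name pub ip port; do
    printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$name" "$pub" "$ip"
  done
}

# Config for one client's home mailserver. Only the relay's tunnel address is
# routed into the tunnel, so the rest of the box's traffic is unaffected.
# PersistentKeepalive keeps the NAT/CGNAT mapping open so the relay can open
# connections towards the client no matter which network it sits behind.
render_client_conf() {
  printf '%s\n' "$CLIENTS" | while read -r n pub ip port; do
    [ "$n" = "$1" ] || continue
    printf '[Interface]\nAddress = %s/32\nPrivateKey = CLIENT_PRIVKEY_%s\n\n' "$ip" "$n"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = 10.1.2.1/32\nPersistentKeepalive = 25\n' \
      "$SERVER_PUBKEY" "$SERVER_ENDPOINT"
  done
}

# One socat forwarder per client, bound to the VPC-private address only. Without
# bind= the listeners would also answer on 10.1.2.1, and any tunnel client could
# reach every other client's mailserver through the relay ports.
render_socat_cmds() {
  printf '%s\n' "$CLIENTS" | while read -r n pub ip port; do
    printf 'socat TCP-LISTEN:%s,bind=%s,fork,reuseaddr TCP:%s:587 &\n' "$port" "$VPC_PRIVATE_IP" "$ip"
  done
}

# Usage on the relay instance:
#   render_server_conf > /etc/wireguard/wg0.conf && wg-quick up wg0
#   render_socat_cmds  > /usr/local/sbin/socat-relays.sh
# and on each client's mailserver:
#   render_client_conf youainti > /etc/wireguard/wg0.conf
```

The two controls that actually deliver the "no crosstalk" property from the post are the /32 AllowedIPs on the server side and the socat listeners being bound to the VPC side only; the FORWARD drop is belt and braces in case someone later enables IP forwarding on the instance. The mail relay itself then targets ec2-instance:10001 for "youainti" exactly as described, with the SMTP session (including STARTTLS) terminating on the home mailserver, so the relay never needs to see the mail in the clear.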
Thanks @MV-SH, that is a really good description.
One other note is that it would allow people to bypass ISP firewalls blocking specific ports if needed.
Why not just set your local relay server to relay via the PurelyMail server directly? What's the purpose of the VPN here?