We’re configuring Kumo to take over as our main MTA and we want to use proxied outbound IPs so we can easily scale horizontally and add/remove IPs as necessary.
From what I can tell - options on securing Kumo → proxy communications are very limited.
Direct SSH proxy comes to mind (as in - ssh -D $port_number $username@$hostname ) listening on different loop-back addresses on Kumo side. Simply secure it with a solid SSH key and you’re done.
If we were running the proxies on one cloud - no problem. Proxy could simply listen on internal IP and lock down the connections, but we’re migrating our legacy infra from DigitalOcean to GCP (bye bye ZoneMTA, you won’t be missed, along with DO’s perma-placement on UCEPROTECTL3 blocklist).
We’d like to re-use the IPs and do a full switch-over to Kumo while we warm up new IPs on GCP. This, as you understand, means going over the internet.
Any advice on securing proxy communications and/or using ssh as SOCKS proxy?
I’m not sure if my original message is showing, but honestly - looking for an interim solution (sorry, new at discord). Once we have warmed up new IPs fully - we may switch to a simple “listen to a private IP” approach. Just need something to bridge the gap
you could use ssh, but I think you’d spend a lot of effort to ensure that the ssh connection remains up. Tailscale can be deployed robustly in a few minutes and will just work with no fuss, and no cost if you have only a couple of users of the tailnet, regardless of the number of machines you deploy in it. It’s really worth checking out: it’s so easy!
the deployment architecture would be to deploy tailscale on each MTA as well as on the proxy node, then you’d configure the MTAs to use the tailnet IP address of the proxy node for the socks proxy address
you could use ssh, but I think you’d spend a lot of effort to ensure that the ssh connection remains up
I need to validate my assumptions here, but a systemd service with restarts properly configured seems straightforward enough. I’ll research tailscale, but Occam’s razor is kinda pushing me to simple SSH
it’s the client side of the ssh tunnel that seems like a headache to me. Whether you use tailscale here or not, I do recommend playing with it some time as it really broke my brain how easy it is to use: it’s like magic, and it may change the way you look at this sort of networking setup now and into the future
I’ll definitely check it out. If anything, for getting the outbound IPs on an entirely separate subnet in GCP. At the time when we first spun up our MTAs - GCP was stingy with their port 25 privileges and DO was not. So DO it was. Many years later - we now are in the good graces of Google and can open port 25, so with the move to Kumo - moving to GCP seems only logical. That and I’ve seen DO’s entire ASN out from the UCEPROTECT L3 list for like 24h total
You can use a NAT gateway for your MTAs to route out of (AWS terminology, sure GCP has an equivalent), or something similar that gives you a single static IP. Then set up your proxies wherever they are to only allow traffic from that 1 IP
The PTR can only be applied for the main NIC IP btw.
Their IPs end up in UCEPROTECT as well but then again, who even uses UCEPROTECT…
At times their IP space ends up being in the “never should mail” kind of blacklists. Like Spamhaus PBL
…
…
…
Anyways, there is also the option to run IPSec. Even Google’s VPN/Router options make use of StrongSwan for Site-to-Site encryption. And you can run Kumo’s proxy on the DO in the meantime.