This is why ISPs typically block port 25. Also, I love containers as much as the next guy but for the reasons mentioned I reduce complexity in all areas of critical systems were it doesn’t belong such as a email server.

You are not the first to do this with docker hosted email servers and you won’t be the last. The Internet is full of people talking about this exact issue.

I’ll leave with this. ANY service exposed publicly or not should not have vulnerabilities. If there is any hint that your NAS webserver has vulnerabilities, it shouldn’t even be used internally. So to me, it does not matter. I don’t expose my NAS webserver because I have no reason to increase my attack surface that wide.

But I’m comfortable exposing any of my internal services as needed because I’ve personally checked the source code for vulnerabilities, and have proper checks in place on top of regular security updates. I understand why others wouldn’t think the same way, as this takes a high level of confidence in your ability to assess the security posture of your systems and network. I’ve had penetration tests in my network, conduct them myself for business.

Meh, been doing it for 5 years now with minimal issues. Had one issue come up where my domain was flagged as malicious, but was solved in a few days and some emails to security vendors.

I think it’s important that those who can, and are educated enough to keep it running properly do host their own. Hosting your own email should be encouraged if capable because it helps reduce the monopoly, and keep a little bit of power for those who want to retain email privacy.

If your NAS is properly updated, and SSL is used, then the login screen it just as safe as any other web app with regular updates. I would ask why someone would want that.

The web version is most definitely safer. Most of the people here probably don’t penetration test their servers, conduct security audits or use best practices. Unless you are a cyber security guru on par with a dedicated team, the web version will be much safer for you.

People talk up Pterodactyl like it’s difficult to install, but if you follow the documentation it’s fine if you’ve had any experience with installing Linux programs beyond running a script. You can also find scripts on github that make it a one stop shot or one liner install like most are used to. I have an AMP license, and kind of regret it to be honest. I thought a paid solution may be better, but I was wrong. The UI and navigation in AMP is among the worst software front end navigation I’ve ever seen.

I’ve ran both and unfortunately, as much as I HATE to admit it, pfSense “just worked”. I tried opnsense, but strange problems kept coming up that had me fixing issues like wack a mole in a time where I needed something to just do it’s job. I’ll give opnsense another shot in the future. But as of now pfsense is doing what I need, the way I need it to on the community edition. I have no reason to swap now, but if they screw around with that, I guess opnsense will get another shot.

Brother, there is no difference. I think you are confused. They can “understand your traffic and do something about it” it’s unencrypted, and you agree to a fairly strict terms of service that allows them to basically do whatever they like. Maybe you should read the agreement, and if you’re using the tunnels, maybe turn them off until you understand your security posture and exposure of your network