Struggles of a Stay-at-Home server

18 Dec 2022 Home

Ever since I started hosting my own server, I have dreamed of full independence. With a VPS I'm still just a "rentie", living in someone else's computer.

So how about having a server at home? In theory it should be easy, plop NixOS on Raspberry Pi, forward some ports from the router, set up dynamic DNS client to periodically update the IP in your A records and you're rolling. But, of course, it cannot be that simple.

It's web giants' fault

There is this thing called DKIM. It's a smart mechanism of protecting e-mail from getting spoofed using public key cryptography.

Every message sent from, say, is signed with a private DKIM key. The DNS contains a TXT record with the public key, with which the signature can be verified by the receiver. Thus, if the signature can only be correct if the owner of and the owner of the server sending the message are the same person - or rather, if the administrator of entrusts the administrator of the server with the private DKIM key.

Easy, right? If the signature matches, then the recipient can trust no spoofing took place and the message truly comes from And all of this with an open standard, based on solid cryptography.

But it's not enough for Google and Microsoft. See, not only does the DKIM signature have to match, but also the reverse DNS of the sending server has to resolve to one of the MX records for

Why? Beats me. If I have the private DKIM key, I am, end of story. But no, says Gmail and Outlook, on top of that set up rDNS of your server to the host name mentioned in the MX record or you'll end up in spam.

So why am I angry about this? What's the big deal, just set up rDNS with your VPS provider and you're good to go.

If you have a VPS then yes, it's no problem.

BUT if you want to host your mail server at home (like I do), you do not have a static IP address to assign rDNS to - you have a dynamically changing IP. You can update DNS records easily with ddclient, but rDNS would require your ISP to intervene. And they won't because they don't care.

No public IP for you (or me, or anyone)

"OK then", I thought to myself, "I can't have an email server at home, but at least I can host this website on the Pi? Perhaps add a WebDAV server to access my 2TB external HDD for good measure?"

But no. I can't have that either. Why? CG-NAT. I hate CG-NAT, it really ruined my day the moment I found out it exists.

Your ISP does not have enough IPv4 addresses laying around to assign you a unique one. Instead, they put your router (which does NAT for your devices at home) behind an even bigger router, which does NAT for, say, all their clients in your apartment complex. The IP you see when you

curl -4

is the address of this carrier-grade router.

They won't give you a public address, they won't forward you their ports. There is no way to reach your Stay-at-Home server from the outside world, save for hacky VPN tunelling (which would require a VPS anyway).

You must become a "business client" first, which means you need a NIP (tax identification number assigned to a company in Poland). Then you may buy a static IPv4 address (with rDNS to boot), for the equivalent of ~$2.50.

Which I may just do. They won't discourage me that easily.

Blowing off steam

The Internet is no longer a "wild west", where you can run your tiny blog website from your basement.

This use case is not supported.

Browsing Facebook and consooming terabytes of Netflix movies is. But your tiny creative endeavor? Forget it.