Domain hoarding and email forwarding

A brief tour of email

MDA, MTA, MUA

Email works through three acronyms, and it is very much like a post office:

Gmail does all three: its servers are the MTAs, and its web interface is an MDA and MUA rolled into one.

Protocols

There are three protocols used for emails, with secure variants too; I've listed them with their default port and secure port.

IMAP and POP3 are for storing mail and SMTP is for sending mail. It's pretty unlikely that you will want to use POP3 these days (I certainly don't), but it can be suitable if you want to download all of your mail and then not interact with the internet for long periods at a time.

OpenSMTPD

OpenSMTPD is a Mail Transport Agent; it's part of the OpenBSD project and runs on Linux quite well. It's also very simple to configure, and like pretty much everything in the OpenBSD project, it's confidently secure.

In this use case, each secondary domain has an MX record¹ pointing at a server running OpenSMTPD, which accepts all mail for those domains and forwards it to a single address. The configuration that accomplishes this is as follows:

#/etc/smtpd/domains

secondary.com
tertiary.net
quaternary.org

#/etc/smtpd/secrets
# Label, then the account and its password. Build secrets.db from this file
# with makemap, and keep both files readable only by root (mode 0600): the
# password is stored in plaintext.

memorable-label authenticating-account@gmail.com:PASSWORD

#/etc/smtpd/users
# Catch-all: any address at any of the domains above maps to one mailbox

@        me@primary.com

#/etc/smtpd/smtpd.conf

# We're accepting external mail
listen on eth0

# Local aliases, needed by the first accept rule below (path assumed to match
# the other tables)
table aliases file:/etc/smtpd/aliases
# The domains we want forwarding for
table domains file:/etc/smtpd/domains
# Credentials to sign in to gmail SMTP servers (the .db produced by makemap)
table secrets db:/etc/smtpd/secrets.db
# Mappings of where emails should be forwarded to
table users file:/etc/smtpd/users

# Required for local mail
accept for local alias <aliases> deliver to mbox

# If it's not from here, and it is for any of our domains, deliver it according
# to our rules
accept from ! local for domain <domains> virtual <users> deliver to mbox

# Authenticate with gmail's SMTP server and use that to send mail sent from here
accept from local for any relay via tls+auth://memorable-label@smtp.gmail.com:587 auth <secrets>

# !!! Make sure that you're not accepting any old mail to relay or you could
# !!! help send spam. This is included in the default config to make you aware.
#accept for any relay # If this isn't commented, it probably should be

(Note: There's no reason why me@primary.com can't be the same as authenticating-account@gmail.com)
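Added here as a check on the configuration above (not part of the original post, and not OpenSMTPD's own tooling): a small Python lint for the pre-6.4 `accept` grammar that flags catch-all relay rules whose source is not explicitly restricted, plus a permission check for the secrets table, which holds the Gmail password in plaintext. The sample config is constructed from the page's rules, with the dangerous line left uncommented and an explicit `from any` variant added for contrast.

```python
import os
import re
import stat
from typing import List, Tuple

# Constructed sample smtpd.conf (old "accept" grammar, as used on this page).
# Lines 8 and 9 are deliberately unsafe so the lint has something to find.
SAMPLE_CONF = """\
listen on eth0
table domains file:/etc/smtpd/domains
table secrets db:/etc/smtpd/secrets.db
table users file:/etc/smtpd/users
accept for local alias <aliases> deliver to mbox
accept from ! local for domain <domains> virtual <users> deliver to mbox
accept from local for any relay via tls+auth://memorable-label@smtp.gmail.com:587 auth <secrets>
accept for any relay
accept from any for any relay
"""


def relay_findings(conf_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, severity, rule) for each uncommented rule that relays
    to any destination without an explicit 'from local' or 'from source <table>'.
    'from any' (or a negated source) is an open relay outright; a rule with no
    'from' at all is flagged for review because its source is not visibly limited."""
    findings = []
    for num, raw in enumerate(conf_text.splitlines(), start=1):
        rule = raw.split("#", 1)[0].strip()  # a commented-out rule is harmless
        if not rule.startswith("accept"):
            continue
        if not re.search(r"\bfor\s+any\b.*\brelay\b", rule):
            continue  # not a catch-all relay rule
        src = re.search(r"\bfrom\s+(!\s*)?(local|any|source)\b", rule)
        if src is None:
            findings.append((num, "review", rule))
        elif src.group(2) == "any" or src.group(1):
            findings.append((num, "open-relay", rule))
    return findings


def secrets_mode_too_open(mode: int) -> bool:
    """True if a file mode lets group or others read the plaintext credentials."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def check_secrets_file(path: str) -> bool:
    """Stat the secrets table on disk and apply the mode check."""
    return secrets_mode_too_open(os.stat(path).st_mode)


if __name__ == "__main__":
    for num, severity, rule in relay_findings(SAMPLE_CONF):
        print(f"line {num}: {severity}: {rule}")
```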

Closing thoughts

I would strongly suggest that you use an Application Specific Password instead of your main password, so that two-factor authentication keeps working and, if the stored password is compromised, at least your main password is okay.² Also, it might not be necessary to use Gmail's SMTP server, but I tend to find that things get flagged as spam if I don't; your mileage may vary.

And there we go: sign up for whatever you want with your throwaway domains and make up email addresses for them on the spot. Filtering can be done in your inbox by recipient, since the original recipient address isn't overwritten during forwarding.

  1. FreeDNS is what I personally use, and I've never had any issues with it.

  2. Not that I am in any way trying to imply that this is a competent way to treat your account security; it's basically a password in plaintext regardless.