iptables rules for SMTP NAT to borrow static public IP of data center server

I'd like to run my own mail server on my (decent) home ISP connection rather than trusting my emails to any data center provider - mostly because I already have a machine running.

Although in practice, my public IP never changes, my ISP would not provide me with a proper static IP for which I could adapt the reverse DNS PTR record without switching to a business plan which comes with a significant markup. As a result, emails transferred by my server are treated as spam - obviously.

So I thought I could borrow a public IP of a small VPS (of which I can control the PTR record) by chaining two iptables NATs. Using NATs rather than an SMTP relay does not impair the end-to-end TLS encryption.

However, I'm struggling to set up the NAT(s) as follows. Each machine has a single network interface only and I plan to limit the NATing to the TCP/25 port as I do not want to run all my private traffic through the Relay/VPS.

Home Server 1.2.3.4             Relay 5.6.7.8             Recipient Mailserver 10.11.12.13
[home.server.mydomain]          [relay.mydomain]          [mail.recipientdomain]

OUTPUT/MASQUERADE       <=>      FORWARD/MASQUERADE    <=>  INPUT

For testing the setup, I am using netcat for now and run a firewalled placeholder Mailserver 10.11.12.13 which only accepts traffic on port 25 originating from the Relay 5.6.7.8.

Yet, somehow I fail to wrap my mind around the iptables rules/NAT concept and am hoping for some hints (IP forwarding is enabled in sysctl on the relay):

Home Server 1.2.3.4

-A OUTPUT -t nat -p tcp --dport 25 -j DNAT --to-destination 5.6.7.8:25
-A POSTROUTING -t nat -d 5.6.7.8 -p tcp --dport 25 -j MASQUERADE

Relay 5.6.7.8

-A INPUT -s 1.2.3.4 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 1.2.3.4 -p tcp -m tcp --dport 25 -j ACCEPT
-A POSTROUTING -t nat -p tcp --dport 25 -j MASQUERADE

Mailserver 10.11.12.13

-A INPUT -s 5.6.7.8 -j ACCEPT # for testing
-A INPUT -j DROP

With these, the Home Server is able to reach port 25 on the relay but nothing else:

$(mailserver)> nc -ltp 25
$(homeserver)> nc 10.11.12.13 25

Any advice highly appreciated. Disclaimer: My idea might still have some security implications I haven't thought about yet.
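
Why these rules stop at the relay, traced in a small model (an added example, not part of the original question or answer): the OUTPUT DNAT on the home server overwrites the destination, so the packet reaches the relay addressed to the relay itself and takes INPUT, never FORWARD. The chain walker and function names are constructed for illustration; only the addresses and nat rules come from the question.

```python
from dataclasses import dataclass, replace

HOME, RELAY, MAILSERVER = "1.2.3.4", "5.6.7.8", "10.11.12.13"  # addresses from the question

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def run_nat_chain(rules, pkt, own_ip):
    """Apply the first matching rule, as a netfilter nat chain does."""
    for match, target, to in rules:
        if all(getattr(pkt, field) == value for field, value in match.items()):
            if target == "DNAT":
                return replace(pkt, dst=to)
            if target == "MASQUERADE":
                return replace(pkt, src=own_ip)
    return pkt

# The question's nat rules as (match, target, --to-destination) tuples.
HOME_OUTPUT = [({"proto": "tcp", "dport": 25}, "DNAT", RELAY)]
HOME_POSTROUTING = [({"proto": "tcp", "dport": 25, "dst": RELAY}, "MASQUERADE", None)]
RELAY_POSTROUTING = [({"proto": "tcp", "dport": 25}, "MASQUERADE", None)]

def leave_home(original_dst):
    """Locally generated SMTP packet: nat OUTPUT, then nat POSTROUTING."""
    pkt = Packet(src=HOME, dst=original_dst, dport=25)
    pkt = run_nat_chain(HOME_OUTPUT, pkt, HOME)
    return run_nat_chain(HOME_POSTROUTING, pkt, HOME)

def arrive_at_relay(pkt):
    """Routing decision on the relay: its own address means INPUT, anything else FORWARD."""
    if pkt.dst == RELAY:
        return ["PREROUTING", "INPUT"], pkt  # local delivery, FORWARD never runs
    return ["PREROUTING", "FORWARD", "POSTROUTING"], run_nat_chain(RELAY_POSTROUTING, pkt, RELAY)

def trace(original_dst=MAILSERVER):
    """Chains traversed on the relay and the packet as the relay finally sees it."""
    return arrive_at_relay(leave_home(original_dst))

if __name__ == "__main__":
    chains, pkt = trace()
    print(chains, pkt)  # the address 10.11.12.13 is gone before the packet leaves home
```

The relay's FORWARD and POSTROUTING rules would only act on a packet that arrived still addressed to 10.11.12.13, which the home server's DNAT rule never produces.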


Run the mail server on the VPS.

Encrypt data in motion by enabling TLS for all protocols.

Encrypt data at rest with disk encryption. If you don't trust the provider, consider a more complex setup of doing the encryption yourself, and entering the key on instance boot.

Back up data and get it off site to home and a different provider's archival storage.

Do not NAT. Consider implementing IPv6 instead.


Should you value running a mail server at home, switch to business service. Typically, that is the price ISPs extract for static addressing and to remove their SMTP filtering.

IPv6 has more than enough addresses for every residential customer to get a /48. And competent IPAM systems will reliably give a customer their assigned prefix. (No, this is not necessarily MAC based, because non-MAC DHCPv6 unique identifiers (DUIDs) exist.) But that doesn't mean ISPs promise static addresses. My home has been stable but renumbered once for reasons unknown to me.