I have to ask this. Is there a service where I could bring my own FQN like Notgoogle.com and then have them handle emails for me? But with a twist… I want notgoogle.com to send and receive emails via that outside entity, but I want to send the emails from a self hosted server that maybe has mailcow or similar and I want that same server to receive the emails from the outside company. Ideally the outside company is basically just a relay from my IP to the outside world and vise versa. The outside company would basically hold the emails until my server checked and downloaded them. any advice on this. Hopefully with a useful step by step guide from somewhere in the webs?
the vpn login to my home is one way of reaching the email account on the home server. the way i do it is that my VM -the internetfacing mail server - actually has a vpn server and my home server logs into that. on the VM i run a haproxy with port 443 open anyway for similar things. the haproxy determines what connection it is by SNI value and decides what to do with it. for smtp and imap i use ssl as encryption with client certificate (easy-rsa same i use for vpn). one of which is terminated at the haproxy checking client cercificate there, the other is terminated in the homeserver, but both connections go throug haproxy and through vpn to the homeserver and thats as stable as my internet connection at home, where the ip changes sometimes. you maybe would not have the VM as emailserver, but i guess you want to check emails also when not at home, thats why i asked for vpn. i am using k-9 and it works, only thing missing is that before answering an email with the correct outgoing address, i have to setup that address on the client first, thats not automatically, i’ve heared other clients exist that can answer directly using the from-address for which an email was sent to. another issue with my concept is, that setting up each emailaddress at the server IS work (same with moving already existing accounts to new aliaseses). i currently have a ‘tables’ app table on nextcloud that i can manage from my cellphone and a cronjob checks database for changes and adjusts postfix virtual_alias_maps table on the mx, so that i have a ui to do so easily when not at home, that comes in handy whenever someone asks me for my email address. another concept (that i never did) was just having some email addresses ready to use at hand, so i dont have to set them up when not having access to the server. however having separate emails per portal, shop newsletter a.s.o. also documented where i have accumulated accounts over the decades (and that were a lot)
there is one thing i came up with quite late, the email address that i use to login to my server and also the address that fetchmail uses to place emails into the imap store should not be reachable from the internet as it would be more work to change it on arrival of spam. in your setup this might be the “main” address of that emailservices account, on my setup its the address of the local users mailbox. however as postfix uses that address in the value part of virtual_alias_maps table, it needs to know the address and its also in virtual_mailbox_maps table thus reachable from the internet. in my new setup it is also an address like <internalaccountname>-<randomnumber>@domain.tld so it is not guessable by spambots and changeable of course too.
when the server is at home you can login to it with k-9 when at home for sure. but for connecting from abroad you need some sort of connection like using dyn.io or such which also could be a proxy like cloudflare from cellphone perspectice but that would not work like i do it because in my setup where i terminate one protocols ssl at the haproxy (which would do what imho roughly cloudflare would to) the connection to my homeserver is then without encryption which is ok for me as its through “my” vpn, but with cloudflare i guess thats rather not possible as you said as the protocol is not even http. haproxy instead can just terminate ssl and proxy raw tcp then, so that even ssh could go through haproxy to the local machine so that no extra port is needed to be open (thats actually one of my backup strategies to gain ssh access to the VM when other connections become somehow impossible. i also use knockd and a selfmade https based mechanism to open the ssh port for my current ip just in case.
something like dyn.io has advantages, you would not have to use vpn on the cellphone, but ip changes make you connect to third party IPs regulary and also your home network would have at least one extra port open to the world which i would rather like to prevent - if not for security, then at least for less logs caused by scanners. i prefere the stealth mode of openvpn/udp using that extra ta key, but using port 443 (which also is very likely to be accessible from most networks that want to restrict their users available protocols) to pipe things through haproxy is imho the second-best stealth available, also just random https scans without correct domains can be blocked before the ssl connection even starts only using the sni value.
if you have a VM in a datacenter i’ld suggest to use that as a vpn, make your homeserver login to it and your cellphone doesn’t need a vpn then.
ovh.com sometimes has offers for small VMs for just 1€ / month for new customers, it is also limited to the first year, but a pretty good offer anyway and really not too much for just experimenting a bit.