> Nowadays, running a website from home is just about impossible. You may not have a public IP, and if you do, it likely changes from time to time. And even then, your ISP probably blocks you from running servers on it.
I'm not sure about the author's country / ISP, but here in Midwest USA, our residential ISPs (cable or DSL, fiber if you are lucky) generally do not change IPs frequently (unless your router/modem is restarted), and generally only block port 25 (SMTP). I've been running a web/ssh server from home in some form or another since 2002, originally with DynDNS to paper over the IP changes.
Blocking port 25 is pretty annoying. I know there are explanations, but a month ago I really wanted to run a mail server for jaytaylor.com myself. Only to find out it's basically impossible with mainstream ISPs. It's not a realistic option, regardless of Comcast, AT&T Fiber, no big boy ISP supports it at this point.
I don't know if ATT even provides email with my service, much less for a custom domain.
How did the de-facto solution become "Just use Gmail" or pay a third party to do it? It's a little sad for those of us who like running our own servers, total uphill battle. All that work in the early days of the internet to ensure such a feat was possible, only for it to become near impossible for most, regardless of technical prowess.
Just give all your data to a huge company, it's fine. Pft.
Sorry for the rant. Am I really becoming those old hags I used to make fun of on slashdot? Shoot...
p.s. It's easier than ever to do, too, because high-quality docker images are abundant. Tragic for nerds like us!
Port 25 is blocked by default for many ISPs around the world, and it makes sense. Look at it this way: If it was open by default, a lot of IPs would be blacklisted, making them basically unusable for email anyway.
You can always rent a subnet or a server including network and host mail yourself.
Residential IPs are generally proactively added to RBLs by the ISPs themselves as a form of spam protection. Before they started doing that it was basically whack-a-spammer all day every day for them.
I suppose you can, but in my experience, I think you'll find that people proactively find the dynamic ranges of IPs in eyeball networks and make it very difficult to get mail accepted. If you want to send email from your own server, you will either have to get a 'business/static IP' account or use an IP in a block where you can both control the RDNS and servers are expected to be. i.e. a VPS provider or colo IP range.
On a related note, what if I want to run a mail server but only for incoming emails? As in I want to buy a domain and create basically a sinkhole email address and create email addresses like hn@example.com
I never need to reply from that email. I just need to be able to read emails I get. Should be much easier, right?
That should be pretty easy. It mostly depends on the exact configuration of the networking where your mail host is and your ability to correctly lock it down so it's not a spam machine.
Receiving email is pretty straightforward; filtering it can be a little tougher but should be fine.
Which docker images? I've been having trouble finding "simple" mail servers for incoming and outgoing. Stuff like postfix and dovecot make my eyes cross, I just want to point DNS at an IP and send and receive mail there, securely.
It's not that I can't set those other ones up, I just don't want to, nor should I have to for a small service...
I've been using Zimbra 8 for years. Not a docker image but has a single install script and sits on ubuntu. It's a poor-mans enterprise email client for free.
It's a bit chunky and when it doesn't fall apart it has a nice friendly client with support for mobile. Includes all the bells and whistles of spam assassin, dkim, briefcase etc. Mobile view is a bit dated but it works for elementary sending / receiving.
The free version has no backups which is a pain and makes me scared to reinstall/move away from. But for a all-in-one email server client it does have a charm.
I've been using Zimbra's free edition for quite some time myself too, since v4 IIRC (back before it moved from TomCat to Jetty). Ran DayJob's mail server from it for a fair few years too.
> The free version has no backups which is a pain and …
I “simply” rsync the key parts off to my usual backup locations (where snapshots are made etc.)⁰. There are a few articles on how to do this floating around. The restore procedure is basically the same as transplanting a Zimbra instance from one install to another¹. For paranoia's sake I have a small extra VM that automatically restores itself from the latest backup daily, and I check occasionally to make sure it is running fine and has recent mail. That VM is not publicly addressable, but if my main instance dies irreparably I could make it so easily and flip DNS over to point its way, probably bumping up its RAM allocation too, losing at most what happened since the last backup. The VM actually thinks it is the “real” primary instance, even with the same local network addresses, as they live behind a split DNS arrangement. A copy of this VM can be used to test upgrades and other major admin to an extent too.
> makes me scared to reinstall...
I've found upgrades work smoothly if you wait a bit after major versions to let the quick adopters iron out the issues first, so I've not had to do a completely fresh install. Just don't upgrade the base OS at the same time as Zimbra. For OS upgrades, when an Ubuntu LTS release nears its own EOL or Zimbra's support for it does, I do a reinstall rather than an upgrade, but for Zimbra in the process things are the same as the backup restore operation. There has always been sufficient overlap between Ubuntu LTS lifetimes and what versions Zimbra supports that this has worked for me.
> makes me scared to … move away from
I've successfully used imapsync³ to move mail between various servers in the past, including into, out of, and between, Zimbra instances. Obviously that doesn't cover calendar data, config, and other features, if you use them, but for mail it is a good option. Regular syncing to something else could be an extra fall-back backup option too though I've only used imapsync for one-off bulk transfers.
> Zimbra 9 looks nice but licensing.
Same. Given how many times Zimbra has changed hands I'm surprised similar hasn't already happened sooner and I've had a good run with it! Maybe closer to 8's EOL others will start maintaining reliable builds of the OS parts, though I'm thinking I'll shift to something else next year. I've mainly stuck with Zimbra because it just works, given my needs have changed considerably over the years something lighter will probably be better and if I'm going to have to do more work (or pay, of course) to keep using Zimbra it is definitely time to properly reconsider the state of the many alternatives. At least we've got a decent amount of time to transition.⁴
[0] Hot rsync to local LAN backup first to speed up the part where the instance needs to be down, stop Zimbra, rsync to local LAN again to get a consistent backup there, restart, then soon after that the local backup is rsynced off to the offsites.
[1] Install same OS+Zimbra versions, stop, restore data from backup over the top, some steps to check/fix perms, off you go. Again, there are examples in the docs & forums.
[4] IIRC 8.x is due to EOL and stop getting security updates at the end of 2023, I'm intending to have something else in place by the end of 2022. If I have time to look around properly and make a decision by then, maybe I'll get around to it over the extended bank holiday weekend at the start of June.
Stuff like postfix and dovecot also make my eyes cross
I've been using nodemailin to receive all emails as POST requests. Set the DNS ip address to a vps on hostwinds (they don't seem to block incoming port 25) so it worked for me right away.
I pay $15/mo for static IP with att. I just sent a message through the chat in their site, please unblock port 25. They replied ok, and it got unblocked next day
You can tunnel wireguard from a local server to a cheapie DO droplet for about 5$ USD/mo.
Only one IPv4 per droplet though.
I read a blogpost that mentioned a free tier cloudflare service for public ips, but have not investigated.
At least where I am, the business class internet that I have access to doesn't come with static IPs and is approximately three times as expensive as residential for the same service level.
Yes, a VPS would absolutely be cheaper. Even if you get the port unblocked, you're still not going to be able to set reverse DNS for SPF records unless you have a business connection with static IPs. An IP alone will probably cost you the same as a VPS that will run a tunnel back to your home box.
In my experience, a business connection is usually twice the price and half the bandwidth.
Actually I just remembered, I can probably use my free Oracle OCI VM, not sure if they'd set up reverse DNS, though. Will have to file a ticket or search about it to learn more.
Disclaimer: Currently I work there, and it's true anyone can get a free VM "forever" (I've had one for 4 years).
I almost did this; but my residential account has a "life-time" price contract which the business-class internet does not have. I worry that the business rates will increase with a higher probability.
A fair measure imo. You are probably going to see 1 legitimate email server mixed in with 1 million infected spam machines. For the legitimate user, its easier to tell them to rent a $5/month VPS.
There are free tiers at some third parties to redirect for you - usually port 25 is blocked outbound, not inbound (at least mine does this), so you can receive email easily; for sending them out you use a free service, but they can read all your emails.
> How did the de-facto solution become "Just use Gmail" or pay a third party to do it?
But, also, haven't you read all the cry babies on hackernews talking about how complicated it is to run a mail server? Why would you even try??? And, don't take calculus when you're in high school. That's hard too, I heard.
> But, also, haven't you read all the cry babies on hackernews talking about how complicated it is to run a mail server?
Complexity isn't the issue. It's about the utility of doing it. What you gain from running your own mail server is so minute that it's not worth the effort even if you think it's simple and easy. I could run my own MTA from my house, but I pay someone else to because being a sysadmin is so boring.
In France, it depends on the provider. The ones I've tried:
Orange DSL would change the IPv4 fairly often, sometimes while using it during the day. Huge PITA. You could pay for a fixed IP. No IPv6 on DSL. I have no experience with their fiber offer.
SFR used to have a fixed IPv4 on FTTH, but now they're rolling out CG-NAT. Which is even worse, because not even DynDNS can save you. Not sure if there's the option of paying for your own fixed IP. You do get a fixed routable IPv6 prefix (/56 I think). Older installs based on FTTC + Docsis get a new IPv4 on reconnection; no IPv6.
Bouygues still seems to have a fixed IPv4 on FTTH. They're rolling out IPv6 with a fixed /60.
There are "pro" offers, but they usually require you to have an actual registered business, which does incur some other costs.
When I signed up for Verizon FiOS maybe 3-4 years ago, they blocked the HTTP port(s). I'm not sure if they still do.
also, the author makes the point that you quote,
>> You may not have a public IP, and if you do, it likely changes from time to time.
you then go and deny this claim and contradict yourself,
> generally do not change IPs frequently (unless your router/modem is restarted)
That's the point the author is making. How frequent and what may cause it doesn't matter, the point is, your IP address will change. When it does and if you ignored that in your infrastructure, you'll have problems. Regardless of how frequently it happens, you have to deal with dynamic IPs.
From what I've heard and experienced, Southeast Asia is mostly "interNAT" -- you don't get a publicly routable IP unless you pay a lot more, CGNAT is all you get.
Start a listening service, portforward to it if you're behind a NAT router, then use one of the online port scanners or some other host you have access to from somewhere else on the Internet to attempt connecting to it.
Yes, mobile internet has AFAIK always been behind a NAT --- I'm not sure if you can even get such a service with a publicly routable IP, since there's not much interest in e.g. hosting a server on your phone while you carry it everywhere, as useful as that could be.
I used to think "who cares? why would I want to self host?" but even if I or anyone doesn't care about self hosting, the fact that they block everyone from doing so is wrong.
I have the same problem with my ISP. The solution was easy: just use DNS validation. All my home services have valid Let's Encrypt certs using this method.
At my previous home, Xfinity let me host my personal webpage/ webapps on 80/443. IIRC, they did block 25.
I moved to a new location a few miles away, and Xfinity doesn't cover this area. The new ISP blocks the following:
"TCP 25, TCP 80, TCP 443, TCP 445, TCP 1080, TCP 6667-6669, TCP 1433-1434, TCP&UDP 135-139, TCP&UDP 67 are blocked for security and network management reasons"
The only way I can get high speed service that doesn't block these is to purchase a business plan from PennTeleData, but they won't even talk to you unless you have a federal tax ID for an actual business.
I ended up putting haproxy on a free Oracle instance and changing what port I listen at here at home.
I'm outside of Pittsburgh, and I've had two different IP's in the last 10 years. The IP change only happened when I upgraded my service a few years ago. I suspect it would still be the same if I didn't change plans.
I get rare IP changes (not sure when exactly as I don’t care much because Dynamic DNS is a thing), have the option of a 5€/month static IP, and have no ports blocked. Germany, Vodafone cable.
> our residential ISPs [...] generally only block port 25 (SMTP)
While outbound connections to port 25 may be blocked, the ISP we are with still allows inbound connections to port 25.
I have a few accounts on the net tied to an old domain, and what I've done with that domain is that I now have the MX record for that domain set to my home IP address, but I reject connections to port 25. Then, when I need to reset a password for an account tied to an email address on the old domain, I start a simple mail server on my computer that accepts incoming mail, and I open for incoming connections on port 25.
I receive the password reset mail, and then I block port 25 again and shut down the mail server program.
For services that are actually important, I’ve changed the email address associated with the account to a hosted one, so that I receive mails about billing and such related to those services.
For less important accounts where I only need to be able to receive password reset mails but otherwise don't want mail related to the service, I keep them associated with the mail address of the old domain that has its MX record set to my home internet IP address, and where I only accept incoming connections when I am doing a password reset.
This way I can receive those password reset emails while avoiding most spam since I only keep port 25 open for incoming connections for short and infrequent periods of time.
It’s certainly too peculiar of a setup for most people. But I figure some others here on HN may find that they might want to do something similar.
So if your ISP allows incoming connections on port 25, you could set up MX records on a new domain or on a subdomain of an existing domain, and run your own server for the sole purpose of registering accounts or receiving password reset emails, and like I do only run that server when you are creating an account or resetting the password for an account.
It’s sort of a fourth option to other alternatives that I more often see other people use. The four ways that I commonly see others do it is:
- Some use “+” addressing with your Gmail account. Not ideal because spammers know of the “+” trick and can just strip the suffix.
- Some self host catch all mail. Not ideal because spammers also blast out email to commonly used names for email addresses. So if you have a domain and you accept mail to any address at that domain you will get spam for addresses like bob@ your domain, sales@ your domain and all sorts of random names @ your domain.
- Some generate a uuid as name portion of email address, unique for each service, or some other scheme with unique name portion per service. This is pretty good but has a couple of drawbacks still. One of which is that you need to explicitly create a new account in your mail system each time, which also can take time – this can be set up so that the operation is pretty simple but still.
- Some use a throwaway email from a free service like Guerrilla Mail or similar. Mostly fine if the account you are registering is really just some temporary thing, but if you do decide that you want access to it later then because the mail address was temporary you will not be able with most throwaway mail services to read mail for that address after like 1 hour or 24 hours or whatever limit they have set. So then password reset becomes difficult or impossible. Also some sites maintain lists of domains from such services and will not allow you to create an account with an email address using any of those domains.
Whereas what you might do instead, which is what I am doing now, is to run catch all but only during the moments where you know you will be receiving an account creation or password reset mail.
For this I use a very basic mail server that receives the mail and just dumps the mail in the terminal that the program is running in. Portions of some mail may be base64 encoded, but you can just copy the encoded text, run a base64 decoding program in another terminal and paste it into that. macOS, FreeBSD, most Linux distros etc all come with a base64 encoding and decoding program shipped with the default install of the system. At a glance it may seem like a bit of work, but I find this the simplest and fastest for the purpose of receiving one-off password reset mails.
First of all, forward port 25 TCP from your router to your computer.
Then, create an MX record on the domain or subdomain that you'll be using.
Install aiosmtpd:
pip3 install aiosmtpd
And then run it:
sudo aiosmtpd -l 192.168.x.x:25 -n
where again 192.168.x.x is the LAN IP address of your computer.
Then when an email is sent to any address at your domain you should see the message show up in the terminal where you have aiosmtpd running.
When you've received the mail, shut down aiosmtpd on your computer and disable the port forwarding of port 25 TCP on your router. Also, remember to update the MX record next time you want to receive an email if your global IP address has changed in the meantime.
If you are feeling adventurous you could write some code to make this even simpler to use. Perhaps going as far as to both automatically enabling and disabling the port forwarding for your router (for example by emulating the login and other HTTP calls that your browser would send when you manually manage the router), and updating the MX record for your domain if needed, as well as to write received mail to disk in Maildir format. https://en.wikipedia.org/wiki/Maildir
Wow the idea of using a throwaway MTA to block marketing emails is super interesting. Do you reset your MX record after the reset is finished, or do you just go back to blocking 25?
But at that point, why not run your own MTA all the time and then just have your firewall cut port 25 off? When you want to start accepting mail again just turn the firewall rule off temporarily. That way you don't need to muck with setting up the MTA.
I keep the MX record all time and just block port 25. Before using it again I just double check that the global IP is the same still or if the MX record needs to be updated.
> But at that point, why not run your own MTA all the time and then just have your firewall cut port 25 off?
You could do that as well for sure. Mainly I do it the way I do simply because the mail server I am running on my desktop that I linked to is run from the terminal and I routinely close terminals which I am not using.
But for example instead of running the server from your desktop you could use the same general idea and have it always running on a Raspberry Pi and block port 25 like you say.
I was going to ask how the routing algorithm differs from eg Kademlia[1], but then I realised this explicitly builds on Kademlia’s ideas.[2]
Kademlia uses “bitwise XOR of peer id” as a distance metric for routing; after querying the DHT you can immediately build a routing table for reaching a particular peer, and you instantly know a next hop for any particular destination you had in mind.
Yggdrasil’s contribution is that it only does this next-hop thing when you first wish to connect to an Yggdrasil IP; instead of just sending to The closest current peer and expecting them to forward, you recursively ask that peer if they have any closer ones to a particular address and add them to your list. When you can’t get any closer, you have either found that peer (and a public internet IP you can contact them on), or the closest node to them that can forward there (eg over non public network, Bluetooth, etc), or you can’t find them. Very cool.
Future work alluded to at the bottom of that post:
> Also, while the current DHT should be fine for peer-to-peer type applications, I wouldn’t want to be the keyspace neighbor of an especially popular server, as this would mean a large number of DHT lookups would go through my node. A caching DHT could, in principle, be able to address that issue without changes to the protocol, but that’s not a very high priority given the size of the current network.
Another interesting comparison is Matrix’s Pinecone, which originally used Yggdrasil but eventually wrote their own custom version. See why in the README. https://github.com/matrix-org/pinecone
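As an added example (not Yggdrasil's or Kademlia's code), here is a toy in-memory model of the lookup described a few comments up: node ids are small integers, distance is bitwise XOR, every node knows only a handful of peers, and the searcher keeps asking the closest node it has heard of for anyone closer until it either reaches the target or can get no closer. The sample network, the `k` fan-out, and the assumption that peers answer honestly and instantly are all constructed for illustration; a real DHT adds parallel queries, timeouts and a k-bucket routing table.

```python
"""Added example: iterative XOR-distance (Kademlia-style) lookup over a
constructed peer graph.  Not Yggdrasil's or Kademlia's implementation."""
from typing import Dict, List, Set, Tuple


def xor_distance(a: int, b: int) -> int:
    """Kademlia's metric: XOR of the two ids, compared as an integer."""
    return a ^ b


# Constructed sample network: node id -> ids of the peers it knows about.
SAMPLE_NETWORK: Dict[int, List[int]] = {
    0b0000: [0b0011, 0b1000],
    0b0011: [0b0000, 0b0101, 0b1110],
    0b0101: [0b0011, 0b0110],
    0b0110: [0b0101, 0b0111],
    0b0111: [0b0110],
    0b1000: [0b0000, 0b1110],
    0b1110: [0b0011, 0b1000, 0b1111],
    0b1111: [0b1110],
}


def find_closer(network: Dict[int, List[int]], node: int, target: int,
                k: int = 2) -> List[int]:
    """What a node answers to 'do you know anyone closer to target?':
    the k nearest ids among the peers it knows (and itself)."""
    candidates = set(network.get(node, [])) | {node}
    return sorted(candidates, key=lambda n: xor_distance(n, target))[:k]


def lookup(network: Dict[int, List[int]], start: int, target: int,
           k: int = 2) -> Tuple[int, List[int]]:
    """Iterative lookup from `start`.  Returns (closest_id, queried_path).
    closest_id == target means the node itself was found; otherwise it is
    the nearest reachable node, i.e. the one that would have to forward."""
    known: Set[int] = {start}
    queried: Set[int] = set()
    path: List[int] = []
    best = start
    while True:
        # Ask the k closest known-but-unqueried nodes in this round.
        to_ask = sorted((n for n in known if n not in queried),
                        key=lambda n: xor_distance(n, target))[:k]
        if not to_ask:
            return best, path
        improved = False
        for node in to_ask:
            queried.add(node)
            path.append(node)
            for peer in find_closer(network, node, target, k):
                known.add(peer)
                if xor_distance(peer, target) < xor_distance(best, target):
                    best, improved = peer, True
            if best == target:
                return best, path
        if not improved:  # no round got closer: stop, like Kademlia does
            return best, path


if __name__ == "__main__":
    print(lookup(SAMPLE_NETWORK, 0b0000, 0b0111))  # reaches node 7 via 0,3,5,6
    print(lookup(SAMPLE_NETWORK, 0b0000, 0b1001))  # 9 absent: closest is 8
```

Running the two lookups at the bottom shows both outcomes the comment describes: the target itself is found (7, via the hop chain 0, 3, 5, 6), or, for an id nobody holds, the search settles on the closest node (8) that would have to forward.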
I ran a Citadel mail server on a Pi, using a .xyz domain. It worked for a few days before getting blocked as possible spam by Google. No apparent solution... the old internet is indeed broken.
Would this be useful to people in countries like Iran, where the internet is restricted and completely cut out whenever the government needs to shut people up?
No. This is useful against assholes, not fanatics.
Assholes will opportunistically shit on anything that isn't too difficult for them to worm their way into. Crapping up DNS by making all unknown domains resolve to an ad server? Sure. Making unencrypted HTTP unusable by inserting ads and blocking keywords? On it. Blocking any port they haven't heard of? Hey, who needs ports 70 or 23 anyway, am I right? Assholes can be state actors in a state which doesn't go to extremes censoring the Internet, or they can be companies or other institutions with assholes dictating IT policy.
Fanatics will poison BGP to blackhole YouTube and, if it knocks out YouTube for a couple neighboring countries, well, those countries either agree with them or are kiddie-porn-hacker-atheist-terrorists who need to be put in their place by Morally Righteous Leaders anyway. Fanatics will kill anyone who sends or receives encrypted messages the authorities can't read, just on general principles.
HTTPS and maybe some tricks with DNS will protect you from assholes. You need legitimate tradecraft to thwart fanatics, and even then you're rather likely to be killed by a government that really doesn't care enough to even stage a convincing accident.
You do it the same way it works in most of these politically-motivated-censorship countries: the sneakernet. Black market smugglers smuggle along USB sticks or preloaded laptops. But, yes, with a motivated despotic government aimed against a single individual, it's going to be mostly impossible.
Let's assume this is a perfect technical solution to a government that wants to censor your speech - that doesn't help much if the government has ball-pein hammers and rubber hoses, and is willing to use them on people living in houses broadcasting wifi.
Cell phones are popular with drug dealers in south america because they're impossible to shut down - if the government can't shut down drug dealers, they definitely can't shut down people sharing offensive memes.
They're impossible to shut down without (potentially) affecting innocent bystanders. If they don't care, they absolutely can and do shut down towers.
In this case, if they judge anyone broadcasting or using this network as subversive, then there are no bystanders, only accomplices. And, thanks to the tyranny of the inverse square law, it becomes much easier to sniff out broadcasters/uplinks as well.
The easiest way to mitigate this is to do both -- rebroadcast a cell connection over WiFi, and do so intermittently and in varying locations to complicate triangulation.
Drug dealers are an annoyance but they aren't a direct threat to any government (as long as you let them be in peace). If it's a direct threat to you, then you do anything, even if the benefits outweigh the risks.
Zerotier is typically used for private networks, and AFAIK it routes through a central server whenever p2p is not possible. On the other hand, the Yggdrasil main net is a public network, and each peer is a router. You don't (and can't practically) connect to every single peer, but any nodes in the middle can route things the right direction. Also, Yggdrasil can run on top of existing TCP/IP like Zerotier, but it can also run on custom mesh base protocols.
Tried getting some answers on their site and older HN post (did not spend too much time doing so), but I failed to find answers to couple of questions, few being:
* What transport does this network use for the IPv6 overlay network? (6in4 encapsulation, IPSec... this probably opens a number of other questions)
* I saw some notes about "hosting your own website" while reading about this project, does it allow for any YG node/network (from 200::/7) to be reachable from Internet? (I know 200::/7 will not be reachable directly, and I believe the answer is obvious NO, but then I am puzzled why is there a mention of hosting your own website like back in the day when it's only available on YG network).
* Is there a large performance hit when a node with IPv6 X moves across the world (say my laptop when I travel), and it changes its place in the topology? I will assume it only requires new DHT discovery and that the rest mostly depends on actual Internet latency between end nodes + some overhead. (The question is meant to be about the risk of the overlay topology not converging when the underlay changes, possibly causing packets to go around the world a few times.)
Is there a community or conference that is a good “watering hole” for ideas like this one? (Ideally not web3/crypto related - real decentralized solutions - not scams and hucksters)
I believe DNS works like normal with there being AAAA records for yggdrasil's 200:: ips. y.matrix.tomesh.net vs matrix.tomesh.net is an example of that
If my ISP hadn’t sent those legal threats for having an open access point someone used to downloaded music from, I’d run this kind of thing on a guest network segment.
Edit: open to suggestions like running a segment through Tor
meh, if you want to do that, limit this bandwidth to x mbps and dump that through a VPN to a VPS. If you ever have any trouble there, just get a different VPS.
Additionally, you can provide usable http/https access but block services that are likely to get you into trouble. You can even put it on your captive portal:
This service blocks torrent traffic, Use a VPN if you need to do that. (link to VPN)
Computers (even phones) have enough spare computing power and bandwidth that a true, cooperative mesh network is probably possible now: data routed through a mesh of local networks created by each device to taps which can route across long-range fiber and satellite comms.
Phones probably spend 1/3 of a day (during the night) being charged and plugged into the wall. You could have a mesh network in which at any given time at least 1/3 of members are active - the public key could carry a timezone/time range during which the node usually operates.
Phones spend almost all of their time charging next to the owner's wifi router, which is always plugged in. It just makes no sense at all to use phones as mesh nodes.
you still have to have back haul if you want to connect to the rest of the internet. If you want to make a mesh and do things locally with people on the mesh, and I certainly believe there is a place for that, this will work. If you want to mesh net your way out of a great firewall, you still have to find a point that has a connection to the rest of the world.
I think this touches on an issue with internet decentralization though, a large component (although definitely not all) is to do with lack of unique IP4 addresses which makes it difficult to decentralize even if you wanted to. I have no idea why the whole idea of web3 is associated with crypto now.
With so much (real) money at stake, it is not surprising that “crypto” tries to latch onto any technology unrelated to “crypto”. Every time it successfully gets associated with something else, it drives the frenzy.
Once I find a secure OS for a daily driver, this could be a path back towards the fun of the 1980s, being able to try out software on a whim and sharing it with everyone, in a safe and secure manner.
What was the name of the Spanish company that offered a similar idea circa 2010? They had a big community branding and a catchy name – and the focus was on phone calls.
Perhaps you are referring to Fon, though their idea was quite different (‘democratized public Wi-Fi hotspots’, basically), and despite the name I don’t think they did anything re: phone calls. I think I still have one of their Fonera routers lying around somewhere (long unused by this point).
Looks like they’re still around, but these days they partner with telcos rather than individual consumers [1]. One of the largest Dutch ISPs (KPN) used to provide access to their network on all their consumer modems until 2020 [2].
This is perhaps the worst branding I've seen in awhile. It's impossible to say correctly without being taught, difficult to remember, and difficult to spell. It's almost like they don't want their efforts to be acknowledged.
Tbh, you don't have to be Nordic to have a basic grasp of mythology from around the world and Yggdrasil is pretty commonly known. Even if people just know it from Marvel comics or heavy metal or something.
Mine, apparently. I don't have any particular connection to Norse mythology afaict, but I've encountered the term "Yggdrasil" at least half a dozen time just surfing on the net.
> It's impossible to say correctly without being taught
I mean, the world of tech is littered with "permanently questionable" pronunciations; one more makes no difference. SQL, GIF, LOG4J, etc etc, they are all successful products despite people not agreeing on how they should be pronounced.
I'm Italian so I read it like it's written: "ee-gg-dra-seel".
He's marketing to the kind of people for whom Yggdrasil is a memorable name.
When I was a nerd teenager in the 90s, reading F-PROT's built-in encyclopedia of computer viruses, it was hard not to notice the abundance of Tolkien and similar references. Hackers have always loved this stuff.
> Yggdrasil is the name of the authentication system that is currently used for authenticating user credentials for Minecraft. ... Mojang has said that this authentication system should be used by everyone for custom logins, but credentials should never be collected from users.
They couldn’t come up with anything else? Shit you could’ve just named it after some random fruit and it would’ve been better than this dungeon and dragons sounding ass name.