We plan to operate a small AS in Japan. It will have minimal prefixes: an IPv4 /24 and an IPv6 /48. We will host an email server in this range. The matter is that we hope to run an exit node (since we own an AS!) somewhere in this new network. Does running a Tor exit relay on a dedicated IP address (or addresses) near an email server have any unhappy consequences for email reachability? Also, I would like to know the best practice for managing a network that hosts Tor relays.
The following is what I am thinking about:
- Set reverse DNS records for the email server and the Tor relay.
- Divide the network into three zones:
  - Users network
  - Servers network (hosting an email server, etc.)
  - Guest network (hosting guest SSIDs, Tor relays, etc.)
Of course, there are multiple geographical locations, so things get more complex.
I have never done this, but a few things to keep in mind:
Use separate IPs for the email server and the Tor exit relay.
There is a scammy blacklist called UCEProtect: https://uceprotect.wtf/. Sometimes exits get on there if they hit a UCEProtect trap. Aside from blocking Port 25/465/587, use your exit policy to block UCEProtect’s IP ranges:
ExitPolicy reject 126.96.36.199/29:*
ExitPolicy reject 188.8.131.52/32:*
ExitPolicy reject 184.108.40.206/32:*
ExitPolicy reject 220.127.116.11/32:*
ExitPolicy reject 18.104.22.168/32:*
ExitPolicy reject 22.214.171.124/30:*
ExitPolicy reject 126.96.36.199/29:*
ExitPolicy reject 188.8.131.52/31:*
ExitPolicy reject 184.108.40.206/32:*
ExitPolicy reject 220.127.116.11/32:*
ExitPolicy reject 18.104.22.168/32:*
ExitPolicy reject 22.214.171.124/32:*
ExitPolicy reject 126.96.36.199/32:*
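An added example (not from the poster or the Tor project) for checking what an ExitPolicy actually lets through before the relay goes live: it parses torrc-style ExitPolicy lines with Tor's first-match-wins semantics and reports whether SMTP/submission ports would still be reachable. The sample policy, the destination address 203.0.113.10 and the assumption that an unmatched destination is accepted are constructed for illustration; real tor appends its own default policy after your lines.

```python
import ipaddress

def _parse_ports(spec):
    """'*' -> all ports, '25' -> one port, '6881-6999' -> inclusive range."""
    if spec == "*":
        return 1, 65535
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low), int(high)
    return int(spec), int(spec)

def parse_exit_policy(lines):
    """Turn torrc ExitPolicy lines into (accept?, network-or-None, low, high)."""
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "ExitPolicy":
            continue  # skip blanks and unrelated torrc directives
        action, target = parts[1].lower(), parts[2]
        addr, port = target.rsplit(":", 1)
        addr = addr.replace("[", "").replace("]", "")  # IPv6 targets are written [addr]/len
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        low, high = _parse_ports(port)
        rules.append((action == "accept", net, low, high))
    return rules

def is_exit_allowed(lines, dest_ip, dest_port):
    """First matching rule wins. Assumption: nothing matched means accept."""
    ip = ipaddress.ip_address(dest_ip)
    for accept, net, low, high in parse_exit_policy(lines):
        in_net = net is None or (net.version == ip.version and ip in net)
        if in_net and low <= dest_port <= high:
            return accept
    return True

# Constructed sample: block mail ports everywhere, one range quoted in the answer
# above, then accept the rest.
SAMPLE_POLICY = [
    "ExitPolicy reject *:25",
    "ExitPolicy reject *:465",
    "ExitPolicy reject *:587",
    "ExitPolicy reject 126.96.36.199/29:*",
    "ExitPolicy accept *:*",
]

def open_mail_ports(lines, dest_ip="203.0.113.10"):
    """SMTP/submission ports this policy would still let exit traffic reach."""
    return [p for p in (25, 465, 587) if is_exit_allowed(lines, dest_ip, p)]

if __name__ == "__main__":
    print(open_mail_ports(SAMPLE_POLICY))              # []
    print(open_mail_ports(["ExitPolicy accept *:*"]))  # [25, 465, 587]
```

Run it against the ExitPolicy lines from your own torrc to confirm that the mail ports come back empty and that the intended ranges are rejected for every port.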