I have an iPhone and a gl.inet gl-e750 portable cell router, and my SIM card stays in the router. I don’t actually restrict my phone the way you’re talking about, but this gives me vpn to my home network without needing the vpn running on each client device. And if I wanted to block connections to big tech company services, I could do that.

I do, and I agree about their utility. My users and aliases are in OpenLDAP but it’s pretty easy to add new ones.

Separate accounts are preferable if you’re actually going to be responding to messages. I’ve had some embarrassing encounters where I’ve given an alias to a business that I didn’t realize was going to actually use it for real email conversations with a human. By default roundcube web mail lets you hit reply anyway and the reply goes out with your real address, which can lead to confusion.

I host my own for mspencer dot net, used this 15-ish step walkthrough from linuxbabe dot com. Only maybe three instances of spam in two years, gmail and outlook receive my messages just fine, etc. (Successful spammers were using legitimate services, and those services took action when notified. Greylist delays emails by a few minutes but it’s extremely effective against most spammers because they never come back to retry messages after a few minutes, while legitimate senders will.) I don’t know if I would accept blanket advice against self hosting.

Fundamentally if your mail server can see the addressee, it can see the content. SMTPS encrypts both in the same channel. So at the point where you accept messages and store them in a mailbox, the messages have to be readable.

Encrypting them at rest isn’t something I currently do, but if you’re going to later serve those messages to an email client that expects to receive clear text, your server needs both the keys and the messages. They can be stored in different places.

Most of your needs could be met with full disk encryption on the box hosting Dovecot. If you’re worried about being compelled to decrypt, there’s always the deck of cards trick: The pass phrase for full disk encryption consists of a memorized portion plus the letters and numbers of the top N cards in this deck of cards you keep by the server. If someone were to shuffle that deck of cards, and the server were powered down, the encrypted volume would be impossible to recover.

I’m eager to learn what other Dovecot tricks people can recommend to improve security.

Hmm, you have uncovered a problem with both of our ideas. Steam’s leverage is reduced after they have deposited sales proceeds, and is gone after the publisher isn’t selling games on the platform any longer.

(I’m griping about Rockstar specifically but my point is still flawed in the general case.)

Now punish publishers who try to change the terms of sale after sale. “Want to play the single player game you bought a decade ago? Agree to this new arbitration clause.”

Are you going to be hosting things for public use? Does it feel like you’re trying to figure out how to emulate what a big company does when hosting services? If so, I’ve been struggling with the same thing. I was recently pointed at NIST 800-207 describing a Zero Trust Architecture. It’s around 50 pages and from August 2020.

Stuff like that, your security architecture, helps describe how you set everything up and what practices you make yourself follow.

In a general sense, you are discussing a way to control other people and organizations, and to make them stop talking about you. (Communicating and storing your information) This isn’t always possible or practical.

If you pay a merchant with your payment card, that merchant is allowed to know your payment card number. If you call a toll free number, the recipient of your call is allowed to know your phone number.

If they decide to share what they learn about you, and they do so legally, there’s not a whole lot you can do to stop them. I’m not saying this to antagonize or hurt you. I invite you to think differently about what you can control and what is worth worrying about.