SMTP on the edge

This content originally appeared on dbushell.com (blog) and was authored by dbushell.com (blog)

Disclaimer: this post includes my worst idea yet!

Until now my contact form submissions were posted to a Cloudflare worker. The worker encrypted the details with PGP encryption. It then used the Amazon AWS “Simple Email Service” API to send an email to myself. PGP encryption meant that any middleman after the worker, like Amazon, could not snoop. (TLS only encrypts in transit.) The setup was okay but involved too many services.

If you thought that was over-engineered, get a load of my next idea.

SMTP experiments

My experiment with a self-hosted SMTP server was short-lived but I did learn to code the SMTP protocol with server-side JavaScript. During that tinkering I had issues upgrading TLS on the SMTP server for receiving email.

In my recent AT Protocol PDS adventure I learned that Proton Mail can generate restricted tokens for SMTP client auth. I’ve also been slowly migrating from Cloudflare to Bunny in my spare time. I was reminded that Bunny has Deno edge workers.

Lightbulb moment: can I rawdog SMTP in a Bunny worker?

New idea

  • PGP encryption in the browser
  • POST to Bunny edge worker
  • SMTP directly to Proton

This cuts out the AWS middleman. Neither Bunny nor Proton ever see the unencrypted data. True end-to-end encryption for my contact form!

I threw together a proof-of-concept. My script opened a TCP connection to Proton using Deno.connect and sent the SMTP STARTTLS message. The connection was upgraded with Deno.startTls to secure it. It then followed a very fragile sequence of SMTP messages to authenticate and send an email. If the unexpected happened it bailed immediately.

Surprisingly this worked! I’m not sharing code because I don’t want to be responsible for any misuse. There is nothing in Bunny’s Terms of Service or Acceptable Use policy that explicitly prohibits sending email. Magic containers do block ports but edge scripting doesn’t.

I asked Bunny support who replied:

While Edge Scripting doesn’t expose the same explicit port limitation table as Magic Containers, it’s not intended to be used as a general-purpose SMTP client or email relay. Outbound traffic is still subject to internal network controls, abuse prevention systems, and our Acceptable Use Policy.

Even if SMTP connections may technically work in some cases, sending email directly from Edge Scripts (especially at scale) can trigger automated abuse protections. We actively monitor for spam and unsolicited email patterns, and this type of usage can be restricted without a specific “port block” being publicly documented.

If you need to send transactional emails from your application, we strongly recommend using a dedicated email service provider (via API) rather than direct SMTP from Edge Scripting.

bunny.net support

…that isn’t an outright “no” but it’s obviously a bad idea.

New idea v2

To avoid risking an account ban I decided to use the Bunny edge worker to forward the encrypted data to a self-hosted API. That service handles the SMTP. In theory I could decrypt and log locally, but I’d prefer to let Proton Mail manage security. I’m more likely to check my email inbox than a custom GUI anyway.
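A check the forwarding worker or the self-hosted API could run before relaying anything, shown here as an added example that is not the author's code: it accepts a submission only if it is an ASCII-armored OpenPGP message whose first packet is a public-key encrypted session key, so plaintext or an armored-but-unencrypted payload is never passed on. The function names, the size limit and the sample are assumptions made for illustration.

```javascript
// Added example: relay-side gate for contact-form submissions.
const MAX_ARMORED_CHARS = 64 * 1024; // assumed limit, not from the post
const B64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
const fail = (reason) => ({ ok: false, reason });
const decode = (s) => Uint8Array.from(atob(s), (ch) => ch.charCodeAt(0));

// CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1).
function crc24(bytes) {
  let crc = 0xb704ce;
  for (const b of bytes) {
    crc ^= b << 16;
    for (let i = 0; i < 8; i++) {
      crc <<= 1;
      if (crc & 0x1000000) crc ^= 0x1864cfb;
    }
  }
  return crc & 0xffffff;
}

// Returns { ok: true } or { ok: false, reason }.
function checkEncryptedArmor(text) {
  if (typeof text !== "string" || text.length > MAX_ARMORED_CHARS) return fail("size");
  const lines = text.trim().split(/\r?\n/);
  const blank = lines.indexOf(""); // armor headers end at the first blank line
  if (lines[0] !== "-----BEGIN PGP MESSAGE-----" || blank < 1 ||
      lines[lines.length - 1] !== "-----END PGP MESSAGE-----") {
    return fail("armor");
  }
  const body = lines.slice(blank + 1, -1);
  // The "=XXXX" checksum line is optional; verify it when present (relay policy).
  const last = body[body.length - 1] ?? "";
  const crcLine = /^=[A-Za-z0-9+/]{4}$/.test(last) ? body.pop() : null;
  const b64 = body.join("");
  if (b64 === "" || !B64.test(b64)) return fail("base64");
  const bytes = decode(b64);
  if (crcLine) {
    const c = decode(crcLine.slice(1));
    if (((c[0] << 16) | (c[1] << 8) | c[2]) !== crc24(bytes)) return fail("crc");
  }
  // Armor alone proves nothing: a plaintext literal packet can be armored too.
  // Require the first packet to be a Public-Key Encrypted Session Key (tag 1).
  const first = bytes[0];
  const tag = first & 0x40 ? first & 0x3f : (first >> 2) & 0x0f;
  if (!(first & 0x80) || tag !== 1) return fail("not-encrypted");
  return { ok: true };
}

// Constructed stub (three bytes, PKESK header only), not a real message.
const SAMPLE = "-----BEGIN PGP MESSAGE-----\n\nwQEA\n-----END PGP MESSAGE-----";
console.log(checkEncryptedArmor(SAMPLE));
```

The gate inspects structure only: it cannot tell which key the message was encrypted to, so decryption by the mail client remains the real test.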

The OpenPGP JavaScript module is a big boy at 388 KB (minified) and 144 KB (compressed). I load this very lazily after an input event on my contact form.

Last year in a final attempt to save my contact form I added a Cloudflare CAPTCHA to thwart bots. I’ve removed that now because I believe there is sufficient obfuscation and “proof-of-work” to deter bad guys.

Binning both Cloudflare and Amazon feels good. I deleted my entire AWS account.

My new contact form seems to be working. Please let me know if you’ve tried to contact me in the last two weeks and it errored. If this setup fails, I really will remove the form forever!


APA

dbushell.com (blog) | Sciencx (2026-03-17T15:00:00+00:00) SMTP on the edge. Retrieved from https://www.scien.cx/2026/03/17/smtp-on-the-edge/
