Homelab

42U server rack in my flat

I host everything I can on my own equipment and don’t use cloud services.

E-mail, document sharing, auto photo uploads from my iPhone, all my files, my code, a Kubernetes grid, and more.

Aren’t you worried about security?

Yes, but hacks happen everywhere (iCloud for example). I enforce 2FA via a dedicated identity server everywhere, even for logging into this blog. I don’t drink ZTNA kool-aid too much, so most things stay behind a VPN (for example, domain controllers). Said VPN is also behind 2FA. It’s a reasonable approach.

Does it always work?

Nope. One of my posts got to #1 on Hacker News and even my WireGuard tunnels started collapsing. I’ll blame my ISP for my 7 Mbps connection on that occasion.

Fine, but why host email? That’s crazy complex.

  1. Because it matters a lot to me (so all the more reason)
  2. It’s not that hard to keep running

Alright, so how did I get here?

  1. You asked your DNS resolver where blog.abctaylor.com is
  2. ns1 or ns2.arcza.net (my public name servers) probably said it’s at 82.71.78.1, an IP in a /29 block I rent from my ISP
  3. A Cisco ISR accepted your packets, and sent you on toward a DMZ firewall
  4. The firewall allowed your traffic into the DMZ
  5. You hit a DMZ load balancer which did TLS with your browser
  6. Another firewall allowed the load balancer through to the core network to a VM running NGINX, which generated this page