Actually it's fine until it's not. Then your email doesn't work and you could be missing out on important communications. And then you're scrambling to figure out how the spammers managed to exploit your setup this time. And you have to learn a tonne of crap in order to manage it... and the text files! Configuration... configuration everywhere. Obscure configuration. Configuration that has real consequences and causes spooky action at a distance. Configuration that will soon be exploited in strange ways.
I was so frustrated the last time my mail server went down that I started writing an SMTP protocol handler in Haskell with the intent of writing a MTA with the goal of minimizing configuration and being secure and resistant to attacks by default. So that hopefully more people can run their own infrastructure without prematurely aging. I dunno how useful it will be to others but at least it will keep my gray hairs at bay, I hope, when it's ready for use.
Until then though we need more guides like this for us poor souls who do go down this route. There are way too many out-dated guides awash in the sea of information.
...
" ... writing a MTA with the goal of minimizing configuration and being secure and resistant to attacks by default. "
As a 20+ year UNIX sysadmin and fellow owner of my own email infrastructure for 18 of those, I am surprised to read this and am not even sure what you are talking about.
Can you explain what you mean by attacks and exploits from spammers?
Other than accidentally running as a relay or actually having a remote exploit in your server(s), what are the attacks that you have in mind?
"Configuration that will soon be exploited in strange ways."
Again, I am genuinely interested in an explanation ... other than running as a relay, and maybe handling backscatter (but that's not really config, it's just a blacklist), what are you referring to?
Mail server setup for the uninitiated does look a little daunting, especially if you're more accustomed to "all-in-one"-ish software. If you want to do this, I recommend starting with making sure you have a clear mental model of mail server architecture, especially where it touches other things (DNS, DKIM, spam filters, local delivery, probably IMAP, maybe LDAP, maybe databases, etc.) Without a clear idea of the dataflow and reasons for different decision-points, you're going to have a very bad time troubleshooting things.
[1] SBCGlobal.net has been rejecting me for over a decade despite there being zero spam ever having been emitted by my domain. Eh, my userbase communicates with exactly one SBC user; ATT can bite me.
The problem I have is that it's a pain in the ass to set up correctly and when things do go wrong it's really hard to figure out what's going on.
> Can you explain what you mean by attacks and exploits from spammers?
I haven't encountered a remote exploit (yet) but yes: accidentally running an open relay, backscattering, etc. You also have to worry about the system security of the box you're running it all on but let's treat that as a separate concern.
I'd been running my setup for years and as recently as August of last year I was dealing with an outage of my email server. I must've missed something somewhere because someone had figured it out and started using my server as a relay. It took me a few days to figure it out and I'm still not sure what the problem was or how I fixed it. Though my server stopped bouncing emails and started forwarding things again so... win?
As I was fixing this issue, not the first time, it occurred to me that it was just criminally easy to not know if your system is being exploited as a relay or not. There are a bunch of different configuration files in all different formats and guides that require working through dozens of steps. It's way too easy to get something wrong.
For someone like me who works at deploying software running on hundreds of nodes it seems manageable but I don't think it's ready for my cousin who's good with computers.
That's where the idea for a secure-by-default MTA that couldn't possibly be configured to be an open relay came from. Minimize the configuration so it was hard to get wrong even at the expense of flexibility.
I dunno, maybe it's not a great idea. But it's fun to hack on in the evenings when I've got nothing better to do and hopefully I'll have a fewer text files to manage in the future.
I know my emails aren't being farmed from the NSA (at least from my side). I know Google isn't scanning all my emails to sell me garbage. I know it won't be shut down because of some errant algorithm. I have a really short email address. I can set up family and friends easily. I can send newsletters without having to deal with someone else's policies (on my side anyway). I love it.
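The relay problem discussed above (not knowing whether your box is being used as a relay) is something you can check from the logs. The following is an added example, not code from any commenter: it walks Postfix-style syslog lines and flags messages that an external, unauthenticated client got delivered to a domain you do not host. The log lines, IPs, domains and the trusted-network list are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed Postfix-style log lines (not real traffic). Queue ids, hosts
# and addresses are invented for the example.
SAMPLE_LOG = """\
Jan 10 12:00:01 mail postfix/smtpd[1201]: 3F2A1C0001: client=laptop.example.org[192.168.1.20]
Jan 10 12:00:02 mail postfix/smtp[1210]: 3F2A1C0001: to=<bob@example.net>, relay=mx.example.net[198.51.100.2]:25, delay=1.1, dsn=2.0.0, status=sent (250 OK)
Jan 10 12:01:10 mail postfix/smtpd[1202]: 4A1B2C0002: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice
Jan 10 12:01:11 mail postfix/smtp[1211]: 4A1B2C0002: to=<carol@example.net>, relay=mx.example.net[198.51.100.2]:25, delay=0.9, dsn=2.0.0, status=sent (250 OK)
Jan 10 12:02:30 mail postfix/smtpd[1203]: 5B2C3D0003: client=unknown[203.0.113.9]
Jan 10 12:02:31 mail postfix/local[1220]: 5B2C3D0003: to=<alice@example.org>, relay=local, delay=0.2, dsn=2.0.0, status=sent (delivered to maildir)
Jan 10 12:03:40 mail postfix/smtpd[1204]: 6C3D4E0004: client=unknown[198.51.100.77]
Jan 10 12:03:41 mail postfix/smtp[1212]: 6C3D4E0004: to=<victim@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=1.4, dsn=2.0.0, status=sent (250 OK)
Jan 10 12:04:00 mail postfix/smtpd[1205]: NOQUEUE: reject: RCPT from unknown[198.51.100.78]: 454 4.7.1 <x@example.com>: Relay access denied; from=<spam@example.biz> to=<x@example.com> proto=ESMTP helo=<bad>
"""

# smtpd logs one "client=" line per accepted session; SASL details are appended
# when the client authenticated.
CLIENT_RE = re.compile(
    r": (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\](?P<rest>.*)$")
# smtp/local/lmtp log one "to=" line per recipient with the final status.
DELIVERY_RE = re.compile(
    r": (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")
REJECT_RE = re.compile(r"NOQUEUE: reject: .*Relay access denied")


def analyze(log_text, local_domains, trusted_nets):
    """Return relayed messages from untrusted, unauthenticated clients plus the
    count of relay attempts Postfix itself rejected.

    local_domains: domains this server delivers for (delivery to them is not relaying).
    trusted_nets:  CIDRs allowed to relay without SASL (your mynetworks)."""
    nets = [ip_network(n) for n in trusted_nets]
    clients = {}      # queue id -> (client ip, authenticated?)
    relayed = []
    rejected = 0
    for line in log_text.splitlines():
        if REJECT_RE.search(line):
            rejected += 1
            continue
        m = CLIENT_RE.search(line)
        if m:
            authenticated = "sasl_username=" in m.group("rest")
            clients[m.group("qid")] = (m.group("ip"), authenticated)
            continue
        m = DELIVERY_RE.search(line)
        if not m or m.group("status") != "sent":
            continue
        rcpt_domain = m.group("rcpt").rsplit("@", 1)[-1].lower()
        if m.group("relay") == "local" or rcpt_domain in local_domains:
            continue  # delivered into one of our own mailboxes: not relaying
        ip, authenticated = clients.get(m.group("qid"), (None, False))
        if ip is None or authenticated:
            continue  # locally submitted (pickup) or an authenticated user
        if any(ip_address(ip) in net for net in nets):
            continue  # inside our trusted networks
        relayed.append({"queue_id": m.group("qid"), "client_ip": ip,
                        "recipient": m.group("rcpt")})
    return {"relayed": relayed, "rejected": rejected}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, {"example.org"}, ["192.168.0.0/16", "127.0.0.0/8"])
    for hit in result["relayed"]:
        print("RELAYED", hit)
    print("rejected relay attempts:", result["rejected"])
```

On a live system, point this at mail.log with your real domains and mynetworks; any hit means a client outside your networks sent mail through you without logging in.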
>Then your email doesn't work and you could be missing out on important communications
Pretty much every E-mail server will retry sending your E-mail for a long time (like 2 days is default on postfix). Once your mail server comes back up all of the E-mail you missed during the downtime will come in slowly as messages are retried.
>you're scrambling to figure out how the spammers managed to exploit your setup this time
Any tutorial should point you in the right direction restricting open relay on your mail server, just basically requiring authentication to send E-mail outside of your server.
>I started writing an SMTP protocol handler in Haskell
Do you have any link to your progress? Postfix's configuration definitely shows age, but all of the options do important things that you could actually want to change. It seems other MTAs either have just as complicated configuration (to do the same things), or have stunted functionality.
>being secure and resistant to attacks by default
I agree about sensible and more secure defaults in configuration. But the application security of postfix and dovecot are both pretty robust[0][1]. Considering they are 19 and 15 years old, both applications have seen several developer-lifetimes of effort.
>we need more guides like this for us poor souls who do go down this route
I agree, though mediocre howtoforge tutorials seem to have worked fine for this poor soul.
[0] https://www.cvedetails.com/product/14794/Postfix-Postfix.htm...
For larger scale e-mail sending I built my own MTA (https://github.com/zone-eu/zone-mta), our main instance sends about 750k emails a day (mostly normal ISP traffic, maybe 25% marketing emails) and its most valuable feature is juggling with IP addresses and blacklist detection, so if some mailbox gets hacked, starts sending out spam and the IP ends up in Spamhaus et al then this IP is removed from the list for other users automatically. Has saved us a ton of time.
It sucks ass when your mail does not get through as GMail/Hotmail rejects a connection from the IP address your cloud company allocated for you, in spite of DKIM etc. Or they decide to mark your mail as "suspicious" and it goes into the recipient's Spam folder. Fighting these huge hosting companies is impossible as they don't want to talk to you.
Also constantly tweaking Spamassassin is not fun. My setup worked well for the first four years but then started letting more crafty junk through... So, I had to compromise by moving the mail to Fastmail.
God, yes. Gmail, in particular, really enjoyed just dropping connections from my IPv6 addresses every few months. Sometimes it would return an error, something obtuse and wrong like maybe, "your forward and reverse DNS records do not match" even though they absolutely did and hadn't changed in years.
Outlook/Hotmail was far better and would always return a sane, yet sometimes inscrutable, error that bore some resemblance to reality. It still took them a week to get me off the hit list that I got dropped on for no discernible reason.
> Or they decide to mark your mail as "suspicious" and it goes into the recipient's Spam folder.
Gmail was the ABSOLUTE FUCKING WORST about this. My spouse's e-mail to Etsy customers who used Gmail--not spam, not newsletters, person-to-person e-mails INITIATED BY THE CUSTOMER--would work for the first couple of e-mails in a thread and then start going into spam. Or, even more fun, friends with whom either of us had e-mailed would send us a mail and then we'd reply and nope, into spam.
Gmail would do this for WEEKS and no amount of poking or begging or pleading would make it stop. And then it spontaneously would. So maybe the begging did work but was just delayed. I dunno. I tried signing up for Gmail's "Postmaster Tools" but no data was ever reported because "your mail volume is too low."
The ultimate ignominy? The final humiliation that sent me to Fastmail? I finally, through a couple of professional contacts, got to actually e-mail (via Gmail, of course, because they were blocking my personal domain again) with a real, live Gmail SMTP admin to ask why my latest round of e-mails were going into the bit bucket. Know what he said, even though my domain has been hosted on a server in the same colo facility with the same IP addresses for a decade? Something along the lines of "your domain reputation is coming back as too new."
Ladies and gentlemen, I give you whois:
google.com - Creation Date: 1997-09-15T04:00:00Z
mypersonaldomain-notreallythisvalue.org - Creation Date: 1997-03-10T05:00:00Z
You can have a domain registered with Gmail or Rackspace Mail or whatever, and use the SMTP credentials they give you for outbound, while keeping MX records pointing to your own SMTP for inbound. Or you can let them process the inbound as well (fighting spam for you) and you just forward everything (or sweep via IMAP) and put it into your own Dovecot.
This way you control what's important to you (email storage/backups/etc) but outsource delivery and spam filtering.
That's only if your broker and doctor are not using Gmail or G Suite, otherwise your email (with them) is likely to be read by Alphabet regardless of your server setup.
The biggest pain is no longer having a static IP or reverse DNS (thanks Sonic!). Having reverse DNS setup and an IP address that doesn't map to a pool of dynamic IPs are the big things that will keep you off of spam lists.
Coming from sendmail I think postfix and dovecot have been a breath of fresh air. The defaults generally just work. Getting inbound (so spamassassin can check) and outbound dkim to work were the trickiest part. Aside from regular OS updates it's largely hands off.
So you call it easy to configure together 7 different systems just to get a working mail server?
If you can't run Postfix, run Exim in a container.
Configuration is one file, very simple. It won't do everything a sendmail does, but it's never had me pulling my hair out.
Configurations were incredibly unfriendly and tedious. Despite all anti-spam measures, Microsoft was blocking their IP according to some private spam blacklists. Then they couldn't send emails to some ancient government server in Guatemala because of encoding incompatibilities.
I ended up moving them to the free MailGun plan. It took me 2 hours instead of 2 days.
What do I do?
Get a nice VPS from a company like GoDaddy. Set up whatever domains you need. Set up as many email accounts as needed. And off you go. No problem. I don't even have to think about email.
I thought about rolling my own on one of our Linode servers but every time I compare the no-brainer of doing the above to what it would take to run this ourselves on Linodes I can't justify the pain and aggravation.
What I don't like about the Gmail approach (other than it is Gmail and I do not trust Google to not shut down all of our accounts for some stupid reason) is the cost. I can spend a few bucks a month on a VPS and have a hundred email addresses. The same on Gmail would cost significantly more and you would be under their irrational thumb.
A few years ago I looked into running Zimbra on Linode. Back then it was so resource hungry it just didn't make any sense. I wonder if it has gotten any better over time? I really like the concept.
1. Custom MTA that handles incoming SMTP.
2. SpamAssassin that is called by the above MTA which flags email as spam/not-spam.
3. Custom MTA forwards not-spam to the user's inbox.
4. Custom MTA forwards SPAM to postmaster (this bit needs significant re-working)
5. Main Mailserver is Microsoft Exchange run On-Premises.
6. All Mail clients are Outlook 2016, or Android Phones.
The reason I had to write my own MTA was so that I could leverage a 3rd party anti-spam solution, as Exchange doesn't come with one, and add-ons for Exchange are quite expensive.
Running your own mailserver is a complete nightmare. If I knew it would end up this complex 20+ years on, I'd have never done it in the first place.
Of course I still have to worry about attacks at my domain provider level, but at least it removes one weak point. I'm waiting for the day that someone pretending to be me calls me to get me to reset my mail account password.
All the things that make running your own server hard are software problems, the protocol itself lends itself very well to running your own. We just need someone to build the [Caddy](https://caddyserver.com/) of mail servers. You have the right idea with your Haskell server, though I think in this day a Go project might be more successful.
I typically don't recommend someone running their own mail server, but if they do, I wish there'd be a good one they can use, and that one would definitely be a Caddy plugin.
Edit: it's been so long that I forgot it was in fact postfix.
This for me is the deal breaker. I say this as a sysadmin.
It's all well and good running a single server but if that shits the bed then you have to deal with it immediately.
So to run something that doesn't require 24/7 support I now have to run a cluster of servers.
I'll also need something to manage those servers like salt/ansible/puppet.
I also need to deal with my IP being blacklisted because of a previous owner, or just entire domains not delivering my email because they don't like the fact I'm not using $email provider.
Then there is spam filtering and the constant battle that is.
Or I could just pay someone a couple of bucks a month to worry about all that shit and not worry about it.
It's totally up to you how you prioritise getting a server back up again, and frankly if the message can't handle at least a few hours delay then email probably isn't the right medium for it.
This may have been the case in the mid-90s, but it is certainly not the case today. I frequently receive emails that require immediate attention, whether from my employer, my bank, or any number of other notifications. Normal email users expect emails to be delivered in seconds, not hours.
Sadly, I haven't figured out a proper fully-redundant solution. Syncing mailboxes with e.g. Syncthing is way too fragile. Recently, I wanted to experiment with DBMail + CockroachDB cluster but haven't yet found time for that.
Never found any MRA that uses a document-oriented database like RethinkDB; and GlusterFS is way too sensitive to high latencies - so DBMail+CRDB looks like the only readily accessible option, sans trying more "raw" programmable solutions like Salmon or Haraka and writing my own storage backend.
Keep your DNS up always - so have a backup if this is running DNS - many mailing list programs and other things will drop a mail immediately if the destination can't be resolved.
It's really more of a second job.
But it's ever so much fun once you have a decent grasp on all these things.
If the server falls over during the night, then meh... I'll probably fix it reasonably quickly if I'm not on a beach somewhere, and the sending server is supposed to try again anyway.
That's the number one reason I would like to run my own server. (And, no, the Gmail trick of adding "+foo" to the username doesn't satisfy me because spammers know this trick and can strip it.)
Well, that depends on your needs. SMTP will keep retrying, so you won't lose any emails, you just might not be able to access them immediately. For my personal email, this is perfectly OK. Not that it ever happened, in my six years of running Exim + Dovecot, but that may have just been luck.
My two most recent uptimes for my personal FreeBSD mail+web server were each over 1200 days.
My current month's sent-mail folder stretched back for years - which is to say, my (al)pine process itself was 3+ years old.
No, you don't need a cluster of servers for your personal mail server.
> "I've never personally experienced a BSOD in Windows ME, so obviously it's incredibly stable. Those other people are just doing something wrong."
If it's just for your own use, no you don't. If a mail server is down, other mail servers trying to send mail to it will re-try for some time.
Just this week I was remotely logged in and screwed the iptables making the machine catatonic to the outside world. Came home in the evening and didn't even bother fixing it until after dinner and various other activities. Like, "oh yeah, before I sleep, I should fix that mail server ...".
Yes, servers are supposed to resend when they can't connect, but in practice for those periods where the backup MX was down, I'd still lose some messages I know I should have received.
Reliability and delivery consistency is more valuable than pretending your personal email server actually protects you from dragnet surveillance (in my opinion). The truth is every other SMTP server you communicate with could be compromised, and if what you're sending is that sensitive, encrypt it at rest, not just in transmission.
I've been running my own mail server with https://mailinabox.email for ~2 years and can heartily recommend it.
Still, even with that there are gotchas if you want to be able to send messages from your server to Google et al, eg. reverse-DNS-records, DKIM, SPF.
Not for the pressed-for-time.
The integration with Let's Encrypt and a relatively smooth upgrade process has made it one of the more enjoyable services I manage. I would highly recommend it.
I also have no trouble sending email to Gmail users after carefully following all the steps in the manual! The only sticky point I had was that it required fancy DNS records that Namecheap doesn't support -- I think if I were doing it all over again I'd transfer domains over to a better nameserver.
It's fantastic.
Can't configure post-install? At all? This seems like it would be a showstopper for some.
I think what I'm trying to say is that it's not harder than it used to be (though some problems, like spam and security requirements for safety, have gotten worse in absolute terms). With modern tools and packaging on modern Linux distributions, you can be up and running pretty quickly. My company ships a turn-key solution as part of Virtualmin, but you can build something similar without that in an afternoon or two if you're reasonably Linux-savvy and have some notion of how all the pieces fit together (maybe a couple extra afternoons if you don't know the basics; DKIM and SPF can be tricky, since you also have to know or learn you some DNS).
It's harder than a web server or DNS server, but not something you should flee in terror from. Admittedly, it's gotten cheaper in recent years to outsource it...and with microservice-based architectures, maybe it makes more sense to have some other API than SMTP (though SMTP is very easy to use from every language I've ever worked in). But, there are problems and complexities with outsourcing, as well.
Have I invested enough energy? Apparently not. But I'm over the weekend-sized amount by a multiplier bigger than three.
It would be great if someone wrote a program handling all of this that could be deployed as a single binary with secure defaults and limited configurability, but I don't see that happening any time soon. Email providers are good enough for almost everyone and the people who are good enough programmers to make sense of all the different protocols they'll have to deal with and get everything to interoperate nicely probably have other things to work on that people will actually pay for.
Edit: That said, this guide does look like a great resource for someone who is interested in doing this. It's interesting to learn how email works and if I had this guide when I started out I'd have saved a ton of time.
I've never regretted running my own server, nor have I ever contemplated moving to a hosted solution. Spam is not a problem either, Spamassassin in combination with a greylist make for a nearly spam-free experience. The whole setup has been migrated from the original Pentium-66 via an aBit-BP6 (SMP for the masses [2], retired in 2009) to the current Intel SS-4200 (upgraded to a dual-core Pentium but still limited to 2GB). In practice a Raspberry Pi would be enough to run a viable mail server so even this rather anaemic setup does its job without breaking a sweat.
The whole setup consists of Debian (Sid) running Exim through a smarthost, feeding through Spamassassin + greylistd into Dovecot. Apart from some auto-manual intervention to cope with Microsoft/Google/... not coping with the greylisting and thus needing whitelisting it more or less just works. In other words, just go ahead and run your own server.
[1] http://shop.oreilly.com/product/9780596510299.do
My wife won't let me have a neckbeard though.
Total time spent on the mail infrastructure over these 22 years is negligible, probably ~8 hours per year.
I've also always been on Postfix, which has always been way more secure than sendmail ever was at the time. And Postfix is also much easier to configure for the basic case of "send/receive email for a personal domain".
I have been using mailcow[0] for years now and it does all of this for me and works great. The UI is beautiful and intuitive. And setting up mailcow literally takes a few minutes, since the project was ported to docker. Highly recommend it.
How to run your own mail server (for experts): Don't.
I say this as someone who has run my own mail server for 20+ years.
Now, if you absolutely have to get off Google, and the other available hosted options don't work for you, then this article looks like a good start. I'd add roundcube for web access and letsencrypt for SSL.
One thing you'll never really get, in my experience, is good spam handling. The big providers just have so much more data to work with to prevent spam.
I've found the exact opposite. Big providers have to run more lenient rules than I'm willing to use. I can use SORBS and Spamhaus to bounce mail. Sure, both SORBS and SH suggest never ever doing this, but when you self-host you can check your logs, and over the course of a few years I've never had a false positive.
Now that I'm reliant on my ISP for inbound mail I don't have that low pass filter and the amount of spam I get is staggering.
Google is the worst offender in my experience. They don't take spam reports and they don't do a good job of filtering users' inboxes. Sure, there's a SORBS list to bounce mail from hosts that have bogus WHOIS info... but then you block Google... and everyone uses Google... so you just get to put up with all the spam they send out. From the other end, my gmail inbox is nothing but spam these days (the report spam link is generally useless).
Not in my experience. I'm in general very happy with the results of SpamAssassin. Occasionally sth. slips through but when I compare it to my gmail account it's not worse, maybe even better. The only thing I use in addition is postscreen [1] (pregreet test only) to stop the dumbest category of spam bots.
If I had to worry about IMAP, Webmail, etc. I wouldn't run my own.
Not quite the same calibre, but really, SpamAssassin+RBLs tuned a smidge too high plus a user whitelist is pretty darn good. Scripting something that auto-adds to whitelist based on sent mail would do even better (but is exactly the kind of 'fun' that people don't have to deal with using 3rd party service). I've heard you can do better with dspam.
That seems like an awful amount of work / overkill. This is not a good introduction for a normal geek, and die-hard open source fans will figure it out without too much trouble anyway.
Postfix is not the best choice for novices, FreeBSD is not the most well-supported/documented system just because it's not as popular as some others, and a directory service shouldn't be necessary.
We had to set up Exim, Postfix or Sendmail for school. Sendmail was universally hated the most, Postfix came in second, and Exim was... well, not exactly logical or easy, but the best of the three mainstream MTAs.
I'm running hMailServer at home. Windows-only, unfortunately, but until I find a proper replacement, I'll just keep running it in a VM. Nothing else even comes close in admin-friendliness. It's just install and run, with either a local admin interface or a web interface (using PHP, so it runs anywhere).
I'll give you that in general, mail servers are not for novices, and they have a huge array of configuration options, but Postfix is by a wide margin the best piece of software that I've come across the last couple of years, and I've been using it for a long time because of that.
It's reliable, it works exactly as documented, it's up to date, its documentation is excellent, and its community is helpful, if overly precise - but then that's exactly what makes it so good.
I've literally never come across any problem with it that turned out to be a problem of postfix.
I can't say that for any other piece of software that I know.
I invite you to look at hMailServer. I set this up when I had a reasonable clue about SMTP and only a vague understanding of POP3 or IMAP. Let alone how spam filters worked ("they look at words like viagra" was my understanding) or what mailing lists are.
It's really a Windows-like utility in the sense of next-next-next-finish. By now I despise most Windows Server wizards for not being flexible enough and prefer command line tools on GNU/Linux, but this mail server is one thing I just cannot find a good replacement for, and the interface provides everything I need (no need for command line or config file magic).
The documentation for the base system, however, is very good. The man pages are complete and well-written, and the handbook[0] is a great source of documentation as well.
Which was my point. I know it's better integrated and has better documentation (some coworkers were fans, plus what I read online about it), but I still think going with mainstream is the better choice when writing a general post like "how to run your own mail server".
Not that guides for "how to run a mail server on FreeBSD" shouldn't exist. Just that then it should be called that, and not be general advice to anyone who might be googling the general title. There's so much bad press for running your own mail server, while really it's not that hard with the right tools and explanations.
If tweaking spam filters and deleting spam is your idea of fun, then run your own email server.
Thanks for bringing up the painful memories of adding new filters each night. So glad those days are over for me.
edit: Although some training (i.e. manually moving spam to IMAP-Junk) was necessary during the first few months.
The only spam mitigation I use is greylisting and blacklisting.
Then I'd block the spam only domains like .click, .link, .party, .top, .webcam, .xyz, and .stream.
That should be enough to get you close to zero; sure, having spamassassin learn based on your Junk folder will help improve things.
I've run a mail server for 20+ years and never had a spam issue; periodically I do update spamassassin of course.
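Greylisting, as used in the posts above, is simple enough to show in full. This is an added example, not any commenter's code: a greylist keyed on the (client network, sender, recipient) triplet that tempfails the first attempt, accepts a retry after a delay, auto-whitelists networks that retry correctly, and takes a manual whitelist for big senders that do not cope with greylisting. The spam-only TLD list is the one from the post above; delay and window values are assumptions, and the IPs and addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# TLDs the commenter above blocks outright; sender domains ending in these get a 5xx.
BLOCKED_TLDS = {"click", "link", "party", "top", "webcam", "xyz", "stream"}


def client_net(ip):
    """Key on the /24 (or /64 for IPv6): real MTAs often retry from a sibling
    address in the same pool, and we do not want to greylist them again."""
    addr = ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ip_network(f"{ip}/{prefix}", strict=False))


@dataclass
class Greylist:
    delay: int = 300              # seconds before a retry is accepted (assumed)
    retry_window: int = 12 * 3600 # a retry later than this starts over (assumed)
    whitelist_after: int = 3      # successful retries before a net is trusted
    pending: dict = field(default_factory=dict)    # triplet -> first seen (epoch s)
    passes: dict = field(default_factory=dict)     # net -> successful retries
    auto_whitelist: set = field(default_factory=set)
    manual_whitelist: list = field(default_factory=list)

    def add_whitelist(self, cidr):
        """Manual entry for senders that do not retry properly."""
        self.manual_whitelist.append(ip_network(cidr))

    def decide(self, client_ip, sender, recipient, now):
        """Return 'reject' (5xx), 'tempfail' (451, try later) or 'accept'."""
        domain = sender.rsplit("@", 1)[-1].lower()
        if domain.rsplit(".", 1)[-1] in BLOCKED_TLDS:
            return "reject"
        addr = ip_address(client_ip)
        if any(addr in net for net in self.manual_whitelist):
            return "accept"
        net = client_net(client_ip)
        if net in self.auto_whitelist:
            return "accept"
        key = (net, sender.lower(), recipient.lower())
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now       # unseen (or stale) triplet: ask for a retry
            return "tempfail"
        if now - first < self.delay:
            return "tempfail"             # retried too quickly, typical of spam bots
        self.passes[net] = self.passes.get(net, 0) + 1
        if self.passes[net] >= self.whitelist_after:
            self.auto_whitelist.add(net)
        del self.pending[key]
        return "accept"


if __name__ == "__main__":
    g = Greylist()
    # Constructed sequence: a proper MTA retries after a few minutes from a sibling IP.
    print(g.decide("203.0.113.5", "a@example.net", "me@example.org", 1000))   # tempfail
    print(g.decide("203.0.113.6", "a@example.net", "me@example.org", 1400))   # accept
    print(g.decide("198.51.100.9", "x@spam.xyz", "me@example.org", 1600))     # reject
```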
I know the article is concerned with owning your own data, and I appreciate the point. But finding a mail provider that meets your needs is, IMO, a better way to spend your time than just saying "Gmail isn't good for me, so I'll do my own."
https://www.linuxbabe.com/mail-server/ubuntu-16-04-iredmail-...
I dunno. I feel like I'm sitting on a timebomb. It's hosted on DigitalOcean and while it works great with RoundCube and gmail... eh. I dunno why I even did it in the first place.
I'm also a developer, btw. This mail server is only for me so it's not a big deal but if I had to I'd probably be comfortable setting it up for a small business. I wouldn't recommend it for that still, though, since you are the support in that case.
This just isn't true. You can host your own mail server and GMail will probably still end up hosting a large fraction of the email you read and write, because the people you correspond with are still using GMail.
(In the same vein, you can refuse to have a Facebook account but Facebook probably has a dossier on you anyway. Enough people you know have dumped their contacts into Facebook that they already know your place in the social graph.)
You can and should work to reduce your footprint if that concerns you, but there are still systematic issues that make it hard to stay completely outside of their services. Mainly what OP mentioned with contact uploads.
My setup is similar, but it uses MySQL instead of LDAP.
I love being able to make aliases and even better - deleting them when I'm done with them.
Unfortunately most MTAs aren't configured to check the certificate chain, so they'll happily take any SSL cert they're handed and start chatting. MITM or downgrading is trivial.
There is an IETF draft ( MTA-STS ) from 2017 that should address this.
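MTA-STS works by publishing a DNS TXT record and an HTTPS-served policy listing the domain's MX hosts; a sending MTA that finds an enforce-mode policy must only deliver to a listed MX over TLS with a certificate valid for that host. As an added example (not from the draft or any commenter), this parses both artefacts and makes the sender-side decision; the record, policy, hostnames and the tls_valid flag are constructed inputs, and no DNS or HTTPS fetch is performed.

```python
# Constructed examples of the two published artefacts.
SAMPLE_TXT = "v=STSv1; id=20190101T000000"       # at _mta-sts.example.org
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.org
mx: *.backup.example.org
max_age: 86400
"""                                               # served from https://mta-sts.example.org/.well-known/mta-sts.txt


def parse_sts_txt(txt):
    """Parse the _mta-sts TXT record; the id changes whenever the policy does,
    so a cached policy is refetched when it differs."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not an STSv1 record")
    return fields


def parse_policy(text):
    """Parse the 'key: value' policy file and check the required fields."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if "max_age" not in policy:
        raise ValueError("max_age is required")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need at least one mx")
    return policy


def mx_matches(pattern, host):
    """A '*.example.org' pattern matches exactly one extra label on the left."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.org"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def evaluate(policy, mx_host, tls_valid):
    """Sender-side decision for one MX candidate: (deliver?, reason).
    tls_valid is whether STARTTLS succeeded with a chain that validates for mx_host."""
    mode = policy["mode"]
    if mode == "none":
        return True, "mode none: no MTA-STS requirements"
    listed = any(mx_matches(p, mx_host) for p in policy["mx"])
    if listed and tls_valid:
        return True, "MX listed in policy and certificate valid for it"
    problem = "MX not listed in policy" if not listed else "certificate not valid for MX"
    if mode == "enforce":
        return False, problem + ": do not deliver, try the next MX or defer"
    return True, problem + ": testing mode, deliver and report"


if __name__ == "__main__":
    print(parse_sts_txt(SAMPLE_TXT))
    policy = parse_policy(SAMPLE_POLICY)
    for host, tls in [("mail.example.org", True), ("mail.example.org", False),
                      ("mx1.backup.example.org", True), ("evil.example.net", True)]:
        print(host, tls, evaluate(policy, host, tls))
```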
Running your primary email on these big hosting companies is taking your privacy and pissing it right down the drain.
It's really not that hard folks.
Not sure how you go about colocating a Mac Mini in a datacenter though.
Prepare for changes to macOS Server https://support.apple.com/en-us/HT208312
The services deprecated include davmail, dovecot and postfix. They say the changes are "to focus more on management of computers, devices, and storage."
iRedmail - https://www.iredmail.org/
Mail in a box - https://mailinabox.email/
They allow you to set up your own mail server and yet make it easier to get started.
I have been using iRedmail and it has been working well so far.
Exim MTA, Courier IMAPD on Debian.
Pretty easy setup; nothing complicated.
For remote access I use two things: RoundCube webmail, and K-9 Mail on Android. For sending mail from K-9, I connect home, via authenticated SMTP which is on port 587, rather than 25.
I have developed a little web app called Tamarind for generating throw-away mail aliases.
http://www.kylheku.com/cgit/tamarind/tree/
I run some mailing lists which use GNU Mailman. For archiving them, I don't use that horrible pipermail, but rather a hacked version of Lurker. I patched Lurker to pass through HTML so that HTML mails end up rendered as HTML in the archive. The HTML has to be scrubbed, so I wrote a little scrubber for that:
http://www.kylheku.com/cgit/hc/tree/
Lurker patches:
Second, if you must... I'd recommend Mail-in-a-Box. MUCH easier to set up / maintain than this one, at least from a cursory read. https://mailinabox.email
I used to run my own email server for around 15 years with minimal issues, but I gave up when my mail started disappearing into the hotmail/gmail/yahoo blackhole.
And then ... after you've done every damned thing exactly by the book, and DKIM'ed the dickens out of your headers, killed the spam, policed yourself off the blacklists, etc. etc. - turns out you might as well not have bothered. The googles and the microsofts (the microsofts especially!) will one day drop your outgoing mail without the slightest notification, because the ip range, or because the full Moon, or just because they can.
I ran that show for nearly fifteen years, but threw in the towel last year, and handed over to Fastmail. With regret, although their service is first rate.
Email is not a successful federated protocol these days. The monoliths effectively killed it off.
I also learned that having it in your basement means trouble: Someone pulls the plug, your IP changes or ends up on a spam list. For some years I ran my own server on a DO droplet. It is very cost effective when you can make as many mailboxes as you want for family (+ unlimited aliases, addresses that deliver to both you and your wife, being able to email 500 mb to family, etc). I still don't know down what sinkhole emails to my brother-in-law's outlook.com address went. The literal response of MS at the time: We don't manage our own spam filter, try adding more text, make it look more real...
But man, the pain, the complexity, the reverse DNS, the startTLS, the SPF record, the DKIM records. It took me a long time to understand the difference between mail servers and MTAs and why there are different ports for them. Also, few providers in the Netherlands even allow you to use port 25, luckily mine did. Email is truly an old protocol that has been hacked up-to-date (more or less) and setting up your own mail server will make this very clear to you :)
I'd recommend it though, you'll learn a lot! But to be honest, I now pay 3 euros a month to a Dutch email provider because email is too important and I didn't want to go through the pain again when 16.04 came out. I might still have a go at it in the future, there is something beautiful about running your own email server :)
[0] https://arstechnica.com/information-technology/2014/02/how-t...
One nice thing about the programs he chose is that their config options are fairly stable (can't vouch for Solr). That many moving pieces would be absolutely unmanageable if the options changed frequently. Been using a similar setup for years without difficulties.
Adding something like fail2ban into the mix wouldn't hurt.
If you're going to do this, first check that your VPS / ISP allow inbound traffic to port 25/tcp. AWS allows it upon special request. GCE doesn't. Don't know about the others. In the US, most residential ISPs block 25/tcp inbound.
It's useful as quite often you'll get blocked just for being in the same IP block as a spammy server. My experience to date is that once you notify them your IP isn't the culprit the block gets removed pretty quick.
Curious if you looked into other mail server options? I mean Postfix (not Postgres) easily handles the load of a single user, but it is still rather hard to configure and modify.
I recently started to work with Haraka and even though it's meant for high-traffic use cases I won't ever look back to Postfix (not Postgres).
Postfix is super easy, and well documented for normal use cases.
In any case you should ask the author, as they are currently active on another discussion where they linked their article in a comment: https://news.ycombinator.com/item?id=16238501#16238845
>perlgod: I've spent years tweaking my mail server setup (Postfix, Dovecot, RSPAMD, LDAP...) and did a full writeup a few months ago. I've used other guides online but found most of the rest lacking on details
And yes, damn it. Fixed
Switched to Fastmail and haven't looked back. Their Android and Web client are great and they've opened their JMAP[0] interface.
[0] http://jmap.io/
Compliance.
NDA's.
I set up my configs ~5 years ago, and other than apt-get update; apt-get dist-upgrade, I haven't had to do anything
Instead of running each component individually, I would recommend looking at something like Zimbra or another OSS mail package that handles a lot of this.
I hosted my own email for over 10 years and maintaining the bits is painful if you don't have a plan in place.
A decent comparable for do-it-yourself hosting is the kind of luck a product like MDaemon provides - it does a decent job on Windows of rolling all the features into a reasonably manageable server, as well as being quite affordable. I don't work for MDaemon, but tools like this make hosting email relatively trivial.
Fighting spam effectively is not trivial.
1) install spamassassin 2) turn on greylisting
If you want to go from 1-2 spam a day to 1-2 a month you might want to block the garbage domains like click, link, party, top, webcam, xyz, stream etc. Probably worth enabling a DNS based block list.
So an apt-get or two, 2-3 lines in a config file. Seems trivial to me, most every mail server HOWTO mentions them, should be just a cut/paste.
Sure 9-12 months from now it won't work as well, thus updating SA periodically, just like anything else internet facing.
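The three pieces in the recipe above (greylisting, a sender-domain block list for junk TLDs, and a DNS block list) all live in one Postfix restriction list. The following is an added example, not the commenter's own config; it assumes Debian-style package defaults (postgrey's policy daemon on 127.0.0.1:10023) and uses zen.spamhaus.org as the DNSBL. SpamAssassin itself hooks in separately as a content filter and is not shown.

```conf
# /etc/postfix/main.cf (added example; assumes Debian-style packages)
#
# Order matters: Postfix stops at the first rule that decides.
# reject_unauth_destination sits before every check that could say PERMIT,
# so the server can never become an open relay whatever the lists below do.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:10023

# /etc/postfix/sender_access  (build with: postmap /etc/postfix/sender_access)
# A bare TLD as key matches every sender domain beneath it, because the
# default parent_domain_matches_subdomains setting includes smtpd_access_maps.
# The reply text is what the sending server sees in the 554 response.
#   click    REJECT Sender domain TLD not accepted here
#   link     REJECT Sender domain TLD not accepted here
#   party    REJECT Sender domain TLD not accepted here
#   top      REJECT Sender domain TLD not accepted here
#   webcam   REJECT Sender domain TLD not accepted here
#   xyz      REJECT Sender domain TLD not accepted here
#   stream   REJECT Sender domain TLD not accepted here
#
# Then: postfix reload
```

Check the result with `postconf -n smtpd_recipient_restrictions` and by watching `mail.log` for `NOQUEUE: reject` lines; a DNSBL lookup from a shared public resolver may be rate limited, so use a local resolver.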
I thought about Fastmail, but it's too expensive when you want to do more than one email address or domain. I run mine on a $5 server from DigitalOcean.
The current pricing[0] seems to let you have 100 domains plus 600 aliases[1] for $5/mo.
I've got this thought that I will create aliases for every different thing I sign up for and use them to track who's selling my email address to who. I think that a domain plus aliases will do the trick and I think that what I want to do will fit in their limits.
I can set up 100 domains and 600 aliases, but if I want my wife to have access to hername@mydomain.com, does she need her own $5/mo account?
Not true, I run multiple email addresses and domains on my $5 account. Each address is routed to a different folder.
I also accept inbound mx for some of my personal domains, but I don't currently manage my own mailboxes, the mail gets aliased to my Gmail account.
If at some point I get fed up with this arrangement I can transparently change where the email ends up.
It's basically a single binary that has an SMTP server and webmail server. It works absolutely fine for me without much stress. I do hit a couple of bugs here and there, mainly on the mail parsing, but it's not a big deal.
However, after reading this, the software developer in me feels like "These tutorials should not be necessary."
This should be a GitHub repo, trivial to fork and trivial to test out locally for anyone.
I.E. like this:
Internet Email (SMTP) -> [MTA + Rspamd] -> [Real MTA + Inboxes]
I ask because I've got a mail server system I'm happy with, but just want to bolt a better anti-spam filtering system on in front of it. Thanks.
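The front-end box in that diagram is a Postfix relay with no local mailboxes that runs rspamd as a milter and forwards to the existing MTA. The following is an added example, not from the commenter or the article; domain names and the backend address are placeholders, and it assumes rspamd's proxy worker is listening on its default milter port 11332.

```conf
# /etc/postfix/main.cf on the filtering front end (added example; placeholders)
myhostname = mx.example.com

# No local delivery at all on this host.
mydestination =
mynetworks = 127.0.0.0/8 [::1]/128

# Accept mail only for the domains we front, and hand it to the real MTA.
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport

# Knowing the valid recipients lets the front end reject bad addresses during
# the SMTP session instead of accepting and bouncing later (backscatter).
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Relay only for relay_domains; everything else is refused.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# rspamd's proxy worker speaks the milter protocol.
smtpd_milters = inet:127.0.0.1:11332
milter_protocol = 6
# "accept" lets mail through unfiltered if rspamd is down; use "tempfail"
# if you would rather have senders retry than receive unscanned mail.
milter_default_action = accept

# /etc/postfix/transport  (postmap after editing)
#   example.com    smtp:[10.0.0.5]:25
#
# /etc/postfix/relay_recipients  (postmap after editing)
#   alice@example.com   OK
#   bob@example.com     OK
```

Point the domain's MX at this host and make sure the backend only accepts port 25 traffic from the front end, otherwise spammers simply connect to the backend directly and skip the filter.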
Sure it's _hosted_ in a centralised place but since you're paying for it Amazon shouldn't have an incentive to harvest your data.
From reading their blog[0] you can tell that they are passionate about email.
It is a bit pricey for a personal email with a few accounts, but I'm happy to give them their well-earned money.
The easiest way to get this type of VM setup going is to start up the container on your mail host with all of the fun features (filters mostly) turned off, verify that the new mail container works as expected, then slowly start turning on features one by one so that if you happen to break something with a bad configuration you know how to roll back to a configuration that is functional.
Looks pretty daunting to me
If you like email Zimbra's great - it's a fully baked mail server which you install on your Linux distro of choice and it goes off and installs all of the above for you. Everything is managed via a GUI and you have a great web interface and standards based IMAP, CalDAV support.
If you buy the paid version you can even get ActiveSync and Exchange Web Services for it.
Despite all that though, I would give anything to have all those countless hours I put into running my own mail server back. It is a colossal time sink. I can't even stress how much work it is, especially if you have anyone relying on the box for their primary mail account. It's no fun at all.
You're gonna be debugging Fetchmail for when you or your users want POP3 accounts downloading mail locally. Procmail for filtering. SpamAssassin (gawd if ever there was something which consumed my life it's that software and its myriad libs and helpers), not to mention familiarize yourself with DNS MX records, SPF, DKIM etc. etc.
All of the above works surprisingly well and is fairly solid - until it isn't. When Google added DKIM/SPF protection and blacklisted servers which didn't, that was a fun weekend that I'd rather have spent with my family. When customer emails started bouncing because their IPs had hit an overzealous RBL list which Zimbra was using, that was a fun afternoon of debugging. When Zimbra decides to randomly let in 10-20 spam emails a day into my mailbox is another weekend project which I've yet to get round to. Thank god I'm self employed is all I can say because no employer would tolerate an employee putting in the care and feeding required to maintain a personal email server!
Unless you want to nurture a career as a mail sysadmin seriously, don't host your own mail server.
Bottom line I'd recommend to anyone thinking about hosting one to either:
1. Don't
2. Use Microsoft Exchange Server
3. Use Zimbra
4. Seriously, don't - consider Fastmail, Gmail, O365 or Protonmail instead.
Postfix supports a selection of block lists for spam, and I get no spam at all - although unfortunately my gf sends me email from a Yahoo account, and certain Y! servers get blocked, so that mail bounces.
She doesn't do it often enough for me to spend more time getting whitelisting to work. (Currently it doesn't - I don't know why.)
The hard part is getting a working config file for postfix, but there are tuts and examples online.
Like a lot of older FOSS code, postfix is basically an insane collection of every possible switch for every possible feature, dumped with no particular thought or care into a single config file, and written up - ditto - in a single help file.
You only need about 10% of it, but you won't know which 10% until you try.
The server gets regular hack/relay attacks from all over, but those get killed by Fail2Ban. I'm not exactly a high profile target, but unlike an old WP site I used to run - it was hacked in weeks - the servers seem to have survived for more than five years now.
For example, suppose I have things set up so all outgoing mail from my home goes through my SMTP server. If I send an email with a from address of tzs@mydomain, then the setup in the article is perfect.
Suppose, though, I send an email from home with my from address set to tzs@employer, where "employer" is my employer's domain? Assume this email is not to an @employer address [1]. With the setup in the article (and in almost every other similar setup I've seen covered in similar articles) this might run into spam filter issues unless I've convinced my employer to add my SMTP server to their SPF record.
The way I want this to be handled is for my SMTP server to see that the mail is from an @employer address, and instead of trying to deliver it directly, relay it through employer's SMTP server.
This is similar to the common "smart host" configuration often used when you run an SMTP server at home, but want it to send all outgoing mail through your ISP's SMTP server instead of trying direct delivery. Essentially what I want is a conditional smart host based on the from address.
Postfix supports this. In fact, it seems to support it in a couple different ways. I played with it a bit but could not quite get it working.
What I'm doing for now, until I find out how to do it right, is only send work email outside of work from my desktop Mac. I took tzs@employer off the list of mail aliases for my mydomain mail account, and created a second account in Apple Mail for @employer. I set the incoming mail server to POP3 on 127.0.0.1 so that it would fail, and set the outgoing server to smtp.employer. It complained for a while that it could not contact the POP3 server, but eventually stopped complaining, and the address in the configuration dialog changed to 0.0.0.0.
With that setup Apple Mail sends mail from @employer directly to my employer's SMTP.
Sometime recently, after an OS update, that stopped working. It would no longer let me enable an account unless it could successfully talk to the incoming mail server for that account.
I did find an ugly workaround for that. I gave it the correct address for employer's POP3 server, and the correct password. Once it was happy, I went to Keychain Access, found the saved password for the POP3 server, and changed it in Keychain Access to something incorrect. Mail then complains that it cannot login to the POP3 server, but that does not cause it to disable the account. Net effect: a send only account in Apple Mail. (It is important to do the password change in Keychain Access, not in Mail, because Mail won't save the change until it sees the new password work).
(If that had not worked, I probably would have written a dummy POP3 server that always reports no mail and used that).
[1] This happens reasonably often for me, because I have my mail server set up to use fetchmail to fetch my incoming work email and deliver it via procmail. Same for any other SMTP accounts I have. That way I only have to configure mail clients to work with my mail server and I get access to all my mail from all of my non-web email accounts.
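The conditional smart host described above is what Postfix calls a sender-dependent relayhost. The following is an added example, not the commenter's or the article's configuration; it assumes the employer's server accepts authenticated submission on port 587 over TLS, and the domain names, username and file paths are placeholders.

```conf
# /etc/postfix/main.cf additions (added example; names are placeholders)

# Keep direct delivery as the default: no global relayhost.
relayhost =

# Choose the next hop by envelope sender. The table is searched with the
# full sender address first, then with @domain, so one line covers the
# whole employer domain. Apple Mail and most clients set the envelope
# sender to the From: address, which is what this keys on.
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay

# Credentials must also be picked per sender, not per relay host, and
# connection caching is disabled automatically so mail from different
# senders never shares an authenticated session.
smtp_sasl_auth_enable = yes
smtp_sender_dependent_authentication = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

# Opportunistic TLS for ordinary direct delivery, but mandatory TLS for the
# one destination that will see a password on the wire.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/sender_relay
#   @employer.example        [smtp.employer.example]:587
#
# /etc/postfix/sasl_passwd   (root-owned, mode 0600; key is the sender address)
#   tzs@employer.example     tzs:PASSWORD_PLACEHOLDER
#
# /etc/postfix/tls_policy    (key is the next hop exactly as written above)
#   [smtp.employer.example]:587   encrypt
#
# postmap /etc/postfix/sender_relay /etc/postfix/sasl_passwd /etc/postfix/tls_policy
# chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
# postfix reload
```

Mail from @mydomain still goes out directly, so your own SPF record is unaffected; mail from @employer leaves via the employer's server and therefore passes the employer's SPF check without any change on their side.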
If Apple mail is broken and keeps dropping things I'd suggest thunderbird.
I swear, I don’t work for Fastmail, but I’d much rather use them (or any email provider that is halfway decent) than fiddle with my own mail server.
One of the easiest mailserver setups I've ever had.
If you don't like that it's not super free, there's an open source alternative: https://mailu.io/
I even put together a self-contained single-DVD installer that would install and set everything up securely and solidly. (I don't think I have a copy any longer and if I did it's very out of date)
I still don't recommend doing it. Even for the security-conscious. It's just not worth it.
The use case is to transfer arbitrary files over a local hotspot.
I tried installing from the Apple TV tutorial, but it put my iPhone in a boot loop.
Just a chance, but are there any iOS jailbreakers here who could advise?
Running a Postfix on anything other than a dedicated server with a static IP is a pretty bad idea (half the internet will reject the emails you send).
And to do all that just to transfer some files is probably like using an iPhone as a fly swatter.