All this new excitement with Lemmy and federation has got me thinking that maybe I should learn to run my own instance. What always comes up though is how email is the original federated technology.

I am looking at proxmox and see that it has a built in email server, so now I am wondering if it is time to roll my own.

I stopped using gmail a long time ago, and right now I use ProtonMail, but I am super frustrated with the dumb limitation of only having a single account for the app. I get why they do it, and I am willing to pay, but it is pricey and I don’t know if that is my best option. I guess it is worth it since ProtonVPN is included. It looks like they are expanding their suite.

Is it worth it? Can I make it secure? Is it stupid to run it off a local computer on my home network?

  • Admiral Patrick@dubvee.org · 34 points · edited · 1 year ago

    Yes, I still run my own email server. It is not for the faint of heart, but once it’s configured and your IP reputation is clean, it’s mostly smooth sailing. I have not had any deliverability problems to date, initial setup/learning period notwithstanding.

    If you’re not scared away yet, here are some specific challenges you’ll face:

    • SMTP ports are typically blocked by many providers as a spam prevention measure. Hosting on a residential connection is often a complete non-starter and is becoming more difficult on business class connections as well (at least in the US, anyway).
    • If you plan to host in a VPS, good luck getting a clean IPv4 address. Most are on one or more public blacklists and likely several company-specific ones (cough Microsoft cough). I spent about 2 weeks getting my new VPS’s IP reputation cleaned up before I migrated from the old VPS.
    • Uptime: You need to have a reliable hosting solution with minimal power/server/network downtime.
    • Learning Curve: Email is not just one technology; it’s several that work together. So in a very basic email server, you will have Postfix as your MTA, Dovecot as your MDA, some kind of spam detection and filtering (e.g. SpamAssassin), some kind of antivirus to scan messages/attachments (e.g. Clamd), message signing (DKIM), user administration/management, webmail, etc. You’ll need to get all of these configured and operating in harmony.
    • Spam prevention standards: You’ll need to know how to work with DNS and create/manage all of the appropriate records on your domain (MX, SPF, DMARC, DKIM records, etc). All of these are pretty much required in 2023 in order for messages from your server to reach your recipient.
    • Keeping your IP reputation clean: This is an ongoing challenge if you host for a lot of people. It can only take one or two compromised accounts to send a LOT of spam and land your IP/IP block on a blacklist.
    • Keeping up with new standards: When I set my mail server up, DMARC and DKIM weren’t required by most recipient servers. Around 2016, I had to bolt on OpenDKIM to my email stack otherwise my messages ended up in the recipient’s spam folder.
    • Contingency Plan: One day you may just wake up and decide it’s too much to keep managing your own email server. I’m not there yet, but I’ve already got a plan in place to let a bigger player take over when the time comes.
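An added example, not code from this thread or from any mail project, of the "spam prevention standards" item above: it audits the MX, SPF, DMARC and DKIM records a self-hosted domain needs the way a receiving server's policy checks read them. The domain `example.test`, the selector `mail`, the record values and the DKIM key placeholder are all constructed sample data standing in for resolver output.

```python
"""Offline audit of the DNS records a self-hosted mail domain needs.

Added example, not from the thread or any mail software. The record values
below are constructed stand-ins for what a resolver would return for a
hypothetical domain "example.test"; the DKIM public key is a placeholder.
"""
import re

SPF_RE = re.compile(r"^v=spf1(\s|$)", re.I)
# Terms that cost a DNS lookup when SPF is evaluated (RFC 7208 allows at most 10).
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}

def parse_mx(records):
    """Turn 'priority host.' strings into (priority, host) sorted lowest first."""
    out = []
    for rec in records:
        prio, host = rec.split(None, 1)
        out.append((int(prio), host.strip().rstrip(".").lower()))
    return sorted(out)

def parse_tags(record):
    """Split a 'k=v; k=v' tag-value record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_mx(records):
    if not records:
        return ["MX: no MX records; inbound mail falls back to the A record or fails"]
    if len(parse_mx(records)) < 2:
        return ["MX: single MX host; add a backup MX so mail queues while you are down"]
    return []

def check_spf(txt_records):
    spf = [r for r in txt_records if SPF_RE.match(r)]
    if not spf:
        return ["SPF: no v=spf1 record; many receivers will junk or reject your mail"]
    if len(spf) > 1:
        return ["SPF: multiple v=spf1 records; receivers treat this as permerror"]
    terms = spf[0].split()[1:]
    findings = []
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders only get 'neutral'")
    elif all_terms[-1] in ("all", "+all"):
        findings.append("SPF: '+all' authorises the whole internet to send as your domain")
    lookups = sum(re.split(r"[:=/]", t.lstrip("+-~?"), 1)[0].lower() in LOOKUP_TERMS
                  for t in terms)
    if lookups > 10:
        findings.append("SPF: more than 10 DNS-lookup terms; evaluates to permerror")
    return findings

def check_dmarc(txt_records):
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no _dmarc record; forged mail using your domain goes unreported"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine/reject later")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you never see aggregate reports")
    return findings

def check_dkim(txt_records):
    dkim = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dkim1")]
    if not dkim:
        return ["DKIM: no selector record; your signatures cannot be verified"]
    if not parse_tags(dkim[0]).get("p"):
        return ["DKIM: empty p= tag means the key is revoked"]
    return []

def audit(dns, domain, selector):
    """Run every check over a resolver-style dict of 'name TYPE' -> records."""
    findings = []
    findings += check_mx(dns.get(f"{domain} MX", []))
    findings += check_spf(dns.get(f"{domain} TXT", []))
    findings += check_dmarc(dns.get(f"_dmarc.{domain} TXT", []))
    findings += check_dkim(dns.get(f"{selector}._domainkey.{domain} TXT", []))
    return findings

# Constructed resolver output for a well-configured domain ...
GOOD_DNS = {
    "example.test MX": ["10 mail.example.test.", "20 backup-mx.example.test."],
    "example.test TXT": ["v=spf1 mx a:mail.example.test -all"],
    "_dmarc.example.test TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
    "mail._domainkey.example.test TXT": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}
# ... and for one that will land in spam folders and can be forged freely.
WEAK_DNS = {
    "example.test MX": ["10 mail.example.test."],
    "example.test TXT": ["v=spf1 mx +all"],
    "_dmarc.example.test TXT": ["v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for name, dns in (("good", GOOD_DNS), ("weak", WEAK_DNS)):
        print(name, audit(dns, "example.test", "mail") or ["no findings"])
```

To run it against a live domain, feed `audit()` the answers from your resolver of choice in the same `name TYPE` keyed shape; a reverse DNS check is deliberately left out because it needs the sending IP, not the domain.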
    • DidacticDumbass@lemmy.one (OP) · 4 points · 1 year ago

      Wow. I am emotionally ready for the challenge, but not intellectually, and maybe not even financially.

      IP reputation is such a new concept to me, but I have already come across it when the IP from the VPN I am using is blacklisted. Super annoying. I really have to reconsider my threat level because I am starting to get the feeling that I do not need it. I am a good boy and don’t pirate much, mostly books. And for the naughty stuff… well I didn’t feel unsafe before I started a VPN.

      Well, you have given me a lot to think about. Thanks!

        • DidacticDumbass@lemmy.one (OP) · 1 point · 1 year ago

          Looking at the pricing for all the recommendations I got, it really is cheap. Like, a tiny fraction compared to what I spend on a single yearly subscription to anything.

    • phase_change@sh.itjust.works · 4 points · 1 year ago

      Yep. I’ve hosted my own mail server since the early oughts. One additional hurdle I’d add to your list is rDNS. If you can’t get that set up, you’ll have a hard time reaching many mail servers. Besides port blocking, that’s one of the many reasons it’s a non-starter on a consumer ISP.

      I actually started on a static ISDN line when rDNS wasn’t an issue for running a mail server. Moved to business class DSL, and Ameritech actually delegated rDNS to me for my /29. When I moved to Comcast business, they wouldn’t delegate the rDNS for the IPv4. They did create rDNS entries for me, and they did delegate the rDNS for the IPv6 block. Though the way they deal with the /56 IPv6 block means only the first /64 is usable for rDNS.

      But, everything you list has been things I’ve needed to deal with over the years.

      • Admiral Patrick@dubvee.org · 6 points · edited · 1 year ago

        Yeah, I totally forgot about reverse DNS. Good catch. I probably left out a few other things what with the repressed trauma of it all. lol.

        I had to deal with Suddenlink business, and they were (somehow) surprisingly worse than what you described for Comcast (I didn’t know that was possible, TBH). Suddenlink wouldn’t even unblock the SMTP ports at all let alone delegate rDNS to our static.

    • DidacticDumbass@lemmy.one (OP) · 6 points · 1 year ago

      That was a sobering read. We all feel victorious when we see big tech fail after they wronged their users, but fundamental technologies that actually run the world have already been lost, and may never be recoverable for egalitarian use.

    • 2xsaiko@discuss.tchncs.de · 10 up / 2 down · 1 year ago

      Great post!

      I’m rather dismayed to see those universities and institutes nowadays no longer as pioneers and innovators in this area, but instead as mere consumers of ready-made corporate solutions, following corporate interests and centralising solutions. I have two employers, both academic, and both have resorted to big-tech corporations that offer solutions like e-mail as a service.

      Same here, my university recently switched from their Horde webmail to Exchange. The new Outlook webmail is absolutely awful and I couldn’t set up all the filters that I had before. Luckily I could enable IMAP login, thankfully without OAuth because imo that’s another awful practice, so I can connect to it with non-braindead mail clients. Still a massive downgrade and I bet they now have to run it on a 10x as powerful server because I hear Exchange is an absolute monster in terms of resource usage.

      (Also, I’ve been self-hosting mail for probably 4 years at this point. Here’s to many more!)

    • styraco@lemmy.world · 4 points · 1 year ago

      Aren’t you afraid about some important email getting discarded without you knowing about it? Or about unnoticed downtime which results in missed mails?

      • proycon@lemmy.world · 4 points · 1 year ago

        When I am sending? Well, once things are set up properly I’m pretty confident that things arrive (though nobody can ever be 100% sure of course). I also tend to mail to the same recipient domains a lot, like for work and hobby projects, so once those are tested you get pretty confident.

        Unnoticed downtime is usually quickly noticed, I depend on my server for a lot of things. Senders are often resilient enough to keep things in their queue and try a few times. There’s also a fallback MX registry at my (3rd party) DNS host which will queue stuff in case the primary MX goes down.

    • DidacticDumbass@lemmy.one (OP) · 1 point · 1 year ago

      I like what you write, I am going to look deeper into it. It really sucks that the nearly utopian promises of the future and newfound freedoms have been progressively squashed. Every ‘disruption’ that looked like a return to that utopia has ultimately been evil and firmly entrenched in the capitalist mindset.

      I am glad it is still possible. I think it would be healthy for me and everyone else to practice digital homesteading, to become self-sufficient while still being able to lean on the greater community of like minded people.

    • linearchaos@lemmy.world · 8 points · 1 year ago

      Tbh, that document reads like a discovery channel 2am aliens documentary, but it’s not completely without merit.

      There are a couple line items about software services they’re using that are shitty that sound pretty legit. The fact that they’re operating in locations where they might have to hand over data sounds pretty legit. Their warrant compliance and logging/handing over a person’s IP address is legit.

      The CIA honeypot stuff is all really circumstantial. If the CIA was in as deep as is claimed, a lot of the real evidence people are turning up that they’re not as secure as they could be would be unnecessary.

      My best guess is they decided to make an email company based in Switzerland with the schtick that they’re secure (banks amirite?). They’re doing what they can to appear secure without spending too much money. They’re not going to have legal battles to keep your data private, and they are going to comply with agencies’ requests for data. Even if they support end-to-end encryption, if they are required by an agency to turn that encryption off for you, they’re going to do it.

      They’re probably less likely than Google or Microsoft to sell all of your data to the highest bidder, but realistically there’s no such thing as secure email.

      • Sploosh the Water@vlemmy.net · 8 points · 1 year ago

        The basic assumption every privacy-concerned person should have about email is that it’s never secure. Unless you use an offline cryptography program to encrypt your email text and then paste it into the email body before you send it, your emails are insecure.

        Email was never designed with that in mind. If you want to communicate securely with somebody, use a medium/method that has been designed from the start for that purpose.

        I use ProtonMail because it’s not a massive corpo and it’s open source, but I don’t believe that my emails are significantly more secure than on a service like Exchange or Gmail.

        • DidacticDumbass@lemmy.one (OP) · 2 up / 1 down · 1 year ago

          This has been my thinking about ProtonMail, even after reading the article on here, and even after reading https://digdeeper.club/articles/email.xhtml (which I have to reread because it keeps getting bigger).

          There is no perfect solution, just different levels of trust. That is right, if I want to be “secure” I got to act like a journalist and use a temporary solution or something that has end-to-end encryption.

          Besides, email is meant for public communication. No reason to elevate it into something it will never be.

          • Sploosh the Water@vlemmy.net · 3 points · 1 year ago

            Yeah. In my experience, you have to be careful in the world of tech privacy/FOSS to not fall off a cliff to the extremes.

            You can always find reasons to not trust some piece of tech hardware or software. It’s all too complex and multifaceted to fully vet, and even when you can do that, there isn’t anything that isn’t touched in some way by mega-corps or glowie agencies.

            Tor was developed by the US gov, same with the ancestor of the internet. Your network traffic runs on mega-corp wires, through mega-corp servers. Your hardware is developed, built, and distributed by mega-corps, as is most the firmware and microcode in them.

            Even Richard Stallman, one of the most hardcore Free Software advocates has concessions he makes for firmware, microcode, and so forth.

            The only way to be truly and completely secure tech-wise is to pull a Ted K. And go run into the woods and live in a little cabin, disown any tech built after the turn of the century lol.

            It’s “all or something” not, “all or nothing.” Determine your threat model, your ethical bounds, and let those principles guide you. I think fundamentally what all FOSS folks have in common is the idea that the tech you use should serve your needs and desires, not the needs/desires of billion dollar mega-corps farming you as a product.

            • DidacticDumbass@lemmy.one (OP) · 3 points · 1 year ago

              This is the most sane perspective I have read. For sure it is important to have solid principles and do the right things whenever possible, but no one gets to demand changes for something they never contributed to, especially not those things that took a massive amount of money and human power to build. We are all standing on the shoulders of giants, and it is insane to think we can be Ratatouille, controlling them for our benefit.

              The only way to change governments and mega-corps is to make it unprofitable when they do the things we don’t like, or make it so doing the right thing makes them lots of money.

              Thanks for this, it is the reality check I need to make good decisions. Even if I do become the Unidumbass, the people I love would never follow me into that lifestyle.

              • Sploosh the Water@vlemmy.net · 3 points · edited · 1 year ago

                I actually have a formal methodology for how I engage with software/hardware from a FOSS perspective:

                Embrace, Subvert, Accept.

                For any task I do currently or want to do, I apply this process:

                I first try to find and use any FOSS software/hardware that does that thing well enough to use entirely. (Embrace)

                If there isn’t a FOSS solution that exists or does essential things I need, then I use a proprietary technology in a subversive way to do it. So cracked copies, jailbroken or otherwise hacked hardware, or using the proprietary service through an unofficial/unapproved 3rd party app. (Subvert)

                If I can’t do that either, but the task/need is absolutely critical, only then do I accept using proprietary and unmodified software/hardware. (Accept)

                This method has worked pretty great for me. Now about 3 years after starting my FOSS journey, I have almost no software/hardware I use that is in that third category. Basically everything I use is FOSS, hacked, cracked, modded, or runs on platforms that are, and I enjoy tech and computing more than I ever have :)

                • DidacticDumbass@lemmy.one (OP) · 3 points · 1 year ago

                  This is a good method. It is our duty to do everything we can to live by our principles, and be careful about the compromises we make. The more I go deep into FOSS, the more I discover. So much exists, it just takes some work on our part to fit it to our needs. Programming competency does not have to be high, just enough to fix any compile errors.

    • BoneALisa@lemmy.world · 2 points · 1 year ago

      What’s the saying? If you can’t tell if it’s ignorance or malice, it’s probably the former?

      However, with all of these points, even if it is ignorance, the lying about encryption (even though I don’t really use it) is upsetting. That plus the other lies I’ve seen them pull is enough to make me consider switching to something else.

      Got any recs? Lol

    • DidacticDumbass@lemmy.one (OP) · 1 point · 1 year ago

      Fascinating read. I have a lot to research. It is not like ProtonMail is the only alternative provider… there are so many, I just like all the extras that they are attaching to it.

  • thekernel@lemmy.ml · 14 points · edited · 1 year ago

    Not worth the hassle - best compromise is to get your own domain but use a provider like fastmail to host it.

    If they turn sour you can move your domain to another mail host.

    • DidacticDumbass@lemmy.one (OP) · 4 points · 1 year ago

      I think this is the solution I was thinking about in the first place. I was just musing about it being part of a home lab. I have to consider whether this solution is is better than just paying for secure email.

      • thekernel@lemmy.ml · 2 points · 1 year ago

        There are advantages to having your own domain - you can use something like vendor8832@yourdomain.com so each site you sign up to gets their own unique “to” address, that way you can easily send their mail to trash when you don’t need to deal with them anymore, and will also let you know what company had a data breach if that unique email address starts to get spam.
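An added example (not from this thread or from any mail software) of the one-address-per-site idea in the comment above: a small monitor that knows which site each alias was given to, flags mail arriving at an alias from anyone other than that site as a leak, and sorts retired aliases to the trash. The domain `yourdomain.com`, the aliases, the vendor domains and the messages are constructed sample data.

```python
"""Per-site alias monitor for a domain you control.

Added example, not code from the thread or any mail server. Every site gets
its own address; mail to that address from anyone other than the site means
the address leaked (sold or breached). All names below are constructed.
"""
from email.utils import parseaddr

MY_DOMAIN = "yourdomain.com"  # constructed; stands in for the domain you register

# Registry: alias local part -> (domain the site mails from, still active?)
ALIASES = {
    "vendor8832": ("shop8832.example", True),
    "newsletter17": ("news17.example", False),   # retired: send to trash
}

def sender_domain(header_value):
    """Extract the domain of a From: header, ignoring any display name."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()

def classify(msg, aliases=ALIASES, my_domain=MY_DOMAIN):
    """Return 'expected', 'leaked', 'retired', 'unknown-alias' or 'not-for-us'."""
    _, to_addr = parseaddr(msg["To"])
    local, _, domain = to_addr.lower().partition("@")
    if domain != my_domain:
        return "not-for-us"
    if local not in aliases:
        return "unknown-alias"      # catch-all hit for an alias never handed out
    expected_domain, active = aliases[local]
    if not active:
        return "retired"
    sender = sender_domain(msg["From"])
    # Accept the registered domain or a subdomain of it (mail.shop8832.example).
    if sender == expected_domain or sender.endswith("." + expected_domain):
        return "expected"
    return "leaked"

def triage(messages, aliases=ALIASES, my_domain=MY_DOMAIN):
    """Classify a batch; return the verdict per message and the leaked aliases."""
    verdicts = [classify(m, aliases, my_domain) for m in messages]
    leaked = sorted({parseaddr(m["To"])[1].lower()
                     for m, v in zip(messages, verdicts) if v == "leaked"})
    return verdicts, leaked

# Constructed inbound messages (only the headers the monitor needs).
SAMPLE_MESSAGES = [
    {"From": "Orders <orders@shop8832.example>", "To": "vendor8832@yourdomain.com"},
    {"From": "Totally Legit <promo@spam-house.example>", "To": "vendor8832@yourdomain.com"},
    {"From": "news@news17.example", "To": "newsletter17@yourdomain.com"},
    {"From": "someone@elsewhere.example", "To": "random99@yourdomain.com"},
    {"From": "x@y.example", "To": "vendor8832@otherdomain.com"},
]

if __name__ == "__main__":
    verdicts, leaked = triage(SAMPLE_MESSAGES)
    for m, v in zip(SAMPLE_MESSAGES, verdicts):
        print(f"{v:14} {m['To']:30} from {m['From']}")
    print("leaked aliases:", leaked)
```

The same rules translate directly into Sieve or rspamd settings on a server; the point of the script is that the alias registry, not the spam filter, is what tells you which company lost your address.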

        • DidacticDumbass@lemmy.one (OP) · 2 points · 1 year ago

          This is what I want! I want that granular control of having an email address compartmentalized for specific kinds of communication. I mean, I know it is something provided by basically all email providers, but I don’t know, for sure there are limitations. A unique address for each website seems like such a smart thing to do, on top of being stingy with giving out my email address.

          • timbuck2themoon@sh.itjust.works · 2 points · 1 year ago

            Protonmail at certain levels gives you simple login with unlimited aliases. Something to look into. I love it and have been with them for years.

            • DidacticDumbass@lemmy.one (OP) · 1 point · 1 year ago

              Thank you! I was also looking for validation that Protonmail is worth the purchase, since I use them anyways.

          • psilves1@lemmy.world · 1 point · 1 year ago

            Firefox Relay is by far the easiest (and imo best) solution for that

            You can try it for free and if you use it enough it only costs $24 a year

              • psilves1@lemmy.world · 2 points · 1 year ago

                Your first 5 email masks are free and if you install the extension a little icon will appear in most email fields. Lets you create a new mask right there.

                If you buy the premium version you can get your own custom subdomain: @XXXX.mozmail.com where you pick XXXX

                This way you don’t even need the extension. You can just do something like “Lemmy@XXXX.mozmail.com” and Relay will “create” that email for you. Cannot recommend it enough, especially since it’s free to start

                • DidacticDumbass@lemmy.one (OP) · 2 points · 1 year ago

                  That actually seems really awesome, like it defeats the reason I would ever want to create multiple email accounts, which is to manage different contexts like professional, personal for family and friends, commercial email for online stores, and email lists.

  • Thoms@red.cyberhase.de · 12 points · 1 year ago

    Just take a look at https://docs.mailcow.email/

    This runs from a small box with everything included. It gives you all the tools and config needed for running a secure and feature rich email service. Webmail, some sort of Exchange emulation, web calendar on top of a solid postfix/dovecot install with rspamd as spam filter. Everything is configurable via a nice web UI.

    After 15y running my own mail service and editing a lot of config files, I use this piece of free and open software and find it very good. All you need is a box somewhere in the internet. Running from a homelab will instantly fail, unless you have a static IP.

    • SmugBedBug@lemmy.iswhereits.at · 3 points · 1 year ago

      Been using mailcow too. Pretty solid setup. Gmail doesn’t play nice with spam though, even though SPF, DKIM, and DMARC are properly set up. I ended up having to relay through SendGrid to ensure emails were delivered.

      Still don’t regret it though.

      • Thoms@red.cyberhase.de · 2 points · 1 year ago

        Maybe Google blocks large IP blocks of VPS hosters like DigitalOcean then? I moved my mail setup from a 15y old IP with best reputation to a new one on the VPS hoster that is listed as provider on the mailcow site. I have no problems at all, I have DMARC reports enabled and all mails to Gmail are passing.

        The only provider that was blocking the IP was German Telekom, t-online. I wrote a mail to the abuse/postmaster and with some asking for an imprint on the webpage that the IP was pointing at, they whitelisted the IP in 24h.

        mailcow has some sort of DNS settings agent that shows the DNS settings for every domain, rDNS and DKIM, DMARC, SPF, and checks these settings against the values reported by the DNS.

        • SmugBedBug@lemmy.iswhereits.at · 1 point · 1 year ago

          I’m with ovh dedicated. I just gave up on trying to fix the issue.

          I don’t remember mailcow having a list of recommended hosters. I’ll go check that out!

    • DidacticDumbass@lemmy.one (OP) · 1 point · 1 year ago

      Neato! There seems to be a lot of solutions for running a mail server.

      Yeah, I think it is time, I need to get familiar with Docker.

      Yeah, I was clueless thinking I could run it from my home. Hah. I just wanted to avoid paying for a VPS. Which is silly because I buy too much crap all the time and have multiple subscriptions.

      This is actually valuable.

      • Thoms@red.cyberhase.de · 2 points · 1 year ago

        mailcow lists a small German VPS hoster with a fair price and the right sizing. It’s not a big hoster, Gmail and Microsoft are not blocking the IP range and the ASN is not listed on any blacklist.

        The support is quick and helpful, rDNS was a matter of minutes to set up. You don’t need any deeper knowledge of Docker, since it is a one-time job to set the things up and get the stack running. The documentation of mailcow is very good.

        You can run it from home, but you will need a forward host like SendGrid and maybe a backup MX. You can set a primary IP and a backup IP which will get all the mails when the primary host is down. I guess there are commercial or free backup-MX services out there. No problem. If you have a static IP for your homelab or at least a dynamic DNS name, it will work. Receiving is easy. But you will need a good forward service for sending.

        • DidacticDumbass@lemmy.one (OP) · 2 points · 1 year ago

          Needing an extra service to forward emails seems to defeat the purpose of having everything local. Everything I read about email, being clear-text and whatever, makes it so it is impossible to improve. Email is a dead end, so I probably don’t actually want to get too involved with it the more I learn.

          I mean, growing up I really thought the internet would become a way to connect directly to people, computer to computer interaction. Everything requires an intermediate service, making everything insecure and expensive. What a stupid future.

          • Thoms@red.cyberhase.de · 1 point · 1 year ago

            That’s right. Also important, email is not a playground for experiments. Once it runs, you should not touch it anymore, except for updates. Otherwise, you will do harm to your own way of communicating. One error, and you will lose all your reputation and someone spams half of the internet with your domain as sender.

            And when it runs, the only thing to improve is tuning the spam filter for your instance. Implementing all the rules that you fight the other day, because otherwise your inbox explodes. So you have to do all the shady things and block IPs, filter with blacklists and check every DNS for all those extra entries needed for delivering mail… You must become a part of the problem, spammers all behind every cracked WordPress and insecure VPS out there.

            • DidacticDumbass@lemmy.one (OP) · 1 point · 1 year ago

              Damn, email seems so fragile. I am getting so many perspectives, but the main thing that seems like such a gotcha is managing spam, which seems like such a headache.

              No, I do not want to become part of the problem.

  • sunbeam60@lemmy.one · 11 points · 1 year ago

    Despite my willingness to self-host almost everything, e-mail remains the last frontier for me. Keeping abreast of standards, keeping up to date, avoiding implications in abuse and many, many smaller issues abound … and that’s despite my fixed IP and ISP willing to set up a reverse-DNS for me.

    Instead I’ve gone with a paid email provider that I’m REALLY happy with.

    • Wintermute@lemmy.villa-straylight.social · 3 points · 1 year ago

      Yeah, after I got my lemmy and matrix servers up and running I started looking at doing mail myself… The rabbit hole just kept getting deeper and darker, and MTAs seem to have stopped evolving in the 90s so I gave up. Email for my lemmy instance is now handled by Google. I’ve always used one of the big players (currently Outlook because I got a good username when they opened up the outlook.com domain) for my personal email.

      • fuser@quex.cc · 2 points · 1 year ago

        good call. the time spent getting postfix, dovecot and spamassassin set up so they actually work is nontrivial, and then once you congratulate yourself that it’s all working perfectly, none of your email will be delivered, so you can then start learning about how overzealous blacklisting works.

    • flauschke@feddit.de · 2 up / 2 down · 1 year ago

      I’ve been apparently hating myself for a few years now. It’s going alright though. Google still accepts my emails. Hotmail appears to have blocked me but I’m working on it. I haven’t noticed any other problems so far

  • DrinkMonkey@lemmy.ca · 11 up / 1 down · 1 year ago

    Not likely worth it. Primary reason is that the large federated email services are also skeptical of email from services such as your proposed self hosting solution and may simply not deliver the mail you send. This is to mitigate against spammers setting up bespoke servers.

    There are a bunch of other things that could go wrong if you don’t set everything up perfectly, but even if you do, this would be a big problem.

    Better off using a custom domain with a big provider. Fewer headaches. I like Fastmail, but many others are great too.

    • DidacticDumbass@lemmy.one (OP) · 1 point · 1 year ago

      Thank you for the tip! Any advice on buying a domain name? It is something I should have done decades ago but was never sure about.

      I have basically no web development experience, but perhaps that will force me to keep it simple. Get that old web style we all miss.

      I would love to have my own website for personal web services, and eventually something professional. I just don’t want to overpay for something like Squarespace or whatever, and it seems dumb to not have full control.

  • UselesslyBrisk@infosec.pub · 11 up / 1 down · 1 year ago

    I stopped running my own a while ago. It’s no longer really decentralized and the big players (Google/Microsoft) will often just blacklist you for little reason.

    That said I DO maintain my own domain and backups. So I can take my email to whatever hosting provider I want.

    I also noticed, during the migration, that if you simply register your domain with one of the big players (ie: Google Workspace or M365) you will often get whitelisted and email will flow easier. This was easier when they had a free tier though.

    • SmugBedBug@lemmy.iswhereits.at · 3 up / 1 down · 1 year ago

      Got the same issue. Everything was set up properly. SPF, DKIM, DMARC were all good. Server IP wasn’t in any blocklists. But my messages would still fall in spam with Gmail.

      Ended up setting SendGrid as a relay and all is good now.

    • DidacticDumbass@lemmy.one (OP) · 1 point · 1 year ago

      I guess you got to play the game if you want to win. Google and Microsoft have the same level of trust from me, so it goes to whoever makes it easier.

      • UselesslyBrisk@infosec.pub · 2 points · 1 year ago

        Pretty much. It’s kinda nuts. I just host with Google at this point. It’s easier though privacy is a disaster. I consider email to be public at this point though after the Snowden stuff. Have considered moving to something like Proton but their lack of support for contact syncing makes it tough, specifically for my wife. She uses Apple Mail as well, which I THINK Proton can now support via IMAP or something, but not having contacts synced is hard.

        That said I back up all of my Google Workspace stuff, email included, to a local Synology using their app. So I have copies of everything should I need it (ie: Google decides to suspend me for no reason.)

        • DidacticDumbass@lemmy.one (OP) · 1 up · 1 year ago

          Damn. Privacy is something I was hoping would be a benefit from self-hosting.

          I mean, I haven’t taken the bite yet but it is way more than I can chew. I am not keen on basic stuff like encryption.

          Hell, I just want to have both my email accounts on my phone without paying for it. I think privacy is worth paying for, but I need to be smart about what I trust.

          • UselesslyBrisk@infosec.pub · 1 up · 1 year ago

            Here's the catch with email and privacy. Unless you are GPG encrypting the email, even Proton doesn't matter, as whoever you are sending to likely has it unencrypted at rest on their server.

            And while TLS in transit is better than it used to be with their SMTPS or STARTTLS, plenty of mail servers don't do it. So even transport is an iffy game sometimes.

            At the end of the day, it's better to:

            A. GPG encrypt the email. Which requires both ends to be technically competent.
            B. Consider it to be quasi-public, like talking quietly in a coffee shop. Most won't hear it, but if someone does, shrug.

            • DidacticDumbass@lemmy.one (OP) · 1 up · 1 year ago

              Right. One of the articles someone linked basically explained this limitation. So, privacy is kind of an illusion, or a half-true marketing gimmick.

      • chewbakartik@lemmy.ca · 1 up · 1 year ago (edited)

        I am also using mailcow to host my own email server, and it’s pretty fantastic. One thing that I wanted to note, because as many people have mentioned, the actual sending of emails is a real pain, and hard for anyone that isn’t a major player to not be blacklisted. I am utilizing PostmarkApp as my SMTP provider. They are a leader in transactional sending of emails from applications. For a relatively small subscription fee, you can configure mailcow to use Postmark (or a similar service) to send your emails with higher success rates.

        You can do some research on providers that have good track records for sending out transactional emails from applications (geared towards programmers) and test it out. I believe that AWS also has a service that’s usable.

        The really nice thing about this setup is that it’s inexpensive and easy to have multiple domains with multiple mailboxes on each, compartmentalized, and not have to worry about your outgoing mail being rejected.
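        The relay arrangement described in the comments above (SendGrid, Postmark, SES) comes down to one Postfix setting: hand every outbound message to an authenticated submission host instead of connecting to recipients' MX servers from your own IP. The fragment below is an added illustration of that pattern in plain Postfix `main.cf` terms; it is not mailcow's own configuration (mailcow exposes the same settings through its relay-host UI) and the relay hostname, port and credential path are assumptions to replace with your provider's values.

```ini
# main.cf fragment (added example, not from the thread or from mailcow).
# Route all outbound mail through an authenticated submission relay so it
# leaves from the provider's reputation-managed IPs, not the home/VPS IP.
relayhost = [smtp.relay-provider.example]:587

# Log in to the relay with the credentials kept in the map below
# (the map file holds one line: "[smtp.relay-provider.example]:587 user:secret",
#  then run "postmap /etc/postfix/sasl_passwd" and chmod 600 both files).
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

# Refuse to send those credentials over a session that is not TLS-protected
# and verify the relay's certificate against the system CA bundle.
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
```

        Two things still need to be true after this change: the relay provider's sending hosts must be covered by your domain's SPF record (usually an `include:` they document), and DKIM signing must either stay on your server or be delegated to the provider, otherwise the relayed mail fails DMARC at the receiving end just as direct delivery would.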

        • fuser@quex.cc · 2 up · 1 year ago (edited)

          AWS has Simple Email Service (SES) which works, although it’s annoying to have to resort to a corporate service for outgoing mail just to make sure it’s delivered. Reliable delivery to every recipient when sending directly from a small mail server seems practically impossible nowadays.

        • DidacticDumbass@lemmy.one (OP) · 2 up · 1 year ago

          This is probably the most solid advice I have gotten concerning the sending problem. I really hope I can set up something stable and reliable that works in the long term. I do like that once I have my own domain, it is easy to port to other services or providers.

          I think I will take it slow. Learn to use Docker. Learn to use Proxmox and launch VMs. I have slept on these technologies because I am not a developer, so it never seemed better than just installing stuff from my package manager. Now I want to learn.

          • chewbakartik@lemmy.ca · 1 up · 1 year ago

            Proxmox is a fantastic option. Let me know if you ever need any help with the setup. Learning new tech options, trying out new things is always something I enjoy doing. Even failing through things is invaluable. Best of luck with your setup.

            • DidacticDumbass@lemmy.one (OP) · 1 up · 1 year ago

              Proxmox is wild. It does so damn much and is open source. The subscriptions look reasonable too. I don’t plan to make money with my server, but I LOVE the range of options they have. Very granular, makes it affordable for everyone.

              Enterprise software is no joke, using it makes me feel powerful, like I can do anything without needing to be a wizard.

    • Vivia 🦆🍵🦀@sh.itjust.works · 3 up · 1 year ago

      Another happy mailcow user here. I used to have everything set up manually until a few months ago when I decided to migrate into a bigger hardware instance.

      My only complaint is that I can’t find a self-hosted way to protect the actual mailbox with 2FA. IMAP/SMTP have plain username/password authentication.

      • Malin@omg.qa · 2 up · 1 year ago

        That would be next to impossible to fix because the issue lies with the protocols not with the framework using the protocols.

    • tr00st@lemmy.tr00st.co.uk · 1 up · 1 year ago

      Ditto with Mailcow - easy enough to set up, and has worked well enough for setting up multiple domains etc.

    • SmugBedBug@lemmy.iswhereits.at · 1 up · 1 year ago

      Out of curiosity, what is AnonAddy used for? I looked briefly on their site and it appears to set up email aliases. You can do that in mailcow though.

      Is there anything else that it allows you to do?

      • Malin@omg.qa · 3 up · 1 year ago

        Well, it is a different type of mail system. I use it for catch-all. I have like 200 domain names for various projects or registered to sell, and I want to catch all emails sent to those domains without setting them up in mailcow. With AnonAddy I verify their DNS records and that's it. I can capture all emails sent to them and forward to a specific address. Also, I can use whatever email address I want with whatever domain I want to subscribe to services and keep track of who sells my email, for instance. They also have a Chrome extension that you can use to generate emails, but imho that is overkill. Then if you see that one email gets too much spam you can simply delete that forwarder and it gets rejected in the future.

  • Album@lemmy.ca · 11 up / 3 down · 1 year ago (edited)

    Your own email server requires near 100% uptime or you risk not receiving critical emails. If a remote email server is trying to contact your email server and it can't, it's only going to retry a few times and then give up. Hosting this yourself sounds great until you realize high uptime is not cheap and requires constant attention.

    Setting it up securely can be difficult depending on your understanding of server infrastructure as well as protocols like DNS. You need to set up SPF, DKIM, DMARC, etc. in order to prevent someone from faking an email from your server.

    Of course, federated email does not use SPF/DKIM/DMARC because the whole point is that someone from another server could use your server to send an email (hence the federation). Open email servers were common 20 years ago but very rare today. That makes setup easier, but the main caveat is that most known non-federated email servers will reject email from servers that don't have SPF/DKIM/DMARC because they generally end up being havens for bots and spam since there is no verification or authenticity of the sender.

    As someone who self-hosts a lot of things, I would never self-host my email. If I did I would be paying for two boxes in different parts of the world on different ISPs to provide that uptime. I would definitely set it up securely and not as a federated server, otherwise it would be practically unusable for day-to-day emails.

    • Saik0@lemmy.saik0.com · 4 up · 1 year ago

      Your own email server requires near 100% uptime or you risk not receiving critical emails.

      I disagree. You can take some amount of downtime without issue.

      https://wpmailsmtp.com/docs/how-to-automatically-resend-a-failed-email/ as an example for some services.

      Many services (including postfix by default) will attempt a number of resend operations before it gives up.

      Of course, federated email does not use SPF/DKIM/DMARC because the whole point is that someone from another server could use your server to send an email (hence the federation).

      What? All email is federated. What are you talking about here? SPF/DKIM/DMARC are on top of email… and have nothing to do with the federated property of email. Federation does not mean that you login or use another server. But that you have your instance, and the servers hash out the cross communication amongst themselves. That’s EXACTLY what email servers do using SMTP.

      I would definitely set it up securely and not as a federated server otherwise it would be practically unusable for day to day emails.

      If your email wasn’t federated then you would get emails from anyone outside of your own instance. That would make email useless for 99% of the world.

      • Album@lemmy.ca · 2 up / 3 down · 1 year ago

        I take “federated email” to refer to a juxtaposition with normal email implementation which harkens back to how it was in the 90s or early 00s where you didn’t need to be registered on many SMTP servers in order to use it and it’s stripped of server-side validation. There’s some discussion on this topic in the fediverse.

        You’re right that the default current implementation is already federated.

    • albemmy@lemmy.world · 2 up · 1 year ago

      This is disingenuous on many counts.

      A mail server does not require 100% uptime. The only messages you would miss from a brief downtime would be from a bad behaving mail sender. Even if your server was down for a day you likely wouldn’t miss any mail, if it was longer than 24 hours you might start missing some.

      SPF is all that's really needed to prevent someone from faking mail from your domain; if it's set to strict, most mail providers will reject fake/spoofed mail at this point. This lets the receiving mail server know which servers/IP addresses are allowed to send mail for the domain.

      DKIM - before sending an email your server will create a signature and add it as a header. The DKIM DNS record stores the public key so the receiving mail server can verify the email’s authenticity.

      DMARC - Largely I only ever get reports from Google. MS and others rarely send them. Anyway, this is basically a tool that alerts you that unauthorized emails are being sent from your domain. If this happens, likely your SPF record is incorrect.

      There are tools to help make sure your setup is correct, such as this https://mxtoolbox.com/SPFRecordGenerator.aspx

      The rest of your comment contains outdated information. This post is about running a mail server in 2023. Some anecdotal statements about what it might have been like to run a mail server 20+ years ago serve no purpose here other than to scare people off from trying to host their own mail. If you succeed in that at least we could continue to sit around whining that Google and Microsoft have email all locked up and us little guys can’t do anything about it but to continue to regurgitate how hard it is and you just shouldn’t even try.
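      The comment above describes what a receiving server actually checks: SPF names the IPs allowed to send for the domain, DKIM carries a signature verified against a public key in DNS, and DMARC publishes what to do when neither passes. The Python below is an added example, not code from the thread or from any mail server named in it. It evaluates an SPF record against a connecting IP and reads a DMARC policy the way a receiver would; no DNS is queried, the records live in a constructed in-memory table that uses reserved documentation domains and address blocks. DKIM verification needs the signature's RSA or Ed25519 check and is left out; `dkim_aligned_pass` is simply passed in as a flag.

```python
"""Evaluate SPF and DMARC records the way a receiving mail server does.

Added example for this thread, not code from any project in it.  No DNS is
queried: FAKE_TXT is a constructed stand-in for TXT lookups, using reserved
documentation domains (RFC 2606) and address blocks (RFC 5737 / RFC 3849).
"""
import ipaddress

# Constructed records standing in for DNS TXT answers.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",        # softfail policy
    "_dmarc.example.net": "v=DMARC1; p=none",              # monitor only
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query (returns None when no record exists)."""
    return FAKE_TXT.get(name)


def evaluate_spf(domain, sender_ip):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none')
    for a connection from sender_ip claiming MAIL FROM in `domain`.

    Only the ip4/ip6 mechanisms and the final 'all' are handled; mechanisms
    that need more lookups (include, a, mx) raise rather than being silently
    treated as authorized.
    """
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"               # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"             # an unqualified mechanism means "pass"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return RESULT_FOR_QUALIFIER[qualifier]
            continue                # no match: evaluate the next term
        raise NotImplementedError(f"mechanism not handled in this example: {term}")
    return "neutral"                # record ended without an 'all' term


def parse_dmarc(domain):
    """Return the tag dictionary of _dmarc.<domain>, or None if absent/invalid."""
    record = lookup_txt(f"_dmarc.{domain}")
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None                 # a DMARC record must carry v= and p=
    return tags


def dmarc_disposition(from_domain, spf_result, dkim_aligned_pass=False):
    """Decide accept/quarantine/reject for a message whose From: header is in
    from_domain.  Alignment is assumed here: the SPF result is taken to be
    for from_domain itself (relaxed/strict alignment is not modelled)."""
    if spf_result == "pass" or dkim_aligned_pass:
        return "accept"             # at least one aligned authentication passed
    policy = parse_dmarc(from_domain)
    if policy is None:
        return "accept"             # no DMARC policy: receiver's local rules apply
    return {"none": "accept", "quarantine": "quarantine",
            "reject": "reject"}.get(policy["p"], "accept")


if __name__ == "__main__":
    for dom, ip in [("example.com", "203.0.113.9"), ("example.com", "192.0.2.1"),
                    ("example.net", "192.0.2.1")]:
        res = evaluate_spf(dom, ip)
        print(f"{ip} for {dom}: SPF {res} -> {dmarc_disposition(dom, res)}")
```

      The `-all` / `~all` distinction is the "strict" setting the comment refers to: with `-all` a receiver that honours SPF rejects an unlisted source outright, with `~all` it only marks it, and the published DMARC `p=` then decides whether that becomes quarantine, rejection, or just a line in the aggregate report.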

  • beepboopdanger@lemmy.skl.works · 9 up / 1 down · 1 year ago

    Running a mail server these days is not that difficult. While using pre-assembled stacks like mailcow, only the DNS entries need to be done. If you want to run it at home you should do some research on routing all the traffic through a WireGuard tunnel to preserve a public IP other mail instances will accept.
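    The tunnel arrangement mentioned above, written out as an added example (not configuration from the thread or from mailcow): a cheap VPS holds the public IP that MX, SPF and PTR records point at, the home mail server reaches it over WireGuard, inbound port 25 is forwarded down the tunnel, and the home server's default route goes back up the tunnel so its outbound SMTP also leaves from the VPS address. Every key, hostname, interface name and the 10.8.0.0/24 tunnel subnet is a placeholder; the two `[Interface]` sections are two separate `wg0.conf` files shown together.

```ini
# ---- VPS: /etc/wireguard/wg0.conf (assumed public interface eth0) ----
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
# Route for the tunnel and NAT the home server's outbound traffic so it
# leaves with the VPS's public address (the IP other MTAs will judge).
PostUp   = sysctl -w net.ipv4.ip_forward=1
PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp   = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp   = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# Hand inbound SMTP on the public address to the home server.  No SNAT here:
# the connecting MTA's real IP must survive, or Postfix's SPF and reputation
# checks on incoming mail would see 10.8.0.1 for every sender.
PostUp   = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 10.8.0.2:25
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 10.8.0.2:25
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT

[Peer]
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# ---- Home mail server: /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.8.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example:51820
# 0.0.0.0/0 makes the tunnel the default route, so the server's own port-25
# connections to other MTAs originate from the VPS IP (and an ISP block on
# outbound 25 at home no longer matters); wg-quick adds the policy routing
# that keeps the UDP endpoint itself reachable through the LAN gateway.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

    With this in place the DNS side is the same as for any hosted server: the MX and `A` records and the SPF `ip4:` entry carry the VPS address, and the VPS provider's reverse DNS for that address should resolve to the name Postfix announces in HELO, since receivers compare the two.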