Ask Slashdot: How Would You Host Your Own Email Server?

"It has become too easy to take Linux and FOSS for granted," warns a Linux Journal editorial by Doc Searls, complaining, for example, that today "We collaborate inside proprietary environments, such as Slack and Google Hangouts."

Long-time Slashdot reader whh3 wants to live differently -- and to model a different set values: After reading the recent Doc Searls article in Linux Journal, I realized that I need to get back to my roots. The first step will be to build/setup/run my own email server for my vanity domain.

The problem is, I haven't run my own email server since the 90s. It was easy back then -- there was much less SPAM and self-hosted email servers didn't have to jump through hoops to make sure that they weren't blacklisted as senders.

So, I am reaching out to this great community to find out if there are any good tutorials on modern-day best-practices for self hosting an email server. Any tips/tricks/pointers would be great appreciated!
A lot's changed in 20 years -- but for such a basic form of online communication, is it still possible to roll your own? Or are we trapped in a world where private conversations about valuing open source software take place inside Google's proprietary Gmail client.

Leave your own suggestions in the comments. How would you host your own email server?

Mail in a box

[goaliemn]

An all in one package that runs on Linux. It uses a dedicated server. I use a $5 linode and it runs great.

https://mailinabox.email/

Re:

[nbvb]

Best answer yet. Damn thing works great, and has for the last few years.

An alternate idea is to really roll your own

[Excelcia]

Mailinabox is a turn key solution, sort of, and there is nothing really wrong with that. But the problem with those is that you get people who know enough to apply a turn key solution without knowing enough about the workings to handle issues that come along.

If you really want to get a good mail server running, the best way to do it is to learn and do it yourself. When I set mine up it took me a week or so of initial pain, and it was a lot of work I won't lie, but now I have a server I know inside and out and has been reliable as a Clydesdale. I have multi-domain virtual mail hosting configurable with a few clicks through PostfixAdmin. It's end-to-end secure with excellent encryption that I can trust. It also lets me run a couple domains of WordPress too. And, as a bonus, it gives me a "server" for SyncThing, which means I have my own "DropBox"-like solution that I control.

I'm not going to give total step-by-step instructions, because that's long and complicated. But I will offer some points of advice plus all the documentation I usd to set up mine:

1. 1) First thing to think about is hosting. I recommend finding a good KVM VPS (Virtual Private Server) hosting service. No matter where you live, I'd highly recommend not even thinking about getting one physically located in the USA [nomadcapitalist.com]. Being Canadian, I chose a home-based solution. This is great for people physically located in the USA too, since it offers you better privacy protection, and good connectivity. The one I use is CACloud [cacloud.com], and I have found them to be extremely professional and very reasonably priced. Make sure your login to your VPS host is extremely secure.
2. 2) Heir and a Spare. Whatever solution you get for hosting, get two. One will be the production, the other will be the test. This lets you try everything out (including upgrades) on the test platform before rolling out on prod. This also lets you do your own DNS and gives you a primary and backup DNS server. You will want your own DNS server for when you get into SPF, DKIM, DMARC, and so forth. When you set them up, set up testing first. When you are using root to first set it up, create an admin directory and religiously duplicate every config file you edit into that admin directory so you can duplicate everything you do onto prod when you set it up. I pay $10/mo for prod and $5/mo for my testing server. It shouldn't break the bank.
3. 3) Pick a Linux flavour. I highly recommend vanilla Debian. 95% of all desktop Linux is based on Debian, vanilla Debian is server friendly, Debian is conservative (which is what you want for a server) and they take software freedom seriously. They may dither themselves into insensibility sometimes, but that just makes it stronger if you ask me. Plus, as a bonus, almost every tutorial for Ubuntu, Mint, etc will also work on it.
4. 4) The first (and I mean very first) thing you do the first time you log in is make sure SSH is set up properly. This is tinfoil hat time. The NSA is known to collect SSH keys as systems get set up, so be careful. Until SSH is set up properly on your machine, consider that any password sent through is compromised. A lot of VPS hosts are insecure on their initial setup. If you are using a VNC applet, like some places use, be careful because the applet sometimes is running on your local machine, which means the connection is insecure.
5. 5) The hard work starts here. Tutorials are your friend. Luckily there are some really good ones. Here are the ones I used. The nice thing about Debian is, because it's pretty conservative, tutorials for one version often work very well on later ones.
   Secure Secure Shell [github.io]
   Stong SSL Security on lighttpd [raymii.org]

Flip the NSA the good ole American Bird

[Excelcia]

you cannot protect yourself from three letter government agencies. All they have to do is say "it's a matter of national security," and people stop asking questions if they want to stay alive and out of prison.

They have to say a lot more than that to operate here.

If the NSA has hard hooks into my Canadian VPS hosting provider, then sure, it's likely game over from the beginning. Even if it is the case, I still intend to make it as hard for them as I can and so should you. Don't roll over for anyone. But I don't think that is the case. We learned a lot from Snowden on how they operate sniffing for older, insecure ways that SSH created and used keys and we know they would actively store secret keys when they co

Some tips

[tigersha]

Look at Haraka. A mailserver written wih nodejs that is trivial to program your own plugins for. In many respects Much easier to make your spamfilter and blackwhite lists precision surgery.

Example for haraka:

Timed addresses like joe-04052019@domain.com gets delivered to joe but only begore a deadline
You can precisly blacklist addresses and match rhem with specific snders. Sonif you an an email like bank@joe.domain.com and the mail is not regex matched from xxx@yyy.bank.com it is wiped off the earth.

My Harak

Re:

[Narcocide]

If your mail server is a resource hog, you're doing it wrong.

Mail in a box

[goaliemn]

An all in one package that

This is not difficult.

[Static]

I run my own email server. I pay for an EC2 instance in AWS that it sits on. Inbound email goes straight to it (and there are a few settings in the SMTP server to control spam and other crap); outbound email goes out via Amazon's Email system. I run Courier as the MTA and connect to it from my laptop using IMAP over SSL. I have all my DNS records in Route 53 on AWS, too.

Re:

[jwhyche]

This was pretty much going to be my recommendation. I run my own email server here at my home office, but I've thought of moving it to a online host like AWS or Azure.

Re:

[ron_ivi]

outbound email goes out via Amazon's Email system

Does that defeat half the purpose?

Roundcube

[nickwinlund77]

Use smtpd & Roundcube on a virtual private server (VPS) such as Linode or dreamhost. I use this with SSL and it works great.

Re:

[PCM2]

This. If you've just got a "vanity domain," I don't see why you wouldn't just get cheap shared hosting and be done with it. I think my provider runs Postfix, but I've had few problems with mail bouncing because of blacklists. The one or two occasions were swiftly resolved.

For spam, I use SpamAssassin and two folders in my Inbox: "spam-learn" and "ham-learn," to which I copy messages as appropriate. Each night, a cron job scans both folders and trains the Bayesian spam filters accordingly. I'm down to less t

Re:

[omnichad]

The problem with shared hosting comes down to ip reputation. You have to have your own ip address for your account. Otherwise all it takes is one bad customer out of thousands on that server to get you blacklisted.

You're lucky. And not.

[Qbertino]

You're lucky in that regard that is email and things haven't changed all that much since the 90ies. Probably since the 80ies in fact. The tough part is that things haven't changed all that much. Email is a protocol from the steam age of computing.

However, I have heard that Postfix is easyest to configure. And there's a good Oreilly book on it.

Re:

[Aighearach]

Postfix isn't the easiest, it is just the easiest of the feature-complete options.

Re:

[Tough Love]

TLS is a pretty big change, but it isn't too hard to get it set up.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[AHuxley]

Freedom of speech and freedom after speech for everyone on a email service?
More free speech than on social media?
Email works on most OS, with most type of internet.
Easy to search, sort, archive.
Social media is no longer a gatekeeper on the content sent between people.

Re:

[account_deleted]

Comment removed based on user account deletion

raspberry pi

[lorinc]

Set up a raspberry pi with debian, dovecot, exim4, spamassassin, apache and rainloop. It's easy and it works great. For smtp, use your provider server, as most won't let you set up one.

Re:

[rnturn]

"For smtp, use your provider server, as most won't let you set up one.

I think you're referring to the connection you get with the typical consumer ISP service. Users of these services have been up against this problem for years and years. Pay extra for the fixed IP address option and you likely won't have a problem with setting up your own servers.

The only outfit that I've had problems with runing servers was a new wireless provider who was offering fixed IP addresses--at extra cost--but with a "no serve

Not that difficult

[mabu]

Don't listen to the people who say it's too difficult. It's not.

I've been running my own mail server since 1994.

These days I'm using Postfix instead of Sendmail or Qmail.

I have my own relatively large IP-based blacklist that I use both inbound and outbound.

You can stop a huge amount of the spam by doing two things: Using SORBS relay blacklist (as well as various others) and also maintaining your own Class A and Class B IP-based blacklist. For example, are you doing any business with China, Russia or other countries from which the lion's share of spam originate? If not, then just refuse to accept any mail traffic from them by default and manually whitelist anybody you need.

On the receiving end, here's where you also need to apply dilligence, because as soon as you have a port open for IMAP or POP3, you're going to be bombarded with lots of automated attempts to crack e-mail accounts. Again, apply very broad IP-based blacklisting (I like to use tcp_wrappers with dovecot) to wholesale ban anybody from countries where it's unlikely I'd be to check my mail -- or better yet, block all IP traffic except for specific addresses. This works great.

IF you want to go that route

[guruevi]

I personally use Mailu. It's easy to roll and scale in Docker. However for the cost of a VPS and time consumption of maintenance, you'd better spend money on a privacy-centric e-mail service such as ProtonMail.

outgoing SMTP is a headache nowdays

[Dorianny]

Unofrtunately to combat spam SMTP outgoing has bcome pretty complicated.

1. you will need a reverse arp so a machine running behind NAT will not do.

2. you will need ssl certificates for tls. Fortunately you can now get them for free from letsencrypt, however they expire every 3 months so make sure to setup certbot to automate.

3. SPF/DKIM/DMARC

Without setting up all of these at best your emails will go straight to the receivers Spam folder

Re:

[kwalker]

ARP does not cross network boundaries. I think you mean a reverse DNS that matches your domain name. That is not required, but would be a good idea. If you have a decent ISP (Beyond the scope of this conversation) that should be a contact to their support department.

You can get SSL certs for free from Let's Encrypt. You don't need to though. No one verifies the certs, they just auto-accept them so the connection is encrypted and harder to snoop.

SPF is a fire-and-forget change to your DNS settings. DKIM and

Re:

[Dorianny]

Thanks for the correcting me on "reverse DNS," I should have read what I wrote before I fired the post.

I was not aware nobody verified the SSL cert, good to know but if you are going to get one for webmail anyways, it doesn't hurt to use it as the MTA cert too.

As far as DKIM and DMARC, they both require manual configuration, so they can be tricky for someone that doesn't know much about DNS and MTA's

Done it for years - its easy(ish)

[snarfies]

1) Get a VPS. I've been on transip.eu for quite a few years now.
2) Install your distro. I use Debian, YMMV.
3) Install iRedMail (https://www.iredmail.org/). It automates the installation of your mail server, and protects it with fail2ban.
4) Point your domain name toward the VPS

Done, probably.

Virtualmin (Webmin + Usermin)

[pepsikid]

Spin up a virtual machine using free s/w like Virtualbox, install an edition of Ubuntu Linux, then install the free version of Virtualmin.

The virtual machine will give you the freedom to move your servers to better hardware if you like, or even move it to a cloud server. Virtualmin will give you an amazing web-based interface to launch and manage all kinds of servers such as Postfix email. You'll be able to receive email directly, use free blacklist services and also install local spam & virus filters,

Re:

[iggymanz]

no need for virtualization at all. run the Linux on bare hardware, you'll still have the freedom to move to better hardware, it's trivial. No need for any admin GUIs, the command line setting up of postfix with spam protection takes minutes. It can easily been done on a BSD or Linux elsewhere.

what's this nonsense about needing a relay outbound? You don't, as long as port isn't blocked: don't chose service where it is

been doing my own mail server for a couple decades, easier than making a web server.

Re:

[omnichad]

The last time I upgraded my home server, I just took the boot drive from the old server and stuck it in. It took a little longer to boot the first time, but no issues.

Believe it or not, Windows 10 can do this now. If the source and target motherboards both have their own digital license, you don't even have to deal with activation issues.

It's still possible. I'm stubborn enough to do it.

[subreality]

I've been running my own since forever. It's become harder over time, and I don't think I'd set up my own if I was starting from scratch now, but I can respect the desire to DIY and keeping control of your own communications.

You can't run an SMTP server on a home connection any more. Dynamic IPs are completely blacklisted, and even static IPs won't be accepted a lot of the time. You will need a server in a colo. I'm using a small VPS.

I use Postfix, Amavis, Spamassassin, Dovecot, and Mairix. I'm happy w

Re:

[bobby]

Thanks, great info. I might take some of your advice someday if I get the chance...

One of my part-time jobs is admin for a small hosting company. We have static IPs of course, and static NAT and I route external ports to whatever internal IP and port I choose. Works perfectly.

We used to have an email server that was a major part of the business. I did _not_ build it. It was CentOS running Qmail (and Squirrel Mail for webmail which I kind of liked.) It was fine until Verizon decided to stop relaying po

Another option

[Flexagon]

I saw this review go by recently and it looked interesting. It avoids many of the do-it-yourself pitfalls, but it still involves a third party that you have to trust, but in a different way.

Helm email server [theintercept.com]

I've not used this, so I can't offer any experience with it. And I have no association with them.

Requires a little effort

[mewsenews]

Get a cheap VPS (ssd vps on OVH are great) and install debian stretch. Then follow the ispmail guide: https://workaround.org/ispmail... [workaround.org] I just got this set up after running a jessie server for the past few years, it is AMAZING. Spam blocking, virus blocking, DKIM, SPF, dmarc, etc etc etc

Easy to build

[Todd Knarr]

I run my own email server. It's not that hard. Postfix for the MTA, Dovecot for the IMAP server, MySQL for the mail address/routing database, OpenDKIM and OpenDMARC and postfix-policyd-spf-python, SpamAssassin and the Zen RBL to clean up the crap, and a self-writtten small Vue.js application and Rails back-end to manage the database. There's turn-key mail-server systems available, but for me they were more work to set up and maintain than rolling what I needed from scratch. The config changes (to go from th

Just do it

[hierofalcon]

1. Business ISP plan so the ISP isn't blocking you with static IP, get a domain, get DNS and reverse DNS configured properly.

2. postfix, clamav, spam assassin, milter-greylist, fail2ban monitoring the mail logs - block for long term and automatically for certain mail failures, use RBLs. Grey listing is the best defense against spam, but longer delays in getting E-mails can be a problem. Check top spamming countries or spam providers and use long grey listing for them. Monitor the logs for a while and perma

Pipe, firewall, UPS, MTA

[PuddleBoy]

I've run my own (and other) mail server(s) for over 20 years. It's not bad once you have the basics down.

Pipe: I currently have a 100M/100M business-class fiber connection, though I have used EoC and DS-1 in the past. Yes, I pay more, but don't all hobbies cost money? You don't generally need bandwidth as much as you need low latency and reliability. You should really have a 5-block of public, static IP addresses. Ask local providers if they have any offerings between cheap residential and spendy business class.

Firewall: tons of options here, just put up something to lay down a basic (but stringent) set of rules (both in- and outbound). Start with nothing in/nothing out and only open what you really need. Bear in mind that 98% of the time your server doesn't really need to use a browser, or ftp client, or Spotify, etc, so keep those ports closed. Some firewalls will allow you to filter out originating IP space by country - I think I must filter out about 100 countries right now.

UPS: it should go without saying, but be sure to put *everything* on one of more UPS's. Every router, switch, server, everything that might carry your TCP-IP stream *and* those devices you need to admin your server. I split the server side between 2 1500vA units and my workstation on its own, with extended runtime batteries.

MTA: I am currently using Netwin's Surgemail, but there are lots of options. I have about 40 or so basic filter rules to keep some of the obvious spam out (no hosts using an IP address as a hostname, no domains ending in ".party", maybe throw in a couple honeypot email addresses to filter out sending IP's, etc.) Also bear in mind that, even though some companies charge by the account, you can often have lots of aliases, but just a couple of 'real' accounts.

Server hardware: CPU speed is not generally as important as fast, reliable I/O and drives. The MTA software makes very little demand on CPU (unless you have a very busy personal mail server) but lack of reliability in drive storage means you might as well just use Gmail...

Good luck

It's an easy part of my business offerings

[holophrastic]

Aside from the usual customer-service and technical support issues (I got a new phone, I didn't get one in ten thousand e-mails, et cetera), it's easy.

Technically, I'm running a plesk server, which makes things even easier these days. But it's not at all required.

IMAP/POP/SMTP/webmail
spamassassin (at least for a little while longer)
an SPF record
postfix, courier, roundcube/horde
plesk for administration, especially by customers

the whole thing costs exceptionally little. Quite frankly, the backup efforts cos

Pick what you need

[Woefdram]

Self-hosting isn't particularly difficult. I ran a mailserver at home behind a cable modem for about 15 years, I've recently moved it to a VPS.

Back in the days I used to run Postfix and Courier, and that was it. Nowadays it's Postfix, Dovecot, Sieve, SpamAssassin, PolicyD, ClamAV, Razor/Pyzor, OpenDKIM and OpenDMARC, so yes, it has become a lot more complex over the years. But it's still worth the effort, I think. The agressive spam filtering is recent, I ran without any spam filtering until recently. If you do the right checks on incoming mail, a lot of junk is rejected before it can even reach a filter.

I would just start with Postfix and Dovecot, make sure that works. Make sure that your server uses the correct FQDN in its HELO/EHLO and that you have a matching PTR-record for that, or most of your outgoing mail will be refused immediataly.

Then add what you think you need. You'll probably want Sieve, very nice to have the server deliver e-mail in the correct folder, but it can do a lot more than that. If you want webmail: Roundcube has a plugin that allows you to manage Sieve filters.

Adding PolicyD allows you to to check blacklists and SPF before you accept mail. Very useful, that filters out a lot of junk before it's even queued. Make an SPF-record in DNS, telling the world only to accept mail for this domain from your servers. That makes it less likely that someone can abuse your domain to send spam, possibly leaving you with a lot of bounce messages. Checking SPF-records (and a whole lot more) can be done here:

https://mxtoolbox.com [mxtoolbox.com]

DKIM isn't particularly difficult to set up, and everybody loves a signed message. Create one keypair for all your domains, or a separate pair for every domain, whatever you want. Then publish the key in DNS and check if it works. A nice site to do that is this one:

http://www.appmaildev.com/en/dkim/ [appmaildev.com]

If you have SPF and DKIM (and why wouldn't you?), you might consider using DMARC too. You publish your policy in DNS, so that every receiving mailserver can check what to do with a message that fails, for example, the DKIM validation. OpenDMARC can check the policy for incoming mail, and can send status reports. Most of DMARC is configured in DNS, this document gives a good overview of how you should set up a machine that uses all of these techniques:

https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/ [skelleton.net]

And then there's spam and virusfiltering. I'm running a combination of SpamAssassin, Razor/Pyzor and ClamAV for that, which was basically one install of Amavis and then some tinkering to get it right. My next server will probably use Rspamd for that.

Is it still worth hosting your own e-mail? Hell yeah!

do NOT pick let legal pick

[johnjones]

what you don't mention is when your hosting provider gets a legal request

will Gmail or office365 legal dept get a legal request from the government or legitimate request in the USA do they hand over all your data...

Yes you should run your email server in the country you operate in since you pay tax's there and abide by the laws and have those laws protect your privacy

i.e.
USA should host their email in the USA
Canadians should host email in Canada
Germans should host email in Germany
etc etc

WHY do companies/peo

Oblig

[phantomfive]

I just telnet to port 25. Problem solved, Helo.

A little email server how-to

[chaoskitty]

http://vax.zia.io/mail_part_1.... [vax.zia.io]

Be patient. It's running on a real VAX.

Very easy to do

[mschaffer]

You can use something like Webmin/Virtualmin on various Linux or a FreeBSD system. The system can be a PC or a virtual machine hosted somewhere.

This is not complicated

[Etcetera]

Many of the folks around on Slashdot were part of the generation that handled the consumer-level rise of email in the '90s and 2000s. The basic concepts haven't changed... about the only differences now are the number of DNS-related validation mechanisms that you'll want to adopt to help increase the legitimacy of your domain.

Once you've done things like setting up SPF records, added DKIM and other signing, and set up certificates, it's not much more difficult than it was 15 years ago. Now, admittedly I'm c

Re:

[rnturn]

"If you're setting up an open relay, I don't *want* your mail server on the internet thanks

You'd think that this problem would have been automated out of existence by now but I'm still surprised by the number of attempts that I see in my logs as a result of sites trying to use my server as a relay.

A lot's changed in 20 years...

[fred911]

Not the RFC https://tools.ietf.org/html/rf... [ietf.org] the question is do ya still grock?

Postfix

[gweihir]

Really not that hard to set up if you have a clue about how email works. Add some spam-protection though. I have greylisting, spamhaus DND-RBL anda custom spamassasin config.

You learn a lot and it is the difference between a luser and somebody that understand how things work. Comes in handy all the time.

Have Always Run My Own

[jvp]

I actually can't imagine not running my own; I've been doing it since the mid-late 90s one a server at home. I still am as I'd prefer it all be on-prem (my prem, dammit!) vs someone else's. But that's neither here nor there.

My "stack" has grown a bit complicated over the years because of the sheer amount of spam I get. Spamassassin is good, but not good enough. In fact, not good enough by a long shot. Not for the crap I'm getting, even after carefully training it. It looks like:

- Port 25 blacklist (wi

Running your own email server to protect from NSL

[SysEngineer]

National Security Letters (NSL) are the reason I run My own email server. I want the 4th Amendment protection. I have been running my own email server since 1995, and yes, it is getting more difficult. For three years in 1999, I co-locate two Dec Alphas as my web and email servers. I checked them maybe once a years. Now I have to update and maintain then daily. I am using docker inside a VPS to reduce maintenance.
If your privacy is important and you want to stay current on security, you should run your ow

This subject seems familiar, sort of...

[Slugster]

I seem to recall in the last few years (?) we had another story about this. Spam was the problem, but not as people think it is here.

The gist of that article was that it was of questionable use to operate your own email server anymore, since all the big email domains would tend to dump emails from YOUR rinky-dink domain as spam. People who attempted it back then reported that most messages sent from your (unrecognized) domain never make it to their recipients, if it involved any of the major email domains

Doable but a lot of work

[ukoda]

I have running my own email server from home now for many years using a CentOS server. You have to jump through quite few hoops to get Gmail and the likes to accept your email but even then your email is often delivered to the recipients spam folder. Basically an annoying PIA.

The amount of spam you receive is huge but when you analyse it you soon realise that 70% of it comes from certain ISPs or countries which do not seem to have any real users i.e. they 100% spam sources. About 100 entries in your ip

Spam is not the problem -- Google is

[burbilog]

I run my own mail server since 1997, and today I find more and more problems from Google than from any spam messages. Spam is relatively easy to deal with, but Google rejecting your messages out of blue isn't. Their internal anti-spam logic punishes small mail servers, no matter what you do. Reverse zone, spf, dmarc, whatever. Sometimes messages from my server pass to @gmail emails for months and sometimes don't. Google does not provide any choice, nothing lands into spam folder, nothing. They just randomly

No real option for contacts and calendar

[lucifer_666]

We run a couple of cPanel servers to add value to our web design and IT services business. It's nice to be able to provide a gold plated, over engineered, reliable service to make our hard work shine. While cPanel has a great out of the box email implementation, one thing that really bugs me is our inability to provide simple contacts and calendar, without client end plugins.

Most small business and individual users want something pretty simple, to have their email, contacts and calendars available on all

Learning curve, cost and maintenance

[Chewbacon]

Subject has the three challenges summed up. There are advantages to this such as privacy and you can tune your service to operate how you want. I like Gmail's spam filtering, but I can setup something similar and almost as effective - even if it isn't as good as Gmail, the privacy would be a good trade off. So I've setup and ran a few of them. Two for personal use, but cost eventually turned me off. Now I'm setting up another one with a more cost effective solution (about $60-70/year).

My favorite software setup is Dovecot, Postfix, and MySQL. This allows you to run multiple domains as "virtual hosts." Can easily find a howto to get you started, but don't let that be the ultimate authority. There's still much to learn and do! You'll have to handle spam and antivirus somehow. You'll need SSL. You'll need an IP that isn't blacklisted. I don't find the learning curve terribly steep, but it is an undertaking to get things running.

My latest idea is this: running the server at home, using a VPS service as a VPN for the public IP. Services at home connect to the VPN, a little routing and firewalling points connections from the outside VPN to appropriate services on my home server. Cost? About $60-70/year.

Re: Don't waste your time

[Anonymous Coward]

Bullshit. My server has been running for 10+ years and I have no spam issues. You will need to invest some time in configuring and updating spam screening, for sure.

Re:

[HotNeedleOfInquiry]

Depends on how fast your internet connection is. If you have a slow link, it will saturate with spam even before the spam gets to your filter.

Re: Don't waste your time

[b0s0z0ku]

The goal should be to drop suspicious connections before they even have a chance to transfer messages.

Re:

[kwalker]

Please define 'suspicious' cleanly enough that it doesn't false-flag people who are trying to run their own servers.

Re: Don't waste your time

[Anonymous Coward]

One connection per IP allowed per hour. Rest of the time just black hole it. With the email delivery lifetime being 5 days all legit email should get delivered in a day. As an added bonus always drop the first connection from an IP you have not seen before and block it for an hour

Re:

[dynamo]

I like this idea. Worth an upvote, wish I was a mod today.

Re:

[Phics]

A reputation blocklist works great for blackholing or blocking emails from known malicious sources. I recommend Barracuda's: http://www.barracudacentral.or... [barracudacentral.org]

Re:

[bferrell]

Yeah... That's the point.
Barracuda does that as an outside service.
YOU DON"T DO IT, THEY DO.

sigh

Re: Don't waste your time

[kwalker]

False.

Having run my own e-mail server (Along with web and jabber) on a 1.5Mbps (896Kbps upload) DSL line for over a decade, recently upgraded to fiber when I moved into a town that has it. This is e-mail we're talking about, not video files. They're tiny compared to modern web traffic.

I registered my own domain in 2002 and it has been in continuous use since then. I even forwarded my Gmail account to it (back when you could do that), and used fetchmail to siphon RocketMail/YahooMail down until they broke that and I abandoned them. I don't even bother with throw-away mail accounts to see who sold my account anymore, as they were more trouble than they were worth. And in the last five years, my entire family has started using the accounts I created for them on my server. I receive, on average, maybe 20 spam messages per day. All of which go into my SpamAssassin filter for training. Between 1 and 2 spam messages per month make it through, and they only make it through once.

Re:

[fred911]

"I even forwarded my Gmail account to it (back when you could do that)" they still support POP3 and IMAP, pretty much the same outcome, right?

Re:

[bferrell]

Yes they do and then you use fetchmail to dump it into your local mail spool

Re:

[kwalker]

Yes, the main difference being the way I did it, e-mail arriving at Gmail automatically and immediately goes to my mail server, rather than me having to poll using a POP/IMAP client like fetchmail.

Re:

[ClickOnThis]

This is e-mail we're talking about, not video files. They're tiny compared to modern web traffic.

Unless someone e-mails a video file.

Re: Don't waste your time

[Z00L00K]

I do a similar thing and I have a number of blacklist services that sendmail checks against. On top of that I use the spam filter in Thunderbird, which takes down spam too. Most spam I get is through a public group mail address on a voluntary organization I'm member of, but even that is pretty moderate.

From my perspective the spam flood that was seen a few years ago has slowed down considerably. Spam mail isn't as effective as it used to be since spam sources now are quickly blocked by various blacklist ser

Re:

[93 Escort Wagon]

I even forwarded my Gmail account to it (back when you could do that) ...

Are you referring to earlier today? Cuz you can still forward gmail to any address you control - you just need to be able to acknowledge receipt of an email sent to that address.

Re:

[bferrell]

Spam has NOTHING to do with link saturation... Post scanning, on the other hand CAN be a world class PITA.

I've been running this rig for 20 years and it started on a demand dial PPP link, migrated to DSL and now is on business class service.

 

Re: Don't waste your time

[ctilsie242]

If you have a static IP address assigned to you, life becomes a lot easier. However, if one is using a dynamic DNS server, that means that the IP range is already in a DUL, and blacklisted. At best, you have to use a third party's SMTP server, be it your ISP or someone else.

Yes, it can be done. However, I have better things to do. Rackspace, Google, Amazon, or Microsoft have multiple, redundant servers and their server IP ranges are quite unlikely to be blackholed. I just give the devil his due, and let someone else worry about E-mail. Most companies, from SOHOs to Fortune 10 places are already moving to O365, so might as well join them and focus one's efforts and such on other things. Plus, if E-mail needs to be encrypted, there is always PGP/gpg or S/MIME.

Re:

[Anonymous Coward]

I like how you properly capitalized and hyphenated E-mail. You are a proper gentleman, and a scholar, and if I may be so bold, I'm guessing the owner of one highly organized sock drawer!

Re:

[Aighearach]

Chivalry was the first casualty of the Culture War.

Re:

[duke_cheetah2003]

Bullshit. My server has been running for 10+ years and I have no spam issues.

Also calling bullshit. Been sending email from my vanity domain for almost 20 years now. No issues.

Re:

[JMJimmy]

You don't have spam issues until you do.

I've got a pair of domains, one for myself which I use as a tracker to see who is selling my information (ie: catch all with theirdomain@mydomain) and my parents domain. I had them setup as a catchall as well until one day it exploded with spam. Thousands of emails flooding in with random address names... I had to blackhole the entire domain and restrict them to a single email address.

That's what we told him on Reddit

[raymorris]

That what we told this guy on Reddit - don't. You don't know what you are doing.

Mr. Paul Combetta, you already caused enough trouble last time you tried this. Since you don't even know how to set up a regular email server, with DKIM, you have no business trying to set up one that handles Top Secret government communications.

Next, Paul asked us on Reddit how to edit the emails left on the server.

Mr. Combetta, please stop.

Re:

[ignavusinfo]

It seriously isn't. Fastmail (for instance) is $60/year — say 40 minutes of labor if you're billing $100/hour. I sure can't setup and maintain a full featured, no maintenance email system in 40 minute/year.

Re:

[kqs]

I ran mail servers (both personal and for $DAYJOB) for 20 years. It is utterly not worth it anymore. Spammers and blackhats have a lot more free time to spend making your life difficult than you do in fixing things.

Re:

[bferrell]

Spamassassin works well. So does milter-greylist. Neither will cost a dime nor take any time to maintain.

But you DO have to actually put them into service.

Never mind... It's Toooo Haaaaarrrrd!

Re:

[HotNeedleOfInquiry]

This. Most everyone will see you as spam and as OP said, there's nothing you can do about it. And regardless of the quality of your spam filter, the spam between your router and the spam filter will still eat a chunk of your bandwidth.

Re:

[b0s0z0ku]

I don't think that's as true as you'd think. We have some servers on a commercial IP sending out daily health messages without a proxy. The emails usually get through, even to gmail.

Re:

[unity]

Same here. I host my own personal/vanity domain. I have a static ip, but it doesn't reverse DNS to my domain. I can send to nearly everybody. I think o365 flagged it once and I had to click a link to verify domain with them. I send to gmail all the time without an issue. I haven't had a problem with getting spammed either.

Re:

[NormalVisual]

Most everyone will see you as spam and as OP said, there's nothing you can do about it.

I've run my own mail server for close to 20 years now, and It hasn't been a problem for me. Then again I have true redundant DNS, reverse DNS records for the SMTP server, and proper DKIM and SPF records, and everything's configured properly (no open relaying, etc.). About five years back I briefly had some kind of issue where Gmail would only accept mail from my IPv6 address, but Google got that resolved within a few we

Re:

[Aighearach]

... there's nothing you can do about it.

Well, between the people doing it successfully, and the people who say they don't know how, I'm gonna believe the people doing it. ;)

Re:

[b0s0z0ku]

Set up a rule that email to certain providers is proxied.

Re:

[technothrasher]

You won't be able to send to gmail/other big providers, they'll always see you as spam. People who try to email you won't be able to, and they won't know why,

Sorry, but that's BS. I run several small email servers off VPS based hosts using FreeBSD and Exim, both for vanity domains and for a small manufacturing company, and it all works just fine. Nobody has any issues emailing us and the big providers don't tag me as spam.

Re:

[Excelcia]

SPF, DKIM, and DMARC aren't rocket science. It's not all that hard to do:
https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy [digitalocean.com]
https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/ [skelleton.net]
The first is a bit dated, but still works if you follow the comments. The second is a little better in that it includes a lot of the goodies to tack on to a mail server (DKIM, DMARC, SPF, SpamAssassin), though it does advocate inet s

Re:

[NynexNinja]

I agree with you, as long as you set Postfix (or whatever MTA) with SPF, DKIM and DMARC enabled, the majority of your mail will not be blocked as spam. One thing to note is that if you put any URL's in your outbound messages, those messages will get checked by Google's filters and if there is an Email Address type form variable in the form, it will get flagged as suspicious. So, just avoid doing speficially that. Also make sure that your MTA (Postfix) is sending out using Smtp-Auth enabled, as this is oth

Re:

[Aighearach]

You're not an idiot and probably don't think SPF has to do with sunscreen.

This whole thread is hilarious.

When I started reading slashdot, the joke was that sendmail (the dominant email server software at the time) required its own PhD to configure.

And slashdot was the place where half the users already know how to do that.

If you can't set up a modern email server, just give up at having root.

Re:

[mabu]

With all due respect that's bullshit.

Any major e-mail provider will offer a resource where if you're RBL'd, you can petition to have your IP address un-blacklisted.

Now if you choose to host your mail server with an ISP that's notorious for hosting spammers, that's another issue. But this has to do with the quality of your hosting company -- and the super cheap hosting companies will be more problematic than more reputable operations.

Re:

[msauve]

"Any major e-mail provider will offer a resource where if you're RBL'd, you can petition to have your IP address un-blacklisted."

So, how's that work out if you have an ISP which hands out different IPs on a regular basis? Last I tried to run a "direct" SMTP server, there were _lots_ of places which would bounce or simply blackhole outgoing email, simply because I'm in a "consumer" address space and not a commercial one. And that was supported by some RBL lists, who were illegally (by deliberately) interfer

Re:

[mschaffer]

You won't be able to send to gmail/other big providers, they'll always see you as spam. People who try to email you won't be able to, and they won't know why, but what's worse - there's absolutely nothing they can do to rectify the situation.

This is simply not true if you set up your DNS records and DNS server correctly. Look into SPF, DKIM, and DMARC. Very easy to do if you use BIND.

Re:

[rnturn]

What are you doing that would cause gmail and company to see you as a spammer? I've been running a local email server for upwards of 10 years and have only had trouble sending email to two destinations: one was a commercial site and the other was Ameritech (who a couple of friends were using as their email provider). Both situations were corrected with a tweak with the MX configuration at my ISP (who also buffers my email should the local system be down for an extended time).

Re:

[Temkin]

If you can't host it at home, throw it up in AWS. an AWS nano instance should be plenty for a personal email server and costs $5ish a month.

The problem with AWS last time I checked, was you need an elastic IP address to set the rDNS. So the Lightsail node is a non-starter.

Linode still does a $5 VPS with a static IP. You'll need to spend a couple weeks keeping it's nose clean before trying to use it.

Re:

[bobby]

Thanks- I haven't tried PostfixAdmin. I don't make many changes to the email system I admin, and the ones I do I've been fine with simple text editing. I'll have to try it for fun. I don't normally run X on the servers, but I can, or in another machine client-server mode.

Are Postfix and Dovecot functionally the same? (sorry- too tired to search...)

Re:

[nawcom]

Dovecot is POP3/IMAP, Postfix is the MTA for SMTP.

Re:

[bobby]

Thanks, that's what I thought I remembered. It's all coming back to me now. And Dovecot can do some submission functionality but I think it still needs sendmail or postfix.

Re:

[bobby]

Thank you! When I get the owner to (finally) switch ISPs I'll build up a new mailserver. He keeps talking like he wants to, but then months and years go by... It's one of at least a dozen businesses he owns and probably the least important of the currently active ones. I have Postfix fully running well, as I have sendmail and fetchmail. Thanks again!

Re:

[omnichad]

It is critically important to follow the RFCs

With you so far...

never scatter back,

While this is very important to keep your server reputation up, it also violates the RFCs. There's no way to satisfy both.

Re:

[bobby]

I get downmodded? Touched someone's nerve? Butthurt? No sense of humor?