Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Open Source Communications

Ask Slashdot: How Would You Host Your Own Email Server? (linuxjournal.com) 337

"It has become too easy to take Linux and FOSS for granted," warns a Linux Journal editorial by Doc Searls, complaining, for example, that today "We collaborate inside proprietary environments, such as Slack and Google Hangouts."

Long-time Slashdot reader whh3 wants to live differently -- and to model a different set values: After reading the recent Doc Searls article in Linux Journal, I realized that I need to get back to my roots. The first step will be to build/setup/run my own email server for my vanity domain.

The problem is, I haven't run my own email server since the 90s. It was easy back then -- there was much less SPAM and self-hosted email servers didn't have to jump through hoops to make sure that they weren't blacklisted as senders.

So, I am reaching out to this great community to find out if there are any good tutorials on modern-day best-practices for self hosting an email server. Any tips/tricks/pointers would be great appreciated!

A lot's changed in 20 years -- but for such a basic form of online communication, is it still possible to roll your own? Or are we trapped in a world where private conversations about valuing open source software take place inside Google's proprietary Gmail client.

Leave your own suggestions in the comments. How would you host your own email server?
This discussion has been archived. No new comments can be posted.

Ask Slashdot: How Would You Host Your Own Email Server?

Comments Filter:
  • Mail in a box (Score:5, Informative)

    by goaliemn ( 19761 ) on Saturday May 11, 2019 @06:38PM (#58575798) Homepage

    An all in one package that runs on Linux. It uses a dedicated server. I use a $5 linode and it runs great.

    https://mailinabox.email/

    • by nbvb ( 32836 )

      Best answer yet. Damn thing works great, and has for the last few years.

    • Mailinabox is a turn key solution, sort of, and there is nothing really wrong with that. But the problem with those is that you get people who know enough to apply a turn key solution without knowing enough about the workings to handle issues that come along.

      If you really want to get a good mail server running, the best way to do it is to learn and do it yourself. When I set mine up it took me a week or so of initial pain, and it was a lot of work I won't lie, but now I have a server I know inside and out and has been reliable as a Clydesdale. I have multi-domain virtual mail hosting configurable with a few clicks through PostfixAdmin. It's end-to-end secure with excellent encryption that I can trust. It also lets me run a couple domains of WordPress too. And, as a bonus, it gives me a "server" for SyncThing, which means I have my own "DropBox"-like solution that I control.

      I'm not going to give total step-by-step instructions, because that's long and complicated. But I will offer some points of advice plus all the documentation I usd to set up mine:

      1. 1) First thing to think about is hosting. I recommend finding a good KVM VPS (Virtual Private Server) hosting service. No matter where you live, I'd highly recommend not even thinking about getting one physically located in the USA [nomadcapitalist.com]. Being Canadian, I chose a home-based solution. This is great for people physically located in the USA too, since it offers you better privacy protection, and good connectivity. The one I use is CACloud [cacloud.com], and I have found them to be extremely professional and very reasonably priced. Make sure your login to your VPS host is extremely secure.
      2. 2) Heir and a Spare. Whatever solution you get for hosting, get two. One will be the production, the other will be the test. This lets you try everything out (including upgrades) on the test platform before rolling out on prod. This also lets you do your own DNS and gives you a primary and backup DNS server. You will want your own DNS server for when you get into SPF, DKIM, DMARC, and so forth. When you set them up, set up testing first. When you are using root to first set it up, create an admin directory and religiously duplicate every config file you edit into that admin directory so you can duplicate everything you do onto prod when you set it up. I pay $10/mo for prod and $5/mo for my testing server. It shouldn't break the bank.
      3. 3) Pick a Linux flavour. I highly recommend vanilla Debian. 95% of all desktop Linux is based on Debian, vanilla Debian is server friendly, Debian is conservative (which is what you want for a server) and they take software freedom seriously. They may dither themselves into insensibility sometimes, but that just makes it stronger if you ask me. Plus, as a bonus, almost every tutorial for Ubuntu, Mint, etc will also work on it.
      4. 4) The first (and I mean very first) thing you do the first time you log in is make sure SSH is set up properly. This is tinfoil hat time. The NSA is known to collect SSH keys as systems get set up, so be careful. Until SSH is set up properly on your machine, consider that any password sent through is compromised. A lot of VPS hosts are insecure on their initial setup. If you are using a VNC applet, like some places use, be careful because the applet sometimes is running on your local machine, which means the connection is insecure.
      5. 5) The hard work starts here. Tutorials are your friend. Luckily there are some really good ones. Here are the ones I used. The nice thing about Debian is, because it's pretty conservative, tutorials for one version often work very well on later ones.
        Secure Secure Shell [github.io]
        Stong SSL Security on lighttpd [raymii.org]
    • Look at Haraka. A mailserver written wih nodejs that is trivial to program your own plugins for. In many respects Much easier to make your spamfilter and blackwhite lists precision surgery.

      Example for haraka:

      Timed addresses like joe-04052019@domain.com gets delivered to joe but only begore a deadline
      You can precisly blacklist addresses and match rhem with specific snders. Sonif you an an email like bank@joe.domain.com and the mail is not regex matched from xxx@yyy.bank.com it is wiped off the earth.

      My Harak

  • An all in one package that

  • by Static ( 1229 ) on Saturday May 11, 2019 @06:40PM (#58575808) Homepage

    I run my own email server. I pay for an EC2 instance in AWS that it sits on. Inbound email goes straight to it (and there are a few settings in the SMTP server to control spam and other crap); outbound email goes out via Amazon's Email system. I run Courier as the MTA and connect to it from my laptop using IMAP over SSL. I have all my DNS records in Route 53 on AWS, too.

    • by jwhyche ( 6192 )

      This was pretty much going to be my recommendation. I run my own email server here at my home office, but I've thought of moving it to a online host like AWS or Azure.

    • by ron_ivi ( 607351 )

      outbound email goes out via Amazon's Email system

      Does that defeat half the purpose?

  • Use smtpd & Roundcube on a virtual private server (VPS) such as Linode or dreamhost. I use this with SSL and it works great.
    • by PCM2 ( 4486 )

      This. If you've just got a "vanity domain," I don't see why you wouldn't just get cheap shared hosting and be done with it. I think my provider runs Postfix, but I've had few problems with mail bouncing because of blacklists. The one or two occasions were swiftly resolved.

      For spam, I use SpamAssassin and two folders in my Inbox: "spam-learn" and "ham-learn," to which I copy messages as appropriate. Each night, a cron job scans both folders and trains the Bayesian spam filters accordingly. I'm down to less t

      • The problem with shared hosting comes down to ip reputation. You have to have your own ip address for your account. Otherwise all it takes is one bad customer out of thousands on that server to get you blacklisted.

  • You're lucky in that regard that is email and things haven't changed all that much since the 90ies. Probably since the 80ies in fact. The tough part is that things haven't changed all that much. Email is a protocol from the steam age of computing.

    However, I have heard that Postfix is easyest to configure. And there's a good Oreilly book on it.

  • Comment removed based on user account deletion
    • by AHuxley ( 892839 )
      Freedom of speech and freedom after speech for everyone on a email service?
      More free speech than on social media?
      Email works on most OS, with most type of internet.
      Easy to search, sort, archive.
      Social media is no longer a gatekeeper on the content sent between people.
  • by lorinc ( 2470890 ) on Saturday May 11, 2019 @07:10PM (#58575932) Homepage Journal

    Set up a raspberry pi with debian, dovecot, exim4, spamassassin, apache and rainloop. It's easy and it works great. For smtp, use your provider server, as most won't let you set up one.

    • by rnturn ( 11092 )

      "For smtp, use your provider server, as most won't let you set up one.

      I think you're referring to the connection you get with the typical consumer ISP service. Users of these services have been up against this problem for years and years. Pay extra for the fixed IP address option and you likely won't have a problem with setting up your own servers.

      The only outfit that I've had problems with runing servers was a new wireless provider who was offering fixed IP addresses--at extra cost--but with a "no serve

  • by mabu ( 178417 ) on Saturday May 11, 2019 @07:19PM (#58575954)

    Don't listen to the people who say it's too difficult. It's not.

    I've been running my own mail server since 1994.

    These days I'm using Postfix instead of Sendmail or Qmail.

    I have my own relatively large IP-based blacklist that I use both inbound and outbound.

    You can stop a huge amount of the spam by doing two things: Using SORBS relay blacklist (as well as various others) and also maintaining your own Class A and Class B IP-based blacklist. For example, are you doing any business with China, Russia or other countries from which the lion's share of spam originate? If not, then just refuse to accept any mail traffic from them by default and manually whitelist anybody you need.

    On the receiving end, here's where you also need to apply dilligence, because as soon as you have a port open for IMAP or POP3, you're going to be bombarded with lots of automated attempts to crack e-mail accounts. Again, apply very broad IP-based blacklisting (I like to use tcp_wrappers with dovecot) to wholesale ban anybody from countries where it's unlikely I'd be to check my mail -- or better yet, block all IP traffic except for specific addresses. This works great.

  • I personally use Mailu. It's easy to roll and scale in Docker. However for the cost of a VPS and time consumption of maintenance, you'd better spend money on a privacy-centric e-mail service such as ProtonMail.

  • by Dorianny ( 1847922 ) on Saturday May 11, 2019 @07:37PM (#58575982) Journal
    Unofrtunately to combat spam SMTP outgoing has bcome pretty complicated.

    1. you will need a reverse arp so a machine running behind NAT will not do.

    2. you will need ssl certificates for tls. Fortunately you can now get them for free from letsencrypt, however they expire every 3 months so make sure to setup certbot to automate.

    3. SPF/DKIM/DMARC

    Without setting up all of these at best your emails will go straight to the receivers Spam folder

    • by kwalker ( 1383 )

      ARP does not cross network boundaries. I think you mean a reverse DNS that matches your domain name. That is not required, but would be a good idea. If you have a decent ISP (Beyond the scope of this conversation) that should be a contact to their support department.

      You can get SSL certs for free from Let's Encrypt. You don't need to though. No one verifies the certs, they just auto-accept them so the connection is encrypted and harder to snoop.

      SPF is a fire-and-forget change to your DNS settings. DKIM and

      • Thanks for the correcting me on "reverse DNS," I should have read what I wrote before I fired the post.

        I was not aware nobody verified the SSL cert, good to know but if you are going to get one for webmail anyways, it doesn't hurt to use it as the MTA cert too.

        As far as DKIM and DMARC, they both require manual configuration, so they can be tricky for someone that doesn't know much about DNS and MTA's

  • 1) Get a VPS. I've been on transip.eu for quite a few years now.
    2) Install your distro. I use Debian, YMMV.
    3) Install iRedMail (https://www.iredmail.org/). It automates the installation of your mail server, and protects it with fail2ban.
    4) Point your domain name toward the VPS

    Done, probably.

  • Spin up a virtual machine using free s/w like Virtualbox, install an edition of Ubuntu Linux, then install the free version of Virtualmin.

    The virtual machine will give you the freedom to move your servers to better hardware if you like, or even move it to a cloud server. Virtualmin will give you an amazing web-based interface to launch and manage all kinds of servers such as Postfix email. You'll be able to receive email directly, use free blacklist services and also install local spam & virus filters,

    • no need for virtualization at all. run the Linux on bare hardware, you'll still have the freedom to move to better hardware, it's trivial. No need for any admin GUIs, the command line setting up of postfix with spam protection takes minutes. It can easily been done on a BSD or Linux elsewhere.

      what's this nonsense about needing a relay outbound? You don't, as long as port isn't blocked: don't chose service where it is

      been doing my own mail server for a couple decades, easier than making a web server.

      • The last time I upgraded my home server, I just took the boot drive from the old server and stuck it in. It took a little longer to boot the first time, but no issues.

        Believe it or not, Windows 10 can do this now. If the source and target motherboards both have their own digital license, you don't even have to deal with activation issues.

  • I've been running my own since forever. It's become harder over time, and I don't think I'd set up my own if I was starting from scratch now, but I can respect the desire to DIY and keeping control of your own communications.

    You can't run an SMTP server on a home connection any more. Dynamic IPs are completely blacklisted, and even static IPs won't be accepted a lot of the time. You will need a server in a colo. I'm using a small VPS.

    I use Postfix, Amavis, Spamassassin, Dovecot, and Mairix. I'm happy w

    • by bobby ( 109046 )

      Thanks, great info. I might take some of your advice someday if I get the chance...

      One of my part-time jobs is admin for a small hosting company. We have static IPs of course, and static NAT and I route external ports to whatever internal IP and port I choose. Works perfectly.

      We used to have an email server that was a major part of the business. I did _not_ build it. It was CentOS running Qmail (and Squirrel Mail for webmail which I kind of liked.) It was fine until Verizon decided to stop relaying po

  • I saw this review go by recently and it looked interesting. It avoids many of the do-it-yourself pitfalls, but it still involves a third party that you have to trust, but in a different way.

    Helm email server [theintercept.com]

    I've not used this, so I can't offer any experience with it. And I have no association with them.

  • Get a cheap VPS (ssd vps on OVH are great) and install debian stretch. Then follow the ispmail guide: https://workaround.org/ispmail... [workaround.org] I just got this set up after running a jessie server for the past few years, it is AMAZING. Spam blocking, virus blocking, DKIM, SPF, dmarc, etc etc etc
  • I run my own email server. It's not that hard. Postfix for the MTA, Dovecot for the IMAP server, MySQL for the mail address/routing database, OpenDKIM and OpenDMARC and postfix-policyd-spf-python, SpamAssassin and the Zen RBL to clean up the crap, and a self-writtten small Vue.js application and Rails back-end to manage the database. There's turn-key mail-server systems available, but for me they were more work to set up and maintain than rolling what I needed from scratch. The config changes (to go from th

  • 1. Business ISP plan so the ISP isn't blocking you with static IP, get a domain, get DNS and reverse DNS configured properly.

    2. postfix, clamav, spam assassin, milter-greylist, fail2ban monitoring the mail logs - block for long term and automatically for certain mail failures, use RBLs. Grey listing is the best defense against spam, but longer delays in getting E-mails can be a problem. Check top spamming countries or spam providers and use long grey listing for them. Monitor the logs for a while and perma

  • by PuddleBoy ( 544111 ) on Saturday May 11, 2019 @08:43PM (#58576114)

    I've run my own (and other) mail server(s) for over 20 years. It's not bad once you have the basics down.

    Pipe: I currently have a 100M/100M business-class fiber connection, though I have used EoC and DS-1 in the past. Yes, I pay more, but don't all hobbies cost money? You don't generally need bandwidth as much as you need low latency and reliability. You should really have a 5-block of public, static IP addresses. Ask local providers if they have any offerings between cheap residential and spendy business class.

    Firewall: tons of options here, just put up something to lay down a basic (but stringent) set of rules (both in- and outbound). Start with nothing in/nothing out and only open what you really need. Bear in mind that 98% of the time your server doesn't really need to use a browser, or ftp client, or Spotify, etc, so keep those ports closed. Some firewalls will allow you to filter out originating IP space by country - I think I must filter out about 100 countries right now.

    UPS: it should go without saying, but be sure to put *everything* on one of more UPS's. Every router, switch, server, everything that might carry your TCP-IP stream *and* those devices you need to admin your server. I split the server side between 2 1500vA units and my workstation on its own, with extended runtime batteries.

    MTA: I am currently using Netwin's Surgemail, but there are lots of options. I have about 40 or so basic filter rules to keep some of the obvious spam out (no hosts using an IP address as a hostname, no domains ending in ".party", maybe throw in a couple honeypot email addresses to filter out sending IP's, etc.) Also bear in mind that, even though some companies charge by the account, you can often have lots of aliases, but just a couple of 'real' accounts.

    Server hardware: CPU speed is not generally as important as fast, reliable I/O and drives. The MTA software makes very little demand on CPU (unless you have a very busy personal mail server) but lack of reliability in drive storage means you might as well just use Gmail...

    Good luck

  • Aside from the usual customer-service and technical support issues (I got a new phone, I didn't get one in ten thousand e-mails, et cetera), it's easy.

    Technically, I'm running a plesk server, which makes things even easier these days. But it's not at all required.

    IMAP/POP/SMTP/webmail
    spamassassin (at least for a little while longer)
    an SPF record
    postfix, courier, roundcube/horde
    plesk for administration, especially by customers

    the whole thing costs exceptionally little. Quite frankly, the backup efforts cos

  • Pick what you need (Score:5, Informative)

    by Woefdram ( 143784 ) on Saturday May 11, 2019 @09:02PM (#58576156) Homepage

    Self-hosting isn't particularly difficult. I ran a mailserver at home behind a cable modem for about 15 years, I've recently moved it to a VPS.

    Back in the days I used to run Postfix and Courier, and that was it. Nowadays it's Postfix, Dovecot, Sieve, SpamAssassin, PolicyD, ClamAV, Razor/Pyzor, OpenDKIM and OpenDMARC, so yes, it has become a lot more complex over the years. But it's still worth the effort, I think. The agressive spam filtering is recent, I ran without any spam filtering until recently. If you do the right checks on incoming mail, a lot of junk is rejected before it can even reach a filter.

    I would just start with Postfix and Dovecot, make sure that works. Make sure that your server uses the correct FQDN in its HELO/EHLO and that you have a matching PTR-record for that, or most of your outgoing mail will be refused immediataly.

    Then add what you think you need. You'll probably want Sieve, very nice to have the server deliver e-mail in the correct folder, but it can do a lot more than that. If you want webmail: Roundcube has a plugin that allows you to manage Sieve filters.

    Adding PolicyD allows you to to check blacklists and SPF before you accept mail. Very useful, that filters out a lot of junk before it's even queued. Make an SPF-record in DNS, telling the world only to accept mail for this domain from your servers. That makes it less likely that someone can abuse your domain to send spam, possibly leaving you with a lot of bounce messages. Checking SPF-records (and a whole lot more) can be done here:

    https://mxtoolbox.com [mxtoolbox.com]

    DKIM isn't particularly difficult to set up, and everybody loves a signed message. Create one keypair for all your domains, or a separate pair for every domain, whatever you want. Then publish the key in DNS and check if it works. A nice site to do that is this one:

    http://www.appmaildev.com/en/dkim/ [appmaildev.com]

    If you have SPF and DKIM (and why wouldn't you?), you might consider using DMARC too. You publish your policy in DNS, so that every receiving mailserver can check what to do with a message that fails, for example, the DKIM validation. OpenDMARC can check the policy for incoming mail, and can send status reports. Most of DMARC is configured in DNS, this document gives a good overview of how you should set up a machine that uses all of these techniques:

    https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/ [skelleton.net]

    And then there's spam and virusfiltering. I'm running a combination of SpamAssassin, Razor/Pyzor and ClamAV for that, which was basically one install of Amavis and then some tinkering to get it right. My next server will probably use Rspamd for that.

    Is it still worth hosting your own e-mail? Hell yeah!

    • what you don't mention is when your hosting provider gets a legal request

      will Gmail or office365 legal dept get a legal request from the government or legitimate request in the USA do they hand over all your data...

      Yes you should run your email server in the country you operate in since you pay tax's there and abide by the laws and have those laws protect your privacy

      i.e.
      USA should host their email in the USA
      Canadians should host email in Canada
      Germans should host email in Germany
      etc etc

      WHY do companies/peo

  • I just telnet to port 25. Problem solved, Helo.
  • http://vax.zia.io/mail_part_1.... [vax.zia.io]

    Be patient. It's running on a real VAX.

  • You can use something like Webmin/Virtualmin on various Linux or a FreeBSD system. The system can be a PC or a virtual machine hosted somewhere.

  • Many of the folks around on Slashdot were part of the generation that handled the consumer-level rise of email in the '90s and 2000s. The basic concepts haven't changed... about the only differences now are the number of DNS-related validation mechanisms that you'll want to adopt to help increase the legitimacy of your domain.

    Once you've done things like setting up SPF records, added DKIM and other signing, and set up certificates, it's not much more difficult than it was 15 years ago. Now, admittedly I'm c

    • by rnturn ( 11092 )

      "If you're setting up an open relay, I don't *want* your mail server on the internet thanks

      You'd think that this problem would have been automated out of existence by now but I'm still surprised by the number of attempts that I see in my logs as a result of sites trying to use my server as a relay.

  • Not the RFC https://tools.ietf.org/html/rf... [ietf.org] the question is do ya still grock?

  • Really not that hard to set up if you have a clue about how email works. Add some spam-protection though. I have greylisting, spamhaus DND-RBL anda custom spamassasin config.

    You learn a lot and it is the difference between a luser and somebody that understand how things work. Comes in handy all the time.

  • I actually can't imagine not running my own; I've been doing it since the mid-late 90s one a server at home. I still am as I'd prefer it all be on-prem (my prem, dammit!) vs someone else's. But that's neither here nor there.

    My "stack" has grown a bit complicated over the years because of the sheer amount of spam I get. Spamassassin is good, but not good enough. In fact, not good enough by a long shot. Not for the crap I'm getting, even after carefully training it. It looks like:

    - Port 25 blacklist (wi

  • National Security Letters (NSL) are the reason I run My own email server. I want the 4th Amendment protection. I have been running my own email server since 1995, and yes, it is getting more difficult. For three years in 1999, I co-locate two Dec Alphas as my web and email servers. I checked them maybe once a years. Now I have to update and maintain then daily. I am using docker inside a VPS to reduce maintenance.
    If your privacy is important and you want to stay current on security, you should run your ow
  • I seem to recall in the last few years (?) we had another story about this. Spam was the problem, but not as people think it is here.

    The gist of that article was that it was of questionable use to operate your own email server anymore, since all the big email domains would tend to dump emails from YOUR rinky-dink domain as spam. People who attempted it back then reported that most messages sent from your (unrecognized) domain never make it to their recipients, if it involved any of the major email domains
  • I have running my own email server from home now for many years using a CentOS server. You have to jump through quite few hoops to get Gmail and the likes to accept your email but even then your email is often delivered to the recipients spam folder. Basically an annoying PIA.

    The amount of spam you receive is huge but when you analyse it you soon realise that 70% of it comes from certain ISPs or countries which do not seem to have any real users i.e. they 100% spam sources. About 100 entries in your ip
  • I run my own mail server since 1997, and today I find more and more problems from Google than from any spam messages. Spam is relatively easy to deal with, but Google rejecting your messages out of blue isn't. Their internal anti-spam logic punishes small mail servers, no matter what you do. Reverse zone, spf, dmarc, whatever. Sometimes messages from my server pass to @gmail emails for months and sometimes don't. Google does not provide any choice, nothing lands into spam folder, nothing. They just randomly
  • We run a couple of cPanel servers to add value to our web design and IT services business. It's nice to be able to provide a gold plated, over engineered, reliable service to make our hard work shine. While cPanel has a great out of the box email implementation, one thing that really bugs me is our inability to provide simple contacts and calendar, without client end plugins.

    Most small business and individual users want something pretty simple, to have their email, contacts and calendars available on all

  • by Chewbacon ( 797801 ) on Sunday May 12, 2019 @10:38AM (#58577962)

    Subject has the three challenges summed up. There are advantages to this such as privacy and you can tune your service to operate how you want. I like Gmail's spam filtering, but I can setup something similar and almost as effective - even if it isn't as good as Gmail, the privacy would be a good trade off. So I've setup and ran a few of them. Two for personal use, but cost eventually turned me off. Now I'm setting up another one with a more cost effective solution (about $60-70/year).

    My favorite software setup is Dovecot, Postfix, and MySQL. This allows you to run multiple domains as "virtual hosts." Can easily find a howto to get you started, but don't let that be the ultimate authority. There's still much to learn and do! You'll have to handle spam and antivirus somehow. You'll need SSL. You'll need an IP that isn't blacklisted. I don't find the learning curve terribly steep, but it is an undertaking to get things running.

    My latest idea is this: running the server at home, using a VPS service as a VPN for the public IP. Services at home connect to the VPN, a little routing and firewalling points connections from the outside VPN to appropriate services on my home server. Cost? About $60-70/year.

Do molecular biologists wear designer genes?

Working...