Ask HN: Self Hosted vs. Gmail / Outlook?
62 points by zabana on May 4, 2017 | 64 comments
I'm currently using Gmail and getting more and more worried about my privacy. I'd like to know my options if I decide to jump ship. Should I set up my own email server? Or use another less invasive service? What are your thoughts? How do you reconcile email and privacy?



If you're worried about privacy, I hope all your contacts use GPG. Practically none of my contacts know how to use that. Practically all of my contacts use Gmail and Outlook.com. That means all of my emails will end up in Google's and Microsoft's hands anyway. I'm sure they will build shadow profiles on me (especially since I'm a former customer, using the same domain alias on my new host as I did with them).

That being said, I recently switched to https://mailbox.org (they have a very good reputation). Mainly because I love the web UI; it's an awesome service and I get CalDAV and CardDAV that works beautifully.


I found that mailcow is a bit too heavy on the requirements. Instead I've started using mailcow (https://mailcow.email/) which runs a mail server in docker.

It's a bit less of a hassle to actually start up and keep maintained.


Setting up your own email server will bring you into the wonderful world of big email corporations not delivering your emails until you subscribe to their whitelist with, for some of them, a subscription fee.

Back in the time, I had this problem with sending emails from my private server to yahoo or microsoft (hotmail, live.com, etc...), both refusing to deliver my emails to their clients as I could be a potential evil spammer.

For the subscription fees, a few weeks ago I saw a price chart for <I don't remember which company, probably Microsoft> about how much you have to pay them depending on your situation and how many emails you plan to send to their servers. Unfortunately I didn't find this page again.

I think the best option is to go for a paid service with a good privacy policy. It will cost you a lot less in time and probably in money. Also, they will probably be more reactive than you in case of a problem, and more aware about security.


I've heard this before, but I have my own vanity domain, a well run mail server (postfix), and I've never had a problem. I do support DKIM, SPF, DNSSEC, and of course I don't send spam.

I have heard that newly registered domains do have a period before they are trusted.


I can confirm that. It took me a while to get a sane mailserver setup, but eventually I don't have any troubles with Gmail/MS/Yahoo anymore.


I used to run my own mail server for ~7 years and never had issues. I used DKIM, SPF, etc and still do although they're problematic with mailing lists...

Postfix before, openSMTPd the last few years.


I've been running my own mail servers for quite a while and I can assure that this is total nonsense. No large email host charges a fee for mail delivery. There are some rogue antispam solutions that do so, but they are rare and only used by shady small email providers. There's even an RFC stating that charging for blacklist removal is forbidden.

You will sometimes have delivery problems, although the problem is much smaller than often painted. But they can usually be avoided if you don't send spam (many people send spam but like to call it differently - your newsletter that you subscribe people to who haven't asked for it is spam) and if you properly react to error messages and abuse reports.


Have you implemented DMARC? Is the effort worth it?


I agree with you but wanted to give a data point that I have been self hosting with cloudron on digital ocean for almost 2 years now and I have had no problem with mail delivery.


Use a paid service. I use Fastmail. It baffles me every day, how HN is obsessed with Gmail as if there was no alternative and are willing to trade a minor improvement in comfort over having every email read, analyzed, indexed, profiled and put into the Ad machine. I'm also surprised that so many people use the web client and not a native client with IMAP.


What are you talking about? HN is full of people pushing Fastmail over Gmail.


I'm talking about the number of stories about Gmail and their respective upvotes: https://hn.algolia.com/?query=gmail&sort=byPopularity&prefix...

Gmail is popular on HN, and probably more popular than all other alternatives.


I agree with noja, fastmail is pretty popular on HN.

Nonetheless, I use it as well and I'm very happy with them. The Android client is sometimes a little weird, but mostly it works and you can always use one of the many IMAP clients if you want. And I prefer their web interface over Google's.


After years of self-hosting I finally switched to https://protonmail.com and I'm much happier for it.

Self-hosting is still possible nowadays but email delivery is an uphill battle. You can expect to write several major email providers to remove you from their blacklists even if your address and domain reputation is good.

VPS privacy and security is questionable and dedicated servers are usually expensive. Hosting SMTP from home is virtually impossible without a VPN to a "proper" IP.

Are you willing to spend the time to update all parts of your infrastructure on a regular basis? Are you certain you will keep up to date on recommended ciphers and protocols?

How is your data going to be secured at rest? If it's encrypted, how are you going to provide the keys during unexpected reboots?

If you want push notifications, synchronized calendars, contacts and notes you will need to add another layer of complexity to your setup.

Critics of Protonmail and similar will point out that browser based encryption is a weakness, however that doesn't change the fact that it is a major step in the right direction. The battle for privacy is fought in depth, not absolutes.

Protonmail is hosted in a Swiss datacenter, run by a Swiss company under strict data protection laws. They offer a free tier and a paid one for your own domains.

If you still want to go the self hosted route iRedMail and Mailinabox both work well. Sovereign runs too many services - it should really be split into VMs or containers.


I can second this. I used to selfhost mail and it was a lot of work to keep up. Nowadays I am also quite happy with protonmail but since I got cloudron installed for other services, I just enabled mail there and will see how that goes over the next few months, so far so good. Hopefully I can go back to email selfhosting through that in the long run.

Also I agree, the privacy implications when using a VPS are still something worth taking into account.


Hi, we had similar concerns about privacy and have built https://cloudron.io to solve not only the hassle of setting up email but also other services where applicable selfhostable options are available.

The mail server is fully built into the platform itself and automatically takes care of all the tiny details required to get over the often stated deliverability issues (SPF, DKIM, PTR, ...). So far we have found that many of the issues described here are not actually a big issue as long as everything is set up the way those large providers want it to be. The occasional report from a user about getting blacklisted usually is a matter of submitting the required form on the provider's unlisting site. They do act timely as well in my experience and the process is not very time consuming.

Overall I was pretty surprised how well it works in the end, given that there are so many reports that self-hosting email is too complex to deal with.


Cloudron is the best of its kind, I always recommend it to non-technical people that need self hosted services.


This is fantastic, great job!


I have been setting up mailservers since the '90s when you still had to deal with sendmail's configuration format. I've used most email servers available on unix platforms. And I'm also someone who wants to do everything myself and not depend on anybody else if I don't have to. Still, and it hurts me to say this, it might simply not be worth your time. I use a paid service for my main mailbox now.

I have a mailserver handling some personal email, but I feel it's too risky (to take the responsibility) and too much effort to host email accounts for just a few other people. You can and probably will be every once in a while blacklisted by one of the big providers or have legitimate email bounce, even if you have SPF, DKIM, TLS and your own spam filters set up. You also have to keep an eye on your servers to see if no new filth gets through. And you'd probably want to keep a backup relay ready. You have to provide ways for the users to configure or fine-tune their individual spam settings and mark messages. You most likely want to install a web interface next to the IMAP and/or POP service, which opens another can of worms.

I feel I'm too old now – meaning I have so many other responsibilities – that I don't want to babysit something that is after all rather crucial and should "just work". If you have the energy and time, please go for it, otherwise just search for a reliable paid service.

Note that assuming privacy when talking about email, even though most protocol interactions might be encrypted these days, is in my opinion somewhat misguided. Don't use email if it's truly private. Or use end-to-end encryption, such as PGP.

There might be a hole in the market for a company that helps geeks host reliable email servers, for those that want more control than just an IMAP account with sieve support, but maybe the margins are too low and fighting spamming subscribers too hard.


I'm the ex-CTO of Lavaboom, a German startup that did encrypted email. Right now I'm working on Oakmail, which will be even more radically open and easy to use. I reckon it will be 2-3 months before we launch an open beta (and of course you will be able to deploy it any time once it's usable).

https://oakmail.io/


If you have concerns for privacy, find a paid service you trust.

Hosting an email server yourself is a great learning exercise but you'll be forever playing whack-a-mole with spam and wondering if your setup is actually properly secure and waiting for the day you get hacked.

I did this myself for a few years and at one point had very few deliverability problems, then one day out of the blue I ended up on a black list and started getting complaint emails. After that it was either rebuild on a new ip address and start again or choose a paid provider and move on, I did the latter and opted for Fastmail.


If you're concerned about privacy, don't use a free service. Pay for it and the privacy concern usually goes away. If you're specifically concerned with US laws go German: https://posteo.de/ is a good one to consider.


How exactly do privacy concerns "go away" when you start paying? Your email is still readable by a third party.

On the other hand, I can see trusting a paid provider more for reasons of stability, level of support (in case, say, I lose access to my account), and continued development (the Gmail webclient has been relatively stagnant for a while now).


It may be readable by them but their life (as a business) does not depend on the content of your conversations. That's a big difference.


This is true with Google, as well. Yes, my earlier comment was about setting up a domain on mailinabox. That said, for my business? I use G Suite. For everything. I pay. No ads. No privacy concerns. It just works.

I keep backups, but in ~13 years (I've been on Gmail since nearly day one) I've never had any issues.


I was amazed to find out that is just 4 euro a month per user. I mean, if someone (or a company) cannot afford this amount, then they don't really value their privacy.


Either way they're going to be digging through the emails. NSA and I think the US military is allowed to hack into any communication traversing boundaries between countries. And Germany is also part of the alliance of the many eyed spies. You're either going up against NSA/Military grade surveillance that feeds into FBI, DHS, CIA, etc... databases, or going up against "internal" politics and services that does the same.


If your threat model includes NSA you're fucked.

For everything else, use Signal.


How is Germany any better?


Here privacy is like a king. Everyone must ask permission to access any data, otherwise a legal hell will unleash.


Simply not true. Telekom gives your data on a plate to whichever agency wants to access it. To the point that an NSA watch post is 5 minutes away from the Telekom headquarters in Darmstadt.


Not anymore. Yes, they used to, but since some incidents with NSA spying on Merkel & Co, they closed all such collaboration programs. Now they are building something like a closed garden, where only German interests have access.

Whether this is tamper and intrusion proof is another story.


The Merkel case was denounced by an infosec outsider during a local security event. The local government/news played down the shock and made sure that no real (legal) consequences would happen. Would therefore say that collaboration is still happening, perhaps not so voluntarily with the new gov but doesn't really differ much.

More worrying is the dark fiber backbone between Frankfurt and Darmstadt and the satellite uplink from both space agencies placed in the same city. Plus the fact they keep hiring more contractors to work on that specific location. If critical networks are monitored, civilian networks stand less of a chance.


Judging by the country's past practices and the prevalent culture of "I value my privacy, yet want to know everything about you" I'd rather have the Americans or the Russians reading my mail.


If you're worried about privacy check https://protonmail.com


http://mailinabox.email

Formerly, I'd say maintaining your own email server isn't easy. It was hell trying to set one up 10-15 years ago. This guy (and the contributors) have made it about as easy as it can get. I've hosted mail for one of my domains on a DO droplet, where I set up a mail server with that guide. Been running it for ~4 years. No issues. Highly recommended.


In a similar vein there is docker-mailserver [1].

[1]: https://github.com/tomav/docker-mailserver


Running an Ubuntu LTS makes it pretty easy. There are many guides. Make sure you control DNS that allows you to set MX and SPF records and the like. It's really just tweaking a few config files after you apt-get install dovecot postfix amavisd clamav. If that sounds scary, pay a few $ a month for protonmail, fastmail, or one of the others with a decent reputation.


iRedMail is a pretty good project too


Interesting, I am not the only one. Additionally for me, it's also pretty expensive to host domains for all my startup-ideas on gmail. I know, it's just $5/user/mo, but if you run 20-30 "fun ideas" it adds up...

So I used a scaleway.com instance and installed https://github.com/sovereign/sovereign/

I forked it and made it especially for my own usecase working for the scaleway VPN https://github.com/tomw1808/sovereign

So far I am pretty pleased. I opted against mailinabox because I want to use the server for other things too and mailinabox strongly suggests against it...


I can highly recommend Mail-in-a-Box [1], especially if you're looking for a solution that is secure, easy to install, and doesn't require any fiddling. You can host it on a cheap VPS for $5 a month and it'll happily chug along without any problems.

Deliverability will only be an issue if you land up on an IP address that was previously abused, so it may be worth checking out the IP address reputation on DNSBL [2] before setting up Mail-in-a-Box.

Make sure you configure an SPF record for the server's IP address, and then also set up DKIM and SPF. I have yet to see any deliverability issues using this setup.

[1] https://mailinabox.email

[2] http://www.dnsbl.info
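
The pre-flight checks this comment describes (look the server's IP up in a DNSBL, make sure the SPF record covers it), sketched as an added example that is not part of the original comment or of Mail-in-a-Box. `dnsbl.example`, the addresses and the SPF records are constructed placeholders, and only the `ip4`, `ip6` and `all` SPF mechanisms are evaluated because the others need live DNS.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def dnsbl_query_name(ip, zone):
    """Build the DNS name to query for `ip` in DNSBL `zone` (RFC 5782).
    An A record in the answer means listed; NXDOMAIN means not listed."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))           # reversed octets
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # reversed nibbles
    return ".".join(labels) + "." + zone

def spf_result(record, sender_ip):
    """Evaluate ip4/ip6/all terms left to right (RFC 7208 order).
    Returns (result, skipped); skipped lists terms that need DNS."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", []
    addr = ipaddress.ip_address(sender_ip)
    skipped = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror", skipped  # malformed network in record
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier], skipped
        elif name == "all":
            return QUALIFIERS[qualifier], skipped
        else:
            skipped.append(term)             # a, mx, include, redirect=...
    return "neutral", skipped                # nothing matched, no "all"

def preflight(record, server_ip):
    """Return findings worth fixing before sending mail from server_ip."""
    result, skipped = spf_result(record, server_ip)
    findings = []
    if result != "pass":
        findings.append(f"SPF evaluates to '{result}' for {server_ip}")
    if record.split()[-1:] in (["+all"], ["all"]):
        findings.append("record ends in +all: any host passes SPF")
    return findings

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    server = "203.0.113.25"
    print(dnsbl_query_name(server, "dnsbl.example"))
    print(spf_result("v=spf1 mx ip4:203.0.113.25 -all", server))
    print(preflight("v=spf1 ip4:198.51.100.0/24 ~all", server))
```

The name returned by `dnsbl_query_name` is what you would pass to `dig` or a resolver library against a real blocklist zone.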


I find this funny because your own email is on Google apps.


You may want to consider German-based Tutanota (https://tutanota.com) who uses open-source cryptography, rather than some alternatives such as Swiss-based ProtonMail who use a combination of open-source and proprietary closed-source cryptography.

Failing that, head on over to https://privacytoolsio.github.io/privacytools.io/ and check out alternatives and other related information.


I use GoogleMail behind a custom domain ($50/year) and am quite pleased. I used to be a FastMail customer but a couple minor outages and weirdness around billing made me switch a few years ago. Functional "report spam" is a big win for GoogleMail, and as an apps (or is it "GSuite" now?) customer you don't have to worry about ads/privacy issues. Don't self-host, I self-hosted (Postfix/Dovecot) before using FastMail and it was a huge headache between reasonable spam filtering on the receiving end, and undelivered/spam-marked emails on the send side, although I learned a lot by self-hosting. Also, it was hard to pretend I was serious about privacy/security when I was self-hosting on a box that any Linode admin could shell into as root, especially after Linode's security dramas. This is not to say that self-hosting cannot be cheaper and more secure than alternatives, but if you're not a full-time sysadmin regularly setting up mail hosts, you probably will get something(s) wrong. I never could silence that voice in the back of my head saying "what if some really important email couldn't be delivered to/from me?", which was sometimes right. As others have said, you have to use GPG if you're serious about privacy, regardless of your email provider. Anyway, for me, $50/year is a great deal for reliable email with good spam filtering, and being able to use my personal address/domain for Google Hangouts and Docs is a decent win for collaboration.


I run Postfix & Dovecot (with SPF, DKIM, DMARC, DNSSEC, TLS) from my home network with a remote backup just in case it goes down, as well as my own DNS servers.

I had to ask my ISP to disable some rules on their end and pay a fee to have a static IP address, but overall it was pretty painless. Though I can imagine some providers being much worse.

After the initial hurdle of setting everything up in my experience everything went mostly fine. I had to whitelist my domain on Microsoft's site, but Gmail and Yahoo worked fine from the start. I haven't had a problem since. My university teachers receive my email just fine, so did my co-workers before I was given a corporate email address.

Is it worth it? Maybe not. It was more of a learning experience for me, but I find it works just as well as any other provider I've used. At least for now.

As others have said there are lots of outdated guides. I found the Archlinux Wiki and the manpages to be the most useful resources. Also please stay up to date on the software.


Setting up Dovecot (with master-master replication) and Postfix (+ spamassassin, dmarc, SPF) isn't too bad. There's a lot of dated guides out there though. Stick to the man pages as far as possible.


Running your own mail server is more work than it might seem, especially when it comes to setting up security and spam filtering and such.

If you want to use another web mail service other than GMail then I can recommend:

https://kolabnow.com/ (the lite option just gives you webmail)

or

https://posteo.de/en (very green-energy and privacy focused)


If you care about privacy _and_ freedom, check out Kolab Now.

https://kolabnow.com/


Can someone share their experience with Kolab Now? I'm almost convinced but still have some doubts. What about them versus Fastmail? Fastmail is a USA-based entity so has their own cons. What about customer service if something goes wrong? Can we report bugs somewhere etc.

I'm not planning to hide from Mossad or NSA, but have some above average quality and privacy service, not funded by bulk selling my data.


Fastmail is an Australia based company. They do operate servers around the globe and have a significant presence in the USA.

https://www.fastmail.com/about/company.html

I am not implying this is any better or worse for your privacy. I personally use and trust Fastmail with the security and privacy of my email. However everyone concerned about such matters should do their own research and decide based on their own needs.


I've been using Kolab for personal mail for a few years. No complaints, but no raving reviews either. There is downtime for a few hours once or twice a year, but I haven't missed any emails or anything that I know about.

It's amazing how little storage, features, uptime, spam filtering, integration, etc you get for your money when you move away from Gmail! But servers and engineers aren't free, and I'm happy to pay for things I depend on (more people should realize this!).


That's what I use. Works great and I've only ever had a few hours of service interruption.

One alternative I would suggest to people trying to decide between self hosted or hosted email is to consider a hybrid. Host your own inbound SMTP, but use a service for outbound, e.g. Mailgun. The hardest part of running a mail server today, is getting your email accepted by the receiving SMTP server.


The premise here is that services such as gmail or outlook don't respect the privacy of their customers. Can someone point me to an actual case where gmail for business (using gsuite) or outlook haven't respected their privacy engagement? Or a serious report on that matter? Thanks.


I chose Google GSuite to avoid non-delivery of emails which was happening when I was still on self-hosting. Most emails I send used to be marked as spam and blocked. Not anymore. Fee I pay every month is very low compared to the time I used to spend managing my own servers.


I'm using gmail for my daily use and tried maintaining my own server and it was too much effort.

I'm a little bit worried what happens when gmail is blocking my account for whatever reasons, but if, I would create a second own managed mail address only for accounts.


I'm really happy with https://www.migadu.com. I just converted to paid. It's nice to be able to add users and domains without a price change.


One of the small businesses I work with has used them for ~6 months. Way too many rejected emails and mail server failures for my comfort (about 1%). I'm probably going to switch soon if the problems aren't resolved. Too bad, the product and price is perfect for our needs otherwise.


ProtonMail? Fastmail?


I just set up a new domain on ProtonMail. I like it. No IMAP though.


The lack of IMAP is my main issue with protonmail. Not that I need IMAP as such but it's one way of doing a local backup. Right now they have no way for you to back up your email except saving them one at a time from the browser.


So it's just browser based, but they do have mobile apps it seems.

Also looking into it, there's an "IMAP bridge" being developed to allow use of traditional MUA.



Pay for a good email service instead of selling your private data to the advertisement industry. I personally use Fastmail and they are awesome.


Setting up your own mailserver and especially maintaining it is a lot of work.

Hosted I would look at fastmail, mailbox.org and proton mail.



