
Dank-selfhosted: automated deployment of email, web, DNS, XMPP, ZNC on OpenBSD - indigodaddy
https://github.com/cullum/dank-selfhosted
======
sashk
This reminds me of another OpenBSD-based project, but just for hosting emails —
caesonia[1], which was recently discussed here[2].

[1]: [https://github.com/vedetta-com/caesonia](https://github.com/vedetta-com/caesonia)

[2]: [https://news.ycombinator.com/item?id=16392096](https://news.ycombinator.com/item?id=16392096)

edit: formatting

------
SamWhited
Their default Prosody config looks pretty nice; having an easy way to deploy a
local chat service that has reasonable defaults like stream management,
carbons (messages you sent are mirrored across all your clients), history, and
HTTP-based file sharing is really nice.

~~~
ge0rg
Indeed, it would be great to have a standalone recipe / how to for setting
that up. From the scripts there is no black magic involved, except a tiny bit
for the integration with LE certificates.

~~~
toomuchtodo
> it would be great to have a standalone recipe / how to for setting that up.

You could probably distill that from their scripts. Be the change you want to
see in the world!

------
ge0rg
Looks like this is similar to other self hosting projects like FreedomBone and
NextCloud. It's great to see more tools to take back control over our data.

~~~
secfirstmd
Similarly Cloudron.io and Sandstorm.io are very impressive and easy to use
projects.

~~~
indigodaddy
Sandstorm is great but apps really don't get updated anymore sadly. The
founders also now have day jobs with CF, so probably don't get oodles of time
to work on it.

Cloudron I've heard is excellent, completely dockerizes and automates
everything with a slick webui, has lots of apps, however I just am unwilling
to pay $15 a month for it.

Will likely roll my own apps/services with Rancher/haproxy/LE (or traefik as
the reverse proxy/SSL term) on my sufficiently beefy Netcup rootserver KVM
instance (at 8G should handle everything I want to do, but will likely use up
most of its resources which is fine).

~~~
zaroth
The situation with that first thing you talk about, pretty sure it’s a direct
result of the situation with that second thing you mention.

~~~
marmaduke
Yep, funny to see such an A/B test situation play out and people want neither.

~~~
nothrabannosir
I've been looking for a solution like this for years and was ready to pull out
my CC when I saw the $15, assuming a "/y". But I have to say, "/m", wow.
Between that and "free", it's not really A/B, more like A/Z with a lot of
letters in between.

------
pickpuck
Awesome Self-Hosted vs Dank Self-Hosted

Ha. I'm not sure of the intent, but I like this as a naming pattern for
different kinds of projects.

Maybe awesome is friendly and optimistic.

Whereas dank is a little more "Really not suited for the general public, no
automated password reset, no web GUIs..."

------
mcny
Probably is trivial but I figured I'd ask anyway.

A one click "email" server which allows you to receive emails from anywhere
but only send emails to addresses on the current server. If I don't send
emails, I don't need to worry about people not being able to receive my
emails, right?

~~~
matthewaveryusa
That's correct. For outgoing, assuming you set up certs and DNS correctly, the
main challenge is your IP that's in an ISP CIDR which gets marked as spam.

I have a small instance on AWS that forwards my outgoing email and it works
great.

~~~
mcny
I was thinking of a mail server for not very technical people that is easy to
install and update.

The use case I'm thinking of is let's say I have a domain like foo.bar. Each user
gets a sub domain like user1.foo.bar. User 1 can send emails to anyone with an
email address of *.foo.bar but nobody else.

User 1 can get emails from anyone at *anything* at user 1 dot foo dot bar.

For example, facebook at user 1 dot foo dot bar.

The main benefit this project would have is zero customization. No setting is
customizable and the whole thing is an appliance that keeps itself up to date.

Thoughts?

------
guiomie
Could there be, or is there already, a self-hosted version of a facebook clone? For
example, you'd configure other servers and they would all talk to each other,
giving access to someone's shared album, wall and profile.

~~~
ahriman
Diaspora is what you're thinking of. Mastodon is a federated twitter clone.

------
surferbayarea
Self hosted email, chat, messaging, calls is the future. Individuals will own,
host and run their own services for these on public clouds. There is no reason
for giant corporations to own these services.

~~~
wskinner
I admire your enthusiasm, but most users don’t want to think about or manage
these things. Convenience and consistency of experience is the reason for
giant corporations to own these services, and unless there is a compelling
shift in consumer preferences, that seems unlikely to change.

~~~
z3t4
It doesn't need to be that difficult. For example, you do not need a CS degree
to own a TV, or a smart-fridge, it just works.

~~~
bananadonkey
Can you open source your TV and smart fridge designs so we can get in on the
action?

An intro to your parts suppliers and negotiating mates rates would also help.

------
ttul
MailChannels offers five free inbound filtering domains with each outbound
mail relay account. If you’re self hosting your mailboxes, this could be an
easy way to handle the inbound and outbound spam control and delivery part.

------
reilly3000
Email delivery issues usually come up in discussions around self-hosting. If
there was a credible collective email delivery relay, I would pay to be a part
of it. Is there anything like that today?

~~~
reilly3000
^^^ self-hosted email that can still legally circumvent ISP restrictions and
enjoy gmail-like deliverability/whitelisting, by freedom-minded sysadmins
that self-police abuse in their network.

~~~
reilly3000
Here I am talking with myself...

I suppose hosted SMTP from a hosted service like SES or Mandrill could work,
as long as inbound email was handled directly by my own server. There is also
the matter of spam, but it appears there are many battletested solutions for
that. The last thing I need is wondering if my emails hit the spam folder or
not. I worked for a company with email delivery issues associated with the
corporate domain once... it was difficult to do business.

------
rasengan
I would not put all of this on the same machine.

Edit: To clarify - if one line of code is fd in any of the daemons you’re
running you’ll lose everything.

Practice defense in depth.

Minimize the damage possible.

~~~
seattleeng
what is `fd` in this context?

~~~
elchief
I think he meant "f'd" as in fucked

------
seanvk
Hosted our family email server and Wordpress blog running OpenBSD on an Old
World Mac using Dynamic DNS from home back in 2003. Specifically, I ran OpenBSD
3.4 on my G3 Blue & White with a Sonnet Tempo ATA 133 PCI Card. That was about
15 years ago. I was self-hosting. :-)

------
indigodaddy
Imagine could get away with running this on 1G with light usage/load? Also
don't see webmail here, but imagine shouldn't be too difficult to add (I don't
have much exposure to the OpenBSD landscape).

~~~
rasengan
For webmail you could use rainloop or squirrel which can use the web server
and the email server for example!

~~~
sn
Please do not recommend squirrelmail. It is not really being maintained.

[https://www.openwall.com/lists/oss-security/2018/07/26/2](https://www.openwall.com/lists/oss-security/2018/07/26/2)

[https://www.openwall.com/lists/oss-security/2018/03/17/2](https://www.openwall.com/lists/oss-security/2018/03/17/2)

[https://squirrelmail.org/index.php](https://squirrelmail.org/index.php)

[https://blog.cpanel.com/the-death-of-squirrelmail/](https://blog.cpanel.com/the-death-of-squirrelmail/)

~~~
tecleandor
Yep, Roundcube seems to work these days, I've been using it for a while
(lightly, only once a week).

------
vinay_ys
Wasn't DJB's Qmail, djbdns etc. exactly this? But at least it was a small
codebase. Is anyone still running qmail? Wonder if someone has thought of
running email entirely on their smartphone.

------
HugoDaniel
"You're crazy enough to run your own mail server :-)"

------
judge2020
Looks good for moving away from the widely used centralization services
(CF/aws for DNS, google for email, etc), my only question is how this is #1 on
HN with 12 points.

~~~
hydrox24
Hacker News uses points, (inverse) time since posting, and (inverse) number of
comments to decide the position of an item.

Lots of points in a short time with few or no comments will push an item to
the top.

------
chrisweekly
This is wonderful. Bravo, and thank you!

------
nimbius
[https://github.com/cullum/dank-selfhosted/blob/master/roles/...](https://github.com/cullum/dank-selfhosted/blob/master/roles/smtpd/templates/smtpd.conf.j2)

No RBLs? I see cullum hasn't spent any time running a mail server.

------
lwansbrough
Heads up: you should probably never host your own email on the same server as
your web/worker servers if you’re worried about IP leakage. Your IP is exposed
on outbound mail. Using SMTP services like SendGrid won’t help, either.
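
The leak described above comes from the Received trace that every MTA prepends: when a self-hosted box submits mail through a third-party relay, the relay records the address it received the message from. The following is an added example, not code from the dank-selfhosted project or this thread; it walks the Received headers of a constructed message (all hosts and addresses are placeholders from documentation ranges) and reports whether the earliest hop lies outside the relay's own network, i.e. whether recipients can read the origin server's IP.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample: mail from a self-hosted web/mail box submitted through a
# hypothetical relay service. Hostnames and IPs are placeholders, not real.
SAMPLE_MESSAGE = b"""\
Received: from relay.example-smtp-service.invalid (relay.example-smtp-service.invalid [198.51.100.7])
\tby mx.recipient.example (Postfix) with ESMTPS id ABC123
\tfor <bob@recipient.example>; Mon, 1 Jan 2018 10:00:01 +0000
Received: from web.mydomain.invalid (web.mydomain.invalid [203.0.113.10])
\tby relay.example-smtp-service.invalid with ESMTPSA id XYZ789;
\tMon, 1 Jan 2018 10:00:00 +0000
From: alice@mydomain.invalid
To: bob@recipient.example
Subject: hello

body
"""

# Matches the bracketed literal address an MTA writes next to the peer name.
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return the peer IPs recorded in Received headers, earliest hop first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        match = _IP_RE.search(str(hdr))
        if match:
            hops.append(match.group(1))
    # Each MTA prepends its header, so the last one is the first hop.
    return list(reversed(hops))


def origin_ip(raw):
    """IP of the host that originally submitted the message, or None."""
    hops = received_hops(raw)
    return hops[0] if hops else None


def leaks_origin(raw, relay_networks):
    """True if the earliest hop is outside the relay's networks, meaning the
    submitting server's address is visible to every recipient."""
    ip = origin_ip(raw)
    if ip is None:
        return False
    nets = [ipaddress.ip_network(n) for n in relay_networks]
    return not any(ipaddress.ip_address(ip) in n for n in nets)
```

Running `leaks_origin` over your own outbound mail (as seen from a mailbox you control) is a quick check of whether a relay actually hides the origin host; most record it exactly as shown here.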

~~~
ge0rg
What's the problem with leaking your IP address? If you host a website or any
kind of API there, your IP is public anyway?

~~~
SturgeonsLaw
Not if it's behind a CDN. If you were to host a website that someone might
consider a DDoS target (frankly anything can be these days), then it can be
wise to keep the host's true IP off the record.

~~~
gsich
If your security is only achieved by hiding your IP, I have bad news for you.

~~~
lwansbrough
Obfuscating your IP is a foundational part of strong security for websites in
certain industries. For example: the video game industry has a lot of wannabe
hackers and script kiddies, DDoSes are cheaper and larger than ever, which
makes running services in that industry extremely expensive without proper IP
security. I know the purists think the internet should be open and
transparent, but some of us also build services in reality.

~~~
gsich
*weak security

One can scan the whole IPv4 address space in probably an hour, so you'll find
any service you want to find. You might say, "I have a CDN in front of it",
but that is just basic firewalling (or reverse proxying) and not really worthy
of being called "IP obfuscation".

~~~
lwansbrough
Firewall only lets in traffic from the CDN, so you wouldn’t find anything.
It’s almost like making sure this can’t happen is my job.

~~~
gsich
Yes, that's what I wrote.

------
Jenz
As usual from OpenBSD folks, quality README.

------
raprp
Great project!

