
Show HN: OpenBSD Email Service – A free-email alternative - h0r14
https://github.com/vedetta-com/caesonia
======
kennu
I used to do this for a long time (with Ubuntu), but over the years there was
always something popping up that required fixing, updating or other attention.
Eventually I decided to let someone else worry about maintaining the mail
services and spam filters and put my own focus on other things.

~~~
jstanley
By way of a counter-anecdote: I've been running my own email for 8 years and
spend almost no time on it. I can't recall having to do any maintenance at all
in the last 3 years.

~~~
rightos
Yeah, I do the same - I plugged in Postfix, Dovecot and SpamAssassin and
haven't had to touch it other than occasionally confirming backup scripts and
automatic security updates are working.

~~~
sfilargi
Does your email get marked as SPAM by gmail?

I do something similar, but when I send an email to a person for the first
time, it always ends up in the spam folder by GMail.

~~~
snksnk
Just relay it out via a trusted host, in addition to setting up DKIM, SPF,
etc.; that solved all the problems for me. My email server is working
excellent for many years now (OpenBSD, OpenSMTPD, dovecot) with Rainloop as
web-based frontend.

~~~
sfilargi
I have DKIM, SPF, etc. but still gets caught by spam. What do you mean by
"trusted host"?

~~~
snksnk
An email provider that is not blacklisted and allows relay. I currently use my
ISP for that.

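Taken from my smtpd.conf:

    # Credentials table: label = username:password for the relay host
    table secrets { mylogin = [email]@ziggo.nl:[pass] }
    # Relay mail tagged DKIM via the ISP smarthost using STARTTLS and SMTP AUTH
    accept tagged DKIM for any relay via tls+auth://mylogin@smtp.ziggo.nl:587 auth <secrets>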

~~~
sfilargi
Oh, I see, thanks!

It kind of defeats the purpose, since now the third-party will be able to read
all my outgoing emails, and have control over them.

~~~
tux1968
You're transiting over their network anyway -- the jig is already up even
without relaying via their gateway.

~~~
justinclift
Connecting directly to the remote (non-ISP) mailserver with TLS shouldn't
reveal any message contents.

Relaying via the ISP's mail server though (even with TLS) seems like it would
disclose the message contents.

------
webaholic
There is also mail-in-a-box:
[https://github.com/mail-in-a-box/mailinabox](https://github.com/mail-in-a-box/mailinabox)

~~~
splitrocket
This. The hard part of hosting your own mail is emphatically dns and
deliverability. Mail-in-a-box does all of the dns magic to ensure folks get
your email. The rest is gravy.

------
Tepix
LowEndTalk.com will help you find a super cheap VPS.

However I would advise using dedicated hardware for the server instead for
improved privacy. There are two possible routes:

1) Rent a cheap dedicated server such as the Kimsufi line by OVH or the
Personal line by Online.net. These cost below 10€ a month.

2) Run the email service on your box at home and use the cheapest VPS you can
find just to tunnel a non-dialup IP address to that box using OpenVPN. The
cheap VPS usually costs less than $10 per year.

~~~
h0r14
When renting a dedicated box, a VNC-like interface is required to enter disk
encryption password, which could be intercepted by the host. Moreover, this
has to be done on each restart. I look at dedicated box more as an upgrade
from VPS.

For privacy, I think user encrypted email messages provide the best option.

At home self-hosting through VPN is a good idea. It would involve maintaining
hardware, which I traded for low cost VPS. With a replica backup MX, I am not
married to any hosting provider, and can hop without downtime.

~~~
nickpsecurity
"a VNC-like interface is required to enter disk encryption password, which
could be intercepted by the host."

There's a rule in security that anyone in physical possession of your device
should be assumed to have access to it. The host has the server whether
physical or virtual. You're not safe from them. Trusting them is the tradeoff
made for the cheap, hosted server.

"I look at dedicated box more as an upgrade from VPS."

Multiple VPS's share a physical box. A malicious VPS can look for secrets in
another VPS using side channels. This isn't possible on bare metal: they have
to compromise an app or get a shell first. The next concern would be endpoint
security. OpenBSD covers that well. Then, there's host or peripheral firmware
which is almost always a risk if a 3rd party is hosting things. Your attack
surface does go down, though, when you're not sharing a box with an attacker.
There's also the performance benefits.

~~~
h0r14
Privacy from host is not possible, and you make a very good point about
hardware access.

Virtual machines are secured by the shared host. I don't really expect top
security from this end. A replica backup MX enables me to safely change hosts,
if they behave badly.

OpenBSD defaults are what I base my endpoint security on, and keeping this
updated is super easy.

~~~
nickpsecurity
"Virtual machines are secured by the shared host."

Virtual machines are not secure in mainstream implementations. The tech they
use has had a lot of vulnerabilities in the past. Google and Amazon even have
their own custom versions for improving security. There's also no covert/side
channel analysis done on those to even know what information leaks will be
found in the future. Finally, hardware-level attacks are possible if you have
malicious code running that bypasses VM protection. Most popular recently is
Meltdown/Spectre.

There's only been a few VMM's designed for security (two examples below). Most
of them probably cost five to six digits to license. The FOSS ones are alpha
or beta quality without the tools a big host would want for management. The
VMM's focused on rapid development of features in unsafe languages don't look
anything like the ones that passed pentesting. They also have highest
marketshare due to those features. So, your host serving cheap VPS's is almost
certainly not using a secure VMM: they're saving money using an insecure one
on insecure hardware that they're patching as vulnerabilities are publicized.
Like almost everyone does with their OS's for their beneficial features. ;)

[http://www.cse.psu.edu/~trj1/papers/ieee-sp-vaxvmm.pdf](http://www.cse.psu.edu/~trj1/papers/ieee-sp-vaxvmm.pdf)

[https://ghs.com/products/safety_critical/integrity-do-178b.h...](https://ghs.com/products/safety_critical/integrity-do-178b.html)

------
a012
The hardest part to me is to get an IP address that's clean so your outgoing
emails won't be marked as junk. Also, then you'll have to get help from the ISP
to update PTR records for your IP address, it's not worth it.

~~~
h0r14
I guess I was lucky because I haven't encountered a "dirty" IP yet, but I only
tested 6 VPS providers so far.

PTR records are updated from the VPS provider web interface, it takes a few
seconds to activate.

~~~
Tepix
The last time I rented a new server I checked the IP in the various
blacklists. There was one blacklist that had listed the entire subnet the
server was in. I asked them to whitelist my IP address in that subnet which
they did. It took only a few minutes to write an email.

~~~
dozzie
It took quite a lot of knowledge of what blacklists are out there and time to
check them all. It's hardly "just a few minutes to write an e-mail".

~~~
kbenson
There have been sites that check an IP against the vast majority of blacklists
for well over a decade, and they've been free as well.

[https://encrypted.google.com/search?hl=en&q=how%20to%20check...](https://encrypted.google.com/search?hl=en&q=how%20to%20check%20my%20ip%20for%20a%20mail%20blacklist)

~~~
haroldp
I run RBL checks a few times a day in Nagios, so I don't get surprised.
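
Added example, not part of the thread: the kind of scheduled RBL check described in the comments above, written as a Nagios-style plugin in Python that covers IPv4 and IPv6. The zone names, the sample address and the fake records are constructed placeholders; substitute the DNSBL zones you actually monitor.

```python
import ipaddress
import socket

OK, CRITICAL, UNKNOWN = 0, 2, 3                  # Nagios plugin return codes
DNSBL_NET = ipaddress.ip_network("127.0.0.0/8")  # RFC 5782 answer range

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets (or IPv6 nibbles) and append the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def system_resolver(name):
    """A-record lookup; None means NXDOMAIN, i.e. not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return None
        raise  # timeouts etc. must not look like a clean result

def check_ip(ip, zones, resolve=system_resolver):
    """Return (nagios_code, message) after querying every zone for ip."""
    listed, errors = [], []
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except OSError as exc:
            errors.append(f"{zone}: lookup failed ({exc})")
            continue
        if answer is None:
            continue
        if ipaddress.ip_address(answer) in DNSBL_NET:
            listed.append(f"{zone} ({answer})")
        else:  # e.g. a resolver that rewrites NXDOMAIN to a search page
            errors.append(f"{zone}: unexpected answer {answer}")
    if listed:
        return CRITICAL, f"CRITICAL: {ip} listed on " + ", ".join(listed)
    if errors:
        return UNKNOWN, "UNKNOWN: " + "; ".join(errors)
    return OK, f"OK: {ip} not listed on {len(zones)} zones"

# Constructed sample data: placeholder zones and fake records for offline runs.
ZONES = ["dnsbl-a.example", "dnsbl-b.example"]
FAKE_RECORDS = {"25.2.0.192.dnsbl-a.example": "127.0.0.2"}

if __name__ == "__main__":
    code, message = check_ip("192.0.2.25", ZONES, FAKE_RECORDS.get)
    print(message)
    raise SystemExit(code)
```

Calling `check_ip(ip, zones)` without the third argument uses the system resolver; lookup failures and answers outside 127.0.0.0/8 are reported as UNKNOWN rather than as a clean result.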

------
scruffyherder
And for 12.50 I get exchange+office all hosted and I don't do a thing. Thanks
best part is that clients get my emails, and I'm not wasting days trying to
fight the brick wall that is Google, Yahoo, Apple, Microsoft, and every other
ISP that blocks by default.

~~~
Infernal
I don't really think the downvotes are warranted on this one - given that the
post title calls out the expense, I think a discussion on what you gain
(and/or give up) for an additional $10/mo is well within bounds.

------
dozzie
So basically, step 1: install SMTP and IMAP servers, step 2: configure them to
run your domain, step 3: configure your DNS?

~~~
Tharkun
Step 4: wonder why the hell people aren't replying to your mails. Step 5:
realize you've been blackholed by gmail and hotmail with no bounces and no
explanation. Step 6: frustration. Step 7: tell people to add your e-mail
address to their address book (wtf) and watch as things magically work for a
while. Step 8: repeat.

~~~
semanticist
My mail server routes via Amazon's SES, which provides an SMTP smarthost my
instance of postfix can relay mail to. You authenticate each sending domain
using DNS, and it even supports DKIM signing.

Until I did this, my deliverability, especially to GMail, was awful.

~~~
Tharkun
Assuming you're running your own mailserver because you like the idea of a
decentralized web; isn't it kind of odd to then rely on Amazon?

~~~
semanticist
Maybe, but in my case it would not be a valid assumption.

------
giancarlostoro
I've always wanted to host my own mail but every time I look it up they always
recommend like 2GB of ram. I've thought about whether one in D / Rust would be
easier to host, but are there any decent libs out there or someone know what
mail setup I could have on a simple $5 a month digitalocean VPS?

~~~
emptybits
OP recommendation is minimum 512 MB RAM. Giving it 1 GB for headroom still
lets you run on the AWS EC2 Free Tier (i.e. t2.micro instance). Would that
work?

------
INTPenis
This is a nice writeup but my own personal modification of this model is to
host an MDA at home where I've got plenty of space and it costs nothing. But
then forward all mail to a proxy on a VPS that only does spam filtering and
never saves mails on disk.

------
perlgod
I'm always amazed at the negative comments on HN when the topic of
self-hosting your email comes up - I saw many of the same replies when my mail
server guide [1] got linked here a few weeks ago. Most people suggest to give
all your email to some corporation.

If people want to create their own mail service, more power to them - this is
supposed to be HACKER news!

[1] [https://news.ycombinator.com/item?id=16238937](https://news.ycombinator.com/item?id=16238937)

~~~
peterwwillis
If you have a lot of time to kill and don't need reliable email, self-hosting
is fine. But it's a bit like building your own car. Fun hobby: not reliable.

~~~
DrPhish
If you follow the guide in this post, you will have reliable email delivery
without involving a possibly untrustworthy 3rd party. What part of it seemed
overly time-consuming or difficult?

If you're worried about monitoring it for operation, make sure there is at
least one automated email that passes in each direction once daily. Use
pingdom free to check for basic up/down. That should suffice for a personal
email system. Email senders will retry for days before giving up.

I say this as someone who has been hosting his own email on his own hardware
on his own ISP connection (on OpenBSD no less!) for over a decade, and have
never had a delivery issue.

~~~
bachmeier
> you will have reliable email delivery without involving a possibly
> untrustworthy 3rd party

Only if you limit your email messages to parties that also use your personal
email service.

~~~
peterwwillis
Seriously. Who are these people who don't seem to know what DNSRBLs are, who
don't know about IP blackholing, who don't know about spammers stealing
private addresses and getting your domain blacklisted, or sending out too many
mails at once and getting tagged as a spammer, or sharing your IP space, or
not getting accepted from various domains for not having a high enough
"reputation", etc?

I mean, I must not know what I'm talking about, having run personal and
corporate mail systems for 15 years. Must be pretty easy to get the DNS
extensions which aren't used uniformly across major mail carriers right. And
hey, if your ISP gets blackholed it should be pretty easy to fix, right? And
you just have to set up a separate system with automated tests to alert you
when your service is down so you can get it back up in a few days before the
bounces start going out. And certainly maintaining your own spam filters has
never been difficult, to say nothing of software upgrades, maintenance
outages, security patches, offsite backups, certificate renewals, and moving
hosting providers.

But, yeah. Easy.

~~~
DrPhish
I've been running half a dozen domains since OpenBSD 2.5, over multiple
hardware platforms and ISPs, and I have never felt any of the pain you're
talking about.

I've never had a reputation problem, but I've been sure to test for open relay
on my servers as step zero. Maybe I've been lucky over the 4 ISPs I've had,
but I've always ended up with clean IPs. In any case, that would be something
you'd catch during initial setup and have to deal with before sending out your
first email. This may be super painful to deal with, but I don't have any
experience (fortunately).

I update my server OS (openbsd) once every 6 months and use long-lived
self-signed certs for STARTTLS mail delivery. Combined with DNSSEC and DANE it
makes for a trustworthy setup. Certbot for any certs that are more important
to have a chain of trust for.

I set up DNSSEC/DANE/DKIM/SPF once over a couple of days and have never had a
problem. I don't even have any spam to filter out after having domains for
decades and lots of friends and family members using it. Google sends regular
reports verifying that no one is using my domains for spam campaigns (at least
to gmail addresses).

There are free online services to help generate configs for, and test for the
correct configuration of each part of these setups.

Removable hard drives and fsarchiver make for simple offsite backups (just
store them at work). But if you don't have a good backup plan, whether you're
running your own email system or not, you've got bigger problems.

I'm sure you're dealing with bigger and more sophisticated setups than my
vanity domains, but I'm not talking about those. I sometimes don't touch the
email side of my system for years. Once set up it just works.

------
hapless
I wouldn't entrust my email to an operating system that lacks mandatory access
control.

OpenBSD is a fascinating project, but it is _decades_ behind the state of the
art in security.

~~~
drewpc
Seriously? I'd recommend doing some more research before making that claim.
Your example in a later comment speaks to the area of Privilege Separation,
discussed (and implemented) ad nauseam throughout nearly every application
that is maintained by the OpenBSD project.

[http://niels.xtdnet.nl/papers/privsep.pdf](http://niels.xtdnet.nl/papers/privsep.pdf)

[http://www.citi.umich.edu/u/provos/ssh/privsep.html](http://www.citi.umich.edu/u/provos/ssh/privsep.html)

[https://www.openbsd.org/papers/ven05-deraadt/index.html](https://www.openbsd.org/papers/ven05-deraadt/index.html)

[https://www.openbsd.org/innovations.html](https://www.openbsd.org/innovations.html)

~~~
hapless
Privilege separation is also a nice feature, but it is not the same as MAC.

I would have much greater confidence in an OpenBSD project that included lomac
or capsicum.

