
How do we explain email to an “expert”? - ashitlerferad
http://sobersecurity.blogspot.com/2016/08/how-do-we-explain-email-to-expert.html
======
zAy0LfpBZLC8mAC
1. It's a massive exaggeration that it's dangerous to run your own email
server. Now, he doesn't explain why he thinks that it is, but I guess there
would be two major categories, both based on the assumption of
vulnerabilities: (1) your server could be abused against others (yes, but so
could your laptop or smartphone) or (2) your own emails could be at risk of
being leaked (yes, but the solution to that obviously is not to directly give
them to someone else instead).

2. None of that is actually solved by simply trusting someone else to run
your email servers for you if you also can't judge whether they are doing it
properly and, in particular, in your interest.

3. If you think that trusting someone else to run your email servers for you
is an acceptable solution, that is functionally equivalent to trusting someone
else to provide you with a software package to run on your email servers.
Everything that someone else could do on an email server that they run for
you, they could just as well package into, say, an install CD image, which you
then could use to run your own functionally equivalent, hopefully
well-configured and well-updated, mail server.

So, I would think, this is at best an argument against putting together your
own mail server from distro packages, and configuring everything yourself,
maybe.

Other than that, there is no fundamental reason why you would need to know
email RFCs any more for running an email server than you need to know them for
running an email client. In either case, knowing them can help you with
figuring out some problems. But also, in either case, if the software is good,
the programmers should have taken care of reading the RFCs for you, so you
don't need to, for the most part.

~~~
ikeboy
>Everything that someone else could do on an email server that they run for
you, they could just as well package into, say, an install CD image, which you
then could use to run your own functionally equivalent, hopefully
well-configured and well-updated, mail server.

Gmail won't give you their entire software stack (also good luck running it
even if they did). Neither will any of the other big players.

~~~
zAy0LfpBZLC8mAC
Are you saying that gmail are the only ones who know how to run a mail server?

~~~
ivanca
You were claiming "they could just as well package into, say, an install CD
image" which is likely not going to happen, so he was just giving an example.

The perfect spam filter Gmail has is probably based on data and ML analysis,
not a simple software you can put on a CD and install on some little server;
so even if someone who works there wanted to help you they probably can't do
it.

~~~
stonogo
GMail's "perfect spam filter" is so bad that it is the reason my institution
moved away from Google services. It's also the main reason so many people
consider it 'impossible' to host your own email.

It's anything but perfect. It's a black box, with no user-serviceable parts
inside. Completely useless for any organization with needs that deviate from
Joe User.

~~~
newjersey
How would you implement a spam filter?

You can sort of turn off spam filtering on incoming emails but I don't think
most people or organizations would want that.

> Completely useless for any organization with needs that deviate from Joe
> User.

Maybe but being slightly over aggressive means a world in terms of user
happiness. Think about email before Gmail. How much junk did you see in your
inbox? There is a lot LESS today. Joe User would be very happy if they tried
to think about it for a second.

~~~
zAy0LfpBZLC8mAC
> How would you implement a spam filter?

What do you mean "implement"? You are aware that there exists free spam
filtering software that you can install, like, say, spamassassin (which has
been around longer than gmail)?

> Maybe but being slightly over aggressive means a world in terms of user
> happiness.

Dropping legitimate emails is good for user happiness? You have strange users.
I imagine if the post office decided to throw away some letters "slightly over
aggressive[ly]" ... there are people who would be happy if that happened?

> Think about email before Gmail. How much junk did you see in your inbox?
> There is a lot LESS today.

I see maybe one to three spam mails per day, with nearly zero false positives
(maybe one per year). And that's without gmail. Obviously, I could reduce that
to zero spam, at the cost of increased false positives, which is not a
sensible option as far as I am concerned, deleting three mails per day isn't
really all that much work.

------
femto
Be wary when something is described as "too hard", but the describer
doesn't/can't give specifics on why it is too hard. If a person can't give a
generally understandable description of the difficulties, one has to ask
whether they understand the topic well enough to make a pronouncement of
hardness.

> Then you'll understand there are no experts.

I disagree. There are, but experts have to keep learning in order to maintain
their expertise.

~~~
shawkinaw
This line is what got me:

> There are literally more topics than one could read in a lifetime.

Literally no part of that sentence is accurate.

~~~
jethro_tell
Especially considering, all documentation and concepts regarding email have
been written/designed in a single lifetime.

~~~
dllthomas
That's no guarantee, given that they have been written/designed by multiple
people in parallel.

------
lwhalen
Horsepuckey. Hosting your own data services is not dangerous, if you do your
homework. Email is not _that_ complex (compared to something like a federated
Kerberos environment), and there are several good, concise, HOWTOs, books, etc
on the subject. Running your own stack makes you a first-class citizen of the
'net, and more people should do it.

~~~
imron
> Hosting your own data services is not dangerous, if you do your homework.

Well, sure, not dangerous like underwater welding, or electrical powerline
installation or something, but it's something that requires constant attention
to do right.

Even people who do their homework and start out vigilant, can eventually
develop entropy and then 3 years later you get a message from your host
telling you your machine is being used for spam - like this guy who is also
coincidentally on the front page:

[https://news.ycombinator.com/item?id=12384880](https://news.ycombinator.com/item?id=12384880)

Sure, it's not _dangerous_ , but it's awfully time consuming if/when things go
wrong.

~~~
lwhalen
> Sure, it's not dangerous, but it's awfully time consuming if/when things go
> wrong

Perhaps, but that can be said of most things. Model rocketry, glass blowing,
hell even woodworking. That doesn't mean people shouldn't roll up their
sleeves and get into it because 'some megaultracorp has perfected the
process', for some incredibly generous definition of 'perfected'.

Running your own server does in fact take some time and a little bit of elbow
grease, but scare-articles like this do nothing to further an open internet.
As the tech-elite (for the most part), we should be encouraging folks to host
their own data, learning how 'those damn computers' work, and do our best to
raise the next generation of engineers, sysadmins, devopsen, docker deployers,
or even just computer dabblers 'right' so they at least have some concept of
How The Internet Works(tm) beyond "oh, send this dict to an API...". If
hosting your own email server is too scary for you at this time, suck it up,
do it anyway, and figure out what needs to happen to make it better for the
NEXT guy. Write down what breaks and when. Publish that data. Let us learn
from your fail, as you learn from ours. Holler at your nearest Google or
Comcast or Centurylink engineer, suit, or peon to un-fsck their infra. It's
not glamorous work, but it is necessary.

~~~
imron
I agree that people should be encouraged to learn how things work. In the past
I have run my own mail server, and I'm aware of the time and effort involved.

As fun as it was, I now find it less hassle to just outsource that to a
third-party that specialises in it.

------
viraptor
> most of #3 knows running your own email server is pretty dangerous

I think this could be phrased better. Or at least expanded on what "dangerous"
means here. Someone breaking in is just one tiny part of it. Getting incoming
emails dropped due to misconfiguration is another. Then there's the whole
issue of getting your mail accepted.

After such a comment there's always a few people ready to say that it just
worked for them and they don't have any issues. That's great. As long as they
actually know that's the case (how often do you test for your mail being
silently dropped? how often do you send copies to yourself on gmail, yahoo,
etc and verify they don't go straight to spam), and as long as nothing around
their network changes (two spammers in your /24 means you're suddenly being
filtered, someone changes description of your range to dialup and you're being
filtered, etc.).

Running your own email long term can be easy, hard or a full time job. And
that can change day to day. "pretty dangerous"? No... Closer to: suddenly
requiring a great deal of work while you're wondering if you dropped an
important document.

------
Animats
Are there any good email servers which aren't horrible legacy messes? No UUCP
support, no M4 macros, no ancient C code?

I once looked at writing an immediate email forwarder in Go, a mail forwarder
for servers that don't receive mail. It would, upon receiving a message via
SMTP but before replying with a status, open a connection to forward the
email, and return the status of the send to the input SMTP connection. No
local message storage at all. Runs in a jail. It's not hard to do this as a
minimum viable product in Go. But all the anti-spam stuff you need today makes
it a far larger project.

It would be interesting to write both that, and a pure SMTP to IMAP server. No
local mail access, just pure IMAP. Together, the two programs add up to a mail
server much simpler than most today.
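
The forwarder sketched above (accept via SMTP, relay before answering, hand the upstream status back, no local storage), as an added Go example that is not part of the thread or anyone's project: HandleSession and Forwarder are hypothetical names, the Forwarder in a real deployment would wrap net/smtp.SendMail plus the anti-spam checks the comment mentions, and the session here is driven over any io.ReadWriter so it can be exercised without a network.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// Forwarder hands one message to the upstream hop (net/smtp.SendMail in a real
// deployment). Its error becomes the inbound client's reply code.
type Forwarder func(from string, to []string, data []byte) error

// HandleSession runs one SMTP dialogue with no local queue: at end of DATA the
// message goes to fwd synchronously and the upstream result selects the reply.
func HandleSession(rw io.ReadWriter, fwd Forwarder) {
	r := bufio.NewReader(rw)
	from, to := "", []string(nil)
	fmt.Fprint(rw, "220 relay ready\r\n")
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return
		}
		verb := strings.ToUpper(strings.TrimRight(line, "\r\n"))
		switch {
		case strings.HasPrefix(verb, "HELO") || strings.HasPrefix(verb, "EHLO"):
			fmt.Fprint(rw, "250 relay\r\n")
		case strings.HasPrefix(verb, "MAIL FROM:"):
			from = strings.Trim(line[10:], " <>\r\n")
			fmt.Fprint(rw, "250 OK\r\n")
		case strings.HasPrefix(verb, "RCPT TO:"):
			to = append(to, strings.Trim(line[8:], " <>\r\n"))
			fmt.Fprint(rw, "250 OK\r\n")
		case verb == "DATA":
			fmt.Fprint(rw, "354 End data with <CR><LF>.<CR><LF>\r\n")
			var body strings.Builder
			for line, err = r.ReadString('\n'); err == nil && line != ".\r\n" && line != ".\n"; line, err = r.ReadString('\n') {
				body.WriteString(strings.TrimPrefix(line, ".")) // undo dot-stuffing
			}
			// A truncated DATA is never forwarded; an upstream refusal is a 451 so the sender retries.
			if err != nil || fwd(from, to, []byte(body.String())) != nil {
				fmt.Fprint(rw, "451 upstream did not accept the message, try later\r\n")
			} else {
				fmt.Fprint(rw, "250 relayed\r\n")
			}
			from, to = "", nil
		case verb == "QUIT":
			fmt.Fprint(rw, "221 bye\r\n")
			return
		default:
			fmt.Fprint(rw, "500 command not recognised\r\n")
		}
	}
}
```

Because the 250 is only sent after the upstream accepted the message, a failure upstream leaves retry responsibility with the original sender instead of with a queue on this box.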

~~~
zdw
Depends what you mean by "ancient C code" - if it's basically Sendmail you're
complaining about (and given the m4 mention, that seems likely), then there
have always been other options.

Both qmail and postfix have security models pretty similar to the ones you
describe - the process that accepts the mail in either has almost no
privileges. See here for how postfix does this:
[http://www.postfix.org/OVERVIEW.html](http://www.postfix.org/OVERVIEW.html)

~~~
seanp2k2
Yep, qmail may be old but it can do all the new tricks, and it can work like
you say. [https://cr.yp.to/qmail.html](https://cr.yp.to/qmail.html) steep
learning curve but it'll do it all and the design is great once you "get it".

------
upofadown
It would be interesting to know exactly how one could get owned by running
just an email server. It's been forever since there has been any server that
could be attacked with just SMTP. IMAP has a login, as does that buggy PHP
webmail program.

There just isn't much of an attack surface there.

The real problems are spam and convincing other mail servers to accept your
email.

~~~
ashitlerferad
There have been remote code execution exploits in mail servers before, Exim
most recently. There probably are more hiding somewhere in one of the many
layers that are needed for modern email servers.

~~~
rlpb
That isn't difficult to manage though, unless you consider running _any_
server to be insecure. Use your distribution's MTA package and turn on
automatic security updates. Done.

~~~
AstralStorm
Unless they are too slow, then you get to pick up the pieces.

Since a server is a much juicier and visible target than any client, expect
attacks.

~~~
zAy0LfpBZLC8mAC
> Since a server is a much juicier and visible target than any client, expect
> attacks.

Why do you think that?

Isn't a web browser that has access to your gmail inbox just as juicy as your
self-hosted imap server?

I don't really see why a "server" would somehow be inherently a more
interesting target. Google's servers, sure, they give you access to billions of
mailboxes, but your own private email server?

------
Annatar
I'm in the process of setting up my own e-mail infrastructure. I have maildir,
certificates, IMAP, SASL, TLS, and antivirus working, with anti SPAM and the
web GUI left to do. I built and configured the MTA and the IMAP server to use
a SQL database to do their table lookups. On a platform where I had to
architect, compile, link, and package everything myself, because I didn't want
Sendmail so I ripped it out and then had to seamlessly integrate the MTA of my
choice with the OS. (I used to admin Sendmail for a living back in the day
when SASL and TLS were science fiction.)

It's a nightmare. I postponed this for 15 years knowing how bad it will be.
It's far worse than that. During the last two years while I've been trying to
figure it all out, I seriously thought about ditching e-mail altogether. The
last year was spent reading various documentation.

The DNS MX records aren't even in yet, and I already see port scans and hack
attempts on port 25, probing for security flaws and configuration errors,
already trying to exploit my MTA infrastructure.

And before I go live, I have to recompile OpenSSL, SASL, antivirus and the MTA
at the minimum, to get all the security fixes rolled in. I'm not even done
yet, and the antivirus engine is already complaining that it's outdated.

It's a nightmare.

~~~
zAy0LfpBZLC8mAC
> The DNS MX records aren't even in yet, and I already see port scans and hack
> attempts on port 25, probing for security flaws and configuration errors,
> already trying to exploit my MTA infrastructure.

So? How many webservers are constantly _trying_ to exploit your web browser
infrastructure? It's just that you don't have a log file that's telling you
about it, but that doesn't mean it's not happening. And in any case, it
doesn't really matter. Just because someone is testing whether your web
browser is some ancient internet explorer, doesn't mean there is an actual risk
to you, unless you are running an ancient internet explorer.

> I'm not even done yet, and the antivirus engine is already complaining that
> it's outdated.

Just forget about antivirus, it's snakeoil anyhow?

------
ikeboy
That chart has some issues [http://danluu.com/dunning-kruger/](http://danluu.com/dunning-kruger/)

------
themgt
Every time I read an article like this (the "I am certainly not writing this
to defend Hillary Clinton, [but let me use the piece to subtly defend Hillary
Clinton]"), I check the author's professional associations:

 _Nat Meysenburg is a technologist at New America’s Open Technology Institute_

Ahh yes, "New America", who runs that again? Oh right, long-time Clinton
lackey Anne-Marie Slaughter who was "devastated" when she thought Hillary
criticized her a little bit that one time [0], along with Google's Eric
Schmidt who runs a stealth startup for Hillary [1] named "The Groundwork"
complete with an Illuminati-esque logo [2]

[0] [http://www.politico.com/story/2015/11/hillary-clinton-emails...](http://www.politico.com/story/2015/11/hillary-clinton-emails-slaughter-216285)

[1] [http://qz.com/520652/groundwork-eric-schmidt-startup-working...](http://qz.com/520652/groundwork-eric-schmidt-startup-working-for-hillary-clinton-campaign/)

[2] [http://thegroundwork.com](http://thegroundwork.com)

~~~
rtpg
Isn't it a little cruel to these people's agency to reduce them to "Clinton
lackeys"?

Not to mention that it's pretty normal to feel at least a bit bad when someone
you were working for and admire says you're whining whenever you talk about
your difficulties.

Plus I'm pretty sure Schmidt is beholden to no-one at this point. "Fuck You"
money is an understatement....

Though I can get these people rationalising a defence due to emotions, I don't
think there's a big web of conspiracy. Popular people get defended by a lot of
people...

~~~
lugg
I enjoyed how you attacked his use of the word lackey while ignoring his
accusation.

Kind of like how he was explaining how the author didn't outright defend
Hillary, but subtly did defend Hillary.

------
Joof
He really doesn't describe why it can't be done other than some vagueries. I'm
willing to bet a good chunk of people here could run a fairly secure email
server (it's not like Google hides its emails from the NSA anyway.)

------
Normal_gaussian
I'm toying with setting up my own email server so that I can use all the
prefixes for my domains. Ideally it would make managing my actual mail so much
easier.

However. I know setting it up is a PITA. And if I move to it I am stuck with
it.

The various mailinabox solutions sound great, but I can't quite tell if they
do what I want _and_ email is too damn complex to vet myself. And they need an
entire bloody box because they don't play nice with containers apparently (on
last google) - all to securely parse some text files. Overkill or what.

------
gregatragenet3
I haven't found a cloud email service which will let me keep my procmail
filters. (A group-3)

~~~
regecks
Fastmail lets you write sieve filters. Not exactly the same but you could port
them over, right?

------
baby
Came here thinking I would learn something. Learned literally nothing reading
this article.

Reminded me of this other gem article: [http://www.clickhole.com/blogpost/if-black-lives-matter-isnt...](http://www.clickhole.com/blogpost/if-black-lives-matter-isnt-racist-hate-group-then--4610)

Basically trying to prove a point with very... umm... poor arguments :)

