
How to run your own mail server (2017) - starbugs
https://www.c0ffee.net/blog/mail-server-guide/
======
dpcan
Then you realize the true pain of having a near-zero reputation when trying to
email anything to people on Gmail, Yahoo, Live, etc, etc. Expect to go to spam
even if you have DKIM, SPF, and no relaying. If anyone actually knows the
secret to not having your own mail-server's mail go to spam on these bigger
systems, please tell, I've Googled it for years with no success.

~~~
wpietri
Agreed! I've been running my own mail server for 20+ years, and I would not
recommend that anybody do this on a lark. Deliverability to GMail is a huge
problem for me and has been for years. I even asked friends at Google to find
out what the story was. All I got back is that the mail group was so
careful/paranoid it wouldn't talk to them either.

I would long ago have switched over to a vendor, but I use qmail-style tagging
for sub-addresses (that is, instead of user+sub@domain, I use user-
sub@domain). Almost nobody supports that. Especially not GMail (where my
friends _could_ tell me that was tagged as WONTFIX).

If anybody has solved this, please do let me know (on here, via Twitter, or
the email address in my bio). It's maddening.

~~~
BenjiWiebe
Funny. I'm somewhat new to the game but my email server has had very few
problems delivering anywhere (hosting a small business' email, and personal
email for the employees.) I've got spf, dkim, and dmarc. I use tls on
everything. Got a static ip (linode) with rdns. I've never had a problem
delivering to gmail. For a while i had problems delivering to Hotmail/outlook,
but participating in some sort of junk mail reporting program (JMRP i think it
was) fixed that issue. Now, if i have deliverability problems, it's cause
something broke, or my tls cert expired, or i added a new ip that the email
server decided to start using. (Sorry for formatting, on mobile)

~~~
Aaronstotle
Which mailserver are you using? I'd love to try hosting my own email.

~~~
berkes
I would advice to try with mailinabox.email . It is very opinionated, which,
for a beginner, is a good thing with mail.

I'd encourage everyone to try this on a tiny droplet or linode with an
unimportant domain (don't just migrate your entire companies' exchange into it
on a Friday afternoon). It takes you an hour tops, after which you can poke
around and see all the moving parts that make a good mailserver tick.

You'll also be contributing to a stronger, more resilient internet, by making
it a tiny bit more decentralized.

------
chrisdone
My email server (@chrisdone.com) has been running for a year and a half and is
written in Haskell, saves all mail into a postgresql database, has a web
interface and an Emacs interface.
[https://github.com/chrisdone/duta](https://github.com/chrisdone/duta)

I redirected my gmail account to forward all emails to this new domain, and
changed all my account emails to theservicename@chrisdone.com e.g. for github
it’s git@chrisdone.com. Once I’m done, Gmail won’t be receiving any new mail.

It has SPF which has captured most spam. I haven’t implemented sending yet. I
thought this would be a problem initially, but after a year I’ve realized I
rarely send personal email out. But I’ll do it one day just for completeness.

I’ve found two bugs of my server, which were easy to debug because mail
sending is very robust. I fixed the bug, and the sender server tried again the
next day automatically.

I did it for exactly the same reasons as the author, to control my own data. I
wrote my own because existing open source offferings are silly complicated,
but receiving mail is not.

Duta is easy to deploy with docker machine and DigitalOcean. My current setup
has been deployed like this. It connects to a managed DO Postgres database,
which runs separately, has monitoring and backups, so it’s easy to redeploy
the mail server without worrying about losing my data.

------
mlrotter
I feel like if people are gonna take back email this process needs to be
easier; like a single application with a web front-end.

Hosting email is a pain! This is why everyone seems to outsource their email
hosting.

Read the comments in the 2017 discussion. Favorite quote: "I run my own mail
infrastructure. To say the least I wouldn't recommend it even to my worst
enemies. It's horrible."
[https://news.ycombinator.com/item?id=16238937](https://news.ycombinator.com/item?id=16238937)

~~~
baroffoos
I have been running a mailinabox email server for over a year now. You
basically just run the install script, tell it your domain name and set the
server as the name server for your domain name and its all done. The thing
does everything for you including renewing certificates. It then sends you a
monthly status email and an email whenever something needs your attention like
the certbot renewal failing.

So far in the past year the only manual intervention after setting it up was
updating it from ubuntu 14 to 18

------
jjirsa
EVERYONE did this for decades.

Then EVERYONE stopped because it's awful. Modern ISPs don't like SMTP floating
around, (DKIM, DMARC, SPF) are a pain to maintain over time, exploits will
happen, and your free off-the-shelf virus and spam filters suck compared to
the big companies seeing billions of messages per day.

~~~
pixelHD
I had my own mail server running for close to a year after which i gave up
because i started seeing issues delivering mail to gmail and apple mail
accounts. I had to keep tinkering with the DKIM/DMARC/SPF entries to make sure
i'm compliant with gmail/outlook/etc. At somepoint i gave up because it wasn't
worth the investment of time.

FWIW, i used mail cow [0], which was a delight to setup and use. And it comes
bundled with a decent-ish material design webclient.

I would love to go back to hosting my own mail server though. As of now, i
shut it down, and use gsuite.

[0]: [https://mailcow.email/](https://mailcow.email/)

~~~
number6
Still running my mailcow. I don't care if people don't get my mail. I can show
them that i handed the over to their server - everything else is their
concern. At least legally. If you can't read my mail cause you misconfigured
your spam filter I can't help.

~~~
jjirsa
> I don't care if people don't get my mail

This is the type of nonsense I expect from HN. Well done.

~~~
madez
When someone in a company agrees on a meeting in their office with someone
from outside the company, and the visitor arrives at time well-dressed and is
rejected by the companies security without any explanation, then who is at
fault? It is not the visitor, it is the awful cooperation between the person
in the company and their companies security.

It is entirely reasonable to show how you've handed your mail to gmail and
they refused it without actionable explanation, so it is a problem between the
recipient and gmail.

~~~
jjirsa
GMail being at fault isn't going to make up for a missed invitation (or RSVP)
to a special event, or not getting a note of congratulations on an
accomplishment, or not getting a message of condolences.

Assigning blame is done after the fact to make up for a mistake.

Just avoid the mistake.

~~~
madez
If one completely disregards political consequences, and generally anything
but personal short-term benefit, I agree with your reasoning. Otherwise, I see
not how that would be possible. And I think arguing just for short-term
practicality is deeply flawed; by that you'd also cooperate with a murdering
dictator if it helped you personally.

------
pinjiz
The key to get high delivery rates to GMail and Office 365 is to setup DMARC.
When you have a proper DMARC configuration (and at least SPF) your delivery
problems will suddenly go away.

Hosting your own mail server is not rocket science, but you need to have solid
sysadmin skills and a good understanding of email as a whole.

If anyone is interested in doing this: Start simple with only Postfix and
Dovecot, don't use a database for username/mailbox configuration as most
tutorials suggest (start with text files instead). You can also start with
OpenSMTPD and Dovecot if you think that Postfix is too complicated.

And if your setup is finally running, make sure to setup proper monitoring
(e.g. make sure your mail server is running and answering SMTP connections).
You can use free tools like uptimerobot.com for that and get notified before
you loose mail.

~~~
garaetjjte
DMARC is used for reporting and enforcing SPF/DKIM, I doubt it is used by
anything as spam/ham signal.

~~~
icelancer
It is. Check mail-tester.com for a decent checklist.

------
chheplo
I have been using Mail-in-a-Box
[https://mailinabox.email/](https://mailinabox.email/) successfully for many
years now, for both my personal account and my company. The only problem is
that occasionally Gmail and Outlook mark my sent email as SPAM to the
receiver.

~~~
TMWNN
>The only problem is that occasionally Gmail and Outlook mark my sent email as
SPAM to the receiver.

This is exactly the problem people are talking about!

------
systemfreund
I'd like to point to another smtp server, which I am using and is much easier
to set up than postfix in my opinion, especially for small servers like mine:
[https://www.opensmtpd.org/](https://www.opensmtpd.org/)

I'm running a personal mailserver (opensmptd, dovecot, dkim, spf, dmarc,
spamassassin) for some years now and although I initially had problems with
deliverability to google there aren't any (apparent) issues so far.

Also I don't understand why people keep emphasizing google's spam filter being
so much better than anything else. For my personal server SpamAssassin has
proved itself to be more than sufficient, its spam filtering performance is on
par with Gmail's (I have a Gmail account aswell), at least for me.

Of course, Gmails spam filter works better for the billions of accounts they
manage, but in order to handle the spam of a tiny mail server I'm probably not
the only person who is satisfied with SpamAssassin.

~~~
perlgod
Author here. I actually use OpenSMTPD currently, but I haven't bothered to
write a full article about it.

Details of my current setup are here:

[https://github.com/cullum/dank-selfhosted](https://github.com/cullum/dank-
selfhosted)

Though this will be out of date soon since I'm moving everything over to
Illumos...I have a fondness for dying operating systems I guess!

------
Naac
A ( somewhat ) happy medium between hosting your own email ( and dealing with
getting IP blocked ) and fully entrusting youtself to Google is to use webmail
as provided by your domain name registrar.

For example, gandi.net provides web mail on your own domain. Even, better, it
has support for wildcard email just like google does.

~~~
starbugs
gandi.net doesn't support external domains. I'd be thankful for any
recommendations that aren't totally overpriced and allow for external domains.

~~~
cosmojg
Personally, I use Migadu[1] for sending and receiving mail with my own domain.
I've yet to find anything that provides more bang for my buck.

[1]
[https://www.migadu.com/en/index.html](https://www.migadu.com/en/index.html)

~~~
kej
Thanks for this; pricing tiers based on outgoing email volume instead of
number of domains or mailboxes is perfect for a lot of situations.

------
gerdesj
Great write up. I will almost certainly learn something from it in review.

I have run my own company email for around 20 years and other people's for
over 30. I'm in the UK.

No matter how technically competent your setup, if your IP is blacklisted by
one of the big lists eg Spamhaus then you are screwed. So you need to avoid
that. Avoidance tactics involve properly configured MX, A and PTR DNS records.
Then you'll need a proper SPF TXT record. Can you do DKIM? DMARC?

Oh and please avoid sending spam to people - it ticks them off and get's you
blacklisted.

------
rubyn00bie
Kudos to the author for this, this is an endeavor of madness IMHO...

The only thing I've ever failed to setup was a functioning mail server using
Postfix and Dovecot (it was like ~2007/8). It was a circle of configuration
hell I would wish on no one and since then I've never understood why anyone
would want to run their own mail server. Pure, unadulterated, hell... I
honestly don't even know why we have email at all it's so shit (obviously I
do, but hopefully the sentiment I'm expressing is clear).

Granted, if you know how to do it, once it's "running" things mostly work
(I've known plenty of people who didn't fail as miserably as I did)... but as
others have mentioned actually sending emails and not being labeled as SPAM is
almost impossible. Plus, making sure your service is literally ALWAYS
available, is really quite tricky. It's pretty damn easy to miss some emails.

I keep hoping some other protocol will take off so we can free ourselves from
email, but it looks like the chance of that ever happening is probably zero.

~~~
parliament32
>It was a circle of configuration hell I would wish on no one

>actually sending emails and not being labeled as SPAM is almost impossible

Anecdotal, but I really didn't have any issues with either of the above. Just
don't use a tainted IP (protip: basically every cheap VPS provider's IP space
is tainted) and set up SPF/DKIM properly. Following a tutorial is probably the
way to go if you're not familiar with Postfix/Dovecot. And as you mentioned,
once you have it up and running it's basically zero maintenance.

>making sure your service is literally ALWAYS available, is really quite
tricky. It's pretty damn easy to miss some emails.

Mail standards actually make it really hard to miss emails. Every mail service
will, by default, retry delivering mail for 4 days (!). This is the default in
MTAs and the big boys (Gmail, etc) do the same. If you want to be more HA you
can set up backup MXes but that's overkill for a personal server.

------
nvr219
Fastmail has been better for my emotional well being than self hosting.

------
joshmn
Always nice to see this posted. Previously discussed in 2017:
[https://news.ycombinator.com/item?id=16238937](https://news.ycombinator.com/item?id=16238937)

~~~
marpstar
This topic (though not always this particular article) seems to come up on HN
every 6-9 months, and the discussion is ALWAYS the same: "Yeah, you can, but
you'll have to deal with X, Y, and Z. Probably not worth it for most people
but interesting to know that you can."

------
efesak
These tutorials are nice but you can just hack
[https://hub.docker.com/r/analogic/poste.io](https://hub.docker.com/r/analogic/poste.io)
(shameless ad) or any other containerized solution. You will get fully working
solution in couple minutes and it will be somewhat easy to keep mailserver
updated...

~~~
tacon
This. I have been running my own mail server since UUCP bang paths and
sendmail. I am slowly preparing to migrate to a containerized solution for
exactly this reason. Managing the updates of all the parts going forward is
just too heavy a load, while swapping in a new container is easy. The initial
configuration is painful, just because there are so many options to decide on,
but those decisions are all there anyway, whether you realize them on day one
or not. I am planning to use this image[0].

[0] [https://hub.docker.com/r/tvial/docker-
mailserver/](https://hub.docker.com/r/tvial/docker-mailserver/)

------
kuczmama
I wrote about this back in October 2017, it talks about setting up mailcow. I
think it's far simpler than this article.

[https://blog.mkucz.com/2017/10/how-to-host-your-own-email-
se...](https://blog.mkucz.com/2017/10/how-to-host-your-own-email-server.html)

------
jacobsenscott
Offlineimap + mu + mu4e is my current setup. I use gmail, but pull it all down
with offlineimap. So it is all backed up even if I lose access to google. MU
indexes your mail and gives you very fast search - much better than gmail's
search. And mu4e lets you read your email in emacs.

------
jolmg
In the diagram, the program that connects via IMAP to the MDA can also be a
standalone MRA[1]. With a standalone MRA, the MUA doesn't need to know the
protocol used by the MDA. It just reads the mail from a local mailbox (using
formats like Maildir or mbox) where the MRA wrote it.

Does anyone know if there are MTAs that can pickup mail from a local directory
to send out and MUAs that don't need to use SMTP to send out mail, but have
the support to rather just write it to a directory?

I was wondering if the sending of email could also be handled by a standalone
program separate from the MUA like it can be done with the receiving of mail.

[1]
[https://en.wikipedia.org/wiki/Mail_retrieval_agent](https://en.wikipedia.org/wiki/Mail_retrieval_agent)

------
raimue
One thing that would still be missing is SRS [1], in case you want to forward
mails to an email address handled by a different mail server.

Your mail server must not use the original from address in the envelope from,
as that would very likely trigger SPF record checks at the receiving end. When
forwarding mails, it is therefore strictly necessary to rewrite the envelope
from address with SRS.

For this postfix setup, postsrsd [2] can be used to implement SRS with only a
few more configuration options.

[1]
[https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme](https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme)

[2]
[https://github.com/roehling/postsrsd](https://github.com/roehling/postsrsd)

------
n3storm
Every now and then this comes out.

I would like this to be true (really) and it can be true only if only you are
the only mail system user.

As soon as you give an email account to a non techie and non email politeness
aware user you are doomed. Like your windowsxp user mum with a compromised
outlook express sending crap to full addressbook. Your friend is sending last
penis graphic joke to their (gmail/msn) friends. Dad has used email to
register to many dark sites and now all *@yourdomain.com receive viagra offers
and they ask you to stop receiving that. Girlfriend is trying to send a 1GB
video to her workmates.

But then, one user mail system does worth the effort?

------
jakeogh
I exited gmail a few days before the "hey lets read your mail and generate
ads" took effect. It would great if someone someone else decided to use it and
fix it up for their use case:

[https://github.com/jakeogh/gpgmda](https://github.com/jakeogh/gpgmda)
[https://github.com/jakeogh/gpgmda-client](https://github.com/jakeogh/gpgmda-
client)

Alot and xapian are awesome.

Anyone from github: please check #439658 and let me gen the cookie via ssh. I
didnt enable 2FA.

------
linsomniac
Does anyone use Hashcash? I haven't run my own personal mail server in 5+
years, but I used to feel like Hashcash really helped keep my messages out of
spam folders. It seems like SpamAssassin is really the only filter that
implements it, and I don't know how prevalent that is today. But I used to
spend 10-60 seconds computing a hashcash on every outgoing message that left
my server, and has basically no problem with getting caught as spam. But I
also had a domain and IP address with like 20 years reputation behind it...

------
theonemind
I've had a relatively trouble-free experience running my own email server for
years by just setting up outgoing email to relay through through the gandi
SMTP I got with my domain registration. Email providers don't verify the the
reputation of what they want to _send_ to very rigorously, so I don't have any
problem receiving my mail.

It depends on why you want to run an email server, I suppose. I just didn't
want google collecting, analyzing, and indefinitely storing my incoming mail
(left gmail).

------
thrownaway954
If you're running Windows, you can download SmarterMail. It's free for 10
mailboxes. Has mail, calendar, collaboration and a slew of more stuff.

[https://www.smartertools.com/smartermail/downloads](https://www.smartertools.com/smartermail/downloads)

[https://www.smartertools.com/smartermail/business-email-
serv...](https://www.smartertools.com/smartermail/business-email-server)

~~~
jaywalk
Wow, that takes me back. I remember setting up and using all three of the
SmarterTools products 15+ years ago. They were fantastic.

------
ram_rar
Hosting email is definitely a pain. You could do all the validations with DKIM
, SPF , ARC etc. Its not helpful if the reputation score of the server is low.

I have been thinking about this for a while , there should be a way to
decouple email server and storage into 2 different services, where I could
authorize email server to grab the data from storage. The storage service
itself should have zero knowledge encryption. This way, I could just switch
between email services.

------
dev_dull
Before you get too far down this rabbit hole (like I did) for a home mail
server, make sure that your ISP supports inbound/outbound mail traffic. Mine
blocks it permanently, and I've been unsuccessful at getting it changed. In
fact, I can't even get the tech support people to understand the traffic is
blocked before it reaches my house and it's not a "firewall" thing.

------
breakall
Should you host your own email server? Yes! It’s a really fun learning
project. There are tons of resources out there to make it do-able, so go for
it!

------
poolpOrg
Hello,

Main developer from the OpenSMTPD project here.

I also wrote an article a few weeks ago about running your own mail server
which is located here:

[https://poolp.org/posts/2019-09-14/setting-up-a-mail-
server-...](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-
opensmtpd-dovecot-and-rspamd/#begintech)

------
Angostura
I suppose its worth mentioning that there are two kinds of mail server you can
run.

I've often thought of running my own IMAP server (I like syncing, but I want
to retain all my e-mails and not worry about quotas).

As for SMTP - I'm happy for my ISP to handle that.

------
dddddaviddddd
I've been doing this for inbound email on my domains, and outbound mail from
daemons and system services. I don't think relying on your personal email
server for all email is practical (deliverability), but there are good use
cases.

------
rodrigo975
[https://poolp.org/posts/2019-08-30/you-should-not-run-
your-m...](https://poolp.org/posts/2019-08-30/you-should-not-run-your-mail-
server-because-mail-is-hard/)

My 2 cents.

------
scarejunba
Used to host my own everything. One day went on holiday, thing went down due
to complex sequence of events, got no email. Disaster.

From then on, MX'd my shit to aspmx.l.google.com. and called it a day.

Any hosted solution is probably better than this.

~~~
sjustinas
I've been running my own email since about 8 months ago. I have Google's MX
(that I used before) on backup (with a lower priority). Will not help me with
every sort of fuckup possible, but it will at least deliver the mail if my
server is down.

------
georgeoliver
> "Getting off GMail is one of the best ways to take back your data in the
> face of dragnet surveillance."

Is running your own mail server one of the best ways to get off GMail?

------
johnchristopher
There's something that isn't really clear to me:

Would Google still suspect my mail of being spam If I bring my own domain to
Gsuite or rackspace (for instance) ?

~~~
aidenn0
Not if you use Google's SMTP servers.

~~~
Karunamon
Judging from some of the experiences upthread, even that isn't enough. Billing
messages from google themselves and gsuite-to-gsuite messages getting spammed.

~~~
aidenn0
Any source can have some fraction their messages treated as spam; I was just
saying that if you take a random IP address and set it up as SMTP, you will
have trouble getting _any_ messages through, even if DKIM &c. are setup
correctly.

If you send too few messages, you're untrusted.

------
sgt
Been running my own personal mail server (mostly postfix) for 19 years and 6
months. Low volume, but also extremely few issues.

------
sreitshamer
mailinabox ftw. After the first couple of months I've had zero delivery
problems.

------
adontz
Always wonder if any of these guides will ever include decent web-mail?

~~~
pharrington
Writing one yourself is it's own fun project!

~~~
q3k
Fun is a very curious way of putting it, considering how batshit crazy IMAP
is. The rest of the involved email standards are also a huge dumpster fire.

I'll let Ricardo Signes do the talking:
[https://www.youtube.com/watch?v=JENdgiAPD6c](https://www.youtube.com/watch?v=JENdgiAPD6c)

~~~
yellowapple
Why would you need to deal with IMAP at all for a webmail client? If the mail
server is the one hosting the webmail frontend, you could read the Maildir or
mbox (or whatever you're using to store emails) directly. IMAP's only really
relevant for locally-installed clients (i.e. the exact thing webmail's
supposed to replace).

~~~
q3k
If I were to write a webmail client for either myself or as a non-toy-project,
I would definitely want to be able to host the webmail backend somewhere else
than the MTA/MDA, and especially not give the webmail full access to every
user's email.

That leaves you with either using some protocol that already exists (IMAP or
now JMAP as another persion mentioned in the thread) or coming up with my own.

~~~
yellowapple
There are still a couple options here besides IMAP:

\- Use server-local users, and have the webmail prompt for those credentials
and use them to browse that user's Maildir via SFTP. "Good enough" for small-
scale operations. Probably not the best choice for large-scale operations, but
likely "good enough" for small-scale.

\- Store the emails in a SQL database (e.g. Postgres), with row-level
permissions to SQL users for each address, and have the webmail prompt for
credentials for those SQL users and use those to connect to the DB and query
messages. Probably the ideal choice for large-scale operations.

Both of these options seem more reasonable to me than trying to do anything
with IMAP.

------
rdevnull
why not use [https://wildduck.email](https://wildduck.email) ? I have been
using it for years and never had to look back.

------
akulbe
Rule #1 of hosting your own mail server:

Don't do it.

------
mraza007
I was looking for something like this

------
Naac
2017 should be added to the title.

------
MrCharismatist
Step 1) Don't.

Step 2) Dude, seriously.

Don't do this. It not only will drive you crazy, it's getting worse.

------
OrgNet
probably should switch to something like Matrix instead...

------
xwdv
Although you _can_ run your own mail server, it’s a bit like rolling your own
crypto.

~~~
megous
It really is not. At most it can be tedious, because it has large surface area
of protocols and formats. Most of them other than SMTP and message format are
optional.

Minimal mail system involves just postfix with config in a bunch of files,
delivering mail to a folder on the server, and pretty much everything on top,
like SPF,DKIM,DMARC,... is optional.

You can ssh to your server from anywhere and run mutt there, or install a
webmail if you're into web stuff. That's pretty much all that's needed for a
basic thing. Security wise, there's not much to do wrong in this setup. Mail
server is open for reception by default as it should be and submission is only
allowed from localhost.

Webmail can be protected via HTTP auth and ssl. As long as your password is
secure, noone will get there that way.

Rolling your own crypto is a much bigger can of worms.

~~~
magashna
Confirming your emails are getting through to providers like gmail is the hard
part

~~~
megous
It's not the hard part, it's simply impossible to ensure from your side. You
can have everytrhing righy, and they'll still block you based on IP address.

------
benbristow
Alternatively pay for a GSuite account for like £3 a month (Or Office 365) and
all of this is handled for you with superior spam filtering, search, webmail,
no manual administration and no issues with email delivery due to other
filters thinking your server is a bit dodgy.

It's too much effort to run your own email server well.

~~~
q3k
Of even better, use some smaller alternative that is not Google (mailbox.org,
protonmail, fastmail, ...).

GMail's de-facto monopoly on email (and especially spam filtering) is a threat
to the Internet.

~~~
derrick_jensen
I'd recommend Rackspace. $3 per user per month, and allowed me to bring my own
domain. Haven't had any issues after setting everything up.

I tried registering this domain through G Suite and Zoho first, but they both
said my domain had a TLD that's commonly used by spammers, and refused to bind
it. Zoho eventually made an exception but took over a week for them to get
back to me.

~~~
q3k
Huh, that's the first time I hear of rejection due to a TLD. What is it?

~~~
Boulth
I guess that would be .tk

~~~
q3k
Oh. Right.

