Show HN: OpenBSD Email Service – A free-email alternative (github.com/vedetta-com)
215 points by h0r14 on Feb 16, 2018 | 136 comments

I used to do this for a long time (with Ubuntu), but over the years there was always something popping up that required fixing, updating or other attention. Eventually I decided to let someone else worry about maintaining the mail services and spam filters and put my own focus on other things.

By way of a counter-anecdote: I've been running my own email for 8 years and spend almost no time on it. I can't recall having to do any maintenance at all in the last 3 years.

Yeah, I do the same - I plugged in Postfix, Dovecot and SpamAssassin and haven't had to touch it other than occasionally confirming backup scripts and automatic security updates are working.

Does your email get marked as SPAM by gmail?

I do something similar, but when I send an email to a person for the first time, it always ends up in the spam folder at GMail.

Just relay it out via a trusted host, in addition to setting up DKIM, SPF, etc.; that solved all the problems for me. My email server has been working excellently for many years now (OpenBSD, OpenSMTPD, dovecot) with Rainloop as web-based frontend.

I have DKIM, SPF, etc. but it still gets caught as spam. What do you mean by "trusted host"?

An email provider that is not blacklisted and allows relay. I currently use my ISP for that.

Taken from my smtpd.conf:

  table secrets { mylogin = [email]@ziggo.nl:[pass] }
  accept tagged DKIM for any relay via tls+auth://mylogin@smtp.ziggo.nl:587 auth <secrets>

Oh, I see, thanks!

It kind of defeats the purpose, since now the third-party will be able to read all my outgoing emails, and have control over them.

You're transiting over their network anyway -- the jig is already up even without relaying via their gateway.

Connecting directly to the remote (non-ISP) mailserver with TLS shouldn't reveal any message contents.

Relaying via the ISP's mail server though (even with TLS) seems like it would disclose the message contents.

Is DMARC included in your 'etc'? I think that's needed for gmail these days. If rdns, dkim, spf and dmarc are there, try checking your IP's reputation (senderscore); that could be it.

Thirded, only with qmail. I know mine is a tiny private server, but scaling up would only require more hardware and minimal increase in hours working on it. OTOH, I manage hosted mail solutions for three other domains, and those all require more time, because I'm supporting other people.

This used to work for me but lately, way too much spam. Looking to install rspamd but have not succeeded yet.

Same here. I have owned my domain and run my email server for six years now. Investing a week's worth of afternoons has really paid off, and I can do neat things like having infinite email addresses via a catch-all address.

By the way, give a look at mail-in-a-box, another cool project that implements a ready to use mail server with great functionalities.

Used to manage it all manually, set up https://mailcow.email/ after a server move a couple years ago. It's been great, running inside docker now via docker-compose alongside https://github.com/JrCs/docker-letsencrypt-nginx-proxy-compa... for automatic letsencrypt for the web interface along with my additional web services hosted on the same server. I had one minor hiccup when upgrading wherein I had to restart all docker containers, that's about it in terms of maintenance.

I did the same and used my catch-all extensively which I almost regret nowadays because it would make migration to a hosted service much more difficult if I ever wanted to. At least I know of no trustworthy commercial mail hoster which allows catch-all-addresses without requiring a much more expensive 'business' account.

I do this in fastmail with no issues. I'm on an older plan of around $40 a year I think but have zero regrets switching from gmail

For what it's worth, Zoho.com gives catch-all ability with their free tier as long as you supply your own domain.

Do you have the system updates on auto? How do you handle all of that?

On Debian and derivatives, you can install unattended-upgrades to get automatic security updates. See also apt-listchanges, which can send you an email detailing the changes applied.

Similar for RHEL/CentOS/other-EL based distributions too, using the "yum-cron" package.

I'm in your reverse situation, a long time free-email user. Given the latest news, I decided to self-host my email address and not have a 3rd party filter my Inbox.

I'm surprised how easy it is, and having fun with sieve scripts :)

Long time self-hosted email user, then long time Gmail user. Playing with your own server is fun, and I really enjoyed it. But things do go wrong, and they go wrong at the least convenient times. I've lost a whole day of a holiday trying to find a place with internet so I could log in and fix some small thing that had broken (I also hosted for a handful of other people, not all of whom were on holiday). And I've had that sinking feeling when you realise that that important email you've been waiting for has been sitting for a day and a half behind a crashed/misconfigured service somewhere.

Good luck with your endeavour, it is if nothing else a learning experience. But it's important to keep in mind that if email is a critical tool for you (it is for many people, ymmv), toying with it may not be the best idea.

I'm just now experiencing the direct opposite with Fastmail. Used it to avoid setting up my own mail server for a ~50 user gitlab instance. Went from trial user to paying for a full year and one day later my account is now blocked. Found this message in the first rejected email: "We couldn't figure out what the email is for. Please create your issue or comment through the web interface.". Can't send mail through the webmail interface. Can't access IMAP nor SMTP. Support emails from their own support don't go through.

So, without any means to control it myself I'm now in the mercy of fastmail support unless I set up my own postfix/dovecot in the meantime. I guess it goes both ways.

… hang on, what plan did you ask for for this, and what kind of mail were you actually sending/receiving? As far as I'm aware, Fastmail charges per-user, and isn't advertised as suitable for sending automated mail through. It sounds very strange to use it as a replacement for “setting up a mail server for a GitLab instance”.

What ToS am I violating exactly? I’m _well_ within limits for both incoming and outgoing and all recipients sign up for receiving the emails. The gitlab wiki even uses fastmail as an example for smtp.

For record-keeping: got a reply two days later from support saying that they do not support sending notification emails, which this is classified as.

I try to find a balance - I run my own mail server on a digital ocean droplet, but I use gmail to fetch email from it, and I use gmail as my sender.

I get the best of both worlds; I don't have to worry about being blocked when I send things, and if I ever have issue with gmail, I can stop using them without losing my email address.

You know that some corporations consider GMail as spamhole and block mails sent from it. There is no perfect solution.

Gmail has 1 billion users. Blocking a massive chunk of all possible users seems sort of insane are you sure you didn't mistype yahoo?

I vaguely suspect that GP may refer to the fact that certain corporations block access to the Gmail web interface (and the other big providers) from their network, typically for auditing purposes, in a way that a personally run mail server might evade. In those cases, actually accessing your personal mail server would typically be a gross breach of conduct and lead to immediate termination for cause if caught. This, of course, has nothing at all to do with the deliverability of email from those services, even to these same organisations (they can audit what goes through their own servers, so that's fine).

But, that's a guess, and I obviously can speak on GP's behalf.

Yes and also they block receiving emails from GMail domain for security purposes. So if you want to email someone internal in big co, you have to do it from your own domain. I suppose it is not only for GMail. Probably Yahoo, Microsoft also but I only had one guy trying to use GMail sending mail to corporate users.

Before you said "spamhole", now it's security. In both cases it makes literally no sense to block Gmail and allow random personal domains. I suppose the setup could be based on whitelisting domains, and because Gmail is so big, they won't whitelist it, and it also won't receive emails from anything random, but from specific personal domains. But such a setup specifically isn't for communicating with the world at large, and not any kind of widespread practice.

Also, you should be using your own domain with Gmail (or any other provider) so you aren't tied to anyone, anyway.

Yeah, that seems rather unlikely. Do you have some references for that claim?

Who blocks Gmail?

Any sane corporate security? You can set up a gmail account in 5 mins and start phishing people in a corporate env. That is why receiving emails from generic domains is a no-go. I also had an actual requirement where we did not allow people to register with a gmail account; only non-generic domain emails were allowed, so that you use your company email for a B2B product.

How big is your list of 'generic domains'? There are email providers that give you hundreds of domains to use, and only take 5 minutes to register.

Any? So Gmail users can't email any sane corporation?

Extraordinary claims require extraordinary evidence. Please provide just a single reference to this claim.

How did the service suddenly become misconfigured?

I don't remember the details, but it probably didn't become misconfigured, it would always have been misconfigured, just one particular combination of factors that hadn't been seen before suddenly got caught. I remember at one point that an org I did email for couldn't receive email from a particular other organisation. Turned out that I had configured our MTA to accept TLS, and theirs presented an invalid cert, so the connection was rejected. This wasn't the situation I referred to, because this caused email to bounce hard, so people just routed around (yay for having people have professional contacts send to their hotmail instead).

Or whatever. I remember the feeling, not the mistake that caused it.

It's fun until it becomes a chore. And until you realize you're always one step behind people trying to break through with spam or attacks.

I have almost the exact same setup as OP. I put close to no maintenance time in it. Adding all the extra configuration (SPF, DKIM, etc.) to let the world know that you are not a filthy spammer is important, though.

Same. It’s like I’m a small company. Single server with no active maintenance? Sounds great and why would we ever spend more on it? It works great! ... for a while.

Once that single server goes down it’s suddenly the biggest issue currently keeping us from doing anything. Whether it’s because of something I did or an upstream outage doesn’t matter, I’ve still got to troubleshoot it and try to work around it.

For $5/m you could have FastMail do it for you, or for free you could have Google do it. Yes there are trade-offs, but they also have more infrastructure than you do for the same price.

Email is just one of those things I would rather outsource.

I think every FastMail proponent is single, as they are always touting how you get the same thing as running your own email server for $5/mo. But for people with a family it is rather expensive for email.

I'm the opposite. When it was just me I didn't mind running my own mail server and putting up with my self-inflicted downtimes. But when I started adding family members it added more pressure on me to ensure good uptimes etc. So for me, family members were the reason why I migrated to FastMail. I don't see it as being very costly for the quality of service they provide but YMMV.

This hasn't been an issue for me once I moved my mail server into a VPS (ran it from home for a long time). Been running in a VPS now for 10+ years and downtime has never been an issue. The main pain points have been clean IPs and migrating user accounts when I upgrade the server.

We literally just had this thread 3 weeks ago: https://news.ycombinator.com/item?id=16238937

There is also mail-in-a-box: https://github.com/mail-in-a-box/mailinabox

This. The hard part of hosting your own mail is emphatically dns and deliverability. Mail-in-a-box does all of the dns magic to ensure folks get your email. The rest is gravy.

MIAB is a great piece of software. I've been using it for a little longer than two years and it's a pleasure to use. Updating is easy and I've had no problems with it since the first install. It is rock-solid and reliable.

And also http://mailcow.email if you want something to quickly spin up in Docker with a bit more configuration available

LowEndTalk.com will help you find a super cheap VPS.

However I would advise using dedicated hardware for the server instead for improved privacy. There are two possible routes:

1) Rent a cheap dedicated server such as the Kimsufi line by OVH or the Personal line by Online.net. These cost below 10€ a month.

2) Run the email service on your box at home and use the cheapest VPS you can find just to tunnel a non-dialup IP address to that box using OpenVPN. The cheap VPS usually costs less than $10 per year.

I would prefer to go with the known name and well-established company, instead of LET, for email.

For example, Vultr offers $2.5/mo servers from two locations and they are a proven, trusted hosting company. In case your IP has a bad reputation (you can test it right after spinning up an instance), you can just shut the server down and create a new one with a fresh IP.

The problem with both Kimsufi and Online.net is that if you get an IP with a bad reputation, it is quite hard to get a new one. I have dealt with OVH and a blacklisted IP I got on a new server, and they were expecting me to contact blacklist providers and request whitelisting, which took time and resources.

When renting a dedicated box, a VNC-like interface is required to enter the disk encryption password, which could be intercepted by the host. Moreover, this has to be done on each restart. I look at a dedicated box more as an upgrade from a VPS.

For privacy, I think user-encrypted email messages provide the best option.

At home self-hosting through VPN is a good idea. It would involve maintaining hardware, which I traded for low cost VPS. With a replica backup MX, I am not married to any hosting provider, and can hop without downtime.

> a VNC-like interface is required to enter the disk encryption password, which could be intercepted by the host.

There's a rule in security that anyone in physical possession of your device should be assumed to have access to it. The host has the server whether physical or virtual. You're not safe from them. Trusting them is the tradeoff made for the cheap, hosted server.

> I look at a dedicated box more as an upgrade from a VPS.

Multiple VPSs share a physical box. A malicious VPS can look for secrets in another VPS using side channels. This isn't possible on bare metal: they have to compromise an app or get a shell first. The next concern would be endpoint security. OpenBSD covers that well. Then, there's host or peripheral firmware, which is almost always a risk if a 3rd party is hosting things. Your attack surface does go down, though, when you're not sharing a box with an attacker. There are also the performance benefits.

Privacy from host is not possible, and you make a very good point about hardware access.

Virtual machines are secured by the shared host. I don't really expect top security from this end. A replica backup MX enables me to safely change hosts if they behave badly.

OpenBSD defaults are what I base my endpoint security on, and keeping this updated is super easy.

> Virtual machines are secured by the shared host.

Virtual machines are not secure in mainstream implementations. The tech they use has had a lot of vulnerabilities in the past. Google and Amazon even have their own custom versions for improving security. There's also no covert/side channel analysis done on those to even know what information leaks will be found in the future. Finally, hardware-level attacks are possible if you have malicious code running that bypasses VM protection. The most popular recently is Meltdown/Spectre.

There have only been a few VMMs designed for security (two examples below). Most of them probably cost five to six digits to license. The FOSS ones are alpha or beta quality without the tools a big host would want for management. The VMMs focused on rapid development of features in unsafe languages don't look anything like the ones that passed pentesting. They also have the highest market share due to those features. So, your host serving cheap VPSs is almost certainly not using a secure VMM: they're saving money using an insecure one on insecure hardware that they're patching as vulnerabilities are publicized. Like almost everyone does with their OSes for their beneficial features. ;)
There's no need for a visual desktop just to enter the passphrase. You can also do it by logging into a minimal setup that is inside the initrd via SSH (dropbear). It is a standard debian feature.

Kimsufi IPs often end up on spam blacklists. Is DKIM etc. enough to circumvent that, or would your connection with other mail servers not even get that far?

It depends on the email service provider. In general, you're in for a bad time. You can make it work, but you're always going to be fighting black lists and the occasional ESP who blocks your entire provider.

There's also Scaleway with their ARM servers; those are dedicated.

But the hard disk is attached via network, which means someone (the ISP) can create a copy at any time and you won't even notice it.

The hardest part to me is to get an IP address that's clean so your outgoing emails won't be marked as junk. Also, then you'll have to get help from the ISP to update PTR records for your IP address; it's not worth it.

Getting a clean IP and keeping it clean is a hassle. Some networks (eg. AT&T) use some sketchy blacklists that blacklist entire B-blocks, and you have to get them to whitelist your IP. The problem is that after you finally get your IP in a nice state, then you are stuck with that IP. And with many of the cheaper VPS providers, that means you are stuck with that instance because the IPs are paired with the instances.

But some VPS providers allow you to have a reserved IP that you can use as your SMTP IP, keeping it independent of your server instance. I'm about to switch to vultr.com for this feature, which means cleaning another IP but hopefully the last one for a long time.

FYI: I have had very good experience using Centurylink (previously Qwest) for serving email from home. It is only $6/month extra to get a static IP with reverse DNS. In the 10+ years I have used them, the address blocks they allocate static IPs from have never shown up on a blacklist.

I know that for many people here DSL does not provide sufficient bandwidth to suffice as the primary home internet connection, and $60/month is pricey if you only plan on using the connection for email, especially compared to a VPS. It is much less expensive than paying for a business account with any of the other ISPs, though.

I guess I was lucky because I haven't encountered a "dirty" IP yet, but I only tested 6 VPS providers so far.

PTR records are updated from the VPS provider web interface, it takes a few seconds to activate.

The last time I rented a new server I checked the IP in the various blacklists. There was one blacklist that had listed the entire subnet the server was in. I asked them to whitelist my IP address in that subnet, which they did. It took only a few minutes to write an email.

I had this sort of thing happen yesterday. Two IP addresses in my email server's /24 were flagged for spam so the whole range was blacklisted. I wasn't able to send email for about 8 hours until it was cleared for me. But this was 8 hours of outgoing email downtime in two years of running my own server.

It takes quite a lot of knowledge of what blacklists are out there, and time to check them all. It's hardly "just a few minutes to write an e-mail".

https://mxtoolbox.com/blacklists.aspx takes a few seconds. Then following up is a few more minutes.

There have been sites that check an IP against the vast majority of blacklists for well over a decade, and they've been free as well.
I run RBL checks a few times a day in Nagios, so I don't get surprised.
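The two checks this sub-thread keeps coming back to (is my outbound IP on a DNSBL, and does its reverse DNS confirm back to the IP, as earlier comments on PTR records ask) can be scripted and run from cron or a Nagios plugin. The block below is an added example, not code from the OpenBSD Email Service project or from any commenter; it builds the reversed-octet query name, interprets the 127.0.0.x answer, and does forward-confirmed rDNS, and it also handles IPv6 nibble reversal. The resolver is injected, so it runs here against a constructed DNS table (TEST-NET addresses, example.org/example.net names) and you plug in a real lookup for production; the return-code meanings are an assumption to re-check against each list's documentation.

```python
"""Outbound-IP deliverability pre-flight for a self-hosted mail server.

Added example, not code from the OpenBSD Email Service project or any commenter.
The resolver is injected so everything runs offline against a constructed DNS
table; swap in a real lookup (e.g. dnspython) for production use.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# (qname, rrtype) -> answers as strings; [] when the name does not exist.
Resolver = Callable[[str, str], List[str]]

# Assumption: code meanings as Spamhaus documents for ZEN and SpamCop for its
# list. Re-check each list's documentation before acting on a result.
DNSBLS: Dict[str, Dict[str, str]] = {
    "zen.spamhaus.org": {
        "127.0.0.2": "SBL: known spam source",
        "127.0.0.3": "SBL CSS: snowshoe / compromised sender",
        "127.0.0.4": "XBL: exploited host", "127.0.0.5": "XBL",
        "127.0.0.6": "XBL", "127.0.0.7": "XBL",
        "127.0.0.10": "PBL: end-user/dynamic range, should not send direct",
        "127.0.0.11": "PBL: ISP-declared non-MTA range",
    },
    "bl.spamcop.net": {"127.0.0.2": "SpamCop: reported spam"},
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the address as DNSBLs expect: octets for IPv4, nibbles for IPv6."""
    rp = ipaddress.ip_address(ip).reverse_pointer   # e.g. 10.2.0.192.in-addr.arpa
    return rp.rsplit(".", 2)[0] + "." + zone        # drop in-addr.arpa / ip6.arpa


def check_dnsbls(ip: str, resolve: Resolver, dnsbls=DNSBLS) -> Dict[str, List[str]]:
    """Return {zone: [meaning, ...]} for each list that answers; {} means clean."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    listings: Dict[str, List[str]] = {}
    for zone, codes in dnsbls.items():
        answers = resolve(dnsbl_query_name(ip, zone), "A")
        # Only 127.0.0.0/8 answers are listings; anything else means a broken
        # or wildcarded zone and should be investigated rather than trusted.
        hits = [codes.get(a, f"listed with unknown code {a}")
                for a in answers if ipaddress.ip_address(a) in loopback]
        if hits:
            listings[zone] = hits
    return listings


def check_fcrdns(ip: str, resolve: Resolver) -> Tuple[Optional[str], bool]:
    """Forward-confirmed rDNS: a PTR exists and one of its A/AAAA records is the IP."""
    addr = ipaddress.ip_address(ip)
    ptr_names = [n.rstrip(".") for n in resolve(addr.reverse_pointer, "PTR")]
    if not ptr_names:
        return None, False
    rrtype = "AAAA" if addr.version == 6 else "A"
    for name in ptr_names:
        if any(ipaddress.ip_address(a) == addr for a in resolve(name, rrtype)):
            return name, True
    return ptr_names[0], False          # PTR exists but points at another host


def preflight(ip: str, resolve: Resolver) -> dict:
    """One summary dict per IP; 'ok' is what a monitoring check would alert on."""
    listings = check_dnsbls(ip, resolve)
    ptr, confirmed = check_fcrdns(ip, resolve)
    return {"ip": ip, "listings": listings, "ptr": ptr,
            "fcrdns": confirmed, "ok": not listings and confirmed}


# Constructed sample DNS data: one PBL-listed dynamic IP, one clean MTA, and
# one IP whose PTR names a host that does not resolve back to it.
SAMPLE_DNS = {
    ("10.2.0.192.zen.spamhaus.org", "A"): ["127.0.0.11"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["192-0-2-10.dyn.example.net."],
    ("192-0-2-10.dyn.example.net", "A"): ["192.0.2.10"],
    ("20.2.0.192.in-addr.arpa", "PTR"): ["mail.example.org."],
    ("mail.example.org", "A"): ["192.0.2.20"],
    ("30.2.0.192.in-addr.arpa", "PTR"): ["mail.example.org."],
}


def sample_resolver(qname: str, rrtype: str) -> List[str]:
    """Stand-in for a real DNS lookup; returns [] like NXDOMAIN would."""
    return SAMPLE_DNS.get((qname, rrtype), [])


if __name__ == "__main__":
    for sample_ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(preflight(sample_ip, sample_resolver))
```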

I used http://multirbl.valli.org/ but who knows how many are out there, not including private lists.

It's the private lists that will get you. What do you do if Google has your IP address on an internal blacklist? Or your health insurance company? Or some random Barracuda-style e-mail filtering appliance? Nothing. You're screwed.

In that case, the IP is screwed. I plan to change IP, or hop hosts, if/when this happens. I opened 6 accounts on 6 different hosts, and only two are active for this reason. So far so good :)

And for 12.50 I get exchange+office all hosted and I don't do a thing. The best part is that clients get my emails, and I'm not wasting days trying to fight the brick wall that is Google, Yahoo, Apple, Microsoft, and every other isp that blocks by default.

I don't really think the downvotes are warranted on this one - given that the post title calls out the expense, I think a discussion on what you gain (and/or give up) for an additional $10/mo is well within bounds.

The point is being in control of your own software stack; nobody cares that you can use some hosted solution easily.

So basically, step 1: install SMTP and IMAP servers, step 2: configure them to run your domain, step 3: configure your DNS?

Step 4: wonder why the hell people aren't replying to your mails. Step 5: realize you've been blackholed by gmail and hotmail with no bounces and no explanation. Step 6: frustration. Step 7: tell people to add your e-mail address to their address book (wtf) and watch as things magically work for a while. Step 8: repeat.

My mail server routes via Amazon's SES, which provides an SMTP smarthost my instance of postfix can relay mail to. You authenticate each sending domain using DNS, and it even supports DKIM signing.

Until I did this, my deliverability, especially to GMail, was awful.

Assuming you're running your own mailserver because you like the idea of a decentralized web; isn't it kind of odd to then rely on Amazon?

Maybe, but in my case it would not be a valid assumption.

Have you seen any issues with the envelope from not matching the email address?

ezmlm, for example, will not let you subscribe/unsubscribe

I've not run into any problems myself - even if I did, I think I'd rather be able to reliably email people with GMail accounts!

That's a smart way to work around a frustrating problem. It's a bummer there are so many loopholes to jump through.

I don't know why so many people on HN tell this story. Are the US IPs all total garbage?

I set up my mailserver, sent a test mail to Google, no spam or other stuff. I don't know if SPF or DKIM was even configured. (It now is, of course.)

Do you have a fixed or dynamic IP? When I tried sending email from my home network (which had a dynamic, if long-lasting, IP), I discovered my ISP's addresses were on the PBL[1] and therefore getting rejected by many servers. This was in Europe, not the US.

[1] https://www.spamhaus.org/pbl/

SE Asia here, and many IP blocks (/19) of my ISP are blacklisted, even blocks that are being used in a datacenter within that bigger block.

And of course, not hosted at home.

I'm in the US and I don't get this story either. I've had my mail server running on 3 different IPs, in my home, and have had no issues at all.

Heh. I think your steps 4-8 are all just “step 3 learning pains”. Configuring DNS for a “real email system” is often not trivial to figure out how to do. The steps are usually pretty “easy” (though getting a PTR record sometimes isn’t), but are frequently overlooked by beginners.

I wish that were the case.

I've been administering mail servers going back over 20 years and I wouldn't recommend it to anyone. The last 4 years or so, things have gotten a lot worse. Google and Microsoft are actively and deliberately making it harder for people to run their own mail servers.

Sure, setting up DKIM and SPF and whatnot isn't hard. But blackholing legitimate mail without any reason, without any form of notification or any possible appeal, well that's just appalling. And sure, Google & MS have tools to debug a subset of mail issues, but those don't even work unless your MTA is sending boatloads of mail to their servers.

This is exactly the problem you run into when sending mails to Gmail: For them there are only bulk senders and gmail address owners. In their whole documentation / faq they don't even mention small businesses or regular people owning a mailserver just to get in contact with other human beings.

People at Google might be the smartest under the sun, but they don’t understand email: It’s primarily a way for people to communicate with each other. In Google’s eyes it’s only a way to deliver advertising to end users.

Edited for typo

> People at Google might be the smartest under the sun, but they don’t understand email

Oh no, they understand email very well. They're just arseholes who want to force "regular joe" and small business to use their services. This isn't some kind of accidental incompetence. There's no "whoops, sorry your mail isn't getting delivered, our bad!"-type situation going on. This is a deliberate strategy of making it as hard as possible for people to run their own mail servers.

Of course they hide behind the excuse that you might be a spammer. But given Google's massive resources, there's no way in hell they can't tell ham from spam.

Yeah. Not to mention a lot of SMTP pain is when a major provider decides to blackhole you, or you are spam blacklisted, neither of which is under your control. Even a large corporation that self-hosts mail may have to constantly call other companies to get on their good side so they can send mail again. (The bigger you are, the more often this happens, but it also happens to small timers)

I think Step 7 is a good idea. Initially, I asked some contacts to send me an email from Gmail and Protonmail, to which I replied. From then on, my emails work fine with them (negative spam score).

If you don't want to do everything by hand, check out https://github.com/sovereign/sovereign/

I'd rather not run heavy opaque Ansible magic that also adds an IRC bouncer and the kitchen sink to configure an e-mail server.

All those features are in separate small files and have tags. You can enable and disable them one by one.

Yes, and for junk I chose rspamd for Bayes classification, very effective so far.

I've always wanted to host my own mail, but every time I look it up they always recommend like 2GB of RAM. I've thought about whether one in D / Rust would be easier to host, but are there any decent libs out there, or does someone know what mail setup I could have on a simple $5 a month DigitalOcean VPS?

OP recommendation is minimum 512 MB RAM. Giving it 1 GB for headroom still lets you run on the AWS EC2 Free Tier (i.e. t2.micro instance). Would that work?

If all you want is email (and not owncloud/nextcloud, your own webmail and some other services), 512 MB is plenty. If you can live without antivirus scanning of email you could get away with 256MB.

lowendbox.com lists plenty of cheap 2GB VPS

This is a nice writeup but my own personal modification of this model is to host an MDA at home where I've got plenty of space and it costs nothing. But then forward all mail to a proxy on a VPS that only does spam filtering and never saves mails on disk.

I'm always amazed at the negative comments on HN when the topic of self-hosting your email comes up - I saw many of the same replies when my mail server guide [1] got linked here a few weeks ago. Most people suggest to give all your email to some corporation.

If people want to create their own mail service, more power to them - this is supposed to be HACKER news!

[1] https://news.ycombinator.com/item?id=16238937

AND YET, every time the subject of messaging comes up everyone cries how what we really need is federation and not walled gardens.

And this is precisely why walled gardens are attractive. Because when you realize the work that you have to put in to make federation work you give up and go running back into your walled garden.

I'm one of those people who shouts in anger and frustration any time the subject comes up. Self hosting email is a pain in the arse. Google and MS are deliberately making it a pain in the arse. Spammers are making it a pain in the arse. Users with shitty passwords and compromised accounts are a pain in the arse.

But please, don't get me wrong. We need more decentralized email again. But what we need even more than that is less hotmail and less gmail. I feel much better telling someone to pay some $company a small fee for email hosting than I would telling them to suck it up and embrace the pain.

I have been self-hosting email (and anything else I can figure out how to self-host) for nearly 20 years. Still found useful things in your guide. Thanks.

If you have a lot of time to kill and don't need reliable email, self-hosting is fine. But it's a bit like building your own car. Fun hobby: not reliable.

Speak for yourself - I've hosted my own email for over half a decade and never had any issues whatsoever. Set it up once, keep paying your DNS/VPS provider, and update your box every now and then, and you won't have any issues.

Of course, it's more work than having Google or Fastmail do it, but so what? I'm sure a significant majority of HN readers already have a VPS and domain name of some kind. Setting aside a few hours to set up a mail server on it isn't the indentured servitude many of y'all make it out to be.

If you follow the guide in this post, you will have reliable email delivery without involving a possibly untrustworthy 3rd party. What part of it seemed overly time-consuming or difficult?

If you're worried about monitoring it for operation, make sure there is at least one automated email that passes in each direction once daily. Use pingdom free to check for basic up/down. That should suffice for a personal email system. Email senders will retry for days before giving up.

I say this as someone who has been hosting his own email on his own hardware on his own ISP connection (on OpenBSD no less!) for over a decade, and have never had a delivery issue

> you will have reliable email delivery without involving a possibly untrustworthy 3rd party

Only if you limit your email messages to parties that also use your personal email service.

Seriously. Who are these people who don't seem to know what DNSRBLs are, who don't know about IP blackholing, who don't know about spammers stealing private addresses and getting your domain blacklisted, or sending out too many mails at once and getting tagged as a spammer, or sharing your IP space, or not getting accepted from various domains for not having a high enough "reputation", etc?

I mean, I must not know what I'm talking about, having run personal and corporate mail systems for 15 years. Must be pretty easy to get the DNS extensions which aren't used uniformly across major mail carriers right. And hey, if your ISP gets blackholed it should be pretty easy to fix, right? And you just have to set up a separate system with automated tests to alert you when your service is down so you can get it back up in a few days before the bounces start going out. And certainly maintaining your own spam filters has never been difficult, to say nothing of software upgrades, maintenance outages, security patches, offsite backups, certificate renewals, and moving hosting providers.

But, yeah. Easy.

I've been running half a dozen domains since OpenBSD 2.5, over multiple hardware platforms and ISPs, and I have never felt any of the pain you're talking about.

I've never had a reputation problem, but I've been sure to test for open relay on my servers as step zero. Maybe I've been lucky over the 4 ISPs I've had, but I've always ended up with clean IPs. In any case, that would be something you'd catch during initial setup and have to deal with before sending out your first email. This may be super painful to deal with, but I don't have any experience (fortunately).

I update my server OS (openbsd) once every 6 months and use long-lived self-signed certs for STARTTLS mail delivery. Combined with DNSSEC and DANE it makes for a trustworthy setup. Certbot for any certs that are more important to have a chain of trust for.

I set up DNSSEC/DANE/DKIM/SPF once over a couple of days and have never had a problem. I don't even have any spam to filter out after having domains for decades and lots of friends and family members using it. Google sends regular reports verifying that no one is using my domains for spam campaigns (at least to gmail addresses).

There are free online services to help generate configs for, and test for the correct configuration of each part of these setups.

Removable hard drives and fsarchiver make for simple offsite backups (just store them at work). But if you don't have a good backup plan, whether you're running your own email system or not, you've got bigger problems.

I'm sure you're dealing with bigger and more sophisticated setups than my vanity domains, but I'm not talking about those. I sometimes don't touch the email side of my system for years. Once set up it just works.
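The comment above leans on SPF (with DKIM, DNSSEC and DANE) being set up once and tested with online checkers. For readers who want to see what such a checker actually does with a record, here is an added example that is not from the thread or from the vedetta project: a small SPF evaluator in the shape of RFC 7208's check_host(). It runs offline against a constructed in-memory DNS table (FAKE_DNS, with documentation-range addresses); in production the lookups would be real DNS queries, and the redirect= modifier, macros and temperror handling omitted here would have to be implemented.

```python
"""Toy SPF (RFC 7208) check_host() over a constructed, in-memory DNS table.

Assumption: FAKE_DNS stands in for real DNS so the example runs offline; the
domains and addresses are constructed (RFC 5737/3849 documentation ranges).
"""
import ipaddress

# Constructed DNS data: name -> record type -> values. Not real domains.
FAKE_DNS = {
    "example.test": {
        "TXT": ["v=spf1 mx ip4:203.0.113.0/24 include:relay.example.test -all"],
        "MX": ["mail.example.test"],
    },
    "mail.example.test": {"A": ["203.0.113.10"], "AAAA": ["2001:db8::10"]},
    "relay.example.test": {"TXT": ["v=spf1 ip4:198.51.100.5 ~all"]},
    "noreply.test": {"TXT": ["v=spf1 -all"]},
    "twice.test": {"TXT": ["v=spf1 -all", "v=spf1 +all"]},   # two SPF records: permerror
    "loop.test": {"TXT": ["v=spf1 include:loop.test -all"]},  # runaway includes
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10   # RFC 7208 section 4.6.4


def lookup(name, rtype):
    """Stand-in for a DNS query; returns [] for anything not in the table."""
    return FAKE_DNS.get(name, {}).get(rtype, [])


def get_spf(domain):
    """Return the domain's single SPF record, None if absent, 'permerror' if several."""
    records = [t for t in lookup(domain, "TXT")
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not records:
        return None
    if len(records) > 1:
        return "permerror"
    return records[0]


def matches(addr, value, cidr):
    """True if addr falls inside value/cidr (cidr may be '' for an exact host)."""
    net = ipaddress.ip_network(f"{value}/{cidr}" if cidr else value, strict=False)
    return addr.version == net.version and addr in net


def check_host(ip, domain, counter=None):
    """Evaluate SPF for a connection from `ip` claiming MAIL FROM at `domain`.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    Supported terms: all, ip4, ip6, a, mx, include. Modifiers (redirect=, exp=)
    are skipped in this toy; a production checker must honour redirect=.
    """
    if counter is None:
        counter = {"lookups": 0}       # shared across include: recursion
    record = get_spf(domain)
    if record is None:
        return "none"
    if record == "permerror":
        return "permerror"
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:
        if "=" in term:                # modifier, not a mechanism
            continue
        qualifier = "+"                # mechanisms default to +
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech, cidr = mech.lower(), ""
        if "/" in arg:                 # ip4:x/24, a:host/24
            arg, _, cidr = arg.partition("/")
        elif "/" in mech:              # bare a/24 or mx/24
            mech, _, cidr = mech.partition("/")

        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                if matches(addr, arg, cidr):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"     # malformed address or netmask
            continue

        # Everything below costs a DNS query; RFC 7208 caps these at 10 per check.
        counter["lookups"] += 1
        if counter["lookups"] > MAX_DNS_MECHANISMS:
            return "permerror"
        if mech == "include":
            inner = check_host(ip, arg, counter)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"     # RFC 7208 section 5.2
            continue
        target = arg or domain
        if mech == "a":
            hosts = [target]
        elif mech == "mx":
            hosts = lookup(target, "MX")
        else:
            return "permerror"         # unknown mechanism
        for host in hosts:
            for rec in lookup(host, "A") + lookup(host, "AAAA"):
                if matches(addr, rec, cidr):
                    return QUALIFIERS[qualifier]

    return "neutral"                   # nothing matched and no "all" term (section 4.7)


if __name__ == "__main__":
    for ip, dom in [("203.0.113.10", "example.test"), ("192.0.2.1", "example.test"),
                    ("198.51.100.5", "example.test"), ("192.0.2.1", "loop.test")]:
        print(f"{ip:>14} as {dom:<14} -> {check_host(ip, dom)}")
```

The two failure modes most often seen on self-hosted domains are in the table: twice.test publishes two SPF records (receivers treat that as permerror, which many then score as if the check had failed), and loop.test shows why the ten-lookup cap matters when includes chain through a relay provider. Both are the kind of thing the online checkers mentioned in the comment report.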

The only reason a self-built car won't be reliable is because you don't know what you are doing. The same goes for email. If you take the time to understand what you are doing it is perfectly fine.

Works reliably for me since 1997.

Same here. I used to host out of my house. Now it's on a server in a data center somewhere. Some of it is written in perl - which I have no problem reading (spamassassin).

You guys are reporting deliverability success precisely because you've (like me) been doing it for decades. The gmail filters know that your IP and sender domain are kosher. However if you were to set up a new domain and new server today the filters would default to "spammer" for your status.

Remember that the spam filters are aiming for "deliver no spam" rather than "deliver all legitimate email, but no spam" so your new server's messages being delivered helps the bonus prospects of nobody at Google.

The Internet is in a sad state of affairs when the consensus among "hackers" is just to use gmail because gmail is so horrible to work with. I guess google is really becoming the new Microsoft.

I've moved between 3 different residential IPs in 5 years and I've never had that problem. I really don't get why other people think it's so hard.

Sure, my grandmother isn't likely to build her own mail-server, but anyone with a spare computer, and a spare afternoon can.

I set up my domain and email server only a couple years ago and it works well, but like some of the others here who've reported success, I'm not running a big operation.

I wouldn't entrust my email to an operating system that lacks mandatory access control.

OpenBSD is a fascinating project, but it is _decades_ behind the state of the art in security.

Seriously? I'd recommend doing some more research before making that claim. Your example in a later comment speaks to the area of Privilege Separation, discussed (and implemented) ad nauseam throughout nearly every application that is maintained by the OpenBSD project.

Privilege separation is also a nice feature, but it is not the same as MAC.

I would have much greater confidence in an OpenBSD project that included lomac or capsicum.

Why do you need ACLs to run a few services on their own server?

So that a root compromise in one service does not escalate to the entire server.

As a concrete example: my personal mail server (on a modern operating system) has its SMTP handling in a separate process from mailbox serving. If the SMTP process is compromised, and the attacker reaches uid=0, it doesn't matter -- no data from the mailboxes can be exfiltrated.

Only SMTP is broken, because mandatory access control prevents the SMTP "root" from doing anything the SMTP daemon would not ordinarily be permitted to do. The SMTP daemon is not empowered to read mailboxes, even if its uid is 0.

I think in this hypothetical scenario the uid 0 attacker can create its own node for /dev/rwd0 and use raw disk accesses to get around filesystem limits.

It's also hypothetical in that there's no known OpenSMTPd exploit that will allow you to get root, and barring a single CVE its record is pretty damn good.

Then you compare its record to Sendmail...

It's a matter of defense in depth.

OpenBSD robs you of one of the layers that is standard on every other operating system in the world: Linux, FreeBSD, Solaris, even Windows.

Blind reliance on ACLs/MAC is dangerous itself. I've had the benefit of working on all of the above and ACLs aren't something people get right the first time. Most don't even get it right the 10th time.

We use SELinux in my current place and while it's fine, things break/fail in odd ways and we're always tweaking it.

In the 6-7 years I did Windows administration, I trained a couple hundred people on ACLs and specifically how the SubInACL tool should be used -- for all but about a dozen of them who truly grokked it, that training was an ongoing process over the course of those years...

OpenBSD's advantage is in its simplicity, which ultimately is the best security. If you have a system that you can clearly reason about and design for where it might fail, you are better prepared for "when" shit happens -- because it's not "if". If your entire system is properly architected, this isn't actually an issue.

Chances are if you have your own server for email you also want to run some other services on it, like a blog. Those may be less secure.

For that particular example it should be pointed out that OpenBSD chroots the web server by default which ends up running as a non-privileged user. OpenSMTP does as much work as possible in multiple tasks running as a non-privileged user. So even ignoring the access control provided by the pledge system it is really unlikely that anything is going to escape to root or even be able to affect each other.

Sorry, I learned this lesson a long time ago. One service per machine. Especially this day and age where that's easy and cost-effective.

It's also not permitted to do that. Again, that's the point of mandatory access control.

It doesn't matter that you have uid=0, you do not have the granted capabilities to do new things.
