Hacker News new | past | comments | ask | show | jobs | submit login
Helm: Personal Email Server (thehelm.com)
846 points by keehun on Oct 17, 2018 | hide | past | favorite | 575 comments

Interesting product with great potential. Their website doesn't seem to address my two main concerns:

1. How do they ensure high, non-spam delivery rates to the main email services like Gmail, Fastmail, Yahoo, and Microsoft?

2. How would the product work in case Helm the company/service goes away (or even just service outage)? Can the device work on its own without the need for their web service (perhaps with lower delivery rate/higher spam score)?

They claim:

>> We’ve designed your Helm to ensure as little information about you as possible is communicated back to us. That’s why the only account you create is directly with your server, not with us, and why only encrypted data passes through our servers.

But how does that work with sending emails? (Please excuse my ignorance on this matter.)

Hi keehun - thanks for posting this on HN! I'm the co-founder and CEO of Helm.

1 - First, we cross reference IP addresses we assign to gateway against known blacklists. This helps ensure emails will be delivered. We also fully support email authentication (DMARC, DKIM, SPF) and configure reverse DNS as well. Lastly, the IP address for a gateway stays fixed so the domain and IP will build reputation over time. Helm servers require the service to work to get around the residential internet connection challenges in the US (port blocking, dynamic IPs, untrusted IPs)

2 - We will be doing 2 things - first, we will publish as open source what is required for people to be able to run their own gateways with their own AWS account in the event Helm has to shut down. Second, the unit economics on the service are positive so as long as we have customers, my co-founder and I are dedicated to running the service. We take a page from Garry Tan and Posthaven in this regard.

3 - The way this works for sending emails, your devices that you compose emails on will connect directly with your Helm server over TLS. Your Helm server will then initiate a TLS session with the server hosting your recipient's email. So we as a company have no visibility to any of that data - at rest, or in transit. I hope this helps - I'm happy to explain this in more detail as needed.

>> 3 - The way this works for sending emails, your devices that you compose emails on will connect directly with your Helm server over TLS. Your Helm server will then initiate a TLS session with the server hosting your recipient's email.

If my helm server connects directly with the recipient's email server won't it create problems with SPF validation? Home networks usually don't have a fixed IP address so I am not sure how SPF will work.

> Your Helm server will then initiate a TLS session with the server hosting your recipient's email

I'm not sure how Helm doesn't see the metadata:

* For outbound (as described) and inbound mail, do all mail servers support TLS connections? I was under them impression that many still communicate unencrypted.

* How does Helm avoid seeing the metadata, who is communicating with whom and when?

WRT to TLS, see here: https://transparencyreport.google.com/safer-email/overview?h...

It seems that Helm has no obligation or business need to log any metadata if they are providing each customer with a dedicated relay. Any abuse will come from that relay IP and can trivially be attributed to the correct customer.

> Helm has no obligation or business need to log any metadata

The point of Helm is to provide privacy (and end-user control) through technical means, if I understand correctly. If it's just a matter of trusting motives, I don't need a home server.

I disagree. Seizing data stored on a server in your house is much, much more difficult that seizing data stored on a cloud server.

I can see that going both ways.

The feds know that Apple (for example) are fully lawyered up, and that they need all their legally required paperwork with it's "i"s dotted and "t"s crossed before Apple will even look at their request for your data. While we know they _will_ hand over legally required data when they can and the paperwork is OKed by their legal department, they also very publicly go head to head with law enforcement when those requests are legally questionable or technically impossible.

I suspect an overly broad probable cause warrant to seize all the electronic devices in your house is gonna be much easier to slip past an leo friendly judge and whatever legal representation you can muster up when they dawn-raid you - than "slipping one past" Apple's legal team.

Having said that, if you've got the feds interested in your digital comms, you probably want to be getting your security advice from a much more private and trustworthy source than randoms on Hackernews...

Also, if the feds raide your home you will know that your data was compromised. Apple won/can't tell you..

> Also, if the feds raide your home you will know that your data was compromised.

Not necessarily: https://en.m.wikipedia.org/wiki/Sneak_and_peek_warrant

nope. it's only fractionally more difficult as "the man" has to physically come to your house.

additionally, email is more usefully between 2+ parties. For normal people, the other parties are very likely to be using a cloud email provider. I would not be surprised to learn that it is common to issue a warrant not for a specific recipient, but for anyone that has corresponded with a specific person, ie for the sender instead of the receiver -> google, give me all emails sent by user@foo to any user on your server.

this is actually a big problem of SMTP and a big weakness of helm. i didn't study the product but it seems that it would be difficult for a user to know (and prove) that another user is a helm'er. if data seizure is the issue you care about, protonmail and other such services are a better solution.

Not really. If you are under investigation, seizing your server is as simple as a search warrant. The challenge is accessing the data - if you've encrypted it well, it's impossible to access. However, on your own server, you may get complacent and allow some data leakage.

Major providers like Gmail and ICloud will have a longer and more convoluted process to provide your data to state actors, but analysing that data is going to be far easier since it will come in a standard format.

If your goal is to make your data difficult to seize, a better option is probably to self-host on either a cheap VPS or a corporate-grade cloud service. That keeps the data out of reach of a warrant on your home, and keeps it unreadable after they've actually jumped through the hoops to seize it from your provider.

On a VPS, full disk encryption is not effective because the keys can be dumped from the hypervisor.

Not to mention having to wake up in the middle of the night when the VPS provider decides to reboot your VM so you can decrypt the volume on boot. Been there, done that for years.

not a problem for SMTP, which is store-and-forward.

According to this page (https://thehelm.com/pages/technology), the following is logged.

* Name, address, payment information, domain, DNS records

* Device diagnostics (such as temperature), software versions, enabled services, connection status, connection type, serial number

* Anything related to customer support, including information customers provide

So plenty of information to uniquely identify a system. The last bullet is a little concerning as it seems to be a catch-all.

The last bullet isn't intended to be a catch-all but to reflect the fact that we can't control what customers provide us via customer support.

I don't see what the issue with uniquely identifying a system is. The main metadata of concern is what other mail servers are being interacted with.

If everything has to go through their relay, they can pretty easily see what mail servers are being interacted with.


Please see my other questions here. https://news.ycombinator.com/item?id=18243685

Yes, but they don't have to log that, and given the way the system is described there's no reason it would by default.

It sounds like the hardware device is an SMTP server that sends the email itself directly over encrypted SMTP.

So, what's the subscription for?

Regarding #3, let's work through two use cases. A) I'm at home and B) I'm on the road.

A) I can connect directly, no biggie.

B) I am assuming that you would require a port opened/forwarded in the firewall to work in this case. Is this correct?

Hi newman314, we have a gateway server that we as a company manage the gives you remove access back to your Helm. We do this without requiring you to poke holes in your firewall because the Helm establishes an outbound VPN connection to the gateway.


Please see my other questions here. https://news.ycombinator.com/item?id=18243685

A) I can connect directly

Can you? you'll probably need your own DNS resolver because if the clients are configured for my.custom.domain.com, it's not going to resolve to and your connection is down. So you can have the box do that, but generally, split horizon DNS is a thing you don't want to set up in a set it and forget it install.

Yeah, as somebody who has run their own mail server for years, #1 is a huge concern. It has been a real struggle for me despite having a server I own in a rack with net-neighbors I know.

Another big one for me is the failure modes. What do I do when my home connection is down? How about when my connection is down and I'm traveling? What happens when the hardware fails? How about when the hardware fails 5 years from now?

Having email just down for a couple days while you wait for new hardware to would be a very bad experience.

So if they route everything through the same set of EC2 instances, that might actually take care of the SPAM issue. I run my own e-mail server and have run into that same issue of not being able to send to gmail/microsoft addresses (unless I contact the person via Facebook/Twitter/Reddit/etc. and tell them to check their spam folder):


The way most of these providers deal with spam is they slowly white-list IP addresses. When a company like Mailchip or Mailgun spin up a new server, it's always in a large subnet range they've purchased and they slowly start sending low priority e-mail through it to existing/known receivers and throttle it up to full speed.

If you're running a personal server that sends like 5 or 6 e-mails a days, well that's an issue.

The big players make it difficult to run a small personal server, but running a dedicated business or corporate server that sends 100s of e-mails per day is typically fine once it's well established.

You know what would be a better product? A relay SMTP server that works with Google/Microsoft/Amazon/Fastmail et. al. to pump e-mail from personal servers and ensures it won't get caught in spam filters.

"You know what would be a better product? A relay SMTP server that works with Google/Microsoft/Amazon/Fastmail et. al. to pump e-mail from personal servers and ensures it won't get caught in spam filters."

That's basically Sendgrid or Mailgun or even Fastmail itself. They can all relay SMTP for arbitrary domains.

It's actually a totally different product vs Sendgrid/Mailgun/etc.

Such a product would need to have a ToS that states it can only be used for low volume personal and business correspondence, and have per-account rate limiting to enforce that. Doing it this way is necessary to avoid having mail treated as bulk.

I've tried relaying through mailgun to get mail to outlook.com, it does not work.

Rate-limiting would be interesting. If the cost of the service was specifically high enough to be unscalable. Like, $10 per month and you can send 200 emails per day. That’s expensive compared to anything else but fine for personal use.

fastmail already is available for $10 per month, so I guess problem solved?

Do they handle a send-only smarthost configuration that allows arbitrary from addresses within a domain?

As far as I can tell, yeah.

Pretty soon email will require stamps, like paper mail. I wonder if they will sell forever stamps?

Jk, I just thought it was funny that we pay for services which were always seen as a free alternative to paper mail and stamps were a thing of the past.

Proof of Work basically was invented to cope with email spam. That's more or less a stamp.


If you have a KvK in The Netherlands your PII details are public, and you will start receiving physical spam from companies despite such spam not being free to send. I never receive spam from individuals though; only companies.

On top of that, the costs of electricity are not the same everywhere (they are very expensive in The Netherlands, for example, than in the USA, and China is very cheap). Nor is it widely stable available everywhere (examples include India and Africa). Proof of Work is basically a waste of energy as well.

How about https://postmarkapp.com/ ? It is more tailored to "transactional emails", but seems pretty close to what you describe

But this is exactly what I use mailgun for. The free price point kind of enforces that.

Maybe it's just been so long I'm whitelisted?

More likely you actually set it up correctly, with DKIM and stuff, and the parent didn’t.

I had everything set up correctly, including DMARC. I've been doing this a long, long time.

> The big players make it difficult to run a small personal server

how so? the way i see it, only by making it too easy to use them. if you mean, they reject mail from (eg) dynamically assigned home subscriber IP addresses, you can blame spammers for that, not the big email players.

There's little to no additional security from having email on-site, and much hassle. Assuming you use google or outlook, the advertising bogeyman is just that - a bogeyman.

this is a super niche product, with a lot of useless industro-consumer design thrown in. it's doomed as a business and then where are you? back to gmail.

According to their FAQ, you are basically on your own since your device is the MX server:

> While offline, emails sent to you will not be delivered. This does not, however, mean that they are lost. If your email server becomes unreachable for any reason, the sender’s email server will periodically retry sending the email at a later time. Email servers are generally configured to retry rapidly at first and then back off and increase the time between retries.

> Once your email server comes back online and a retry is performed, you will successfully receive the sent email. If your email server is offline for an extended period of time, the sending server will eventually give up and send a bounce message to the person who sent you the email.

the sounds exactly like the nightmare the GP proposed. what happens when you're on vacation? or even not on vacation but the supply chain is borked or UPS loses your package? even if helm is self-configuring from stored cloud config, this is still a pain and being without email for even a day is painful. 3-5 days (more likely) is intolerable. and if it's longer mail will start to bounce.

> Another big one for me is the failure modes. What do I do when my home connection is down? How about when my connection is down and I'm traveling? What happens when the hardware fails? How about when the hardware fails 5 years from now?

This is the big obstacle preventing me (and I assume others) from moving away from cloud. Cloud services just work, everywhere, all the time (effectively). I'd love to get the privacy benefits of bringing my data "in-house" but I'm not sure I want to take on the equivalent of a part-time sysadmin job.

Hey bootsz, when your connection is down, you'll still have a local cache of your messages, contacts and calendar events. Email has retry built in and sending servers typically retry for at least 48-72 hours. The hardware has no moving parts so it should last for a long time, but when there is an inevitable failure, there are encrypted backups that can be downloaded to a replacement device and decrypted using keys only you have access to.

Yeah. Even though I've had my own collocated hardware since Bubble 1.0, I'm looking to move all of that to the cloud. When your own hardware works, it works reliably for years. But when something breaks it's an urgent fire drill, [1] and I'm entirely over those.

[1] Unless you have warm spares for everything, but that means you're paying twice as much and still will have a non-urgent fire drill to replace the failed hardware so you're back to n+1.

> Yeah, as somebody who has run their own mail server for years, #1 is a huge concern.

Perhaps relay the email out via your ISP account? I do that and it works well.

> Having email just down for a couple days while you wait for new hardware to would be a very bad experience.

Perhaps set up a fallback MX that directs traffic to e.g. a Mailfence account when your primary MX is down? Works for me. Also, mail servers can be cheap hardware (an old x220 will do).

Last point especially. It would be like having all business contact go through IRC with no bouncer and no way to even tell if you were online.

> 1. How do they ensure high, non-spam delivery rates to the main email services like Gmail, Fastmail, Yahoo, and Microsoft?

I run mail servers. I believe the idea that mail delivery is a problem for small mail providers is largely a myth. If you act somewhat reasonable (that is: if someone complains to you don't ignore it, don't send spam, check your logs for indications someone might put you on a blocklist) it's no big problem.

I think the myth comes largely from people who are actually spammers, but don't see themselves as that.

I can't speak for outside the UK, but here the ISPs hand out non-static[1] IP addresses to residential customers. These IP ranges are in the spam-block lists that a lot of the other mail providers use. As such sending any email directly from your ISP given IP address is hit-and-miss affair. You don't even get any bounce notifications, the emails just disappear and never arrive at their destination, so you have no idea that something is wrong.

Some ISPs allow you to pay for a proper static IP to get around this problem, but again some of the ranges are still in the block lists. The only way I could guarantee that my IP wasn't blacklisted was to switch to a business account with my ISP and thus have IPs from a different range.

If you are stuck on a non-static IP, the easiest way around the problem is to send via the SMTP smarthost that your ISP hosts.


[1] They are technically dynamic IPs, but are sticky in that you keep the same IP unless your router goes offline for more than a couple of hours.

In my personal experience, it was certainly a problem for a while when lists like SORBS and their notoriously hostile de-listing procedures were all over the place. Listed an entire IP block assigned to a data center I had hardware in as "residential" and it took weeks to get it addressed.

And more recently, I'm still unable to send email to Verizon.net email addresses from a VPS because they too insist it's in a residential IP block. (it's not.)

For the first few weeks I had a VPS and moved a small business to it, sending anything to Gmail was a hassle as it was all automatically going to the spam folder. The typical responses from others was "find a new provider" even though checking blacklists showed the one I chose was just fine.

I too have run mail servers, and have seen enough to realize that it's definitely not a myth. It's just that there are enough spammers making a mess of things for the rest of us, which is unfortunate.

Same experience. Mostly fine to run your own server. I check the blocklist status of the IP before moving/setting up a new server.

We end up on Hotmail/Outlook's blocklist about once a year. They remove it within 1-2 hours after opening a ticket.

I lost $150 because a certain mail didn't arrive in time (an intercity bus trip ticket) when I couldn't actually afford to lose that money. I had to borrow money from a friend. Those 1-2 hours were quite valuable!

Running your own mailserver is easy enough if you have an IP that isn't blacklisted. Most residential IP's will be on the Spamhaus PBL which will cause issues. You can run a mailserver on a $5/month VPS without issue as long as you have a dedicated IP and you check for blacklist entries before you start.

There are very good open source projects, namely rspamd etc.

That helps check that you don't receive spam (and even so, rspamd is much weaker when applied to only one account). It doesn't fix sending other people what looks like spam.

I recall one of the major bulk mail services (perhaps Campaign Monitor?) has a service where you can feed your intended outbound mail into a large range of spam checking services before you send it, to alert you to problems in your mail that are likely to trigger spam filters.

(On the other side of that problem though, if my email account starts sending mail "what looks like spam", it's almost certainly because my account's been compromised and is actually sending spam. There's a _start_ difference between typical personal person-to-person email and spam. I suspect _some_ business email might blur the line there - but part of me thinks if your business email is blurring the line about being "spammy", then it deserves to get filtered...)

While I see others here who have had trouble with deliverability, I'd just like to say that I have never had a failed delivery to GMail/Google Apps, Yahoo, or Microsoft. There are tools online which will receive email from you and help you configure your system properly for full deliverability.

I suspect whatever this Helm thing is, they manage to do things right on that front as well; everything else I don't know.

I read the whole tech page and some of the comments here. I might be willing to pay for this service, but not in its current form. I wouldn't want to spend 500USD on a proprietary hardware in addition to paying a subscription fee. What needs to happen to convince me to pay:

Open up the hardware component as a platform for anyone to extend (allowing direct ssh, or using my own hardware). It's fine to not open source the email server code. But I would like to utilize the hardware to do other things, like file storage, etc. Instead of waiting for your company to build other features, I would rather have community contributed (preferably open source) plugins that integrates with your ecosystem and runs on the hardware.

This is extremely valuable feedback and worth strongly considering.

When the iPhone came out, it didn't support apps - just built-in features like Mail and Mobile Safari. I agree with you that an app store for Helm could be valuable.

This could be especially valuable as a way to build email apps for enterprise. Especially if there were a good API that returned email data in JMAP format.

I know Nylas tries to do this, but their model doesn't really work for me.

Why JMAP over something universal like JSON?

JMAP returns data in JSON, but with a standardized schema. It's better than the current status quo, where each email provider returns API data in JSON but using their own schema, meaning you need to build different endpoints and methods to work with each email provider. The spec is about to be finalized, so there is no reason why email providers who haven't yet released an API shouldn't be using it.

Seems similar to https://ciceronetech.com/about, I know they were building similar app style features on their similar style box.

Hey paraditedc - thanks for your feedback. We will be launching a developer program next year. We are very interested in a community of people like you hacking on Helm to build new services/features.

Related feedback, you might to launch it well before the year 1st subscription year ends, otherwise customers who bought the setup assuming they won't opt for subscription and would still be able to use the device will left with no option for possibly a long time.

Thanks balladeer - we will definitely be launching the developer program in less than one year from now.

Honestly, I would rather see it as a paid add-on to something like a synology or qnap..

To be fair - building a business like Helm while needing to deal with other people's hardware and their software updates which you wouldn't find out broke your product until your customers start screaming about their email not working - wouldn't be fun. I could easily see how someone could want to do that and seriously consider it, then discard it as an option (or at least as part of their MVP launch options).

So make a supported hardware list,docker container, etc. The hardware is interesting, but the types of people who would buy this either already have racks in their houses and just want someone else to manage their stuff, or want to manage their own hardware because they want to make sure they have their own hardware components locked down. It's a neat project to be sure, and it's not terribly expensive for the hardware, but the real money maker is the ongoing support and security for the service, which is functionally really similar to a cloud service without a lot of the benefits.

Have a look at https://cloudron.io. They let you run apps on your own hardware - email being one of them

This looks interesting, but seems like their email server requires port 25, or some email relay (which is expected since everything is run locally).

Also, it is not clear how it works without a static IP from my ISP.


Indeed, the dynamic IP setting is not documented. But there was a blog post about it at https://cloudron.io/blog/2018-04-13-home-server.html

Also only 1 year warranty

Don't most ISPs ban residential accounts from running something like this?

Comcast terms:

> use or run dedicated, stand-alone equipment or servers from the Premises that provide network content or any other services to anyone outside of your Premises local area network (“Premises LAN”), also commonly referred to as public services or servers. Examples of prohibited equipment and servers include, but are not limited to, email, web hosting, file sharing, and proxy services and servers

Verizon terms:

> You also may not exceed the bandwidth usage limitations that Verizon may establish from time to time for the Service, or use the Service to host any type of server.

AT&T terms:

> using such account for the purpose of operating a server of any type;





hey jawns, great question. I'm Giri Sreenivas, co-founder and CEO of Helm. To answer your question, ISPs block port 25 and email service providers typically reject emails coming from residential IP blocks.

To build a plug and play solution, we knew that our server could not require listening for inbound connections on a residential internet connection. So we set about looking into how we could route traffic to and from a home server but we needed to do this in a way that prevented us from being able to spy on traffic. We investigated solutions like sshuttle and eventually settled on the combination of a simple iptables configuration combined with a VPN connection. Helm establishes an outbound VPN connection to a dedicated EC2 instance with an iptables configuration that routes packets to and from the connected Helm server. The EC2 instance also has a static IP address associated with it.

It's important to stop here and explain that the only way this architecture is viable while adhering to our design tenet of knowing as little about our customers as possible is because of the Let's Encrypt project. Every Helm server has a unique domain associated with it and trusted certificates for that domain are fetched from Let's Encrypt. We strive to ensure that all inbound and outbound traffic routed through the EC2 instance is using TLS with these certificates from Let's Encrypt. This way, our EC2 instance is effectively just an extra hop on the Internet.

I hope that answers your question, let me know!

If you are proxying the content with a VPN with a static IP on an EC2 instance you cannot police people sending out spam as you cannot see and meter the SMTP traffic. So does everyone get a dedicated instance and IP? If that is the case people are going to have issues getting their email accepted by almost all providers due to the IP being new and on a cloud provider block. If it is a subset of IPs that you create a reputation for and comply with DKIM, SPF etc how are you going to keep it from getting ruined by bad actors?

I am glad you are doing this because running a mail server is non trivial. I have done it for a long time now and love the fact that I own my email identity. It is one of the few things left you can own online.

I think this is the biggest problem. If there are a lot of bad actors, you drag down the whole system, but if you try to prevent bad actors you run into a lot of issues.

A hard problem, and I don't envy anyone trying to solve it.

Hi graybolt, I'm Dirk, co-founder and CTO at Helm. Each Helm Personal Server is assigned their own IP address. We make sure to only use IP addresses that haven't been put on blacklists. If people abuse the service by sending spam it will only affect the reputation of their assigned IP and won't cause harm to the reputation of other Helms.

Yeah that isn't sufficient. Most people are going to get their email rejected or spam filtered from many sources. Having an IP that is not blacklisted is not sufficient to have it have enough reputation to be accepted by large providers.

How do you plan to protect users from themselves? I.e. 2 charater passwords.

If you're spending $500 on something to help keep your stuff private and secure, you're probably not a 2 character password kind of guy.

Oh boy, I know people with a fiber drop, 25tb raids with baby server farms and single character password. I think you highly underestimate the lazyness and/or stupidity of people. That doesn't even cover fishing.

Secondly, I think you underestimate the time intensive work that goes into clearing up an IP. I've run mail servers with users in the thousands. It's basically a full time job to keep a single ip clean. And that's with a half or less percentage of clueless users. I'm unsure how this will scale to hundreds of IPs let alone the thousands(x100) that would probably be needed to make creating your own hardware profitable.

Third, you're going to need to reach incompetent customers to make this profitable.

No offense, but given that you are making a product that has a much higher potential to enable bad actors than usual, isn't it kind of you/your company's job to try to solve it?

EDIT: Just realized I responded to the wrong person :(

The person you are replying too isn't the CEO. Just another new user (that's why the username is in green).

You learn something new every day, I always assumed the green meant OP, like how reddit uses blue. I didn't even notice the change in username Thanks!

Thanks for teaching!

Spammers can already get mail servers without a problem. This doesn’t make that easier, because it’s already as easy as it can be.

No, it's not. In fact it's your job to try and police yourself. But you probably on someone else to control you don't you?

I mean, my thought is that if a high volume of spam causes other email servers to block Helm, then it makes it unusable to the good actors in the system. I didn't see the CEO address this.

Or, maybe I just misunderstand smtp idk

Yeah, that's how I understand the issue too. I don't think there's an easy way to do things, either you end up blocking some people with a legitimate use case or you end up becoming a spam farm.

There's an easy way to make Helm entirely uninteresting to spammers and that is for the server to limit the number of outbound emails that can be sent at a number that normal people would never exceed but that doesn't allow enough volume to be interesting to a spammer. There are much easier/cheaper alternatives for spammers today too.

Thanks for the question and your support!

It's interesting that Amazon is portrayed as the "massive corporate server" provider that stores your email "outside your home" on your homepage, yet you use AWS EC2 instances to pipe email traffic to/from Helm.

I understand that it's just an encrypted VPN connection, and are not actually storing email on the EC2 instances. But is there any way for your customers to ensure that? Can your customers shell into the Helm and/or EC2 instance(s)?

We will be making public the configuration for these instances as part of what we publish in open source. We haven't considered allowing customers remote access to the gateway but we will based on your suggestion. Thanks!

If you _do_ "consider it", I hope you discard it as an awful idea pretty much immediately.

I'd suggest allowing customers who're concerned to run their own instances with your code on it (perhaps a Docker image?) - but giving random customers shell access to gateways you're responsible for (at least to Amazon) - would be insane...

Signal/WhisperSystems are doing some interesting work on how to prove the code running on their servers is identical to their published and auditable code - might be worth checking that out (for a post MVP roadmap idea).

Yeah, there'a a lot of confusion about "the cloud". Consumer SaaS (Gmail, Facebook, Alexa, etc.) is "evil" and privacy-invading but B2B IaaS (EC2, GCP, etc.) is not bad. Often these services come from the same companies so we can't simply claim that Amazon or Google are wholly good or evil when it comes to privacy.

I believe you will be more successful if you establish two things, first your own ASIN with a couple of class C IPV4 blocks and an IPV6 block.

Then you create an infrastructure for relaying the mail from your boxes to the Internet. Then you work with the various spam agencies to create both a way to respond to spam complaints and to detect and throttle or cut off spam senders. You'll find that spammers will offer to pay you a premium to "look the other way" but don't take it, many good companies died going down that road. Without the spammers it will be harder to make your numbers but concentrate on keeping your efficiency high and ultimately you will be better off.

You don't talk a lot about data protection on site for things like disk failure. What do you do in that regard to keep people from losing all of their mail if the disk goes tits up?

and to detect and throttle or cut off spam senders

Isn't throttling outbound email count/day from the start the only real solution?

In my experience you can't know what is 'normal' until you have seen it, so fixing the rate at the start would be unduly onerous.

People have lives which can sometimes look spammy, like you are made the coordinator of the school potluck and suddenly you're sending email to 150 parents asking them to volunteer to bring food. But after that event you go back to your regular rate.

Because this isn't a "PC" in the sense that it is more difficult to be overtaken by a virus and start sending spam without your knowledge, and as a mail service provider you know that email originating from the device has to come from a specific domain, you have a lot more tools to detect that someone is being a bad actor or not.

No, the way the big boys get around this is outbound email filtering. Limits yes, session and connection heuristics, reading your outbound email to see if you're selling dick pills.

> hey jawns, great question. I'm Giri Sreenivas, co-founder and CEO of Helm. To answer your question, ISPs block port 25 and email service providers typically reject emails coming from residential IP blocks.

> To build a plug and play solution, we knew that our server could not require listening for inbound connections on a residential internet connection. So we set about looking into how we could route traffic to and from a home server but we needed to do this in a way that prevented us from being able to spy on traffic. We investigated solutions like sshuttle and eventually settled on the combination of a simple iptables configuration combined with a VPN connection. Helm establishes an outbound VPN connection to a dedicated EC2 instance with an iptables configuration that routes packets to and from the connected Helm server. The EC2 instance also has a static IP address associated with it.

> It's important to stop here and explain that the only way this architecture is viable while adhering to our design tenet of knowing as little about our customers as possible is because of the Let's Encrypt project. Every Helm server has a unique domain associated with it and trusted certificates for that domain are fetched from Let's Encrypt. We strive to ensure that all inbound and outbound traffic routed through the EC2 instance is using TLS with these certificates from Let's Encrypt. This way, our EC2 instance is effectively just an extra hop on the Internet.

> I hope that answers your question, let me know!

This doesn't seme to address the question of whether this violates the ToS, regardless of whether this is technically feasible.

Gray area IMHO. Isn't Dropcam basically a server streaming video to my phone?

I'm pretty sure that video feed is actually sent to your phone through a Dropcam cloud server. Your Dropcam is a client which connects to the cloud server, as is your phone.

Arguably that's the exact same architecture Helm are describing. The EC2 instance your Helm box VPNs into is (arguably) "the server" - in that it's the "public service" endpoint. A good lawyer could eloquently argue that the Helm device on your residential internet connection is no more "running as a server" than the Dropbox or Google Drive apps on your laptop or phone...

(Note: I've been doing a similar home-rolled version of this, where I have a mail server under my couch that opens a reverse ssh tunnel and forwards port 25 and 465 from whichever transient EC2/Azure/DigitalOcean/Hertzner/CloudAtCost VPS Ive got listed as my MX records. A little bit of Route53 API automation, some Ansible to set up the ssh tunnelling, and some "canary" gmail and live.com email addresses to check outbound deliverability when I go to switch VPSs... It's been running pretty much untouched since 2014 or so...)

Ha, but that's "okay" because it's a big company. They never have problems with being used for spam - of course I'm being sarcastic.

If I host a Quake 3 server I’m in violation of the TOS.

It can be argued that using a browser or any other client violates that language by sending responses to requests.

The ISP won’t do squat if it’s encrypted; they have no idea who is being connected to and what’s being sent.

A TOS is as broad and vague as they can make it. A good lawyer could undermine such language if it went to court.

Ultimately the TOS exists so the provider can discontinue your service, so it doesn't have to be super tight legally.

We don't believe it does. ISPs will only see encrypted traffic (a VPN tunnel to the gateway) so it's unclear how they will figure it's associated with a server.

Whether or not ISPs can figure it out is completely orthogonal to whether or not it's allowed.

For the most advanced of users, would you opensource the server so that we can host our own gateway servers instead of relying on Helm? That would solve the "what happens if Helm goes down" question and "how do we trust Helm" question.

Still wouldn't solve "how do I know my emails won't end up in spam" but at least we're getting closer (to at least what I would want to pay for.)

wouldn't that be postfix and a caldav server?

Also the fact that we can't run servers from our home connections is ripe for a challenge if we ever get net neutrality protections back.

The 2015 Order said this, "A person engaged in the provision of broadband Internet access service, insofar as such person is so engaged, shall not block lawful content, applications, services, or nonharmful devices, subject to reasonable network management."

I would argue that banning personal email servers or personal servers at all is not reasonable network management (e.g. a nest thermometer or a smart microwave or an Alexa/Siri thing is a server), and if we're looking to explore home appliances that decentralize the web, we need to ensure that broadband providers' policies don't block them. Google Fiber screwed this up too.

doesn't matter if we are contractually allowed to run them or not. The dynamic IPs of consumer ISPs are all blacklisted by the spam blockers. So, you could receive mail, but no-one would ever receive yours.

But you pay for this EC2 instance, and all traffic flows through it.

Honest question: What stops a malicious employee on your end sshing to this server and dumping plaintext messages from memory? What stops a court from ordering you to do that?

Even if you disable remote access, what stops someone from adding a new LaunchConfiguation that enables it silently on the next instance rotation in spite of whatever configuration is in place today?

At the end of the day it seems like you -can- spy on the traffic just as easily as you could if you were running the smtp services on an ec2 instance directly.

Given that, what is the value proposition here?

(Or if I am totally wrong, by all means call me out accordingly)

Because traffic to and from the server will be over TLS, there won't be plaintext messages in memory on the gateway. We specifically designed to avoid the problems you have outlined.

In all honesty, couldn't this be a question to Amazon for anything that ever runs on any EC2 instance? What makes you not distrust any cloud vendor when they manage every bit of your information including keys.

Although, if they have to route stuff through EC2 instances anyway, I could just start jedieaston's homegrown EC2 email service, let customers pay me $100 a year to get them a domain name and spin up a email server in a EC2 instance and give them a login, then they don't have to have a box at their house which is liable to ISP and power outages. And you get the same amount of privacy that you get with this box (so about as much as you trust Amazon).

I -do- distrust all cloud vendors. My keys all reside in physically controlled HSMs.

Well the E-Mail server still runs locally. While they could intercept traffic on their VPN endpoint, the traffic should be encrypted (TLS). However, I am not to sure if all e-mail servers speak TLS to each other.

Well if it does VPN first, then initiates the SMTP connection with TLS on the local smtp server all the way to the RX mail server, then this works out fine.

A lot of mail servers don't support this though, so it would be on the client to also be able to ensure it will not relay mail except to TLS endpoints verified by a well known CA.

In my experience this is rarely the case, but if it is and Helm is willing to tell end users "sorry I can't safely send mail to this endpoint" then I could see some value to this approach.

Yes - we initiate a VPN connection first to the gateway, then inbound/outbound connections are over TLS. Over 92% of email traffic is over TLS and we will be exposing an option in the future where customers can require it or reject emails.

Since most email's not encrypted, how is having each Helm user's email hop through your server any better for them in terms of privacy than just hosting their email on a remote mail provider in the first place?

You could still record every incoming and outgoing email as it goes through your server, couldn't you?

I really don't see the advantage of Helm.

Most (gmail claims ~90%) email is encrypted with opportunistic TLS in transit and can't be passively monitored.


Further, "the provider could intercept email" and "the provider stores all email" are very very different.

What's going on there with the "Support for encryption in transit" section?

Overwhelmingly at 0% in most regions which they say are:

> domains in terms of volume of email to and from Gmail, in alphabetical order

Something doesn't add up there.

The table does not include the "green" domains by default, you have to select it.

This is transport encryption, not actual email encryption.

Outgoing email from EC2 nodes isn't trusted by recipient domains either. That's why AWS wants you to use SES instead.

Amazon invests in ensuring their Elastic IPs are not on blacklists. Less than 2% of IPs we get through AWS are ever on a blacklist and when they are, we cycle through until we get one that isn't.

I'm not sure how they can invest in that.

I've seen amazon ec2 ips being used for ddos attacks and I blacklist the entire range for many of my websites/projects. The vast majority of visitors we get from there are abusive.

Thank you for this very informative reply. (I hope you'll put this information in a more prominent place on your site.)

I found the answer by clicking Technology from the top menu, and the explanation is the very first paragraph to be read.

“To a unique gateway” with a static IP is hardly an actual answer. Under whose AWS account is this server provisioned? Who has root?

It was enough to answer user jawns' question.

if your company folds and the cloud service goes offline, does that render my helm useless? that wouldn't make me feel like i "own [my] email".

Two things: we will run the service in perpetuity as long as there are subscribers and we will be open sourcing what is required to run the service on your own.

I thought that sending email from EC2 instance was not allowed and only option was using their SES service.

You can send email from an EC2 instance but good luck getting anyone to accept it. A lot of email providers block EC2 wholesale, or if they do accept it you are going to have to have a long standing reputation.

What do you mean by blocking "wholesale"? I started hosting an email server in EC2 and the worst I've had is my emails going to a spam folder if that person hasn't received an email from my address yet (and never after they've marked me as not being spam). That happened surprisingly rarely and didn't feel like much worse than I would get by just sending people email from gmail with an address they don't know. I don't think things are as bas as you make them out to be.

edit: I guess I should be clear that I have an elastic IP (which is free) and setup reverse DNS and DKIM and SPF, but I think those are fairly standard now a days (I don't know honestly I've only run an email server for a few months).

Deliverability is a moving target, so you can’t really rely on your delivery metrics from last week.

Why? The SPAM Scoring Industry is a kind of monoculture that will impede or cancel delivery of messages. Most big email providers outsource SPAM scoring to a third party like Symantec or Brightworks. And when your email is found offensive by Brightworks with one of their clients, you’re banned on all of their clients. Part of how SPAM scorers gather intel us by hooking into the CFL system so they get a notification when a user hits the junk button to delete an email. Another way is by checking for mass duplication in your emails. Another way is tracking open rates via the email provider’s UI sending metrics to the scorer’s APIs.

And then there’s the CIDR block lists they coordinate and distribute as a courtesy for their customers. So you might be able to deliver to @gmail.com and then @yahoo.com won’t even take a connection from your server’s IP.

Why does all this happen? According to my friend who works for a midrange ISP on their email service, they have about 120PB to store real email. And the amount of SPAM they reject outright (never reaches any box, not even the junk box) is 93% of all their email traffic. They simply can’t afford to store all the SPAM.

It depends on whom you send to. Like ironically I sent an abuse complaint to Verizon for a spammer and got rejected because they blocked all of Digital Ocean's IP space. Yahoo was particularly difficult too sending me a response saying they won't take my mail immediately on a single email to my brother. I had to go through a lot to get that fixed. Again this was due to being on cloud provider IP space.

GMail is more reasonable with perhaps being spam filtered but never blocked outright. I have also been blocked by government labs and academic institutions. I also have complied with RDNS, DKIM, SPF and got a top score on mx toolbox. Now that I have been up for a while I have had less issues besides with the ones that block cloud provider spaces.

Microsoft is the toughest one. Fortunately, I don't have friends that use outlook.com or w/e

Does your email get blocked if it is sent to a business on O365?

haven't tried in a while. It can, they dont' follow all the rules and do a little more blocking in the interest of their users or based off a ML spam detection or something.

Some things that should be delivered are not. I'd have to dig back into this to see what the exact issue is.

unfortunately DO does not seem to be as active as Amazon in maintaining the reputation of their IPs.

This is very consistent with what our experience has been with Elastic IPs combined with email authentication and blacklist monitoring.

> I guess I should be clear that I have an elastic IP (which is free)

Free when in use, you pay for it when it is not in use.

You can send email using EC2 instances, including mass commercial campaigns (aka "legal spam"...).

However, there are a few things to do, more specifically, you must contact AWS to get "clean" IP ranges (fresh IPs, never allocated to instances), sign some agreements and pay additional fees.

It's not exactly as simple as an API call to create an ec2 instance, but it's doable.

With random IPs, there is a good chance indeed that it is already burnt by a previous allocation.

This is not a god situation. So, EC2 are handy and flexible servers, but not really because some arbitrary internet services are banned, and in all of a sudden your whole setup depends on the cloud provider. Talk about tight coupling. We go backwards. This is really sad.

> I thought that sending email from EC2 instance was not allowed and only option was using their SES service.

Amazon EC2 throttles traffic on port 25 of all EC2 instances by default, but you can request that this throttle be removed: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-p...

Doubt that AWS would allow anyone to send on behalf of 3 parties like Helm appears to do though.

I'm pretty sure it's allowed, it's just that you'll get caught in every spam filter. I don't know if they've considered that problem, or they're just hoping that using the same IPs long-term will fix the problem in reputation-based blacklists.

I guess email can be sent from the residential connection but recieved through EC2?

You can request email sending support when you set up reverse DNS.

That EC2 instance is going to need whitelisting and constant vigilance that you're not sending commercial email or they'll block that port too. What prevents me from deploying a few hundred Helms to send spam?

commercial means spam? I can't use this for my non-spam business? MyStartup.com? A few 100 helms would cost a lot (500*200 = 100k), no one will spend that much for spam farm, you'd do it on the cheap.

What VPN solution are you using? Wireguard or something else?

Do you have a plan to help make email security features easy to consume: SPF, DMARC, MTA-STS etc.?

Is there a way to opt out on the information that is collected?

I looked on your site but it does not show a logical architecture which might be useful for some of us.

We are using StrongSwan right now. We've taken a close look at WireGuard but have not yet completed our evaluation.

We automatically configure SPF, DKIM and DMARC for our customers. We are also investigating MTA-STS.

Device diagnostics are opt-in by default so they are not collected. Customer data like shipping and billing information is not opt-out unfortunately as we need to be able to process payments, ship the unit and track warranty coverage.

Appreciate the feedback on wanting more architectural details. This will be coming in a series of technical posts explaining how we designed and built the product. Stay tuned and thanks for your questions!

What else runs on that EC2 instance?

I would first try using port 587 and only afterwards route through Amazon or something.

Holy crap, US ISPs are completely absurd. This definitely isn't a thing (or at least not enforced in any way) in Canada; most of my friends run on-prem web services out of their basements or closets.

It's not enforced. I've had HTTP and SSH available on Comcast and Verizon lines for... decades, I guess. No one cares.

SMTP is more problematic because of spam: outbound traffic on port 25 is blocked, so a true home mail server won't work without a reachable gateway mail server somewhere else. That's basically what the linked product is: they manage the protocol side of the service on your behalf, and forward all the content to your local device which connects to them via some internal protocol.

AT&T in the midwest US just blocked port 25 a few months ago. My nightly e-mails for system updates stopped coming in, and now I either have to shuttle them through an authenticated submission port or pump them over a VPN to my e-mail server. :-/

You can pay $50 and they will open it once again for you. I only know that after much trial and error troubleshooting why my public NTP service doesn’t work (port 123 also blocked).

Can the normal customer service do that? And is it $50 a month or a one time fee? Were you able to unlock outgoing port 25? (Fellow AT&T user here)

It’s a $50 one time fee. You need to call their “premium” service. Not sure if they do it per port or what, but I asked them to open all my ports and verified 25 is accessible (123 udp inbound still blocked for unexplained reasons).

They’re still clueless. I tried to explain that it’s being blocked by AT&T and not my router but eventually I just gave up. Their process involves a logmein session where they take control and mess with your router. Gahd it’s awful.

They also randomly added my “device” (home server) to the DMZ so all of its ports were exposed. Be very careful.

>123 udp inbound still blocked for unexplained reasons

NTP was part of a massive DRDoS not too long ago. It's possible they pruned it somewhere much further up the network under the (not insane) assumption that most customers don't need to run their own time servers that answer public queries.

An ISP I worked for blocked port 25 in 2009, but it was easily reenabled by the customer checking a box in their online portal.

Considering how easily it is to setup authenticated SMTP and how effective it is at reducng spam for the ISP, I'm Surprised it took AT&T this long.

Assuming you control both sides, which sounds like you do, just run it on a different port in addition to 25.

Ironically it doesn’t look like they restrict sending mail in the above quote, only serving it. If that’s a violation, so would be using your browser.

In the US it's standard that residential accounts don't get to do that, but business accounts (which are usually double the price for the same speed but come with better/quicker support, particularly when physical lines are down, and an open connection) are allowed to run on-prem. And usually with a residential account you don't get a static IP as an option, but if you're lucky you can pay extra for one.

> And usually with a residential account you don't get a static IP as an option, but if you're lucky you can pay extra for one.

I use a VPS as a proxy. SSH with AutoSSH. I use a VPS ($15/yr), map the ports from the VPS to the server at home.

For example, when you hit 80/443 on the VPS, it's routed to a reverse proxy in the apartment, then to the correct service.

Not a bad setup.

I tried to get a business account once at Comcast, and they wouldn't give me one that terminated at an apartment. : /

That's weird, I honestly wouldn't have expected that. They gave me a little resistance with one terminating at a home but ultimately they did it. They probably start to weigh the pros/cons (ie the money) of business level service to large residential buildings and decide it isn't worth it. Maybe too many variables once the line enters the building?

Maybe the building part. But I've never had any issue - at three homes - with Comcast Business being run into my home garage.

Read your terms of service. The same section is definitely present for all Canadian ISPs as well.

"The residential Shaw Services are designed for personal Internet use. You may not use the residential Shaw Services for commercial purposes. You may not run a server in connection with the Shaw Services nor may you provide network services to others via the Shaw Services. Examples of prohibited servers and services include but are not limited to mail, http, ftp, irc, dhcp servers, and multi-user interactive forums. Some business services may be exempt from these limitations."


In Ontario, Canada I know that Bell, Rogers, and Teksavvy all block outbound TCP 25 for their residential service. I can't comment on inbound TCP port 25 though.

I'm so glad to be living in Europe.

When it comes to consumer internet services, the US is a 3rd world country, which is kinda odd considering most of the western world does their business there.

I just checked the terms on my 300/300 fiber connection, as well as my (backup, company paid) 25/5 ADSL.

They're almost identical:

* no spamming. * no racism/unethical behavior. * no portscanning. * no illegal downloads/uploads.

Besides that i can use it for whatever i like. They block port 25 though, and you can only get it opened by purchasing a commercial connection. It has a dynamic IP address that only changes when i reboot my modem, which happens once every 2 years or so, so practically static IP :)

The ADSL has all ports open and a staic IP.

The telcos only enforce the server rule if you are causing problems like doing something illegal, torrenting, or maxing out your bandwidth 24/7. I’ve had multiple servers running over the years and never had any issues with Comcast or AT&T.

Generally they don’t care if it’s for personal use. I’ve heard of them shutting people down for something they saw as business related. They didn’t really get shut down, it was more like a friendly “We see what you’re doing and a business plan would allow you to do it for $30 more a month”.

What ISP do you have that you can get upgrade to a business account with the same speeds for only $30 extra a month? AT&T would charge me $300/mo for the same speeds that I currently pay $80/mo for.

You are comparing the most expensive plan. This was probably 8 years ago so I’m thinking 10-15mbit. The business plan was the entry level one.

With AT&T, I was able to call and get port 25 opened up so I could send email. to me it seems like they do it to prevent malware spamming from people's homes.

This is no different than the US. No one has 25 open, and the server clause is only enforced if you try to do something in the 'unethical behavior/illigal file transfer' department. But in America, a 35$ internet connection needs a leagal contract to help mitigate the lawsuits and grey areas.

>no racism/unethical behavior

That seems to have potential for abuse.

I don't think any ISP has any control (or terms) about it. It's just that law enforcement agencies can ask them for logs on that basis. Whether or not hate speech laws can/are abused is a different thing. But it's a general legislation problem, not a net neutrality one.

I don't know what the rest of the country looks like, but I have home Comcast in the US and have been self-hosting a server on port 80 with a similar more-or-less static IP as you've described for well-over a decade. Many of my friends have the same setup. It never even occurred to me that Comcast cared. All ports are open (maybe not 25, I haven't checked.)

I guess the terms of service allows them to shut someone down if they felt like it, but I wouldn't really worry about it. If you have a site that generates so much traffic they even took notice, I presume you'd want to be on a real hosted environment anyway.

I know a lot of ISPs in europe who block SMTP ports to prevent SPAM.

It's true but at least mine (free.fr) lets you enable it through the administration interface for no additional fee. It's disabled by default though, and it's probably better that way.

I'm so glad to be living in Europe.

Germany's third biggest city, I can only get 50/10 Mbit, maybe 100/20 - no fiber in sight. No static IP and no guarantees anyone will accept mail from this dialup subnet.


In Germany, with Unitymedia Buisness, I get symmetric 100Mbit/sec over coax (even in mid-size cities), a static IPv4 adresse and excellent customer service. Price tag: 35EUR/month.

I just checked, it's not available :P

From my experience, at least in Munich it's hit or miss which of the 2 cable company services your building - it's not even on the street level.

Also I'm not really complaining. Say what you will about Deutsche Telekom, but I've been a happy customer since 1998. Everytime I had a different ISP (mainly M-Net) I had more problems than uptime. This is more expensive, but I'm having less than one noticeable downtime every 2 years...

In US, I have access to the same plan at same price point. But I have a semetric 1000Mbps for 85 USD. I can get a static IP but I see no need with DNS. Not sure how the customer service is, I haven't called in 2.5 years that I've had the link.

Canada. 100$/month for 150down/12 up residential. Never seen more than 50 down. Regular outages (for 30min every few days). If the US is third-world in terms of service, canada is an uncontacted amazon tribe.

In Canada. 100 CAD/month. 150 both up and down.

If you are in a major city, it might be time to check the other ISP in town. I'm glad I did.

I'm on Vancouver island. The provincial capital. There is only the one cable provider (shaw). No other landline options in my neighborhood.

Vermont. 60/6 for $100/mo. And I’m a lucky one. I have friends with 3mbit dsl and there are pockets of dialup

Seems like a similar price I saw on AT&T FTTP plans and Comcast’s cable internet plans for 100mbit.

Static IP might cost extra.

I pay AT&T $80 a month for symmetrical 1Gb FTTP with no data cap.

Italy (Milan): 1Gbps/200Mbps FTTH. About 30€/month.

Not available, in Berlin.

No static IP is a good default for private customers, I think, due to privacy concerns. Static IP opt-in would be nice.

I guess, you are glad leaving in Germany. A country with a bad state in terms of Internet.

> They block port 25 though

They don't explicitly disallow it in their TOS, they just make it impossible by disabling the underlying tech.

And this > no racism/unethical behavior. * no portscanning. * no illegal downloads/uploads

"unethical" behavior is the most arbitrary, un-objective clause one can ever have. Your ISP may find your hosting an email server "unethical", and this clause allows them to ban you.

Europe is NOT superior in any way

unethical behavior is my (bad) translation. The original Danish wording is restricted to hate speech.

They also specifically disallow distribution/downloading of child pornography and leaks like "fappening", which i translated to "illegal downloads/uploads".

The list of things that are disallowed is very specifically worded in Danish, as legalese usually is. Furthermore it is also customary in Denmark to allow all traffic. in or outbound.

All "metadata" is logged for 5 years, mandated by law, so every IP i connect to is there along with port, duration, protocol (if available).

Emphasis added:

> provide network content or any other services to anyone outside of your Premises local area network

I'm not sure if Verizon has the same intention, but if they take their own wording exceptionally strict, you would be in the wrong whenever you play a multiplayer game and end up being the host.

Generally in my own experience they don't want you hosting a service opened to the general public running all the time. I think running an open mail relay would get you banned very quick. It seems like this product is intended to be used purely for yourself.

I’ve talked both Verizon and Frontier about servers and both have basically said the same thing, if it’s private and locked off it’s fine. Meaning as long as it’s not public.

Now the terms still would give them an out if they decided they didn’t want you, but honestly as long as you’re not hurting the network they’d rather take your money.

I've run my own email server out of att, comcast home, comcast business, and centurylink. All I've ever had to do was call them up and ask them to open the ports.

Presumably there's a legal argument that you aren't providing a public service. Helm is tunneling SMTP connections from their cloud-based servers to your device over an encrypted connection, so you could claim you're really consuming their service, not providing your own. But I wonder how much VC money you need to outlast Comcast in court...

My suggestion is to run an email server inside your home that connects to a single server on the internet (like a VPS) that routes your mail for you. It's a bit more complex to setup but much more secure and reliable and almost certainly won't violate ISP rules as long as you keep it secure.

You are misleading us by editing out the rest of the sentence. What you stated is for dial-up service.

AT&T terms: >• with respect to dial-up accounts, using any software or device designed to defeat system time-out limits or to allow Customer's account to stay logged on while Customer is not actively using the IP Services or using such account for the purpose of operating a server of any type;

I have many servers on att internet, including email.

This is pretty important distinction.

First, anyone who has talked with me for any length of time will have no doubt heard my rant that data belongs at the edge :-) so I'm a big fan.

And yes, the no servers clause is an issue, it was raised initially by people doing peer to peer torrenting, and some folks running servers.

Enforcement is a bit tricky though because folks like Comcast and Verizon get so much value from being able to see all of your Internet traffic that they won't actually cut you off for running a local server but they will be passive aggressive about it. For example, they will start changing your IP every couple of hours (they set the DHCP lease time to be low and force the DHCP server to always give you a different IP).

The common solution is a VPN tunnel which is what Helm is doing, but that tunnel has to end up somewhere so that can be a problem if that 'somewhere' is commonly used by bad actors. (Like say in Ukrainian data centers)

I expect that this restriction will go the way of paid SMS messages eventually but for now it is going to be troublesome.

I've run public-facing servers on residential connections numerous times. (I did once yesterday just so I could watch my 3D printer from remotely.) If you aren't hogging bandwidth or committing crimes, it's unlikely they will care.

Also IANAL but "services to anyone outside" does not sound like it includes un-firewalled, password-protected, services for personal use. The word used is "anyone outside" not "any machine outside". The resident themself would presumably be an insider regardless of their physical or network location.

Also I think a reverse proxy with end-to-end encryption could solve the problem with no public-facing open ports. That doesn't count as a server in my book.

Hmm, the terms for my CenturyLink fiber connection explicitly allow running servers (with some reasonable limitations): "Service may be used to host a server, personal or commercial, as long as such server is used pursuant to the terms and conditions of this Agreement applicable to Service and not for any malicious purposes. Malicious purposes include without limitation Spam, viruses, worms, Trojans, Denial of Service (DoS), etc."[1]

1: http://www.centurylink.com/legal/en/highspeedinternetsubscri...

Came here to say this. Aside from some customer support issues, I've had a very great experience with CenturyLink fiber. I have multiple static IPs and run a plethora of externally available services. I actually moved everything from Linode and digital ocean to my house and bought a APC battery backup and outside me unplugging my stuff to move it around, I've had no downtime at all.

Meanwhile, my ISP's customer service gave me a few pointers on how to get my self-hosted website to work with a dynamic IP address.

My Dutch ISP gives me a static IPv4 address (besides an IPv6 netblock) and allows me to purchase additional IPv4 addresses. They also offer various levels of port filtering, from no filtering to filtering port 53, etc.

(Combined with fiber, it's ideal for a small home server.)

Comcast in the US doesn't give residential accounts a static IP, nor do they give you the option to purchase one. You have to sign up for a business account with a 2 year contract term and a pretty draconian cancellation policy (basically the entire rest of the term is due when you cancel).

To be pedantic, when you provide content to Facebook, you are serving them data, right? When you upload pictures to Dropbox, you are serving, right? Slingbox? Security webcam? Facetime?

I don't think there is a good enough definition of "server" or "serving" for such restrictions to be enforceable except is an arbitrary way.

I have an MUA that retrieves email from a server and sends email to a server. It might run in a browser and interact with GMail. It might be a mobile app or Thunderbird or Outlook. It might be sendmail or postfix or Exchange. Which of these are "servers"? Which are banned and which are ok?

Usually an ISP defines it as something that allows ingress unsolicited connections. i.e. put a stateful firewall in front of it and if it requires ingress allow rules to function, it's a server.

If your ISP doesn't let you run your own mail server, they're not an ISP.

Comcast doesn't let me run my own mail server, but I think Comcast is still an ISP.

Sure. But good luck getting your mail accepted by other mail servers, coming from a broadband IP address.

I do this all the time. I'm sure some people have issues, but my experience is that this is largely overblown

Never heard about that in Kazakhstan. I'm hosting HTTP without any problems (though those are only my personal files, so no significant traffic, but considering that my torrent upload is tens of terabytes/month, probably nobody would notice that). Didn't try E-mail, doesn't make sense without reverse-PTR DNS record, and I don't know how to configure it.

That's not a real Internet.

For AT&T, that restriction is only on dial-up accounts:

> with respect to dial-up accounts, using any software or device designed to defeat system time-out limits or to allow Customer's account to stay logged on while Customer is not actively using the IP Services or using such account for the purpose of operating a server of any type;

AFAIK, AT&T does not prohibit running a server on broadband accounts.

What's being done by Helm is not much different than using Back to my Mac or Plex or SlingTV.

In any case, these ToS are over-broad and most customers probably violate them every day, especially the copyright provisions. The ToS are not enforced to the letter but allow the ISP to terminate an account if the violations are egregious. I don't think running a Helm server would get you booted.

OK, tangental but concerning. According to that Comcast quote, are you not actually allowed to host a personal website using bandwidth that you pay for? Or is it specifically forbidding "public" web hosting, where "anybody" is allowed to host their own sites?

I think it's the former; you can't host any site that is supposed to be accessed by the general public, only something like a control panel for your NAS or security system or such.

This serves to protect them technically (residential systems are not designed to withstand a large number of inbound requests), legally (you can't sue them for failing to serve your site) and of course to promote their more expensive business lines.

Even if they don't block, if you run an email server on an ISP ip block, a lot of other mail servers will refuse you connections.

If you're going to tin your own mail server, it's paying for a good VPS. Beside the guaranteed static IP, being on an IP block with a good reputation, good VPS provider have redundant power sources and console access over the web, which you are unlikely to have either from home.

I use AT&T and they removed the port 25 block on request. In my experience, they do not enforce any policies regarding self-hosting. I think they have boilerplate that they would use if one were to continuously saturate their upstream, but I've never seen them doing anything to affect my personal services.

It's not necesarily banned, but very often port 25 will be blocked. Additionally it's pretty likely your email will be marked as spam if it comes from a residential IP. They must have thought about this though, so maybe they have their own SMTP servers that emails go through.

Apparently so:

"Helm connects securely to a unique gateway, which is assigned a static IP address so Helm is reachable by other mail servers and secure TLS sessions can be established."

Which I dont see the point of then. That way they are your gatekeeper of your mail/files etc. Not much of an improvement.

Agreed. I don't see how this is any different from a regular email server, with a local client that pulls emails over IMAP and deletes them remotely.

In my country, ISPs block SMTP outbound traffic by default but you can toggle it yourself. I thought it was pretty universal behavior. I mean, if you're using your actual domestic line to send spam, it'll be reported to your ISP pretty fast.

Most games on consoles setup listen servers, which is essentially the same thing.

You are correct. However I think in practice you can get away with it if you keep bandwidth low. I've been running a OwnCloud/NextCloud server from my residential Comcast account for years with no issues.

Meanwhile, I installed backblaze on my home machine, which started backing up around 500gb of my disk, and summarily got a message from my provider that outbound traffic of 30gb is an ‘inconceivable’ amount of traffic during normal use, and if I could please stop, or else (lawyers).

I wonder what happens if nextcloud does a full sync to a new device.

What provider? That behavior deserves a name-and-shame.

As far as what happens with a full sync: it's not really doable outside of the LAN for several reasons. One is I have a data cap from Comcast of 1 TB/month. Another is the upload speed is only 10 Mbps. That's actually one of the reasons I went to self hosting.

> if I could please stop, or else (lawyers).

Lawyers, really? Why wouldn't they just cancel your account?

Yes. Many also block ports, like incoming port 25 (SMTP.) I have a "business" cable internet account and have been hosting my servers for years. It is obviously more expensive.

The AT&T one only has to do with dial-up accounts and is mainly about maintaining a connection with dial-up when not actively using it.

Just another reminder, terms of service are bullshit. Most people here likely violate the terms by using ngrok.

Which totalitarian state do you live in?

One of the reasons you need net neutrality.

Frightening to see this downvoted here.

Even if you could send it, someone has to receive that email on the other end and the residential ips are usually blacklisted.

Plus they tend to block the ports you need to run something like this.

Each Helm gets its own gateway server with static IP address that the Helm establishes a VPN connection with. Port 25 is open on the gateway and the packets are forwarded to the Helm. This is how we work around residential ISPs blocking port 25.

This doesn't necessarily mean you're not violating their ToS.

I never understand why people think having your files physically in their homes is somehow more secure than a data center.

- You run the risk of hardware failure, which would take days to recover. When your warranty expires, it'd cost you, too.

- Disk failure may lose all your data.

- Fire, theft, or hurricanes may destroy it.

- You still give access to your data to a company, which controls software updates and the EC2 proxy (in this case).

- Many home ISPs have shitty upload connectivity, so your email won't work that well on the go.

- Internet and power outages mean you won't send or receive any email.

- You lose the knowledge email providers get from scale, including ever-evolving spam filters, and a guaranteed clean outgoing IP.

If you really want to control your data, just spin up something like ownCloud (not sure if that's the best solution, just an example). Companies like DigitalOcean make it as simple as point and click.

I'm the first and biggest investor in Helm and I'm on the board. I created email-based Posterous previously (YC funded) and was a YC partner for 5 years. I funded this team because they're high integrity software engineers first, and we built this out of need— a company like this needs to exist because for this to work, you need both great user experience as well as great software.

Helm actually solves this exactly - they already have continuity of service coming in the pipeline, and the product as-it-ships will support encrypted backup/restore out of box, similar to how your iPhone supports iCloud backup.

I've run my own mail servers for Posterous before and it was probably 2 to 10 hours a month of maintenance, software updates, etc. And that's not something normals can do.

The company itself is run by folks who are committed to running this as a sustainable long term business that takes are of its customers and is super responsive to the community. As a board member I promise you we'll do that.

> I funded this team because they're high integrity software engineers first, and we built this out of need

I looked for the founders bio, a company contact info. There is nothing on their site. All I saw was a letter in the "About" section by the founder.

You might have gotten to know these guys after various meetings and due diligence process. There is nothing on their website that sells me on trusting them or the company.

I had to go the "Careers" section to see the location of the company.

When you're in the business of selling trust, you really need to focus on selling trust first and not technology (maybe they're connected ultimately) but I just don't feel I can trust this company based on the materials provided on their website.

Hope this feedback is meaningful.

How would material on a website provide trust, without a means to verify that information?

While names, locations etc doesn't necessarily make something trustworthy - the absence of them do feel way more sketchy.

What other way is there? Have a button to “let the CEO call me and pinky promise me that the website info is truthful, complete and correct”? Would you believe it then?

That's obviously not what he's suggesting? He's just saying (and correct me if I'm wrong) that, for a company whose business is based in no small part on trust, it's a bit weird to not have any information about any of the people involved in the project.

Hey, since you're here already, I have some questions (in case you're able/allowed to answer them):

What's the base operating system and hardware architecture the box is based on? It says "Linux" on the page but doesn't go into specifics.

Why not just use regular hardware, e.g. Intel NUCs, or even allow people to run your software on their own hardware (like OwnCloud does)?

In Germany there was/is a startup, Protonet (https://protonet.com/), that had almost the exact same idea a while ago. They went bankrupt though and one of the reasons was that it cost a ton of money to design and produce their own hardware, which also looked very cool (orange hexagon!) but didn't provide much added value beyond what a normal, boring-looking compact PC could provide (at 500 € less than their box for the same specs). They also marketed their own OS, which was based on a modified Linux distribution, modified open-source software and a shiny management layer on top as well. They found out that developing and maintaining a Linux fork isn't so easy either, so they eventually canned it. So what's different about Helm in your opinion?

We spin our own build of Linux using Yocto.

We are using an ARM-based SoC from NXP. We chose this to ensure that the device can only run signed, trusted code by implementing secure boot and signature verification of software updates. We will make a developer program available in the future.

I didn't use Protonet so I shouldn't speculate about what's similar or different about the products. I think we are in a time right now where people have a strong desire to own their data and are looking for a viable alternative to the cloud. They key, beyond building something very private and secure, is in nailing the experience and we're excited to share more about that.

Cool, thanks for sharing that info! While I think your approach is a bit extreme I hope you'll succeed, we need more solutions that put privacy, security and transparency first. It would be awesome if one could run your software on regular hardware though, as I really prefer a securely hosted server at a local data center to a computer sitting in my living room. Also, one year of limited warranty seems rather short for a product that is supposed hold my most important data.

Thanks for your encouragement! I appreciate the feedback and keep tabs on our GitHub for what we open source down the road.

We spin our own build of Linux...We are using an ARM-based SoC from NXP.

Okay, so that narrows it down to the i.MX family.

We chose this to ensure that the device can only run signed, trusted code by implementing secure boot and signature verification of software updates.

Maybe read this?


From the technical specs, it's almost certainly the i.MX 8, which as far as I know is not affected or listed on any of the errata for that vulnerability.

I missed the part on the tech page that listed the A72, so yeah it's an iMX8.

Hopefully the HAB fix is the reason for the 8. Otherwise this seems like overkill for the work involved.

Good guess and we looked at the i.MX but did not select that line of SoCs. We are using the Layerscape line of SoCs from NXP

You say Helm solves or will solve all these problems.

But if I don't actually need to be able to reach the box in order to use my email - if it will work even when the box is offline, powered-down, stolen, or destroyed - then what, exactly, is the point of the $500 box itself?

It's not privacy, it seems. If it were private, how could it work when the box is offline?

I'm not opposed to a "pay for your email instead of it being ad-and-surveillance-supported" model. I just don't see the point of paying $500 for a box that you're telling me the service will function just fine without.

Stolen? The data is secure - keys are stored in secure enclave, and storage is encrypted.

Down? There's continuity of service if you have a 2nd box online, and it's as easy to restore from a live backup as an iPhone from iCloud.

Email is the first app, and there will be more.

>if you have a 2nd box online

For $1000 I get 2 boxes I can't use for anything else right now (and still not very reliable inside my home), whereas with Fastmail (for example) I can get an email service for 20 years @ $50/yr that is very reliable. I'm not sure of the value proposition for this thing.

Why do I need to buy a physical box? Cant they give me a dedicated EC2 Micro instance instead? Solve the ISP issue, and the speed/ connectivity/ power etc?

It's easier to convince someone that it's securely 'theirs' with hardware than if it seems like just another cloud email service?

How about a VM that I can host at a location of my choice? On prem, ec2, or a dedi somewhere?

But then they spend a lot of time being a hardware company, no?

So? It's a necessity of establishing trust with the customers.

I like the idea as I run my own home server for about ten years now (Nextcloud (calendar, address book, file-sync), DynDNS, XMPP, NFS, IMAP, ...). At first, I thought how you are going to send emails from consumer IP-ranges, but then I read that you are using a gateway with a static IP address. Cool.

I think it is a great idea to have a device which is as simple to use as a router but focused on typical cloud services. As security is a critical aspect of the whole idea, the subscription service is a smart move too. Maybe you should offer a monthly subscription too (consumer friendly).

Are there any plans to start shipping to Europe in the near future?

Thanks for your comment! Yes - we are working on making the product available in Europe early next year. Please sign up for our mailing list on our website and we'll keep you posted!

I like the idea. But can it handle multiple domains? Also, if I put one in my brother's house, can it connect the two and use them as fail over? That will eliminate my worry about outage and backups.

I believe multiple devices are in the roadmap... I know because I ordered a 2nd one for my office so I would have self-backup and instant recovery.

For now, a single domain per server. And yes, mirroring support is coming with 2 servers so you will have the fail over that you mentioned.

If I can trust someone to do off-site cloud backups of my e-mail, why can't I trust the same person to run a Fastmail-like service so I don't have to have a $500 server in my house to get e-mail?

Because with Helm only you hold the encryption keys.

But that's completely orthogonal to owning a piece of hardware. You could run a managed cloud e-mail service where only the users hold the encryption keys, too. How is this a hardware problem?

> You could run a managed cloud e-mail service where only the users hold the encryption keys, too. How is this a hardware problem?

This is the key question, in my mind. There's only one reason I'd want to own the hardware—to manage/add/create my own services and handle my own backups because I don't trust a company's involvement in these[0].

If this is so tightly controlled that I can't add my own services and I can't restore a backup without Helm's involvement, why do I even want the hardware?

[0] I don't mean that I don't trust them in a privacy sense. I mean that I don't trust them to make sure the backups are actually working and able to be decrypted and restored. Or be able to be restored without their software/hardware. There doesn't seem to be any transparency wrt/ these concerns.

This is a valuable and useful criticism and we're going to talk about this at our next board meeting.

How do you know who to trust? You surely have to trust someone. It feels generally true that we can trust Apple since we pay them for hardware and their ongoing business interest is in protecting their revenue streams through their hardware and iOS app store, which means you are aligned.

Generally for Helm that's a good case. That's why we charge money for this hardware and software: it aligns interest.

Free cloud services are not truly free and that's what most people seem to be OK with... but not all people.

This is the classic trade-off. Open source software you can read the code but usability suffers. For the people on HN, most people can run their own servers, but for normal people that's not an option.

Apple has managed to create a computing environment that is highly usable for normal people. This is what Helm is trying to do too.

So, we're in agreement that this sort of thing should 1) be paid for, 2) not readable by the provider, and 3) maintenance-free for the user.

I still don't understand why this is a hardware play. There are advantages to owning the hardware but none of those advantages seem to apply here.

The hardware feels like a bit of an albatross.

I don't see how we should automatically trust them because we "own" the hardware. If its not open source and able to be verified by third parties, what does it matter if we have the "keys"? $500 for proprietary hardware just seems odd considering the goal here.

How could it NOT be a hardware play? Then how else can you verify and trust that you know what code is running in some datacenter in who knows where?

It doesn't matter what code is running server side, as long as decryption happens client side and the keys are never transmitted to the server.

If you want to truly control your data, you've got to control your hardware too. See: Lavabit.

But going all the way to the end of that tradeoff is so expensive. It seems like a Helm VM would be 90% as secure and also 90% cheaper.

But with Helm, we don't control the hardware, do we?

What’s the intersection between people without the know-how to run their own servers and the people who understand what tech companies do with data well enough to feel that this is a big enough need?

In my experience, the average person doesn’t really understand what GMail or Facebook or whoever do with data or the extent of their knowledge about individuals. Even basic things like lookalike audiences or retargeting across the web regularly blow people’s minds.

I hope this project is successful, partly because that would show that people do understand these things enough to view Helm as solving an urgent need. I wonder if we’re there yet.

We use duplicity for backups so there's nothing proprietary in our approach. There will be more transparency coming in a series of technical posts about how the product works, what open source software we use, etc. Appreciate the feedback - we'll keep this in mind as we move forward.

I understand that this is a new product launch and you can't have all answers to all questions front-and-center on the website on day one. With that in mind, kudos to you and garry for being so active in these threads.

I definitely look forward to these posts!


One key principle for Helm is that you always hold your encryption keys to all your data— Helm and outside parties should never get access to that. So the backups are encrypted, and the Helm device itself stores your data in an encrypted fashion on its storage, and has a secure enclave such that those keys never enter user memory space.

Hosted services like protonmail (great option) support some key management but that's rare. Most everyone stores all your data in the clear, and that sets you up for Facebook-style hacks where people just steal a database en masse, and/or leave you open to warrantless wiretap which has been a problem for email services broadly in the past.

I want to point out that email is just the first part of what Helm wants to do. What is super valuable is that Helm can run its own software and add things like distributed anonymized VPN, or file sharing, and these things are all federated in a way that wasn't possible before.

Not everyone is going to care about this, but enough people should. People reading this thread should care: decentralization and federation of this sort is the way we maintain an open Internet. You can take down individual nodes but you can't take down millions of them. That's the ultimate goal of Helm.

Remember, there's no such thing as a cloud, it's just someone else's computer.

> You can take down individual nodes but you can't take down millions of them.

This statement indicates a lot of passion (and I side with it in spirit), but it feels irrelevant and out of place wrt/ this product.

My data is only (available from) my own private Helm server. If mine gets taken down, the existence of millions of other "nodes" doesn't help me. Helm the company can help me with new hardware and my backups, presuming that they're allowed to—but what if they aren't. Then we're back in the same place.

I mean, assuming we’re talking about a government trying to shut down or snoop on an email service –

They’re probably not going to go door to door confiscating millions of devices; the cost to do that would be astronomical. You’d still be at risk if they were targeting you personally, but not if they were targeting all Helm users en masse. That’s a big improvement. And even if you were targeted personally, you’d at least be in a position to defend against surreptitious snooping, assuming that took the form of agents physically entering your home to hijack the device.

Of course, there’s a lot of counterfactuals baked into that scenario. Helm does not currently have millions of users, for one. For another, the EC2-based proxy service run by Helm is a single point of failure that someone could take down, though supposedly Helm will release tools to replace it with your own server. And most problematically, the closed-source software could be silently subverted by Helm in an update, with no reasonable means for the user to detect this, even in theory.

Still, it’s a lot better on that front than most cloud email services.

Yes, this is what protonmail.com offers.

You're right. It's because devices / IOT make more sales than completely open source software - e.g. it's more valuable to invest in.

Then the keys are on the premises of the cloud company. Also data has to be at one time unencrypted in computer's memory. When there is a physical access to the computer you can't do much to ensure your data's safety.

With public key encryption, a cloud provider doesn't need your private keys to encrypt data that can be only viewed by you—they need your public key.

In the parent, the private keys are not on the premises of the cloud company.

I may not understand how things work, but how can a SMTP server function without private keys? How can it pass the hand shake? Does parent describes different scenario?

Doesn't Helm have RCE on the device at all times? Doesn't all e-mail come in on an EC2 instance, and go out over an EC2 instance?

Does it matter if Helm is pushing auto-updates?

It matters as long as Helm as a company is not compromised. This is true of Apple devices too, and when pushed, they stood up.

Hey cwyers - this is a good question. Our offsite backups use keys that only a Helm customer has access to. They are created during the setup process and stored on a USB thumb drive we include in the box as well as your phone. We will be publishing how this is done using duplicity so people can see the details of how it works.

I don't understand why you're so upset about this. If you don't think the product is a good value for your time and money, that's fine: don't purchase it.

I think Helm comes with some obvious trade-offs, but the product looks nice and I think (judging from other HN comments) there's a market for it. I don't know if it's a large market for this to be a success, but it seems interesting at least, and at first blush the product looks well-made.

I don't think this product is exactly for me as my main email, but it could be interesting as a side email service, or one for really sensitive emails. Depending on the price point, I'd consider purchasing. If the price point is too high or the maintenance costs are too large, then I won't. What's the big deal? That trade-off not working for you or me doesn't mean the product shouldn't exist.

Because it bothers me when someone sells a "secure" product where the security measures are unrelated to the threat model. The Helm server is connected to the open Internet, which means that physical possession of the Helm server is not the only or even main thing necessary to secure it from compromise. Because of how it works, the server still has a dependency on cloud providers -- you need cloud backups and the public endpoint for the ssh tunnel to get around ISP packet sniffing. Since I still need to trust other people's servers for this to work, why the focus on owning your own server?

How would you realistically completely remove the need for the relay server while still allowing the customer to run the server on a typical home internet connection?

Flip it around: don't run the server on a typical home internet connection but instead run it in a data center.

Would it be possible to elaborate more on the problems pointed out by the OP of this thread? Like clean outgoing IP? Moreover what happens exactly when the box melts? Because sooner or later some box will crash. Where will the service run in case of disaster? How long will I stay without email?

It's hilarious how solvable most of these problems are, and yet they aren't even closed to be solved.

Like, backups. Everyone knows how this can be done. Have automated scheduled backups. Encrypt them. Send to offsite storage. This should be handled through a generic backup protocol so you can choose your provider and be sure the app doesn't siphon your personal data.

Users should not need to manually fuck around to set this up for every computer and every app they use. This should be absolutely standard. Preferably built at OS level. I know Ubuntu had something of this sort, but IIRC it wasn't based on an open standard where you could choose your own storage provider. Windows? Hah.

Instead, developers strip users of all control over their data claiming it's for their own good, and push everything to a myriad proprietary cloud solution through random protocols with dubious security implications.

Same thing with file transfer. You'd think it'd be a solved, easy thing by now--a gigantic datacenter/cellphone network is not the optimum solution to allow two people or two businesses to transfer a file between them.

I agree with you absolutely here. Yes, literally Helm does this: encrypted automatic backups.

You say Helm literally does this. But what the grandparent was asking for wasn't just backups. They suggest (as I see it) an open standard for backups, ubiquitously implemented so it's easy to switch your provider and easy to set up new devices.

Does Helm use one of those? I suspect not, because I don't know of any such ubiquitously implemented open standard for automatic encrypted backups.

So: is Helm going to put in the effort to define such an open standard and push for it to become ubiquitous?

Even if Helm implements automatic encrypted backups, it's still contributing to a fragmented world siloed into incompatible apps and platforms. Making your siloed service better than others won't fix that problem.

>I don't know of any such ubiquitously implemented open standard for automatic encrypted backups

Here is a question for the parent poster and anyone else. Do you think it would be worthwhile to gather some people and try to design such open protocol? Without having an implementation first? Or would that be just a waste of everyone's time?

Redundancy redundancy redundancy. See e.g. Unison, rsync, sanoid or https://syncthing.net - runs on anything, does a good job.

> You still give access to your data to a company, which controls software updates and the EC2 proxy (in this case).

Because you read all code changes every time you `pkg upgrade` or `dpkg dist-update`.

> Many home ISPs have shitty upload connectivity, so your email won't work that well on the go.

Is that really an issue? I probably use <100kB personnal email per day anyway. Even in the US, 100kB/day upload is not unheard of.

Also, the "on-the-go" issue is DL speed: from your device to your server. How long your server takes to send the mail is mostly irrelevant - instantaneous transmission should be done by phone.

> Internet and power outages mean you won't send or receive any email.

More comments around here about sending servers that MUST retry, and fail only after a few days.

> You lose the knowledge email providers get from scale, including ever-evolving spam filters, and a guaranteed clean outgoing IP.

That could be a real issue, but the ever-evolving filters at my ISP clearly can't spot (nor stop) the spam I receive anyway.

The outgoing IP shouldn't be a problem if you've registered it in your DNS, and it matches the SMTP or whatever subdomain.

> Also, the "on-the-go" issue is DL speed: from your device to your server. How long your server takes to send the mail is mostly irrelevant - instantaneous transmission should be done by phone.

Not commenting on the rest: you download incoming mail from your server, i.e. your home uplink. If someone sends you a photo or zip file, that’s the bottle neck.

Not to mention syncing email with the brain dead protocol that is IMAP…

The cloud ultimately is someone else's computer, abstracted away to feel good. Data loss occurs in the cloud too and it sucks.

It's also dangerous to say because you don't understand or see the value in something, that there possibly can't be any.

Today's home connectivity + LTE fail over is reasonable to rely on. One could put a vps proxy in front of it if you really wanted.

Running a home appliance is not out of the question or unreasonable. I have a Mac mini server that is coming on 8 years of age and zero issues.

Today, the combination of Ubuntu, docker, and ready to go setups make it super easy. Offsite backups are not an issue anymore. Running owncloud is good for files locally, but email is worth it in some cases.

We own a lot of appliances at home that have a lifecycle to maintain already.

The reality is the above issues have a much lower chance of happening than 10-15 years ago.

Hardware is far more reliable and than it was, my 15 year old servers pulled from my data center were still working when I virtualized.

A discovery I made was owning a PDU (like an APC Masterswitch) cleans the electricity so much enough that attached equipment don't seem to fail. I ran my own email server in a datacentre for clients for a long time because it was the norm.

With Home Automation adoption increasing I suspect a home appliance of some kind will become a reality anyways. If personal data became a feature of it, that would be useful.

So what happens when you are traveling and there's a power issue or maybe some other connection issue that knocks this box out of service? Looks like you'll be stuck without email until you can physically get back to this box. This isn't a scenario you worry about with regular email.

The challenge with email is that once you give out any mail address to people, you are on the hook to ensure that it's a functional address. Not something you can just try for 6 months and then easily move on from. And if you decide to move on from this service, will the average person be able to easily migrate that custom domain to a different email provider? (Yes, technically this is possible, but can normal users do it easily? Is it part of the service that Helm provides?)

What do you do when gmail goes down?

Not sure if you have spent any time around data centres, but they have to deal with power outages just the same. My power doesn't go out often, how about you?

Backup batteries (UPS') are trivially cheap as well, especially for equipment that sips electricity. Everyone should have one on their internet connection and wifi anyways. A $200 ups can give a few hours of power.

Your offsite worries could be alleivated by mirroring 2 devices, or mirror one to a cloud. Realistically, incoming email is queued for redelivery from 24 to 48 hours until it can be delivered. Beyond that, outgoing email can be sent thru a third party temporarily (migadu, etc). Next question?

Migrating email isn't hard. Most services have import feature. I suspect you may not have done this before.

An upcoming release should have continuity of service with a 2nd box, which is not a perfect solution I realize.

It is a perfectly serviceable solution. What do we do when Gmail goes down? :)

If there was a way to run a zero knowledge vm in the cloud that was fully encrypted that might be an option too.

Yeah, there is no convenient backup policy that doesn't obviate most of the purported benefits of this device. You have to store your backups somewhere off-site to have any kind of data safety, and unless you're dumping out to tapes or some other physical media and stashing your backups in a safety deposit box, that's going to be a server somewhere.

Developers and devops folks can certainly do this, I know I have had to do that before for my production data.

Part of the point (and the impressive software that has been built here) is that backups happen transparently, and if anything ever happens to the Helm you can get another one and get back up and running by restoring from online backups. It's the same principle: things can happen to your iPhone but you can get up and running with a new one easily.

I'm skeptical of this device, but don't follow your reasoning. One of the device's concerns is security and privacy -- what security or privacy am I giving up by giving my backups to Tarsnap?

This was my first thought as well. My email IS very important to me which is exactly why I will never host it locally. The only content I host locally-only is stuff I would be annoyed to lose but could replace, the only content I host locally with online backup is stuff I can do without for a couple of days while I recover. Email falls into neither of those categories, I need it to be up all the time. I have considered fastmail or similar but I will never trust my home connection.

I've been running my email on Helm for the past month with no dropouts of service - it's worked with no issues this whole time, and we use Comcast in SF, so it's not the best upstream there is.

Mind sharing your domain? I'd love to peek at what they do DNS-wise. lvh at latacora dot com if you don't just want to hand it to all of HN :) The e-mail in your profile is hosted by Google, which makes sense because it looks like work email.

I'm easy to find on the internet. me@garrytan.com

Neat! Who's Privacy Labs, Inc?

Oh that's the actual legal name of the company that created Helm.

I think just about every internet connection can run email just fine.

Not necessarily. Incoming email: port 25 is blocked on many residential connections. Outgoing email: If you send email from a residential IP block you're likely going to be flagged as spam.

If I understand correctly, incoming e-mail actually goes to some EC2 host.

With this service, yes. That is because not every internet connection can actually successfully run an email server, which proves my point...

I wasn't debating your point; I was pointing out how this service accomplishes it without tripping over that problem. FWIW: I'm not sure that's actually how it works.

The device talks to an AWS EC2 proxy IP that Helm makes sure isn't on an IP blacklist. All traffic that goes through that is TLS encrypted using Lets Encrypt keys.

Like Spamhaus?

Elsewhere in the thread, Giri says it uses a VPN connection. Is it TLS + something else?

helm.garrytan.com:3333 for example responds with a self-signed localhost cert, not LE keys. IMAPS (still not sure why that’s there but I asked that in a different comment so let's have that thread there) and 8443 do answer with LE though :)

I think the only times I lost data in the last 10 years or so was because someone accidentally deleted stuff on a shared Dropbox (luckily I had a local backup, so only the most recent changes got lost). Oh and I lost some photos that I uploaded to a Facebook clone because they more or less shut down.

Data loss is more or less a solved problem. You don't need Google for that. ;-)

On the other hand, even without putting my tin hat on: I get customized ads best on my email contents, WTF?! Everybody can see based on the browser ads what kind of sites I'm surfing to.

> Internet and power outages mean you won't send or receive any email.

Except if you have a charged battery and LTE. ;-) In fact just a charged battery is needed when network is down to read old mails.

> Fire, theft, or hurricanes may destroy it.

Solved problem. Encryption...

I'm not sure you understood how helm works. Your answers don't seem to relate to the concerns of a self-hosted solution.

Can you be more specific?

The original post was about the perils of hosting your mails at home. I'm not clear what your answer is about.

For example, in a power outage, Helm won't work. You say it's not a problem with a charged battery and LTE. I think you're talking about a cell phone and I don't understand how that's related. Sure, one could run Helm on a UPS with LTE backup. But then that's extra infrastructure against the promised simplicity.

Also I don't see how encryption prevents the device from being physically destroyed.

> For example, in a power outage, Helm won't work.

I mean you can connect it to a Uninterupptible Power Supply "USP".

It's not clear if they have a high power USB connector to connect USB batteries, however:

"Built-in battery backup for safe shutdown

On mode: 10 W

Standby: 0.4 W"


> LTE backup. But then that's extra infrastructure against

> the promised simplicity.

There are low-cost routers with USB ports that allow plugging in an LTE stick.

> Also I don't see how encryption prevents the device from

> being physically destroyed.

You can create a backup and store it on an untrusted storage (cloud for instance).

I'm surprised these devices didn't take off 5 years ago already, as this is technology wise almost a step backwards into the 90s. But I think it's worth it, and in fact you don't need helm to set up a system like this yourself. Get a Raspi, stuff an LTE stick and a juicy USB storage into it together with external USB-battery in passthrough and you even have a superior device.

You are introducing a lot of moving parts to go from 99% to 99.5% availability. And you can't get much better than this at home. In that vein, for most people, the availability of a Raspi solution would be 0%. They just can't handle it.

If you can accept the bad availability Helm looks like a fine solution to get your mail out of the cloud.

Agreed. For a service that is about security, it honestly leaves me feeling very vulnerable, and I wouldn't consider it for that reason. I'm concerned about my emails being delivered, increased spam, a thief (or government employee) walking out of my home with my email server, my modem needing a reboot while I'm on vacation and not being able to send or receive emails, and my neighbor accidentally burning down my apartment, taking my email with it.

I'm a Fastmail user and pretty happy with the service. But, what's the real world benefits of Helm over an encrypted email service, like ProtonMail?

Using a hardware root of trust, secure boot and a Secure Enclave for managing keys used for full disk encryption, it will be very difficult to extract decrypted data from a Helm server. The keys never leave the Secure Enclave, they aren't available to the application processor or memory.

Most cloud-based email services hold email in the clear - we believe this means you don't really own your data. Encrypted email services have challenges around search, access via proprietary protocols and the risks of running highly sensitive operations in client-side javascript.

Hang on: are you suggesting cloud e-mail services don't use FDE?

They may but they also hold the keys.

I mean, sure? You can use encryption to get security and privacy features but "FDE" isn't it. FDE is more important for Helm but that's a problem of their own design: suddenly the e-mail is in a box in my kitchen and it's a lot easier to walk out with a box in my kitchen than it is to walk out with a drive from us-east-2a :-) For anything in the cloud it's a belt-and-suspenders/compliance thing.

How many people have access to drives in us-east-2a? Do you know? Can you verify?

Assuming the software works flawlessly (if it doesn't, it doesn't matter where it runs) you'll need RAM and storage access to recover the keys and the data. If you're in the cloud, you won't notice when insiders or state agencies take a peek. If the device is in your home, you can set it up so you notice.

It all depends on the threat model.

> How many people have access to drives in us-east-2a? Do you know? Can you verify?

AWS, like every non-clownshoes provider, is transparent about the security controls on its datacenters. It has those verified by independent third parties and auditors (for relevant compliance standards). They have published whitepapers and compliance/audit reports, and continue to.

The odds that someone compromises a Helm update and the odds that someone walks out of us-east2a with a drive are not in the same ballpark.

To reiterate, because somehow I'm in the "FDE is an important threat model!" corner: it is not. Walking away with a Helm is not the easiest way to read e-mail on that thing, especially not for an organization capable of dragnet surveillance in general.

> The odds that someone compromises a Helm update and the odds that someone walks out of us-east2a with a drive are not in the same ballpark.

Sure, but why are you comparing a software compromise against physical access? There are attacks that work against cloud providers which don't work against Helm. If somebody can compromise a Helm update they essentially got root. And that is a step up from just read access to storage.

Here's how I see it: There is a provider that runs my mail infrastructure. They can either run it on AWS, or host it at my home. If the data is in my home I don't have to trust Amazon. I still have to trust my mail provider ultimately, but using AWS doesn't improve on that.

Because we started talking about FDE specifically?

I don't get why you're so hung up about physical access. But at least I think I understand how we got there:

gsreenivas: Most cloud-based email services hold email in the clear

lvh: are you suggesting cloud e-mail services don't use FDE?

lolc: They may but they also hold the keys.

lvh: it's a lot easier to walk out with a box in my kitchen than it is to walk out with a drive from us-east-2a

lolc: How many people have access to drives in us-east-2a?

In that last quote I should have said "storage", because I didn't mean physical access only. So apologies if that set you on the wrong track.

I'm curious about how you arrived at the conclusion that we are capable of dragnet surveillance. Connections to/from the Helm server use TLS end to end.

That (organizations) was in reference to state level actors, which is what GP was talking about.

EDIT: removed bit about 993/587 because you're answering that elsewhere.

gotcha - thanks for clarifying

You can always put your encrypted backup on a cloud storage. This way you're left with only the key to be concerned with.

I fail to see the point here -- data centers suffer partially or entirely from each point you referenced

I mean, the risks exist in the sense they are not absolutely zero, but can you seriously compare an average home to a data center in terms of physical security, connectivity, fire suppression, etc.?

no one said you can only keep one copy of anything you own.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact