Dank-selfhosted: automated deployment of email, web, DNS, XMPP, ZNC on OpenBSD (github.com)
402 points by indigodaddy 4 months ago | hide | past | web | favorite | 84 comments

This reminds me of another OpenBSD-based project, but just for hosting email — caesonia[1], which was recently discussed here[2].

[1]: https://github.com/vedetta-com/caesonia

[2]: https://news.ycombinator.com/item?id=16392096

edit: formatting

Their default Prosody config looks pretty nice; having an easy way to deploy a local chat service that has reasonable defaults like stream management, carbons (messages you sent are mirrored across all your clients), history, and HTTP-based file sharing is really nice.

Indeed, it would be great to have a standalone recipe / how to for setting that up. From the scripts there is no black magic involved, except a tiny bit for the integration with LE certificates.

> it would be great to have a standalone recipe / how to for setting that up.

You could probably distill that from their scripts. Be the change you want to see in the world!

Looks like this is similar to other self hosting projects like FreedomBone and NextCloud. It's great to see more tools to take back control over our data.

Similarly Cloudron.io and Sandstorm.io are very impressive and easy to use projects.

Sandstorm is great but apps really don't get updated anymore sadly. The founders also now have day jobs with CF, so probably don't get oodles of time to work on it.

Cloudron I've heard is excellent, completely dockerizes and automates everything with a slick webui, has lots of apps, however I just am unwilling to pay $15 a month for it.

Will likely roll my own apps/services with Rancher/haproxy/LE (or traefik as the reverse proxy/SSL term) on my sufficiently beefy Netcup rootserver KVM instance (at 8G it should handle everything I want to do, but will likely use up most of its resources, which is fine).

The situation with that first thing you talk about, pretty sure it’s a direct result of the situation with that second thing you mention.

Yep, funny to see such an A/B test situation play out and people want neither.

I've been looking for a solution like this for years and was ready to pull out my CC when I saw the $15, assuming a "/y". But I have to say, "/m", wow. Between that and "free", it's not really A/B, more like A/Z with a lot of letters in between.

I've been using Cloudron.io for months now and have nothing but good things to say. Actively developed, good support, large selection of apps.

Cloudron has a free plan (two apps tho)

Given that truly decentralized mass-market application/data hosting is not on the immediate horizon, the Sandstorm model is IMO really the best answer to how the average person can control their data. It brings the security and permissions model of mobile apps to the server side and makes it about a safe/hassle free to host web apps as it is to obtain and install mobile apps.

In return it places some restrictions on how developers build apps, which unfortunately means that it can't take advantage of all of the existing open source apps out there without extra work. But hopefully as people start to prioritize having control over their data, the app ecosystem will pick up steam.

Has anyone used Kubeapps? It looks open source, wonder how it compares with Sandstorm and Cloudron?

Using mailcow for hosting your own mail server is an awesome and smooth experience.

Awesome Self-Hosted vs Dank Self-Hosted

Ha. I'm not sure of the intent, but I like this as a naming pattern for different kinds of projects.

Maybe awesome is friendly and optimistic.

Whereas dank is a little more "Really not suited for the general public, no automated password reset, no web GUIs..."

Probably is trivial but I figured I'd ask anyway.

A one click "email" server which allows you to receive emails from anywhere but only send emails to addresses on the current server. If I don't send emails, I don't need to worry about people not being able to receive my emails, right?

That's correct. For outgoing, assuming you set up certs and DNS correctly, the main challenge is your IP being in an ISP CIDR that gets marked as spam.

I have a small instance on AWS that forwards my outgoing email and it works great.

I was thinking of a mail server for not very technical people that is easy to install and update.

The use case I'm thinking is let's say I have a domain like foo.bar. Each user gets a sub domain like user1.foo.bar. User 1 can send emails to anyone with an email address of .foo.bar but nobody else.

User 1 can get emails from anyone at anything* at user 1 dot foo dot bar

For example, facebook at user 1 dot foo dot bar

The main benefit this project would have is zero customization. No setting is customizable and the whole thing is an appliance that keeps itself up to date.


Could there be, or is there already, a self-hosted version of a Facebook clone? For example, you'd configure other servers and they would all talk to each other, giving access to someone's shared album, wall and profile.

Diaspora is what you're thinking of. Mastodon is a federated twitter clone.

WordPress plus BuddyPress - both free / open source. I've been wanting to find someone that could package those together with a few other plugins and settings to shore them up (added security and anti-spam settings) and make it a one click deploy for people via the popular services like DO, vultr, etc.

I think it would be easy to get one person in a family to pay for hosting while another person keeps an eye on updates and backups. Same with groups of friends, even if most are broke / not willing to pay, if just one would pay it would be trivial to host a few hundred friends on one install and a few hundred family members on another.

Buddypress is mature enough with enough plugins to do most of what fbook and similar offer all for free. Only thing I don't really know is what kind of mobile notifications options are out there and people would expect or need, as I don't use fbk the same way others do.

But groups, pics, vids, messaging, profiles, privacy settings, these things are fairly easy with BP really.

getaether.net is kinda sorta what you might be looking for. There was a recent HN post on it.

Self hosted email, chat, messaging, calls is the future. Individuals will own host and run their own services for these on public clouds. There is no reason for giant corporations to own these services.

I admire your enthusiasm, but most users don’t want to think about or manage these things. Convenience and consistency of experience is the reason for giant corporations to own these services, and unless there is a compelling shift in consumer preferences, that seems unlikely to change.

A million upvotes. $50/year for FastMail to host my email is worth more to me than spending even one hour a year debugging mail server issues on my own hosted instance. Not even once!

It doesn't need to be that difficult. For example, you do not need a CS degree to own a TV, or a smart-fridge, it just works.

Can you open source your tv and smart fridge designs so we can get in on the action?

An intro to your parts suppliers and negotiating mates rates would also help.

There are a couple recent SwiftOnSecurity tweets about this I thought I'd share:

"Your email address is your identity. We are talking the rest of your life. I’ve done custom hosting for 10 years. My first email host got acquired by a conglomerate. That has not been pleasant or confidence-instilling."

"Need to remember, having your own domain means you need to stay financially capable at all times. You end up in hospital and bills lapse and domain scooped by a squatter? Get ready to start over in life like you’re 12. People do not appreciate what it means to have free email."

I would like to believe I'm savvy and diligent enough to self-host my own email. Odds are I probably am.

But the downside is colossal. One small fuckup on my part, and I lose access to my key to, basically, every institution I engage with. Irreversibly. Even if it never happens, the thought that it could would be a constantly pressing weight in my mind.

I hosted our e-mail server a few years ago and it was a massive pain, because I could never be certain if e-mails were being delivered.

99% of the time it was fine, but then we'd occasionally run into some odd spam vendor who had blacklisted our IP address (presumably from someone who had used it to spam a decade prior).

Maintaining our own spam filters was a bit of a pain.

For our business, I'm pretty happy shelling out $50 a month to have someone else (Google) take care of everything. I'm basically paying that for the security of knowing my e-mails are actually being delivered. Pretty sure most people feel the same.

I have been having the same issues. 99% of my emails go through but every now and then gmail marks one of mine as spam. I generally don't care as usually it's other people emailing me because they want something and it's their loss if they don't get the email.

My server sends and receives properly. Not my problem if others have misconfigured email servers.

You're 100% sure that you're getting your complete email set from your provider? No misguided spam filter dead heading your emails here and there?


Well, I obviously have no control over what recipients do or do not mark as spam, so it's not an absolute guarantee.

But of all the options available, self-hosted was the least reliable.

Yes, because I want my grandmother to self host her email on a server. Sure I could do it for her, but what if I died first? It's not as cut and dried as you make it out to be.

EDIT: I get some grandmothers/fathers could be proficient in this, and power to them for being so. Mine are not, and I'm not going to waste their time teaching them when they're mostly concerned with living out the remainder of their lives with family, etc.

You use the phrase “public cloud” like cloud is a mundane municipal, state or federal resource like NPR or the office that distributes license plates.

It is a sleight of hand that the big cloud corps have gotten people using the word “public” to describe them.

Future? Self hosting was common place in the 90’s.

And it's far less common nowadays per capita.

Common? For organizations yes (much more so than today), but most users only had dialup at home even in the late 90s.

You could get dedicated dialup lines with static IPs. Also, real hard core users, of which I knew several, had dedicated ISDN and 56k lines for much of the 90's. There were also people who self hosted off their university residential network. This was very, very common.

I am a sysadmin and the last thing I want is to have to manage my own services in my free time.

MailChannels offers five free inbound filtering domains with each outbound mail relay account. If you’re self hosting your mailboxes, this could be an easy way to handle the inbound and outbound spam control and delivery part.

Email delivery issues usually come up in discussions around self-hosting. If there was a credible collective email delivery relay, I would pay to be a part of it. Is there anything like that today?

^^^ self-hosted email that can still legally circumvent ISP restrictions and enjoy gmail-like deliverability/whitelisting, by freedom minded sysadmins that self-police abuse in their network.

Here I am talking with myself...

I suppose hosted SMTP from a hosted service like SES or Mandrill could work, as long as inbound email was handled directly by my own server. There is also the matter of spam, but it appears there are many battletested solutions for that. The last thing I need is wondering if my emails hit the spam folder or not. I worked for a company with email delivery issues associated with the corporate domain once... it was difficult to do business.

I would not put all of this on the same machine.

Edit: To clarify - if one line of code is fd in any of the daemons you’re running you’ll lose everything.

Practice defense in depth.

Minimize the damage possible.

OpenBSD's standard practice is for all daemons to run as unprivileged users in chroots (after using pledge and - nowadays - unveil to restrict themselves further). If one line of code is fd in any of the daemons, it will by default be constrained to that daemon.

Absolutely, and pledge is amazing.

That being said, for example, let’s say pledge or unveil have one line of code that is fd.

You mean as opposed to your container/virtualization having one line of code that is "fd"?

The point of my statement is you have tens upon thousands of lines of code, systems are complex.

You can’t put all your eggs in a basket given the probability that something is fd.

Downvoting my statement is fine as long as it’s noobs learning from this script and not someone who is running critical infrastructure. :)

"You can’t put all your eggs in a basket given the probability that something is fd."

But you'd be doing that no matter what unless you're running each daemon on a different physical machine. That basket's just called "Xen" now instead of "OpenBSD". Worse, if the hypervisor has a bug that can be triggered from unprivileged guest code (i.e. as a non-root user in the guest OS), then any layers added in the guest are moot.

I can see how that kind of makes sense. But if you ask people to run it from multiple machines chances are they will throw their hands up and say too hard and not self host at all?

Agreed and that would be a reason not to self host at all, if security is critical, because it IS difficult.

For example, driving is convenient. That doesn’t mean someone who has never driven before should just drive. It’s definitely better for them to taxi.

It’s a hard problem - we have to make things easier for people.

When King Sejong saw that people were illiterate, he didn’t try to force everyone to suddenly learn a difficult language - he just made an easier one.

Now Korea is 99.9% literate.

what is `fd` in this context?

I think he meant "f'd" as in fucked


Hosted our family email server and Wordpress blog running OpenBSD on an Old World Mac using Dynamic DNS from home back in 2003. Specifically, I ran OpenBSD 3.4 on my G3 Blue & White with a Sonnet Tempo ATA 133 PCI Card. That was about 15 years ago. I was self-hosting. :-)

Imagine you could get away with running this on 1G with light usage/load? Also don't see webmail here, but imagine it shouldn't be too difficult to add (I don't have much exposure to the OpenBSD landscape).

For webmail you could use rainloop or squirrel which can use the web server and the email server for example!

Yep, Roundcube seems to work these days, I've been using it for a while (lightly, only once a week).

Wasn't DJB's qmail, djbdns etc. exactly this? But at least it was a small codebase. Is anyone still running qmail? Wonder if someone has thought of running email entirely on their smartphone.

"You're crazy enough to run your own mail server :-)"

Looks good for moving away from the widely used centralization services (CF/aws for DNS, google for email, etc), my only question is how this is #1 on HN with 12 points.

Hacker News uses points, (inverse) time since posting, and (inverse) number of comments to decide the position of an item.

Lots of points in a short time with few or no comments will push an item to the top.

Probably because it was posted 25 minutes ago.

This is wonderful. Bravo, and thank you!


No RBLs? I see cullum hasn't spent any time running a mail server.

Heads up you should probably never host your own email on the same server as your web/worker servers if you’re worried about IP leakage. Your IP is exposed on outbound mail. Using SMTP services like SendGrid won’t help, either.
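To make the "your IP is exposed on outbound mail" point concrete, here is an added example (not code from the thread or from the dank-selfhosted project) that reads the Received headers of a delivered message and lists which routable addresses a recipient can see. The message is constructed for this example, with RFC 5737 documentation addresses standing in for real ones and treated as routable; the hostnames, relay and IDs are made up. It also shows why submitting through a third-party relay does not hide the origin: the relay writes the submitting host's address into its own Received line.

```python
import email
import ipaddress
import re

# Constructed sample message: sent from a self-hosted box, submitted through a
# third-party relay, then delivered to the recipient's MX. 203.0.113.10 plays
# the self-hosted server's public IP (a documentation address, used here as if
# it were routable). Hostnames and queue IDs are invented.
SAMPLE_MESSAGE = b"""\
Received: from smtp-relay.example.net (smtp-relay.example.net [198.51.100.7])
\tby mx.recipient.example with ESMTPS id AAA111
\tfor <bob@recipient.example>; Mon, 01 Jan 2018 10:00:02 +0000
Received: from mail.selfhosted.example (mail.selfhosted.example [203.0.113.10])
\tby smtp-relay.example.net with ESMTPSA id BBB222
\tfor <bob@recipient.example>; Mon, 01 Jan 2018 10:00:01 +0000
Received: from [192.168.1.20] (localhost [127.0.0.1])
\tby mail.selfhosted.example with ESMTPA id CCC333
\tfor <bob@recipient.example>; Mon, 01 Jan 2018 10:00:00 +0000
From: alice@selfhosted.example
To: bob@recipient.example
Subject: hello

hi
"""

# A literal IPv4 address in square brackets, the way MTAs write the connecting
# host into a Received line.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Addresses that reveal nothing about where the box sits on the public internet.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "169.254.0.0/16")
]


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def exposed_ips(raw: bytes) -> list:
    """Routable addresses recorded as the 'from' host of each hop, oldest hop first."""
    msg = email.message_from_bytes(raw)
    result = []
    # Each MTA prepends its own Received line, so the last header is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        match = BRACKETED_IP.search(value)
        if match is None:
            continue
        addr = ipaddress.ip_address(match.group(1))
        if not is_internal(addr):
            result.append(str(addr))
    return result


def leaked_own_ips(raw: bytes, own_ips: set) -> set:
    """Which of the addresses we care about a recipient can read off the headers.

    own_ips would be the public addresses of the hosts you do not want
    associated with the mail server (e.g. the web server behind a CDN).
    """
    return own_ips & set(exposed_ips(raw))


if __name__ == "__main__":
    print(exposed_ips(SAMPLE_MESSAGE))          # relay saw 203.0.113.10, MX saw the relay
    print(leaked_own_ips(SAMPLE_MESSAGE, {"203.0.113.10"}))
```

Run it against a message you sent yourself to a mailbox you control: if the address of the host you are hiding behind a CDN shows up in the output, outbound mail is undoing that hiding, regardless of which relay sits in between.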

What's the problem with leaking your IP address? If you host a website or any kind of API there, your IP is public anyway?

Not if it's behind a CDN, if you were to host a website that someone might consider a DDoS target (frankly anything can be these days), then it can be wise to keep the host's true IP off the record

If your security is only achieved by hiding your IP I have bad news for you.

Obfuscating your IP is a foundational part of strong security for websites in certain industries. For example: the video game industry has a lot of wannabe hackers and script kiddies, DDoSes are cheaper and larger than ever, which makes running services in that industry extremely expensive without proper IP security. I know the purists think the internet should be open and transparent, but some of us also build services in reality.

*weak security

One can scan the whole IPv4 address space in probably an hour, so you'll find any service you want to find. You might say, "I have a CDN in front of it", but that is just basic firewalling (or reverse proxying) and not really worth of being called "IP obfuscation".

Presumably the CDN would be whitelisted and scanners would therefore be unable to determine which of the many unresponsive IPs host the service in question.

It may be weak security to keep a bit of cash in my car's glovebox rather than in plain sight, but let me tell you how effective it is at keeping my windows from getting smashed...

Firewall only lets in traffic from the CDN, so you wouldn’t find anything. It’s almost like making sure this can’t happen is my job.
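The "firewall only lets in traffic from the CDN" setup described in this exchange, as an added example (not from the thread or the project): a small Python helper that turns an allow-list of CDN edge prefixes into an OpenBSD pf.conf fragment with a default-deny on the web ports, and a checker that decides whether a given source would get through. The prefixes are constructed RFC 5737 documentation ranges standing in for a provider's published list; the table name `<cdn>` and the `egress` interface group are this example's choices.

```python
import ipaddress

# Constructed allow-list: documentation ranges stand in for the CDN's real
# published edge prefixes, which you would fetch from the provider.
CDN_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]
WEB_PORTS = (80, 443)


def parse_prefixes(prefixes):
    """Validate the allow-list up front so a typo cannot silently open the host."""
    return [ipaddress.ip_network(p) for p in prefixes]


def is_allowed(src: str, nets) -> bool:
    """Would a TCP connection from src to a web port be passed by the rules below?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def render_pf_rules(prefixes, ports=WEB_PORTS, iface="egress") -> str:
    """pf.conf fragment: block the web ports by default, pass only CDN sources.

    pf is last-match-wins, so the pass rule after the block rule takes effect
    for CDN addresses; everything else hits the block and a scanner sees an
    unresponsive host rather than the origin.
    """
    nets = parse_prefixes(prefixes)
    port_list = "{ " + ", ".join(str(p) for p in ports) + " }"
    lines = [
        "table <cdn> persist { " + ", ".join(str(n) for n in nets) + " }",
        f"block in on {iface} proto tcp to port {port_list}",
        f"pass in on {iface} proto tcp from <cdn> to port {port_list}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_pf_rules(CDN_PREFIXES))
    nets = parse_prefixes(CDN_PREFIXES)
    for src in ("192.0.2.44", "203.0.113.9"):
        print(src, "pass" if is_allowed(src, nets) else "block")
```

This only hides the origin on the inbound web path; as noted elsewhere in the thread, outbound mail sent from the same host still records its address in Received headers, which is the reason for keeping mail on a separate machine.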

Yes, that's what I wrote.

maybe the commenter has the scenario of bare metal server at home in mind?

I was going to ask this as well, surely there shouldn't be a problem with this?

Your IP is exposed on outbound mail.

That reminds me of the good old days of the Interwebs: Your computer is currently broadcasting an IP address!


Excellent concepts!

^ cloudflare warns you if you leak your public IP

As usual from OpenBSD folks, quality README.

Great project!

