It became a self fulfilling prophecy. Our email would trigger a rule in big co's third party security app, which would then report to a centralized rule breaker clearing house automatically. Clients couldn't receive our emails, we would dive in, submit appeal to clearing house, get clear and a week later do it all again.
Everything was configured properly on our end. We passed all the online validation engines. IPs were our own personally owned block and pristine.
It became too much.
Switched to office365 and all problems magically disappeared. Sent emails to same big cos with third party email security and haven't had a single issue.
I was there for 10 years, and this was only a problem in the final ~2 years of my employment, which roughly lines up with your 4 years remark.
It's not about setting up perfect signed email and all the new techs. It's not about having the same clean IP for a decade. It's just the same old network effect combined with profit motive. The obvious change in the last few years (I've run a mailserver for 9) is managerial not technical.
In my humble opinion, leaving email to mega-corp alone can be a freedom risk, even if a small one.
People make a big deal of SPF/DKIM etc. I think you should, for the sake of best practice. But you can set yourself up with gsuite or Office 365 and pay no attention to these things, and you can fully expect mail to get through to everyone. You can even setup a broken SPF record that disallows office 365 email and for the most part, everyone will still get your email.
Things worked fine, but I think 2 years ago I realized that my e-mail started going to a spam folder. Fortunately adding SPF/DKIM appeared to fix it, but it feels like it is getting harder and harder now to have own mail server.
I would probably gave up, but it's infuriating to me that from courts rulings if your mail is handled by 3rd party, the 4th amendment no longer applies.
However if a domain signs up for Google Apps, magically you get whitelisted, even if you are handling your own email, funny thing that.
I guess Google's customers are just more trustworthy...
I wish. I've been having issues with being sent to spam when replying to a colleague on the same domain which is on Google. The email never left their servers, everybody was authenticated, and the emails were within an hour of each other, so it's pretty obvious that it's a reply. Still: off to spam it went.
We now have a filter rule to always consider our own domain as not spam, because it's just too unreliable otherwise.
If you get an incoming email “from” yourself and it is not marked as spam, it will be put into your sent label.
At least one person claims to have been incorrectly fired because of this. Their employer found incriminating emails in the person’s sent box, and considered it a closed case.
In that time I've had a single incident (earlier this year) where spammers got it and sent 20k spam mails in less that 24h mails. Luckily I noticed this and stopped it pretty quickly.
I had mails to some destinations bounce for around a week after that.
Beyond that incident, it's very rare to have trouble delivering mail - I think maybe once in the past 5 years there was a company who I had trouble with.
Having said all that, the spam incident this year highlighted how fragile hosting your own mail server can be if things go wrong, and I felt really bad about the spam mails sent from my server - continuing to run it almost feels like a liability, and when time permits I plan to move our mailboxes to O365
They don't refuse delivery, but that is entirely meaningless when nobody ever checks the Spam box anyways (which is also hidden by default)
Hmm, I just tried what you suggested, with 2 different accounts never sent to, and the emails got through fine.
We use SPF and DKIM, but otherwise it's a fairly standard Postfix/Dovecot install (albeit a very old one).
I have a pet theory that big email platforms care deeply about the IP "neighborhood" the sending email server lives in. So a small email server set up perfectly in Digital Ocean IP space would struggle, while an email server set up OK in (for example) CenturyLink Enterprise IP space would get through.
People here are speaking about how gmail will "effectively spambox your mails by default". That's not been my experience (from setting up multiple small customers). Anyway, at least I've never heard of gmail just eating your e-mails. They either get rejected or accepted and put somewhere (maybe the spam folder, but at least somewhere).
Office365 / hosted Exchange / Outlook Protection or whatever is it called these days... they should be routed to /dev/null by everyone.
They just won't track your reputation unless you send them more than 100 mails per day. Does this sound bad? There's more: if they don't have reputation info from you (because they refuse to track it due to the low volume), your mails will go to spam inboxes even when their filters indicate that the message is not spam.
And there's more! Don't dare to ever get a bad reputation (i.e.: a user managing to get hacked and their account used to send a couple hundred spam e-mails before triggering your countermeasures). If this happens you are 100% fucked. Now they will DROP your e-mails. Hear, hear: their servers will accept your mails and just DELETE them. No spam folder, nothing.
You will try every possible thing: set up everything for their feedback loop, sign up in their "Smart Network Data Services" to track your reputation (it will be empty except for that day)... and finally contacting them at their sender support.
Do you want to know what they will reply? That you should be patient and let your reputation build up over time. What a joke! How on earth can your reputation improve when users cannot mark your mails as "not spam" because they (outlook, not the users) are simply DELETING them without a trace?
Oh, there's a way out of all this though: obtain a "Return Path Certification" . That is, pay them an absurd amount of money and your mails are guaranteed to get to the users' inbox unless you are clearly spamming (all of the above assumed you are NOT).
Up to this final point you could think they just do their best and all that I've explained is collateral damage. That last "pay and we let you off the hook" is what clearly signals to me that this is an elaborate scheme to get small players to either pay them anyway or just give up and use a big-provider service.
It is mine. I used to have to take a proactive approach to email - send an email, and if I don't hear back in a timely manner, I check their MX records. If it's Google, I'd contact them out of band - yep... spamholed.
These days, if it's important I'll contact out of band. If not, meh... I'm not going to bother just because of Google Knows Best. I'm over pandering to Google.
For this reason one of the necessities of survival as an email sender is to classify your own outbound messages, to see if recipients might think they are spammy. If they just look spammy but you still want to send them, you need sacrificial IP addresses on separate netblocks that are dedicated to spam, so the reputation of your main IPs isn't polluted.
If there's any possibility that any of your users could get their account hijacked, or there could be malware on any device permitted to send messages, you need outbound classification.
Edit: or, alternatively, tried fighting this using anti-racketeering laws? The payment aspect sounds like a protection racket scheme to me...
I run VoIP PBXes and they occasionally need to send an email, usually for voicemail to email but occasionally for other alerts.
By default they just send straight to the internet, sending from firstname.lastname@example.org, forward and reverse DNS mapping back to their own addresses, etc. but no other setup.
This works perfectly fine with Gmail and Gsuite accounts, but Office 365 occasionally decides it hates one of our servers. Even if the client has the sending address whitelisted, it still just gets hard blocked for no apparent reason.
Gmail, I can fire up a telnet session right now and send myself an email from my home IP address just typing raw SMTP commands in to a console. It's going to work, and unless I'm spoofing a real email address it's not even going to end up in spam.
Could you name the cost?
TLDR: Minimum tier was $400 signup + $1,375/year for up to 100,000 mails/year.
What was too marketing for them? A 100% opt-in list that reminded customers when a product was in stock. Fully made in-house, with captcha, privacy policies, opt-out, and with the user typing their email and name, the complete works for a one-time reminder email.
Nope far too marketing related for them.
It's harder to sign up for a Gmail account than it is to register a domain and get some hosting. And Google has their own protections against sending large amounts of mail built-in. The system is as it is now because spammers will abuse it otherwise.
The big email players are accepting mail from universities and large companies with misconfigured email servers. If you use the same rules that Google and Microsoft use to refuse emails, you will be bouncing emails from valid domains. If you don't apply them, you end up accepting spam. The big players are able to deal with the spam using specialised teams and I suspect advanced algos including machine learning.
IF the big players applied their famous rules to everybody equally, everybody, including universities, big companies etc... Would quickly configure thier mail servers properly, which WOULD reduce spam, possibly eliminate it.
Being able to keep inboxes fairly free of spam in a world full of spammers is what distinguis big email providers and enable them to sell their services.
I remember when I imagined big companies might use their considerable resources to put together something like that. Then I found out it's just a handful of random engineers cobbling together crap and hiding it behind a fancy domain name.
It is probable that Office365's entire spam filtering system is a very large and ugly spreadsheet that gets passed around between a few teams using a ticketing system.
Relevant wikipedia page: https://en.wikipedia.org/wiki/Exchange_Online_Protection
Originally, the product started out as an acquisition, and there's still some legacy code that references the old Forefront name. There's about 50 people on the team.
DKIM/DMARC/ARC is worked on by two engineers.
Right now, Google is refusing to deliver email from logwatch - giving me the "Message rejected. See https://support.google.com/mail/answer/69585 for more information." so those are going to /dev/null with no recourse to fix it because Google literally doesn't like the content of the email.
The fact that I can't hit a button and tell Google that yes indeed I'm not trying to spam myself is ridiculous.
That said, my outcoming mail traffic is almost non-existent outside of few test emails, LoL.
After setting gmail to forward everything, I noticed it was sending 33% of my legitimate email to spam.
They don’t let you disable the spam filter, but you can set up an escoteric filter that prevents it from actually putting stuff in spam.
I honestly don’t understand how people cope with gmail. Fastmail is cheap and orders of magnitude better.
I like the idea of hosting my own email but even if I get around to doing that I will still need a backup. Fastmail is probably where I will go.
In 2005 you would get 100 spams to an unfiltered, widely published address, these days it is more like 2-5.
The continued lockdowns and protocol changes of gmail and yahoo are a sign of being overstaffed, "feature" oriented and yes, the attempt to shut down competition and the free exchange of mail.
It's getting impossible to read emails, too many. If it were not for them being used to their email address and me being lazy, I would move them off to gmail.
A person from Gmail even posted on HN a while ago, stating they'll look into this and do better. That was about a year ago and the situation is exactly the same or worse.
You don't have to throw out the baby with the bathwater (:
The IMAP/POP3 server is yours, and all the email is stored on something you control.
No real issues. Sure, you make it on a spam blacklist once in a while, but at least you know when it's going to be fixed, instead of dealing with zero response (or denial) from a big hosted mail provider.
Besides, not all of "our email" comes out of our office, our CRM and ERP products send mail on our behalf, and they have problems delivering mail more than we do.
a) a docker container (or other standardized, easy to deploy technology) with a "mail server in a box implementing best practices"
b) a test for the stuff that Docker can't cover like DNS config, ideally with scripts to set it up on the most popular providers and clear copy&paste instructions for the rest.
People shouldn't need to fully understand DKIM, SPF, etc. - they should just be able to click a button, copy&paste generated DNS records, and be up and running.
Otherwise, commercial providers are just the only option that makes operational sense for most cases, _even if you know how to do it right_, because doing everything right manually step by step is still to much work to be worth it in many cases.
None of this seems _hard_, it's just tedious.
It’s pretty good, I use it for my own server. It still requires some config, but better than running all the services from scratch.
Email has serious economies of scale and keeping such a critical system operational, on a small scale, was going to be some deal of stress.
So I just went with my hosting providers Plesk-fronted setup, which matches your para.3 description.
To me maddy would feel like sleeping on live electrical wires, only they are insulated by a thin layer of paper. Hope the isolation does not get scratched anywhere while you sleep. Even a non-dockerized, traditional setup like postfix+dovecot has better isolation.
Depending on how many targeted attacks you get in a day, you may pull apart the monlithic server and run inbound processing, filtering, IMAP access and outbound queueing as separate processes or even on separate systems.
(Probably i should put a better wording on
> you may pull apart the monlithic server and run inbound processing, filtering, IMAP access and outbound queueing as separate processes or even on separate systems.
Can this be done without forking source code? E.g. just configuring two instances.
Thanks for the link to FAQ. Actually, simple, no bloat’ little dependency software definitely has some appeal.
This page shows how to configure maddy to only handle SMTP:
You can follow it but swap Dovecot for another maddy instance, configured as shown here:
This works because maddy implements both client and server
for Dovecot's SASL delegation protocol.
Alternatively you can configure pass_table to read from shared
SQL database. Hm, maddy-tables(5) man page is not rendered on
the website but you can look at sql_query module.
That being said, my project greatly benefits from Go concurrency features and simple I/O primitives. Also there are libraries written by emersion for nearly everything.
I think that is overkill for self hosting. Also as the author says below, Go is more memory safe than C/C++ in that there is no use after free and buffers are bounds checked.
A machine which has IMAP open tends to look like it has some good stuff.
I just forward incoming emails to an internal SMTP server which also serves as IMAP server, so MX records won't simply reveal your IMAP server as well.
A simple `docker-compose up -d` does the job. Then you just have to configure your records (SPF, MX, DMARC, ...) and it's all set.
A really nice work from the mailcow's team !
I oppose this. People should know what they are configuring. This applies to all stuff related to mailservers.
You probably learn more by setting it up the "hard" way (without containers) so that in case of failure you at least have a little insight in how the components work.
If it breaks, then you get someone else to fix it / get a better product is all they need to know.
But if you want ... it's like having a drivers license.
Or: you only "drive" self-driving cars. In case of emergency you don't know what to do. Perhaps an even better analogy.
(This is admittedly a very small deployment for two users and 3-4 domains on a $5/month VPS).
A lot of the other stuff I evaluated at the time (3-4 years ago) came with yet more stuff.
Automatically checks DKIM, SPF and DMARC settings for your domain, comes with docker and can be upgraded by running a single script, and has a webgui and spam protection.
* Setup ARC (RFC8617) for all mailing lists and forwarding.
* Sign up for the Google & Microsoft postmaster tools. They're not great, but it's better than nothing.
* Implement RFC8058 / RFC2369 unsubscribe mechanisms.
* Use an outbound suppression list to ensure that unsubscribe requests or unwanted mail complaints have lasting effect.
* Article touches on DMARC reporting, for which I suggest Postmark's free monitoring tool at https://dmarc.postmarkapp.com/
* From time to time run your domain name(s) and IP address(es) through a panel of reputation services. Check out any red flags (some of them matter, some don't).
And for content:
* Re-evaluate email templates. Many out there are hot garbage, practically inviting users to hit the junk button, which just hurts sender reputation. Ensure there's always a plaintext part. Don't use tracking/opening pixels. Write validating HTML. Minimise size. Don't bury the unsubscribe link, put it at the top, and make sure it clearly works without hostile barriers like "are you sure" pages or sign-in.
* In the very first paragraph, and without scrolling on a mobile, we must explain, honestly and concisely, why we are contacting someone, and why they might want to read the rest, because we have no entitlement to someone's attention.
* Run all mailers through a spam scoring tool as part of CI/CD, because a high score is a bug.
In addition, Google's sender guidelines are well worth reading, they're more than just self-serving gatekeeping: https://support.google.com/mail/answer/81126?hl=en
Some mail delivery systems start to notice that your domain name is being used as part of a lot of spam / bogus emails, so you can have perfect IP history / no spam and STILL start triggering some random filters (no big players but smaller protection product filters).
So the game must be absolutely never ending for everyone and the inbox a valuable target - especially now that unsolicited phone calls really do seem to get ignored these days - I feel like spammers killed the golden goose on phone calls and the telcos let them.
I will say DKIM / DMARC is working well, except google (which we now use for outbound) gives us transient SPF errors even though we are 100% using their IPs. Not sure why that is (ie, SPF failure on an IP that should clear)
Ie, if you are paying for google apps, have credit card on file, meet their rate limiting rules for outbound with SPF / Dkim etc then you are probably OK. Some random IP doing direct mail? Much less likely to be OK.
Given govt has done such a bad job in this space, these big corps are essentially picking up the slack / trust that you'd normally say govt was responsible for. Gives them a metric ton of power, and they don't tax so have no money to provide any corresponding service.
In my organization we have ~10 linux VM and they are all configured to send email to an exim MTA. For example monitoring stuff. The system mail name is set to vmName.srv.domain.name (domain.name is replaced by our actual domain and this resolve to a local address) so it's quite common to receive mail from root@vmName.srv.domain.name. This cause no issue when it's delivered to the local Cyrus server but when it's transfered to a Gmail address for some reason Gmail reject the email because the headers are bad.
I am considering rewriting the address to user.vmName.email@example.com in exim when receiving email from local VMs and I am wondering if this could be a bad idea.
I'm going to redo this mail server from scratch soon because it has been left untouched for something like 6 years. Some software was compiled on it with shared libraries which then were updated but the software was not recompiled. It's a dumpster fire and I'm actually surprised most of our emails seem to go through.
I would also add to the article that's it's a good idea to have some rate limit on outbound email, outbound email spam checks and to check that the user sending email has the right to use that address.
Each user can also have many alternative addresses that map to an unique mailbox
Those mailings lists are used a lot internally and managed with internally developed tools. This make migrating to an external service difficult.
That's the classic example of some critical piece of infrastructure that nobody dare to touch because it works... until it doesn't anymore.
That's why we don't use external services to receive email. I'll consider using mailJet if setting up exim & related stuff correctly to send email in 2020 proves too painful.
I am assuming you have some budget for this.
@vmName.srv.domain.name is not configured so it goes to spam.
Yet, my IP address predictably ends up on Microsoft's "blacklist" every two months or so because of "spam behaviour or user complaints". I am rather sure that neither is true. Every time I have to fill in their appeal form, get unlocked immediately but have to do the same dance again two months later.
They have every right to reject a mail server but at least they shouldn't lie about the reason. My server's IP address gets blacklisted again and again even during months I don't send any mail to Microsoft addresses.
I'll do it though i'm not FastMail!
I'm working on a SES backed email client so SES takes care of deliverability (assuming the user does the basic DKIM, MX, TXT set ups) so it will work out much cheaper to send and receive mails than a FastMail/GSuite type solution.
Plus you'll get unlimited disposable emails for free, a shared inbox (if you want to share an inbox with your family to help stay on top of every one's schedules, for exam), and while the client I have built is pretty rudimentary, i'll be adding bells and whistles to make it better.
Github @ https://github.com/saiorama/ses-email-client
Landing page to submit a request @ https://shared-inbox.landen.co/
Note to others - I'm open to collaborating to take back email from the big guys. Hit me up via Github.
If the point is to take back email from the big guys, building on top of AWS SES seems to do exactly the opposite of that.
It's built on a completely proprietary service, which you have very little control over. If you're having issues with it, you're SOL unless you're paying for an AWS Support Plan, which is already well over the cost of Fastmail etc.
And on top of that, now you are stuck on a specific web email client as well, instead of POP, SMTP and IMAP which all of email has been running on for decades.
because I could! Isn't that the point of tech - to be able to build whatever you want, whenever you want, for any reason you want, in any form or shape you want without asking for permission?
The hexagon nut in your car is built on a technology that you don't know or own. That doesn't mean your ability of tinker with your car is subject to the whims and fancies of a nut manufacturer or the hexagon spanner manufacturer. You just trust that when you need a hexagon nut of a certain spec, you can shop for one. SES is exactly that hexagon nut to me. If you consider how easily an MX record can be created/changed, how am I losing anything by attaching myself to SES's email service?
AWS Support Plan - of all AWS technologies under the AWS sun, SES seems to be one service whose support needs are minimal and outages aren't going to end my productivity. Email is async so that delivery delays by a day or two aren't really an issue (to me). Email is federated so if AWS wants to be taken seriously is needs to interoperate with other systems a high degree of reliability.
a) The web client i am stuck on is mine. I can stay stuck on it or enhance it or shut it down or let it lie for long stretches of time.
b) What S3 provides is even more basic than POP/IMAP/SMTP - it gives you the literal email files which are the bedrock of email to do as you please. I like my chances of building something amazing with the raw data rather than having to have my emails intermediated by a GMail or a FastMail.
Well yes, if it makes you happy, absolutely, do it.
But another reason we are all here is to discuss the merits and problems of various technological approaches.
> The hexagon nut in your car is built on a technology that you don't know or own.
This just isn't true – the hexagon nut is completely open. I can go look up the length, shaft diameter, thread pitch, etc. Countless different manufacturers make one to the exact size. I could even make one myself with a lathe if I were so inclined.
SES is proprietary. I could not replace SES with something else.
> If you consider how easily an MX record can be created/changed, how am I losing anything by attaching myself to SES's email service?
Because if you wanted to move away from SES, you would have to completely rebuild how your client receives, stores, and sends email.
If you build your client on POP/IMAP/SMTP, then you can just change your MX settings, and your POP/IMAP/SMTP settings, and you can move all of your email to AWS, or Fastmail, or Gmail, or your own machine, in the time it takes DNS to propagate.
P.S. I'm coming out with a fully-fledged email service built on top of my R&D with Forward Email.
(This is the first time I've become aware of Forward Email despite having run my own forwarding email server for years -- you should do more/better marketing/outreach!)
And we're completely open-source, store zero logs, and store zero metadata too. All source code is on GitHub as well.
I formerly worked at DuckDuckGo, and take privacy very seriously.
You can delete your account at any time.
Reading through the about and FAQ they also seem to be driven by decent principles.
I use SORBS on a rather busy mail server with thousands of messages sent to and from Gmail daily. Aside from very occasional SORBS rejections, which happen more often with Outlook.com and Yahoo, this simply isn't the case.
I still don't understand your statements. That's simply not true. It's not even close to being true.
Whatever the opposite of a disclaimer is: I was the tech lead of gmail delivery SRE for four years, so it's likely that I know more about this topic than anyone on this board.
I'm also trying to build my own email client for SES @ https://github.com/saiorama/ses-email-client. Happy to collaborate in case you want to work on this issue.
Almost more important than monitoring failed logons, monitor successful logons, for instance by country. If it is a small mail server, chances are your users are in a handful of countries. If you suddenly see a successful logon from vietnam or brazil, you probably want to be notified ASAP.
(Microsoft actually offer a custom domain email solution for families that doesn’t charge per user provided you host your domain with GoDaddy, but it has some limitations, eg with respect to aliases, so that wasn’t quite right for me.)
I did so with some trepidation, having been told by multiple people that I shouldn’t. Maybe I got lucky and had an IP with good reputation, but I was able to send mail to Gmail, Outlook, Yahoo and specific email lists after a few rounds of configuration.
The only problem I had was with Apple’s iCloud email, but engaging with ProofPoint soon fixed that.
Overall it wasn’t too bad an experience. I’d class myself as beginner level in that I’ve done this for myself ages ago (but never in a professional capacity).
Just leaving this anecdote out here as a small counterpoint to all the horror stories out there. If you’ve got an IP address with a poor reputation I can imagine it’d be a much more difficult exercise.
This year though, most of my dodgy SMTP traffic is coming 3 new problem children - Gmail(spam), Amazon(spam, other) and Microsoft Azure(other).
"Other" here is anything besides spam, like dictionary attacks, transactionless connections or service probes.
The idea was to accept emails sent to a unique, per-user address and forward all attachments to the user’s cloud storage account.
I looked into using mail services like SES and Mailgun, but given the average expected email size and the fact that I would primarily receiving mail, the additional cost didn’t make sense. Along the way, I ended up learning quite a bit about Postfix filters, virtual domains, SPF, and DKIM.
I also learned how quickly spammers can detect open relays. Apparently, while copy-pasting a config from somewhere, I had a slightly incorrect 172.x subnet listed as part of “mynetworks”. As a result, a spammer with a machine belonging to this subnet was able to use my server as an open relay. Long story short, it took me quite a while to root cause the issue and get my domain off the blacklists!
I have been running my own UNIX mailserver since 1997. I have consistently and loudly evangelized this practice, especially here on HN, and pushed back against the notion that it was too difficult or too time-consuming to implement and maintain one's own mailserver.
Having just recently made the major transition from relying solely on clean IP space and proper DNS records (which, in the last 18 months, has become increasingly untenable) I have changed my mind.
I will continue to run my own mailserver, for activist, ideological reasons, but I must now agree that it is too difficult and complicated - and fragile.
In no particular order, some of the things that I find overly complex and disturbing are:
- The DKIM implementations are very, very over-engineered. I understand, in principle, why we want DKIM to be a pluggable component that can be used as a general building block in various implementations, blah blah blah, but there is no reason that DKIM can't just be a feature, with a corresponding blob of config lines, in sendmail or OpenSMTPd or whatever. Having to pkg-install, and track, and maintain, whatever DKIM implementation you choose, along with all of its various dependencies, etc., is a big truckload of complexity and fragility that I just can't see ever appreciating. And the irony ? A popular DKIM implementation is to use the bundled DKIM functionality built into rspamd (!) ... so it ended up being just a feature anyway.
- The whole SSL component ... I appreciate this, I understand this, and for many use-cases I just don't care. I don't currently need encrypted email and if someone makes a decision to disallow sending to addresses/domains that don't support it, fine. Of course, if all of gmail decides not to, now I have another giant truckload of complexity and fragility that I need to implement and maintain. My mailserver should be an extremely tight, stripped down host with as few packages and daemons possible. Instead, I am now installing a big list of packages just so that letsencrypt can fire up a temporary web server to clicky click make my certificates.
- Now my mailserver is running a database (Redis) which is required to run rspamd, which is required to implement DKIM, without which I cannot send mail to yahoo.com addresses. True story.
So much complexity and fragility ...
 About 18 months ago yahoo.com stopped, with no errors or bounces, delivering mail from an 11 year clean IP with proper DNS/MX entries. I implemented DKIM and the problem is solved.
 My mailserver is a FreeBSD jail and previously ran only sendmail - and nothing else. Now I am running OpenSMTPd, rspamd, redis ... and once in a while I am running a webserver to communicate with letsencrypt.
 Speaking of letsencrypt ... requesting, generating and implementing SSL certs (even for use on the web) is simply creating, and trading, blocks of plain old ASCII text. I haven't looked into this, but is there an "expert mode" somewhere in letsencrypt where I don't have to run webserver instances and ... I can just run openssl command lines and cut and paste blobs of ASCII ?
I think of it as a process of punctuated equilibrium.
Every several years (or ten), it requires a flurry of activity to update to new preferred daemons, or new hardware.
Between these brief periods, everything is stable and solid. I don't have to think about it at all. In 25 years, I've rebuilt things 5 or 6 times. After the first few times, it has been more of a chore than an adventure, but it's still worth it to me, for now.
One development that might change my mind about that: Ubiquitous and non-vendor-dependent MFA. If email was not the security mechanism of last resort (or the skeleton key), then I might consider outsourcing it.
Re: Rspamd: It works well, but I did not enjoy the configuration effort. And yes, I never wanted Redis on my mailserver, but there it is -- along with an astonishing amount of RAM usage, which offends me in theory even if it has no practical impact. On the positive side, after the initial few hours of effort to get things set up, I have spent zero hours maintaining any of it, so I can't reasonably complain.
Re: letsencrypt: I use dehydrated for certificate renewal, and I run a temporary webserver as you describe. Not a full dedicated webserver package, just python (or ruby) which is already installed. It's launched from the same script that automates the license renewal. Not elegant, but adequate. You could probably get away with netcat.
Of course you can validate by DNS instead of HTTP. But that's not always convenient either.
I think you are correct and this is a decent description of how this has worked.
I don't begrudge the every 5-10 year burst of activity/implementation. What I begrudge is the increased complexity. We're both talking about Redis as a hard requirement for rspamd which is the typical recipe for implementing DKIM which is required for email. That's a lot of moving parts.
Currently I'm using postfix, dovecot, and rspamd, with several users using pine and mutt locally. Every time I do a major server upgrade, I re-evaluate the configuration.
My mail server also runs a web server for some static sites, so the letsencrypt part was simple.
Regarding letsencrypt, you can use DNS challenges. See https://letsencrypt.org/docs/challenge-types/ .
If that happens on the wrong email provider you're out of luck. One of the mail servers I have a hand in has been blocked by one of those difficult providers for the past 2 months and we sent them 4 mails/week before the block on average :)
I have DKIM set up just fine without running Redis or rspamd so this part is purely down to your choices.
> Speaking of letsencrypt
Let's Encrypt is a website/service. There are many clients and you can write your own. At some point Let's encrypt will need to verify that you control the domain so you will need to be able to either host something via HTTP or have sufficient dynamic control over the DNS server. Neither DNS nor HTTP needs to be hosted on the same host as your mail server though.
Postfix+opendkim+opendmarc works fine and it is very simple to setup as well.
There are all valid points and I question my decision to run my mailserver, but in the spirit of the Internet I continue to do so.
Let's Encrypt provides an ACME service. So, you will want to (run something that can) speak ACME, a somewhat RESTful HTTP API documented in RFC 8555 - https://tools.ietf.org/html/rfc8555. You can use a web service to do this part, but then you're relying on some random web service and you have to manually do a bunch of steps to renew at least every 90 days which I'm going to assume you agree sucks.
There are lots of people who have built such tools that can look after this for you automatically, perhaps you would like https://acme.sh/ which as its name might suggest is a shell script.
Let's Encrypt offers three of the (increasingly misnamed) Ten Blessed Methods, you can prove control over a DNS name by doing any of these three things:
1. Running an HTTP server on port 80 which can answer certain well-known requests in a specific way acknowledging your ACME keys. This server needn't have any privileges, acme.sh can help you spin one up that will basically say "Yes, rsync is allowed this certificate" for any request. Except instead of "rsync" it's a key only you have, so your server answering this way never helps any bad guys so long as you keep your ACME keys secure. [You may not be aware you have "ACME keys" the software you've used probably just minted some and squirreled them away in a dot directory]. With that server in place, your requests for a certificate for that name will always work, because the key matches, Let's Encrypt will call your server, make up a random nonce and ask if that's authorised and for who, your HTTP server will always answer "rsync is authorised" so it works, tidy.
2. ALPN on port 443. A TLS server answering port 443 can accept a special ACME-only ALPN protocol choice from the Let's Encrypt servers and use that to prove control. You almost certainly don't want this unless you implement web servers (which run on port 443 with TLS already)
3. DNS queries for a magic name that can't be a hostname. The queries ask for _acme-challenge which has an underscore in it. Underscores are allowed in DNS but can't be hostnames, which is fine because this isn't a hostname. Your ACME client will need to write to DNS, it can either have a way to write to your actual DNS, or you can use a CNAME to redirect the names you need to another DNS server and give the ACME client control over that. [Edited to fix DNS name mistake]
You can insulate the ACME client from the server completely with either the trick I described in (1) or using DNS like (3) and using a Certificate Signing Request, CSR, which is one of the many ASCII text blobs you can get from OpenSSL. If you're comfortable re-using a private key for longer periods than the 90-days assumed in Let's Encrypt (a 2048-bit RSA key seems safe to me for the usual lifetime of a mailserver) you can even re-use the same CSR again and again to request each new certificate without sending any data from the mail server to the system calling Let's Encrypt.
You will need to arrange to get each new certificate installed (the private keys don't change in this scenario). But certificates are public documents, if it came to it the mail server can (this is very silly but it would actually work) just wait until 24h after the certificate should have been issued and then go get it from https://crt.sh/ -- In reality you can probably find some sensible way to get this public information back to the mail server each time the certificate is renewed.
I worked at a SaaS company that had about 50 sales reps. They were sending emails day and night, eventually getting the main corporate domain flagged. The product's transactional emails (signup, confirmation, etc.) would be flagged as spam, until we moved them to their own domain.
Sometimes when businesses send sensitive documents they use a third party "secure" service, if the realtor's domain isn't configured correctly (common) to allow that third party to masquerade, it would correctly be flagged as spam.
Plus I get actual spam (and even generated blackmail) with personal information in it (inc. old passwords), farmed from one of a dozen service break-ins over the last 20+ years (thanks Adobe, amongst others).
Trust me when i say you can have a 100% flawless email setup in every technical respect (the full works from this article and more) and still end up spam boxed by Gmail approximately 100% of the time.
Conversely, people that Gmail feels are important wont get spamboxed for minor technical reasons either...
Sorry for going off topic but everyone should host their own web site(s) and stop putting their content on other people's platforms.
- It's a hobby and I enjoy it
- It like fiddling around with advanced features, like wildcard addresses, server side filtering (via dovecot-sieve), and other fun stuff. For instance, a friend once was mulling on facebook on detecting tone of email and rejecting ones that were too mean. I made a simple python script that attempted this and had her try it out. It was funny. (See previous point about hobby)
- I figure that being on your own server you're at least slightly less likely to be a victim of a big internal platform hack like twitter's recent one, or state-run ones.
- It feels slightly badass.
I don't recommend it to people who don't want to do it for fun.
* Docker-based e-mail setup, with comments about their experience, like https://github.com/tomav/docker-mailserver (which incidentally IIRC was recently looking for a new maintainer).
* ...ideally that would have one host running SMTP facing the big bad public Internet and therefore minimalistic, and a separate more isolated host that runs the IMAP server. (My current setup does that with, looking for hints but perhaps I have more to share than to learn this time.) -- https://foxcpp.dev/maddy/ mentioned in this conversation may simplify things but with IMAP and SMTP inside one process you'll get a hard time doing this separation, not a good point for security.
* perhaps advanced mail routing like user-selectable option to automatically create mailboxes, per mailing-list and envelope address, although technically we could start another conversation about this. (My current setup does that, looking for hints but perhaps I have more to share than to learn this time. One pain point is many senders generate uninformative List-Id or even change them at each message, even Mozilla for example, making things messy.)
My current setup runs Postfix for SMTP on one host, doing all the rejection of spam and forwards approved messages via LMTP to another machine holds the private mailboxes contents to be served via IMAP by Dovecot. Plus custom recipient delimiter instead of the traditional "+". And all point above except being Dockerized.
I was an early contributor to Sovereign and used it for many years, but I found that we kept adding features to it and it got too large for my liking. Now I use docker-mailserver:
It’s not worth the pain.
Many things on that list are not necessary to get emails accepted by the big players. There are many email servers with bad or outdated configurations that still work. To keep emails flowing to outlook/hotmail/live etc you need to sign up to SNDS and their junk mail reporting program and if you haven't sent emails there regularly enough to maintain a reputation expect to be blocked for no reason. If that happens there are ways to escalate the issue.
The basics you must do is secure your email server. Don't relay email. Have all senders authenticated over secure connection. Web email forms are a bad idea. You don't want to have to recover from being on everyone's block list. If you do any sort of mass mailing you would probably be better off moving it to a specialised email marketing platform. I handle some application related emails myself and you have to be prepared to check delivery problems and follow up. The ones I do are B2B, opt-in, relatively low volume, small number of business email systems who can whitelist and are expecting emails which is just about manageable.
The bare minimum to be a good email sender is to have your mail name, hostname and reverse ip all match up and to advertise SPF. I would recommend also signing with DKIM, advertising a DMARC record as these are very widely checked and not that hard. They generally will give a slight negative spam score although the downside is you get the occasional business that doesn't know how to configure their mail system to work with third party filter (eg mimecast). They may reject emails according to your dmarc policy for correctly recognising that your email has been intercepted and tampered with but usually those sort of mistakes get discovered and fixed. If you use an intermediary like this to validate your emails you have to turn off validation of these things on your own server.
It probably won't be long until MTA-STS is as widely supported by big emailers and used as a reputation signal so it doesn't hurt to set up a sensible cipher suite and a certificate on your server even if you don't care if emails are sent over tls or not. These addons are mainly a hassle because they all rely on dealing with lots of separate services - mail servers, certificate authorities, web servers, dns servers but this is because smtp didn't anticipate the abuses of the modern world.
I have dnssec and DANE as well but it is just for my own amusement like trying to collect all the moons in Mario Odyssey. No big email providers even look at it as far as I know.