
First thought: oh, huh, a self-hosted CVE generator.

In seriousness, installing Roundcube on my own server circa 2006 was the cause of the first and only time I’ve had a server hacked. It’s probably improved since then or it wouldn’t still be around, but it put me off ever hosting my own email. The risks only get worse the further away you get from personal/hobby use.




I've used https://mailu.io. It works well, but your biggest problem is going to be getting over the spam filter hurdles of the email giants of the world. Even if everything is properly configured (including dkim / spf / whatever else they've added) your messages will get plopped in the spam folder.


My experience is that the "quality" of the mail server’s IP really matters. The worst experience I got was with DigitalOcean. A lot of providers just don’t accept email from their IP ranges. Some of them just completely block all DO IPs on router level, and refuse unblocking.

For my current server I had to switch IPs a few times, until I got one that was not blocked by any of the major providers. Unblocking a once blacklisted IP seems to be practically impossible.

And hotmail or outlook.com just mark a lot of email as spam. I see it now as a problem of the recipients. Office365 just accepts the same emails, it seems to be a strategy of the free mail providers, to give their non-paying customers a worse experience.


We got a /24 at our data center and the reputation was, unfortunately, poor. I went through all of the public reputation lists and asked to be removed. It took about three months of incremental effort, but the reputation for the entire /24 is clean now.

This is with a "real" mail server, and not mailu.io, but the idea is the same.


I just went to my cloud provider of my choosing and started to add floating IPs. After a few tries I got a good one. I went through the unblocking process once, and I decided not to do it again. Especially Microsoft gave me a hard time, they started to request documents and then let me wait a few weeks until they replied: we don’t unblock, and we don’t tell you why.


Consider yourself lucky you even got a response.

My IP is sparkling clean for many years now, dkim/spf etc, but gets blocked on any MS mail server. Tried appealing and heard nothing whatsoever.


Is it possible that Microsoft distrusts your IP range? Some providers are known not to be very responsive to abuse reports. And then whole IP ranges get (soft) blacklisted, and individual IPs can’t be unblocked, without having a very strong case.


This will hopefully help recover DigitalOcean's IP space reputation for good actors: https://www.digitalocean.com/blog/smtp-restricted-by-default but it's going to take a while.


>getting over the spam filter hurdles of the email giants of the world

You mean global monopolies, for which there is no legislation. Ergo the US Govt is holding the rest of the world hostage via its tech companies.


>>First thought: oh, huh, a self-hosted CVE generator.

Haha, same. I've run my own mail servers, got the T-shirt, and don't want to have to do it again. Point your domain to one of a bazillion email services instead.


There are also basic forms of protection you should put in front of everything you make public, in order to reduce the attack surface. Firewall that blocks everything by default, strip all headers unless you veto them manually, aggressive rate-limiting you increase the limit only for specific IPs and so on.

Putting up any type of software on an unprotected server even in 2006 is begging for trouble.


Define “unprotected”. The particular server had a firewall and fail2ban along with other measures. But Roundcube is a webmail service, so you’re leaving 443 open in any case. No amount of firewalls or rate limiting will help you if the thing you’re running is a web service that turns out to have a SQL injection vulnerability in one of its endpoints.

Email servers in particular are going to be under attack all day long just from normal email activity, and that’s before you throw in any kind of web interface. It can be a big help to point your MX records at some other filtering service, but at that point why are you bothering hosting your own?


I use http basic auth in front of every https internet exposed service.

The services may have their own auth system on top of that, but htpasswd in front solves the vast majority of problems. Can’t exploit an SQL injection vulnerability if you can’t reach the endpoint in the first place.

I’m less concerned about apache2 and nginx http basic auth vulnerabilities. They’ll get fixed much quicker than random webapps.

Anything else goes behind a VPN.
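
An added example (not the commenter's own configuration) of the layering described in the comment above: nginx terminating TLS and requiring HTTP basic auth before any request reaches a webmail backend. The hostname, certificate paths, htpasswd path, zone name and backend port are placeholders assumed for illustration.

```nginx
# Added illustration; hostname, paths, zone name and ports are placeholders.
# limit_req_zone must sit in the http {} context.
limit_req_zone $binary_remote_addr zone=webmail_edge:10m rate=5r/s;

server {
    listen 80;
    server_name webmail.example.org;
    # Basic-auth credentials are sent on every request, so never
    # accept them over cleartext HTTP.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name webmail.example.org;

    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;

    location / {
        # Throttle per client IP before the request is authenticated.
        limit_req zone=webmail_edge burst=20 nodelay;
        limit_req_status 429;

        # First gate: unauthenticated clients get a 401 from nginx and
        # never reach the application's own endpoints.
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/webmail.htpasswd;

        # An empty value drops the header, so the proxy-level
        # credentials are not forwarded to the application.
        proxy_set_header Authorization "";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;

        # The backend listens on loopback only; if it were reachable on
        # a public interface, the gate above could be bypassed.
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Rejected attempts show up as 401 responses in the nginx access log, which is the signal a fail2ban jail or an alert rule would key on.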


Why not VPN for the https services?


That's what I do. Mailcow on an isolated machine, 25/587 open on firewall port forwarding to it, the rest of the various services it offers are only accessible via my home network (https, imaps, there's probably more). Then, I am always on my home network.

I started out with a different variation of this that was the same, except instead of using my (thankfully static) home IP in my MX record, I got some cheap hetzner/lightsail/whatever, then routed the incoming 25/587 across a 2 node wg network to the real mail server. It worked fine but ultimately I decided I'd rather expose my real IP in the MX record than pay $5/mo not to.

Of course, the secret to making this work without tearing my hair out is that my outgoing mail server only delivers mail to the relay I pay to deliver my mail to the 3 or 4 corporate behemoths who have taken over a once great decentralized service. I have no interest in tending to my deliverability or making appeals to Microsoft or whoever. Also at a personal mail volume with 0 transactional mail, it's very inexpensive.


Some https services are vpn only.

Some https services are internet exposed with http basic auth as a first line auth requirement. Some services are available to friends, or I want access to from devices I can’t VPN from.


Not OP, but for me I reverse proxy things behind public IPs in an effort to trade a little bit of security and digital footprint for a lot of ease.


Funnily enough Roundcube isn't even one of the mail protocols. It's software connecting to the mail servers via a GUI over HTTP(S).

You don't have to give the entire world access to your web server. You could even use something like AuthPF to allow yourself to access it. Or a VPN like Wireguard. I do the latter now, but I used to do the former. Although back then I just used Mutt over SSH usually. Way faster than the web software I ran back then (probably Apache with Horde). What remains is all the stuff required for sending and receiving email. SMTP, IMAP, and the stuff to deal with spam (some kind of tarpitting as well as SPF/DKIM). In fact even the IMAP server could run behind Wireguard. So it's only SMTPd and SPF/DKIM. There are some very secure SMTPd written, with great track records. Back in the days I ran Qmail with Courier-IMAP but I don't think SPF and DKIM existed back then.


I’ve been hosting mail servers for over a decade now. They are all very low frequency, so probably not a lot of attackers find them. I try to enable as many automatic updates as possible, because I don’t operate them professionally. Just every few months I check if all updates are installed, and if there is something wrong. So far I only had two hacked accounts (probably the users got phished or used compromised public PCs while logging in to webmail - the country of the attacker was the same where they were on holiday).

So far no break-ins that I noticed. But it is for sure possible that somebody broke in without me noticing (and did nothing worth noticing).


Hm. Been running mailinabox since 2012 or so, no issues. I like the idea of consolidating executables a bit and simplifying the system, so I'll have a look at poste.io.


Roundcube is a lot better. 2006 was a long time ago. It is a very good option for a webmail service if you're self-hosting.



