Hacker News new | comments | show | ask | jobs | submit login
Ask HN: cheap ways to host your own email server?
53 points by _vya7 on Jan 24, 2014 | hide | past | web | favorite | 52 comments
What are some relatively-cheap ways of hosting your own secure email server that's easy to bring back up in case of power outages or other common reasons for downtime?

This was initially inspired by and posted on the "Gmail is down" thread, but it got drowned out quickly by our collective lack of organization. (Why didn't we just start with a "me too" thread that people could respond to?)




Buy a domain on a service that allows API-based DNS updates.

Put up a RPI at home. postfix + dovecot + roundcube should do the trick.

Add FW forwardings for 80/443/25 (or allow IPv6 to pass through)

Update DNS records every N minutes. (cron, nsupdate, dyndns clients, amazon command line tools....). You will need SPF/DKIM.

The RFC for SMTP says Mail Servers have to retry for 7 days before giving up on mail delivery. This should be plenty for your home server. There are also commercial Mail relay and backup MX services (sometimes even as a free offer for buying domains on website X).

You can backup the SD-Card whenever you want. Your Mail stays at locations you control.

I currently have a root server, but I'm heavily considering "in-housing" those services because of the NSA activities.

EDIT: it's 7 days PS: Some old firewalls block dynamic IPs for mail delivery. I'm not sure how common this is today, especially as SPAM and botnets have evolved a lot.


Do NOT host at home.

For one, this violates every second provider's ToS, if not every single one.

For two, lots of providers block incoming SMTP connections on TCP/25. More importantly, they may start blocking it without notice and you'll have no clue that they did.

For three, you will most likely end up on a RBL (blacklist) in no time solely because you come from a "consumer" IP range.

I mean, hosting at home is technically simple, but in the end it created more problems that it solves. Get a hosted server and use it instead.


1. My ISP send me a router that has a feature to host a internet accessible fileserver. Out-of-the-box. ISPs in germany do not promote home-hosting but they give you devices that do it.

2. Incoming / Outgoing TCP/25 blocking: Not a problem with ISPs in Germany.

3. Blacklisting: At most a problem if you send mails. Plus GMAIL requires SPF/DKIM for just about evey IP, so yes, you are on a blacklist unless you do some DNS magic. BUT once you do the magic it will override IP block - unless the other side has a shitty setup....


Re #3 - it is safe to assume that a shitty setup is a norm rather than an exception. Gmail is the exception. Everyone else just run postfix + rbl_filter and would have none of these modern SPF nonsense.


Not everyone is in the US.


> PS: Some old firewalls block dynamic IPs for mail delivery. I'm not sure how common this is today, especially as SPAM and botnets have evolved a lot.

The problem is not that firewalls block dynamic IPs, but that a lot of mail servers, to deal with spam servers, started accepting mail only from some trusted smarthosts.

So there might be some server that will reject your mails. (I don't honestly know how much SPF makes things better.)

However, your ISP SMTP server will accept mail from its IP range (as they know how to find you if you abuse the service) and will relay mail for you. So probably your best bet is setup outgoing mail to go through it (Internet site with Smarthost, or something like that).

Ah, and don't forget to setup your server for SSL!


Most ISPs block outbound tcp port 25, which is why you'll likely need to setup your ISP's smtp server as a smarthost for a consumer connection.

FWIW running a personal mail server on Linode for 8 years, I've never had a remote mail server refuse acceptance due to my IP address not being on some protocartel whitelist.

I have had a few annoying false positives from Mailavenger, but clearly that's not my config that's broken :>


s/most/some/

If an ISP blocks port 25 then it means they'll have a bunch of support calls from people who's email client doesn't send email because SMTP is blocked. So, in my experience not many ISPs do that anymore. Besides it isn't actually an effective way to stop spam.


Well I currently see both Sonic.net and Verizon blocking outbound tcp/25, which is the extent of my limited sample. According to RFC4409, mail submission is supposed to be done on tcp/587 these days. And no matter how effective at actually stopping spam in general, I suspect tcp/25 is blocked out of a desire to not end up on IP blacklists due to botnetted customers.


If you're okay having your outgoing mail go through another hop, something like mailgun.com has a free plan if you send less than 10k emails per month.


I think a lot of IP blocks show up in blacklists just by virtue of belonging to cable companies.


I've been running my mail server from my home for months. There is one block list that my IP range is on due to the nature of it running from my home. But, I tested with the big free providers and haven't found a single email provider that blocks me as a result.


You might try Sovereign: https://github.com/al3x/sovereign

A large dollop of group experience wrapped up in Ansible recipes for your cheap VPS.


Nice, but using a VPS kind of defeats most of the point of self-hosting.

There is still a third party that can give away your data, block your service and delete your emails pushing a virtual button.


IMHO, it's a good first step. First cloud hardware, next own hardware + dynDNS[1].

[1] http://minireference.com/blog/a-scriptable-future-for-the-we...


Launch a Docker container and use its private-namespaced address as the host for the script...


For future reference (it's not ready yet):

https://www.mailpile.is/

(Features--privacy, encryption--are supposed to satisfy the most discerning HN reader.)


Go to work for an ISP. My mail server doesn't cost me anything. =)

On a serious note, I've considered publishing the kickstart + deploy scripts I use for setting up mail servers. I'd have to do a bit of clean-up but I think it would be useful for a lot of people. I'll try to get to that in the very near future.


Yes plz do that when you have a chance. There are some good HOWTOs out there, but it is always good to see more examples.


I use a managed cPanel host and setup "catch-all" email addresses on my domains to forward to my gmail account. In the event of an outage or Google deciding to delete my gmail account I could change the forwarder or simply begin to use cPanel's built in mail clients. Having your email hosted at your own domain is one of the easiest things to do to gain control over something you normally let somebody else manage.

As to running your own email server? Don't bother. Unless you plan to stay on top of exploits, DKIM keys and SPF records you'll wind up with serious mail delivery problems.


I've run my own mail server for many years, and delivery problems are very, very rare.

DKIM & SPF are marginally useful (at best) for ensuring delivery. You're much better off registering your server with http://www.dnswl.org/


DKIM and SPF are not that hard to set up. And it's a low enough barrier for entry considering that's all we have to stop spammers.

Edit: not sure about SenderID, to be honest.


When was the last time anyone had to patch their qmail instance? When was the last time qmail even needed to be patched?


qmail was once a great piece of software. Then it stopped being maintained, and it lived in a licensing no-man's land for quite a while that effectively prevented new maintainers and viable forks from existing.

It's no longer current technology and fails to comply with RFC changes that have happened since it was released, including but not limited to 6522, which standardizes bounce messages.

It still does very well at the job it was originally designed to do, but it's no longer a modern, usable tool. It doesn't belong in the modern email toolbox any longer.


Where do people get these misguided notions about email? You don't need dkim or spf at all, few people check either, and they are just to prevent backscatter. Running your own mail server is trivially easy.


Sorry but that's not true at all. DKIM keys, spf records and gmail: https://support.google.com/mail/answer/81126?hl=en

Recent Exim exploit: http://www.exploit-db.com/exploits/25970/

Dovecot exploit: https://www.rapid7.com/db/modules/exploit/linux/smtp/exim4_d...

I found a few Sendmail exploits as well but nothing from this year. Sure this stuff is easy to install but there is a reason managed email exists.


That "Exim exploit"-link is a little misleading -- that's not a bug in the software, but in (third party) documentation:

https://www.redteam-pentesting.de/de/advisories/rt-sa-2013-0...

By that metric all software on your servers are insecure (consider the number of "just do: 'wget http://trollol.com/pwn.sh|sudo bash -'"-type advice you find looking at install-instruction for random github projects).


If you are going to say "that's not true at all" you need to present an argument for why I am wrong. You posted something completely irrelevant, and a couple of exploits. There are security vulnerabilities found in all kinds of software, so what?


Can you point to a trivially easy set of instructions please? ;-)


And to some document giving confidence that it wouldn't be dangerously insecure or vulnerable to common threats?



apt-get install postfix openldap dovecot

I really don't know what the deal is with email, but since the mid 90s there's been this weird thing where everyone wants to follow some kind of step by step guide. But it is just simple software like anything else. If you can setup a webserver or a database server or anything else you can setup a mail server.


I found the guide "A Hacker's Replacement for Gmail" [1] extremely helpful in setting up my own email server. I run mine on a VPS which still makes me liable to 3rd party screw-ups or snooping, but it's a nice compromise between a massive service like Gmail and running a home server behind Dynamic DNS.

[1] http://dbpmail.net/essays/2013-06-29-hackers-replacement-for...


I wrote up a post [1] about running my own mail server a few months ago. I ran into issues with my emails being rejected by certain ISPs (AOL for instance) even though I (supposedly) had set up SPF and DKIM. Ended up moving to Outlook.com using my domain. Hope you have better luck!

[1] http://farhan.org/running-my-own-mail-server.html


What is the point of self-hosting if you send all your email through a 3rd party?


They only have your outbound mail (which admittedly may include quotes from inbound mail), and are (ostensibly) not storing it long-term.

I've been running a split setup like this for a year or two. I found that my free-with-apartment internet connection, amazingly, gave a fairly static IP (it was DHCP but usually the same) and unfirewalled inbound ports, so I set up a mailserver for inbound mail and IMAP storage. I figured the IP might be on anti-spam blacklists, firewalled on port 25, or shut down if the ISP saw me mailing out, so I sent outbound mail through Dreamhost. It was nice to have the full copy of my mail in my house, with backups and spam filtering under my control. Sending outbound through a 3rd party wasn't ideal, but I thought a decent compromise to avoid having to talk to the ISP and risk the free public IP being taken away (I wouldn't have even known who to contact anyway.)

As a bonus, I set the Dreamhost mail server as a backup MX with the same email address I host myself, so they catch mail for me if my server or connection goes down.

I now have official "small business" ISP service that includes several public IPs, so I am transitioning to sending my own mail, now that it's definitely kosher and I'll have support.


Doubtful that anything you do yourself, especially "relatively-cheap" is going to have better uptime and less hassle than gmail (or other major provider), despite today's brief outage.


I would love to see some instructions to deploy something on a custom server or VPS.

I'm currently using NameCheap's e-mail service because setting up the software was too complicated.


I loved this [0] guide. You may not need the encrypted partition part of it so you can leave it out but I've followed it multiple times, all successfully.

[0] http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-ho...


I mentioned the other day that I'd been thinking of writing a HOWTO for setting up a VPS as a mail server. Now I don't have to; your link is quite close to what I'd have written -- same VPS host, same SMTP and IMAP servers, very similar configurations -- except much better written, and also useful for people who care about at-rest encryption the way I don't. (I also do TLS via stunnel instead of natively in postfix and dovecot, for reasons I no longer remember, but it works quite well so I haven't bothered changing it.)

Thanks for linking this! I'm planning on rebuilding my mail host pretty soon, since most of it's been untouched for almost a decade and I'm a much better sysadmin now than I used to be; that's not least evident in how I didn't bother to document anything the first time around, so having this HOWTO handy will save me a lot of time.

(Edit on further reading: I tried Z-push, but the version I tried didn't support message flags, which I require; push also annoyed me and sucked more battery life than it was worth, so I disabled it and got rid of Z-push. And I don't see the need for Solr; Dovecot, I'm not sure what version but I set it up something like five years ago, gives me full-text message search for free.)


Try something like iRedmail: http://www.iredmail.org


It would be great if there was some PaaS-type mail service provider. I'd like to get away from hosting it with a single VPS, and running multiple VPSes for redundancy seems frustratingly expensive for such low-intensity load like a personal email server.

Ideally, I'd sign up with one or two services and have each listed as an MX for my domain so there's always some service online to take the email. I can write my own app to hit both services and unify the two streams.


That sounds pretty cool actually. Assuming two servers had equal weight in MX records, such that mail had a 50/50 chance of going to either, you could unify it via fetchmail, or similar, if you polled both backends directly.

Usually it is a pain if you have mail going to more than one host - ie. no shared storage amongst all the hosts that receive mails, but if you were looking for redundancy and didn't mind the "manual fixup" this would be almost trivial to setup with 2+ VPS from different providers.


Mailgun's api allows you to send and receive email using your own domain - I really like it, and it's free while your volumes are down.


It's a funny coincidence that this happened today as just yesterday I created a personal email for my custom domain with Zoho[0]. While not quite the same as having your own mail server it is nice to have at least one email not on Gmail.

0 - https://personal.zoho.com


use Virtualmin (http://www.virtualmin.com/), it will configure postfix/smtp, dovecot/imap, dns & web hosting.

Its abit like cPanel & Plesk, but you don't need to use the control panel if you know what you are doing.


Would anyone be interested if we did offer an alternative to Gmail? I've been noticing more and more of my friends wanting to move to something new, but not having better alternatives to move to.


My cheap solution a few years ago was:

1 year micro EC2 instance. This runs bind and dovecot/postfix. This could probably be done even cheaper with a home hosted RPI, but depends on your ISP's smtp relay rules.

free gTLD from dot.tk

done!


My Synology NAS comes with a relatively easy to setup mail server. I wouldn't call it cheap, as a mail server alone; but all of the other functionality has made it well worth the price.


Just get a digital ocean VPS for 5 bucks and configure it.


Yeah, that or you can get an EC2 micro instance free for a year on AWS.


dovecot+postfix is all that is to it, but to ensure it doesn't land in spam you'll have to do a bunch of things (like contacting your ISP) http://www.codinghorror.com/blog/2010/04/so-youd-like-to-sen...




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: