Personally, I think the use of proof-of-work-like methods can mitigate the problem to a large extent, making it computationally expensive to spam users. This was one of the original goals of what has now become the "blockchain" revolution. Is anyone aware of any projects that are still implementing similar (open) systems?
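An added illustration of the proof-of-work idea raised in the comment above (not code from the thread or from any project named in it): a stamp modelled on Hashcash's version 1 layout costs the sender roughly 2**bits SHA-1 calls to mint, while the receiver verifies it with a single hash plus recipient, freshness and replay checks. The function names, the example.org address and the two-day freshness window are assumptions.

```python
import hashlib
import itertools
import secrets
from datetime import date, datetime, timedelta


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(recipient: str, bits: int, day: date) -> str:
    """Sender: brute-force a counter (about 2**bits SHA-1 calls on average)."""
    prefix = f"1:{bits}:{day:%y%m%d}:{recipient}::{secrets.token_hex(8)}:"
    for counter in itertools.count():
        stamp = f"{prefix}{counter:x}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp


def verify(stamp, recipient, min_bits, today, seen, max_age_days=2) -> bool:
    """Receiver: a single hash plus policy checks; `seen` stores spent stamps."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False
    try:
        bits = int(parts[1])
        stamp_day = datetime.strptime(parts[2], "%y%m%d").date()
    except ValueError:
        return False
    if parts[3] != recipient or bits < min_bits:
        return False  # minted for someone else, or too cheap
    if abs(today - stamp_day) > timedelta(days=max_age_days):
        return False  # stale or post-dated
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False  # the claimed work was not actually done
    if stamp in seen:
        return False  # replayed stamp
    seen.add(stamp)
    return True


if __name__ == "__main__":
    day = date(2021, 12, 25)  # constructed sample date
    spent = set()
    stamp = mint("alice@example.org", 16, day)  # constructed recipient
    print(stamp, verify(stamp, "alice@example.org", 16, day, spent))
    print("replay accepted:", verify(stamp, "alice@example.org", 16, day, spent))
```

Binding the stamp to one recipient and one date is what makes the cost scale with the number of messages: a stamp cannot be reused for a second address or replayed later.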
> When you need to explain to people why they can't send you that 100 MB video attachment which they sent to other people just fine but only your address is bouncing and why don't you fix your email already.
The maximum attachment size for Gmail is still a conservative 25 MB and they basically dictate what is currently to be expected in terms of attachments going through.
According to this page the incoming limit "depends on several factors" and can be as high as 150MB.
EDIT:
> When someone decides to run a persistent brute force attack from a botnet, eating up 100% of your CPU and you have no meaningful ways to block it.
postscreen? http://www.postfix.org/POSTSCREEN_README.html
BTW, there is so much FUD in your comment, check http://www.postfix.org/ before claiming "someone will hack your email"
""" First of all, thank you for your interest in the Postfix project.
What is Postfix? It is Wietse Venema's mail server that started life at IBM research as an alternative to the widely-used Sendmail program. Now at Google, Wietse continues to support Postfix.
Postfix attempts to be fast, easy to administer, and secure. """
When I was in my twenties, I would have empathized with your point. I used to host my own web servers, but back then, my main priorities were curiosity, privacy and independence.
Not just that, I opened accounts for friends and family.
A decade later, I made all my hosting someone else's problem, because I had different priorities.
There's nothing like the sound of a friend shouting in your ear because he trusted you with his mail address and he's running into weird errors. Or trying to get an important email delivered after a 10h crunch shift when you just want to bring your kids to bed instead.
I'm thankful for all those learnings, but nowadays, I'm old enough to just want mail to frickin work, that's why Google does it for me on a custom domain.
If other email providers are blocking you, smarthost through an email provider.
If you're getting brute forced, learn how to set up and run blocklistd or fail2ban.
Not getting 100 meg attachments is an issue that other email providers have, not people who run their own servers. If your server doesn't have any free disk space, that's on you. If it does, then set confMAX_MESSAGE_SIZE to whatever you want.
If by "standard X" you're talking about SPF or DKIM, there are lots of tutorials.
If your email software is vulnerable because of issues with your distro, you're doing things wrong.
The point is if you can't, don't. If you don't want to think about issues like these, then you shouldn't be running servers, anyway, so you're definitely not the target audience.
If you can, then these things aren't issues.
What about updating OS/packages/CVE when on holiday? Note that many CVEs are usually sent only to top-tier providers.
As a sidenote: The two RCEs this year were enough for me to judge the quality of this software.
If a whois entry of the attacker's IP/domain can RCE your intrusion blocking software, I mean...really?
Can someone please explain what this means?
If you're really properly securing your mail server, it would likely be isolated behind a firewall and only have a LAN IP of some kind and utilize UUCP for transport to another LAN machine that does not have WAN access, and then, only allow POP3/IMAP access to machines in the LAN or connected to the LAN via VPN tunnel. Finally, you would want to set up a backup system of some kind for this machine to periodically back up via rsync when the inotify/fswatch file modification triggers.
Next, you'd have a separate SMTP machine. For things like critical deliverability, you can't rely on SMTP to 'retry' albeit it's how they are supposed to act, so it would make sense to have multiple SMTP machines across multiple different backbones in different physical locations with backup power and the like with different MX priorities set.
The initial configuration and running a mail server are incredibly easy.
It's running it securely that increases the difficulty by an order of magnitude (because you essentially have to set up a proper security protocol across multiple machines (a network) - defense in depth).
That said, it's easily doable if you're already running complex infrastructure. Hopefully, you're getting paid for your time and costs for doing so.
If not, then I hope you need to rely upon the protection of needing a home-invasion warrant vs a simple-subpoena since a machine at your home can't really just be 'subpoenaed' while a machine at some datacenter business can. This of course assumes you're even running the machine at home because if you're doing all this on some VM the value of doing so diminishes ever so quickly.
EDIT: Just to be clear, you can't simply rely on fail2ban and some other on-machine script / snort / daemon / kernel feature to protect you. There are bugs in software/systems and 0days are very real (as well as the market places for them).
Yes, if you choose to run a service it will need to be maintained, and occasional issues will come up.
If my custom media server or private photo site setup fails, it is not a big deal. But if I can’t log in to a shopping site or my family can’t check in to a flight because the two-factor auth email disappeared into thin air, I am the “horrible IT person” who spoiled Christmas - end of story.
1. I have tested both sides running their own SMTP on a small, i.e., less than 100, peer-to-peer overlay network and it works. "OTT email". Interesting question for the reader is how does spam enter this system. If the spammer is not a peer on the network, then they cannot send mail to the other peers.
If only one side runs their own SMTP, that only solves one side of the equation. Almost every HN discussion of user-controlled e-mail focuses only on users controlling one side, while ignoring the other and leaving it to third parties. That can still have benefits such as not storing mail with a third party, but obviously only focusing on one side, e.g., the receiving side, will fall short of true "user-controlled e-mail".
User-controlled e-mail is a solvable problem for most users, i.e., those whose contacts in a given context, e.g., personal, school, or work, are under 100. User-controlled e-mail is an unsolvable problem for people who want to send e-mail to 100s of people, e.g., people they do not know, or people who want to receive e-mail from any random person/organisation, treating their address like a phone number on a bathroom wall. Maybe, for most users, that is actually a good thing. (Given the attitudes toward "spam", it appears most users generally do not appreciate unsolicited mail.) There could be separate systems for unsolicited mail. We already have such systems in place.
I was thinking of stopping to use gmail and hotmail, and run my own webmail client on a droplet. I don't like the idea of all my documents being tracked. Is there anything that competes with them that I could deploy?
Initial setup of my mail server and related bits took a few days. Ongoing maintenance over the years? None, basically.
No it isn't and no you didn't.
The article doesn't even cover basic stuff like email rules and spam filtering (incl. tuning and spam learning). It doesn't "look after itself" like the author wanted (article doesn't mention any update strategy). The author acknowledges that email servers are "open to attack" but this setup doesn't seem to include any security improvements over traditional setups. In fact, maintaining this looks harder due to the amount of custom scripts and lack of good documentation.
And of course it doesn't cover any of the things that actually make Gmail special like labels, having a consistent set of apps for web and mobile, push notifications (esp. on iOS), really good spam filtering, really good search (incl. OCR for attachments), high availability, image proxying, smart suggestions, datacenter security, Google doing code and infrastructure audits all the time, using reproducible builds, ...
It's great that the author is experimenting and learning, but if I had any private data hosted by the author, I would be worried now.
Merry Christmas to you as well.
Such negativity for just showing something I knocked up in half an hour. - something that I thought might be helpful, with experiences on how to make it more Gmail like.
Attacking the writing is fine, but insinuating my custody of private data is at question is pretty shitty
GP's feedback is direct but quite right imo. I trust the author had only the best intentions in mind in "knocking something out in half an hour" and sharing it, but good privacy and security engineering probably requires much more time. Quite frankly, the wording of the article can be insulting even to folks who have been working on that problem professionally for several years.
Were it presented differently, it would get different feedback I'm sure. More like "hey HN, I made the first three steps, what would be next?" -- i.e. efforts towards trying to understand the problem better.
What you did is a basic setup which was covered in O'Reilly's TCP/IP book back in 1996. The world has changed since.
Please learn from the community here.
I hate labels.
At $WORK we use Gmail and I get a lot of automated stuff (cron, etc). I want these types of message to go into folders. I don't want it in my "all" / archive area because they just clutter up searching for other things.
Perhaps labels work for other people / general public, but for me 'traditional' folders is how things work best.
Seriously! gmail labels are a very poor mis-implementation of folders that just make a mess of sorting email.
[1] - http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html [No HTTPS, Sorry]
I mean gmail has the most limited frustrating filtering (lack thereof) rules of any email system I've used. Any self-hosted solution will be infinitely better.
> Gmail special like labels
How is that special?
Also, gmail spam filtering is not very good. You know how every business has that "check your spam folder" bit? Because gmail is so terrible about it. It is easy to do much better with a self-hosted solution, put an end to the false positives of gmail.
Seems that you like gmail, but in my experience it's one of the worst mainstream email implementations ever. Doing better is a trivial bar.
Contrast that with every corporate email spam filter I've ever been subject to, which vary from "shit" to "OK", and Gmail is completely in another league.
EDIT: go check it out :-) https://www.rainloop.net/
EDIT 2: I don't understand why other comments are so aggressive against the author for sharing how he runs his own mail server, I'm not sure if it comes from one's frustration, failures, unreasonable expectations about email, but I noticed that everything related to servers or email receives this hate (here on HN, eh?). Come on, let's start a new year where we appreciate someone sharing their experience in running a mail server :-)
Happy Holidays!
The author has been running his own mail server for less than half a week.
There's no suggestion in the post that his setup is robust or 'Gmail-like', as claimed in the title.
If they don’t like it, stay with Gmail, I don’t care. I would just rather live in a world where the internet isn’t controlled by 2 or 3 big companies. Hacking a server for email and making it work like gmail was the aim, and I did it in less than an hour. Some people on here are pissed that I didn’t consider every eventuality, and filtering, and spam and this and that. Fine, but attacks on me as a person reflect more on who you are as a person.
If you don’t like how I wrote or set up the server, do one and make one yourself - or just stay with Gmail.
I don't understand why so much frustration is coming against owning your own stuff.
It was more annoying to set up DNS than the mailserver itself, is there a good way to automate that as well?
[0] https://gitlab.com/simple-nixos-mailserver/nixos-mailserver
[1] https://www.mail-tester.com/
[2] https://github.com/siraben/dotfiles/blob/master/server/mails...
siraben.dev doesn't seem to be registered anywhere so I don't know if there's one for your provider.
Like some other commenters here the point is mostly to learn and have something semi-useful at the same time (I've had some pleasant exchanges over my own email already.)
[0] https://utcc.utoronto.ca/~cks/space/blog/sysadmin/EmailServe...
Source: https://docs.digitalocean.com/support/why-is-smtp-blocked/
An issue I have experienced is that one email provider (who provides a white label service so that small regional ISPs can include a free email account to their customers) has blocked anything coming from DO's IP block. Ultimately my solution is to route those emails (and only those emails) through mailgun.com. The other 99.9% of my outbound email gets delivered directly to the final email server with no issues.
Me. It is my consistent experience that traffic from DO's netblock rarely (actually never IRL) brings good tidings.
I don't know what those accounts are but you shouldn't make statements that are only partially true.
Exchange ActiveSync, multi domain + multi aliases with catchalls, (temporary) aliases, mail delivery rules, TLS requirements, you name it, all configurable in the web UI. There's even a built in DNS checking tool to verify that all the necessary records are set up right.
I would think, if anything, that what Gmail has that typical email servers do not is somewhat decent webmail, but that can't be it because webmail isn't even mentioned.
Or is this another one of those instances where people use "Linux" to refer to all things Unix? I genuinely would like to know.
https://support.apple.com/guide/icloud/add-a-custom-domain-m...
Since I am in the middle of moving to another city to study at university, I decided to abandon my mail server and migrate to iCloud... so now I am moving every one of my service@domain.tld addresses to prefix+service@domain.tld (a tagging system that doesn't parse properly on some sites). It's no fun, but at least I'll no longer have to worry about whether my server is on fire, as it's now Apple's issue.
For the majority of people, the best middle ground is to buy a cheap domain and a cheap cPanel/web hosting and just use that to host emails. You'll be done in 5 min, it will cost you a cup of coffee and you won't have the headache of maintaining anything other than passwords.
Curious, what are those in your opinion?
I ended up throwing in the towel with Hey mail, and have really found love for email again.
They see [for lack of a better word] infinite times more spam and ham than you'll ever be able to train your little Spam Assassin database, and millions of users to sort through it.
Email without spam control is not a pleasant experience.
Well I certainly do, more effectively. I don't do anything special, it's just that gmail isn't that good.
gmail gets a ton of false positives and to add insult to injury they also let spam through occasionally.
My self-hosted infrastructure lets spam through at about the same rate as gmail, but my false-positive rate is orders of magnitude superior.
I'm not sure what a Gmail server is. I was expecting this to include a web ui, admin ui, and the things that actually make Gmail hard to move away from. The docker-mailserver container doesn't seem to include something like that or am I just not seeing it?
The killer feature for Gmail has always been the spam protection and the fact that the emails I sent actually get delivered.
edit: does the described setup include a UI at all?
- https://github.com/modoboa/modoboa
are better replacements. They are batteries-included, with a web UI.
I've been using mailinabox for years now, and it is really good in the sense that it gets out of my way.
I've included it in my ansible setup, so the basis, distro, os updates, firewalls, backups are consistent with my other servers.
That took some effort: mailinabox is opinionated (and that is good. It is the main reason it works well and is secure), which can be a bit confronting if your opinions are very different.
^: uptimerobot.com specifically doesn't warn you if your site works but is using an expired certificate, be careful there
I might get things wrong, so be it - I’ll use it to learn and be better next time.
[1] https://jschumacher.info/2021/05/running-a-private-mail-serv...
Many of us run our own small email servers quite successfully, even in 2021. Every time there's a post about it on HN, all these commenters come forward to say it's a fool's errand, that it's nearly impossible, nobody should try it, anybody who says it's a good idea is a lying idiot, etc.
Sure, it's not for everyone and there are pitfalls that require effort and sometimes creative solutions to overcome. We should celebrate these projects like we do with other similarly challenging projects that get posted.