Selfhosted Email by Maddy on Oracle Cloud | Better HN

Selfhosted Email by Maddy on Oracle Cloud | Better HN

47 comments

teddyh2y ago

> And the finally ~all means if the sender connect fullfill the rule of SPF, the email delivered should be move to trash.

No it doesn’t. “-all” would mean that. What “~all” means is that it merely suggests that the mail might be invalid.

Or, to quote RFC 7208:

A "softfail" result ought to be treated as somewhere between "fail" and "neutral"/"none". The ADMD believes the host is not authorized but is not willing to make a strong policy statement. Receiving software SHOULD NOT reject the message based solely on this result, but MAY subject the message to closer scrutiny than normal.

The ADMD wants to discourage the use of this host and thus desires limited feedback when a "softfail" result occurs. For example, the recipient's MUA could highlight the "softfail" status, or the receiving MTA could give the sender a message using greylisting [RFC6647], with a note the first time the message is received, but accept it on a later attempt based on receiver policy.

teddyh2y ago

> apt-get install gcc libc6-dev make

Note: There’s an easier, more canonical way to do that:

  apt install build-essential

teddyh2y ago

> If you need a web interface, you may be intrested in Roundcube or Squirrelmail.

I thought RainLoop was the new hot thing. (<https://www.rainloop.net/>)

rascul2y ago

I understand Squirrelmail to be basically dead for over a decade.

teddyh2y ago

It was removed from Debian in 2016. But there seems to be some recent activity: <https://squirrelmail.org/>, <https://sourceforge.net/projects/squirrelmail/>

teddyh2y ago

Mentions, but does not cover, DANE and TLSA. It does cover the stupider alternative, MTA-STS, which is basically DANE for people who are politically against DNSSEC.

xyzzy_plugh2y ago

I don't know, I find that most people are against DNSSEC for non-political reasons. Did Chrome drop support for political reasons? No.

Covering MTA-STS is practical. The fact they do so wins them points towards having built something that works in the real world.

teddyh2y ago

Chrome has no business “supporting” DNSSEC in the first place; it should all be handled by the operating system and the resolver. So I don’t think this is a point against DNSSEC.

My guess is that people are against DNSSEC because it’s difficult. You know how people are saying “It’s always DNS”? People hate dealing with DNS, because they don’t understand it. And DNSSEC is then another dimension of difficulty on top of that. But DANE is clearly the technically better solution. I mean, MTA-STS requires a file to be served from an HTTP server to even work. So now you need an HTTP server in addition to your SMTP server!

In any case, you should not, probably, deal with DNSSEC yourself! Note how the article does not cover running your own DNS server, but instead vaguely talks about editing DNS records. And if you have your DNS hosted by somebody else, DNSSEC is their problem. And once you have DNSSEC provided for you, you can use DANE and TLSA records without issue, without having to host an HTTP server for MTA-STS.

uncletOP2y ago

I would like to add the DANE and TLSA part. However, I do not understand how it works currently.

teddyh2y ago

If someone wants to send e-mail to user@example.net, they first look up the MX records of example.net. Say, for example, that the MX record for example.net contains the mail server “mailserver.example.com”. (Note the different domain name.) The e-mail sender then looks up the TLSA records of the DNS name “_25._tcp.mailserver.example.com”. The TLSA records contain hashes of keys. The communication to the mail server must support TLS, and must use one of the keys which are listed by the TLSA records, otherwise the communication is regarded as insecure or under attack, and is considered to have failed, similar to if a server cannot be reached.

Also, for DANE to work, both the MX lookup and the TLSA lookups must support DNSSEC! Note well that this means that, in this example, both the domains “example.net” and “example.com” must be signed by DNSSEC for DANE to work.

One wrinkle is that if you use ACME to renew your certificates, you have to add a step in your process so that every time a new certificate is generated, the TLSA records in the DNS are also updated. Note also that DNS TTL values make it so that you should not use a new certificate until it’s guaranteed that everybody has had a chance to see the new TLSA record corresponting to that certificate in the DNS. The normal method for dealing with this is to always have two TLSA records, one for the certificate which you are using, and one for a new certificate which you are not using yet, and make sure that the times are set so that you don’t use the new certificate until the TTL has expired for the resource record set which did not have the TLSA record for that new certificate.

EDIT: Actually, read the response from user “mjl-”; it has more detail, and is obviously from a person which has more practical experience.

mjl-2y ago

First, DANE requires that your DNS is protected with DNSSEC. Your MX records need to be DNSSEC-protected because otherwise any attacker that can give a sender fake MX records can cause an email message to be delivered to a mail server of their choice. The IP lookups to connect to your MX host needs to be DNSSEC-protected, and your TLSA records need to be DNSSEC-protected. For self-hosters, this is usually all the same domain.

Second, your MX host needs DNS records of type TLSA that specify the public keys that are in your TLS certificates that your MX host (mail server) offers during STARTTLS. This is the most common mode for DANE, called DANE-EE (EE = end entity). In this mode, only the public key of the certificate matters. Expiration, hostname match, issuing party of certificates: all ignored. If your MX target is mx.example.com, the TLSA record(s) must be under: _25._tcp.mx.example.com. They will look like this:

3 1 1 5c046ff012891b5f0d6176024c5c25ff486a7c12b8000fdf8b418ab3ecf6d309

3 1 1 cec87fb33d2a7499ca78e824e59b77531ac1fdec7378fc81fce7e5d213a364ab

In these records, "3 1 1" means:

Usage "dane-ee" (3), Selector "spki" (1), Matchtype "sha2-256" (1)

Where spki means "subject public key info", i.e. only the public key matters. So, the last component is the sha2-256 hash of the public key. A mail server can have multiple certificates (e.g. RSA and ECDSA). Each must have a TLSA record.

Keep in mind that when you renew your certificate, you could be reusing your private key or be generating a new private key. A new private key brings a new public key. A new public key requires an updated TLSA record. Keep in mind DNS TTLs in that case. You would have to keep both the old and new TLSA records during the TTL period. I would recommend you don't generate a new private key for each new certificate. If the private key stays the same, the TLSA records don't need to be changed.

MTA-STS requires that the MX host TLS certificate can be verified against the common pool of certificate authorities, i.e. PKIX/WebPKI. DANE and MTA-STS can cooexist. I would recommend setting up both DANE and MTA-STS, using ACME with Let's Encrypt with fixed private keys (not newly generated when fetching a new certificate, I know certbot has an option for this mode), and publishing TLSA records (with the hashes of the public keys of those fixed private keys).

Keep in mind some sending mail servers only implement DANE, and others only MTA-STS. Implementing both gets most protection. Some mail servers implement neither, and are sending email without protection.

averageRoyalty2y ago

Quite a lot of critical responses here.

Personally I think this is a great write-up. Most people in tech these days appear to look down their nose and say 'oh no, you can't host your own mail server anymore'.

This write-up goes to show that it's not as complex as people seem to think.

I'd be curious to see a follow up from the author to address the other claim of this crowd - that the big mail providers mark you as spam due to no existing reputation on the IP, despite all the processes and policy being correct.

This seems risky, Oracle Cloud shuts down VPS they deem to be "inactive", in other words, not under any load or traffic. This would fit that category.

dizhn2y ago

That is the free tier. The fix is very simple. You add a credit card but not go over the free tier usage limits. Then they don't touch your stuff and you still don't pay anything. (Free tier applies to everyone including paying customers)

brnt2y ago

And then, poof, something goes wrong, Oracle bills you a kilodollar and now you need to fight _Oracle_ if you want any recourse.

No thanks.

rascul2y ago

But then Oracle has your credit card number.

sodality22y ago

They also shut down the VPSs they deem to be “too active” as in using too much resources, if you’re on the always free tier

SXX2y ago

Though there are no other cloud hosting providers that give you VPS with public IP and 24GB RAM for free. Oracle did shutdown my VM like 2 times in 3 years, but considering I paid them $0 it's borderline awesome service.

tomgs2y ago

Love the intro to self-hosting your email, but aren't you going to be flagged as spam by the main providers anyhow?

teddyh2y ago

If, by “self-host” you mean “hosted by the cheapest VPS I could find, using an IP address range from the wrong side of the metaphorical rail road tracks”, then yes. If by “self-host” you mean “hosted by myself in a server rack in my house, possibly using a VPN to a respected IP connectivity provider”, then no.

uncletOP2y ago

Actually, I have tested sending mail to Gmail or other Mail Service Provider, and have not found any one flagged my email as spam.

You can partially mitigate it by making sure DMARC, DKIM, and SPF are configured right. There are tools online you can use to verify they're setup right, don't remember which sites though.

goku122y ago

I have used mxtoolbox.com in the past. However, I don't know how reputed they are.

Note that the 'big mail providers' won't accept your mails even after you apply every known trick in the book. This is especially true for the two biggest ones that provide free services and hosted services on customers domains.

fiddlerwoaroof2y ago

I’ve had pretty good luck running my own on digital ocean for several years now.

teddyh2y ago

Quite a lot of typos. “platintext”?

> The p= means the police.

Whoop whoop.

uncletOP2y ago

Fixed. Sorry, I am not a native english speaker.

teddyh2y ago

More typos: ”Staic”, “domian”, “PRT record”, “fullfill”, “ploice”, and “intrested”.

wiradikusuma2y ago

Asking again here (different thread) but still about email:

Is making email hosting with cute name still a thing? I own a couple of cute domain names (something like love.com or pretty.com, but obviously not those), so I'm thinking if I can do a hotmail on those domains.

mndgs2y ago

Good God, the length of the text ..

j / k navigate · click thread line to collapse