Ask HN: Why is it still so hard to host your own email/calendar that just works?
It seems to me that email and calendar data are so personal that you shouldn't have to trust someone else to store and handle it for you. Yet when I try to find a way to host it for myself I get scared of the trickiness of the setup or the amount of maintenance required. Am I just looking for all the wrong things or is it in this day and age not possible, even for a reasonably tech savvy person, to host your own email and calendar securely? With securely I mean secure from all adversaries except for maybe nation-state adversaries.
[edit]
Like many people have pointed out in the comments an even bigger problem is being blacklisted by other ISPs. Any ideas how to deal with this while still maintaining control of where your emails are stored?
84 comments
[ 2.7 ms ] story [ 161 ms ] threadThe real trouble is keeping your domain off blacklists and managing security updates.
After 15 years of hosting my own email server without issue I had to make the business decision a bit over a year ago that I can't afford to have 5% of my emails go missing and so now use an external service.
http://www.ubuntu.com/usn/
2. Their packaging team screws up packages regularly.
3. They have insane defaults of many package configurations.
4. They tend to do things their way rather than the standard way and come up with their own tools rather than using standard, well tested tooling / packages.
I could go on and on, but it's not a distro I'd ever let run on one of our servers, we used to run 100% Debian until CentOS 7 came out and in our eyes left it for dead when paired with the correct yum repos.
This serverfault question helps to illustrate the problem
http://serverfault.com/questions/434703/why-does-hotmail-sti...
The problem? Not enough traffic causing a low sender score. Hotmail isn't the only one; large and small ISPs across the world do it.
[1] Original post, now defunct: http://liminality.xyz/the-hostile-email-landscape/
[2] Thank you archive.org: https://web.archive.org/web/20151121132739/http://liminality...?
[3] https://news.ycombinator.com/item?id=10405681
[4] https://lobste.rs/s/ckfyqd/the_hostile_email_landscape
And this is exactly the kind of service they were looking for, very difficult to have with a massive business company (have you ever opened a ticket with OVH?)
Then of course, the technical challenges to setup and maintain such services are high and a control-panel all-included package or a docker with everything in it is just a very small part of the work required.
https://news.ycombinator.com/item?id=10405945
https://news.ycombinator.com/item?id=10498988
Basically, you could conceivably get past all the technical set up. There may even be Docker containers or virtual images to jumpstart most of the set up. Or you can follow some step-by-step instructions.[1]
However, the problem is that SMTP servers originating from residential IP addresses by default are treated as home computers that have been hijacked by a malware spam bot. Using Bayesian reasoning, this is a rational filter because the number of zombie home computers sending unwanted spam vastly outnumbers any tiny amount of "good" people setting up legitimate SMTP servers.
Given today's realities of distrust-by-default (unknown SMTP server is guilty until proven innocent), it looks like the best strategy for a "personal" SMTP server is to pay for a virtual machine at a hosting provider (Rackspace, etc) whose IP address ranges are not blacklisted. You could then run encrypted email storage there so Rackspace has no visibility into private emails.
[1]http://arstechnica.com/information-technology/2014/02/how-to...
A part from the obvious basics (IP reverse lookup working, TLS support, SMTP auth for your users..) you can also set up DKIM [1] and SPF [2] that help a lot and are well supported by big providers like gmail.
But more importantly not ending up in a blacklist is important, so if you have users using your service you should monitor the volume of outgoing emails to avoid someone using your server to spam.
There are a few tools that you can use to check your SMTP server MXToolbox and CheckTLS are the two I often use. [3]
I agree though that managing an SMTP server is challenging, I had a couple of issues I had to work on that I am sure would never have happened to a big provider.
[1] http://www.dkim.org
[2] http://www.openspf.org
[3] http://mxtoolbox.com http://www.checktls.com/testreceiver.html
What's next, then? There have been lots of replacements for all of the old school protocols like IM and IRC. Even newsgroups have been (adequately?) replaced by forums and link aggregates and facebook. But, I've seen no attempt to replace email. I've seen lots of attempts to enhance email, but none to replace it completely.
People outside of tech bubbles.
Defiantly there is a trend away from email outside of business, but in B2B email still rules. The ability to have a record of what was originally said and agreed to has saved my backside more than once.
I use it constantly, as I have for years: one mailbox for work, one for personal stuff. My whole life flows through email, it sometimes seems. How else would it work?
Email for me, as I alluded to in my previous comment, is mostly about interacting with automated systems. If I need to reset a password, I'll get an email with a link. My car insurance company and web host will occasionally email me asking me for payment. Google emails me to let me know I've logged in using a computer it doesn't recognize (like my phone).
There is obviously a problem here, there is so much talk about privacy and confidentiality and then you give all your communication in the hands of one company.
What I am trying to say is that there is a fundamental technical difference between emails and <faceslaktter>: The first is based on a distributed, well defined (RFCs??), open protocols and formats. The second? It is an application, running on the premises of some company...
> I get a photographer, video maker or someone working in fashion (I am sure there are other cases, I know those) using facebook or <x social tool> for business communication because it is trendy or it is more convenient
You know that's 99% of the world, right? You just described everybody but people who work in tech. How am I supposed to communicate with people who don't check their email?
> The first is based on a distributed, well defined (RFCs??), open protocols and formats.
Insecure open protocols and buggy formats. You know all emails travel in the open air, right? This was the primary reason I suggested we replace it, with a system that is secure, easy to use and that people can control.
I get that too, people not replying, but I don't think this is only a technical problem unfortunately. With IM systems where you easily get notifications on your phone you have more chance to get a faster response, also when receiving large amounts of emails one tends to skip many of them.. frustrating, for the sender, but that happens to me too from time to time.
I do work in tech though, also in academia, and email is still the first choice (well, from my experience, also I am in Europe.. maybe this counts?)
As for the technical aspect, SMTP and mail transfer protocols are part of a distributed system, and a distributed system must be open, this of course leads to the SPAM issue, but after what, more than 30 years? we have a couple of strong server side implementations that work well. And let's not forget TLS... emails travel in the "open air" as every other protocol that does not use encryption.
I agree that a redesign would be helpful to eliminate some basic issues we still have with emails, but it looks like that at the moment most are busy inventing new proprietary protocols for new way to chat and send emoji around...
IMO Inbox by Google fixed that issue for me.
Well, until you have done everything, — DKIM, SPF and checks are green… And gmail is continuing put your e-mail to spam every now and then :/
For instance, I have a client (person) who now and then sends out a newsletter to some hundreds of addresses. He does that directly from the webmail. I always catch him because I have an alert on the mail queue, and every single time I check it I notice that the messages have been delayed because the remote server has a filter on "too many recipients at the same time" or "server sending too fast" or similar.
This affects the way the remote server will consider further emails from your server, and change its "behaviour" temporarily. I use Postgray [1] that does very similar checks, and it is a great deterrent for incoming spammers. So I completely understand this strict checks from the point of view of a sys admin.
Then there is the email content and headers that are checked by spam filters... but that's another story...
[1] http://postgrey.schweikert.ch
https://www.exratione.com/2016/05/a-mailserver-on-ubuntu-16-...
But: you must then also use a host that is going to give you a decent chance at a non-polluted IP address. The host of the server appears to be a big factor in the hidden part of the anti-spam ecosystem used by the big email providers like Gmail and Hotmail. This means that trial and error and experience in the ever-changing field is the only way to make a good choice. Expect to be moving around a bit as you figure things out. AWS EC2 is the best choice that I know of. Digital Ocean is the worse choice that I know of.
A possible approach is to set up your mailserver so that it relays outbound messages via AWS SES. SES has all of the advantages of a big service that puts in time to ensure deliverability, with few of the downsides, such as large cost.
For calendar apps, you might look at Horde (see an old setup example here https://www.exratione.com/2012/05/a-mailserver-on-ubuntu-120...) - I don't know how it matches up with other options. I moved away from it because I really didn't need a calendar as it turned out, and Horde is something like 10% application and 90% configuration system. It was a lot of work to get it set up and comfortable.
Granted, takes a bit to set up. Up-side is full control. I have a robust black-list too, keeps loads of spam from even entering the syatem
[1] https://www.google.com/transparencyreport/saferemail/
For me, philosophical reasons. I want to fight-back against the centralisation of Internet services. It's the same reason I run my own blog, host photos on my own server, pay slightly more for an unfiltered Internet connection and so on.
I can't 'win' on my own but its depressing that so many people are happy to jump on the centralisation because it's easy and convenient right now.
And what will happen in 10 years when you only have a choice of MegaCorp-1 or MegaCorp-2 handling all your online services, slicing and selling your personal data and bombarding you to consume more, because anyone running their own servers is a "digital terrorist"? Too late then.
My sentiments exactly. Right now email is something anyone can participate in as long as you are using software that follows the (open) standards. It is at its core an inclusive technology, despite the (disheartening) issues mentioned in this thread about the pitfalls and hazards of getting your own mail-server going. It would be a shame if we were to lose this.
On the other side of the spectrum we have the dominant instant messaging platforms, where you can only participate if you run their proprietary software and identify yourself with your pre-approved identifier (your phone number in most cases). Or the centralized social media platforms that censor according to their interpretation of what is permissible.
I understand that leaving all complexity and the burden of grokking something as abstract as networked software is something most people are glad to leave in the hands of Apple, or Microsoft, or Google; but it saddens me that those of us who do understand how this stuff works (at least in a broad sense) appear so willing to just accept the death of a free and open internet for a bit of convenience.
http://iredmail.com/
anybody has xp with one of these?
http://mailinabox.email
https://poste.io
edit: "awesome list" of things: https://github.com/Kickball/awesome-selfhosted#complete-solu...
See the projects on github, especially docker-mailserver for further info on complete features of this setup.
I am keeping a lower priority MX dns entry pointed to an independent provider as a failover, but this is standard practice, I believe.
What I really like about the docker-mailserver image is that it has no database and that it is designed for simple updates (that is, docker pull && docker-compose restart).
Rainloop is also new to me (I previously used roundcube) and again I am very positively surprised: it works over imaps, so multiple accounts can be combined under a single login, it supports 2FA, manages both plaintext and html, manages your contacts, it supports openPGP (still in beta, I've not tried it yet).
In practice hosting your own mail provides some control over how to respond to a subpoena. If someone sues you the bar for getting the data by physical force is much higher than it is for having a third party turn it over.
On the other hand the bar for compromising your server is usually much lower than it is for gmail.
I use Apple Server to host the email via SSL on a dedicated server, really easy to configure.
The key thing is deliverability - initially I had some problems with my email going into junk folders.
To get around this I send all email via a service called PostMarkApp (http://www.postmarkapp.com) which allows you to setup SPF and DKIM records on your domain and therefore ensure emails are authenticated.
I get pretty close to 100% deliverability.
PostMarkApp also shows you open / browser stats, so it's quite useful when I wonder if someone has read a particular email.
Not sure if this would be secure enough, but has worked well for me with almost zero maintenance after setup.
I use Apple Server to host the email via SSL on a dedicated server, really easy to configure.
The key thing is deliverability - initially I had some problems with my email going into junk folders.
To get around this I send all email via a service called PostMarkApp (http://www.postmarkapp.com) which allows you to setup SPF and DKIM records on your domain and therefore ensure emails are authenticated.
I get pretty close to 100% deliverability.
PostMarkApp also shows you open / browser stats, so it's quite useful when I wonder if someone has read a particular email.
Not sure if this would be secure enough, but has worked well for me with almost zero maintenance after setup.
Any recommendations on "the rest": calendar, notes, contacts?
I've looked at owncloud before, but that's a fairly large-footprint php project, are there any decent self-hosted alternatives, either as a suite or as separate programs?
[1] http://sabre.io/baikal/ [2] http://radicale.org/
Probably I'm blaming radicale for some of webdav's weirdness, but the whole process has been one of the most frustrating computing things I've done in years.
Calendars are similar to forms on the web. Again, no more issues than normal so I don't get it.
Setting up an email server that won't get blacklisted by the major providers within a week of you setting up is difficult, time consuming, and often expensive.
I experienced blacklisting when I switched to a newer dedicated server hardware recently, which meant new IP addresses. The only mail server that didn't accept mails from my new addresses was Hotmail / Outlook.com though. It was fixed after filling in their form and waiting a day. Never had trouble with Gmail.
If you have your own domain and you don't trust others with your conversations with others, I think you are better off hosting a chat server over an encrypted protocol, such as XMPP or IRC or https://blog.okturtles.com/2015/11/five-open-source-slack-al... . Persuading your contacts to use it is a problem though.
Calendar is a different thing though. As long as you have a CalDAV server and a CalDAV client you should be good to go.
Also related to selfhosting stuff: https://sandstorm.io/ is a project I've discovered some time ago and haven't been paying attention to, but it seems to have thrived pretty well.
And to fix the "ISP sucks" we have started to package an "just work out of the box" solution in the FFDN, a federation of local associative ISPs https://internetcu.be/
The trick is to use a "internet cleaning" VPN that gave you a static ip address and that this VPN is handled by an association in which you are a member and that you can trust.
Never had a single issue with blacklisting or non-delivery.
[1]: http://arstechnica.com/information-technology/2014/02/how-to...
This is an interesting problem of lack of standard. Hope http://seif.place will help with that :) .