Ask HN: As a lazy but concerned user, how do you run your own email server?
What the easiest to have secure email server (open source & auto-updated, not necessarily free) running on a VPS. I've been looking into:
* https://yunohost.org/ (has email server, open source and free, GNU AGPL v.3)
* sandstorm.io which hinted at email server, but seems to be stalling
* http://cloudron.com/ which seems interesting but couldn't find much reviews
Yunohost covers the bill, but I'm surprised it has no tracktion on HN, no comments/reviews.
Are there alternatives I'm missing? What are your recommendations?
Background: Given how important email has become as authorization and how sometimes account access is hacked or revoked + how the email data usually stays with the provider I'd like to run my own server.
15 comments
[ 2.6 ms ] story [ 33.9 ms ] threadSMTP isn't a secure transport.
Having your email stored on someone else's computers (ie the cloud) is not necessarily 'secure'.
Having a well-constructed and well-managed host somewhere you physically control seems to me the most 'secure' arrangement, which is what I have always had. Currently for the cost of a Raspberry Pi and occasional 'apt-get update' etc.
But also quite secure from discovered security vulnerabilities. For example wordpress auto-updates and doesn't rely on me doing 'apt-get update'.
I didn't mean secure as in "I want to keep out the NSA or anybody who's going after me in particular".
After running my own email server for 15 years I gave up a couple of years ago and paid for someone else to solve the nightmare of dealing with the big email gatekeepers.
Other hosting services, yes, you may as well not bother. I haven't found another one yet that is reliable enough at keeping deliverability from their IP ranges in good enough order.
Also make sure you set up SPF and DKIM right from the outset.
Apart from SPF and DKIM also make sure you also set your reverse DNS name and also set up DMARC.
That said, there are some things you should be aware of when running a mail server:
1. You need to make sure that the IP address and domain name that SMTP is bound to is not on a blacklist[2]. You also need to consider the trustworthiness of your host because you could very well get caught in the cross-fire if one of their other customers gets them range banned. Certain cloud providers that make it very easy to change IP will more than likely have all of their addresses on some blacklist or another.
2. You also need to make sure you have matching forward (A record) and reverse (PTR record) DNS records for that IP address. This is called Forward-confirmed reverse DNS, aka FCrDNS. Many mail servers will reject email from servers that do not have or have mismatching records for FCrDNS.
3. You must set up SPF and DKIM. Many mail servers will either reject mail from servers without these, or at least weight heavily against it.
4. You probably want to make sure TLS is set up properly, otherwise your mail is going to travel the internet in plaintext.
5. The IP address you're sending from is going to start off with no reputation. The volume, type of mail, and how many people mark your mail as spam is going to decide whether other mail servers start filtering you or not. You may have no problems here. If you're unlucky, you will need to try to reach out to whichever major mail provider is filtering your mail. Many of them have a ticketing system for this, but you'll be at the mercy of whomever is working that ticket. There are also various whitelists that might be worth trying your server on. They're usually very selective and will probably reject your request.
6. You really, really need to make sure you've got your policies set up correctly because you do not want to accidentally set up an open relay[3] that will be used to spam other people.
7. Greylisting is a very, very effective means of spam filtering. The downside is that mail from new servers wont be delivered instantaneously and will instead be delivered whenever their mail server tries to deliver it again. Other than that, most spam is malformed in some way so some basic DNS checks will filter a ton of it. There are also free RBL and DNSBL lists that will pick up the slack.
[0] http://www.iredmail.org/ [1] https://mailinabox.email/ [2] https://mxtoolbox.com/blacklists.aspx [3] https://en.wikipedia.org/wiki/Open_mail_relay
The problem there is as they moved from beta - you need to pay them 8$/mo to get catch-all email and updates..