Ask HN: As a lazy but concerned user, how do you run your own email server?

17 points by Cilvic ↗ HN
What the easiest to have secure email server (open source & auto-updated, not necessarily free) running on a VPS. I've been looking into:

* https://yunohost.org/ (has email server, open source and free, GNU AGPL v.3)

* sandstorm.io which hinted at email server, but seems to be stalling

* http://cloudron.com/ which seems interesting but couldn't find much reviews

Yunohost covers the bill, but I'm surprised it has no tracktion on HN, no comments/reviews.

Are there alternatives I'm missing? What are your recommendations?

Background: Given how important email has become as authorization and how sometimes account access is hacked or revoked + how the email data usually stays with the provider I'd like to run my own server.

15 comments

[ 2.6 ms ] story [ 33.9 ms ] thread
I run my own email server and have done for ~25 years, but what do you mean by 'secure'?

SMTP isn't a secure transport.

Having your email stored on someone else's computers (ie the cloud) is not necessarily 'secure'.

Having a well-constructed and well-managed host somewhere you physically control seems to me the most 'secure' arrangement, which is what I have always had. Currently for the cost of a Raspberry Pi and occasional 'apt-get update' etc.

Thanks! I meant "more secure" = safer from (i) data mining/advertising and (ii) being locked out, than compared to gmail.

But also quite secure from discovered security vulnerabilities. For example wordpress auto-updates and doesn't rely on me doing 'apt-get update'.

I didn't mean secure as in "I want to keep out the NSA or anybody who's going after me in particular".

Also regarding the "well-constructed" and "well-managed" this is something I'm not versed to do / would prefer to use something existing / pay a subscription as long as I still stay in control in the sense "if everything goes wrong I can root into the machine and make changes".
The problem is not setting up your own email server (this is relatively easy), it is getting all your mail into other people's inboxes. Basically the big players these days (I am looking at you Microsoft) just treat any mail coming from a private server as spam. Even more frustratingly they don't do it consistently, just frequently enough that you can't rely on anyone getting your email.

After running my own email server for 15 years I gave up a couple of years ago and paid for someone else to solve the nightmare of dealing with the big email gatekeepers.

Thanks for sharing, didn't think of this. I'd be fine paying mailgun or similar for sending actually. I'm worried about receiving and losing access to accounts because I can't confirm my identity.
Run it in AWS. They keep their IP ranges comparatively clean.

Other hosting services, yes, you may as well not bother. I haven't found another one yet that is reliable enough at keeping deliverability from their IP ranges in good enough order.

Also make sure you set up SPF and DKIM right from the outset.

I ran into problems with an IP address I had owned for 15 years. Clean IP's will help, but they don't solve the problem completely. The real nightmare are the emails that just go missing - they don't even end up in the spam folder. If you are running some sort of mailing list it doesn't really matter, but if you are sending important transactional emails the it really does.

Apart from SPF and DKIM also make sure you also set your reverse DNS name and also set up DMARC.

I pay for protonmail. Works like a charm, got even an app. 50 bucks a year, totally worth it.
I pay for protonmail. Works like a charm, got even an app. 50 bucks a year, totally worth it.
I pay for protonmail. Works like a charm, got even an app. 50 bucks a year, totally worth it.
You could try an all-in-one solution like iRedMail[0] or Mail-in-a-Box[1]. Those supposedly do most of the leg work for you and set up a commonly used stack (Postfix, Dovecot, SpamAssassin, Roundcube, etc). I've never used either of them since I just install everything piecemeal, but I imagine there is an ease of use tradeoff compared to setting the same stack up yourself. In other words, it'll be easier to set up initially, but the downside is that you wont learn the ins and outs of the individual components. So if something breaks or you need to make an adjustment you're going to have a more difficult time at that point.

That said, there are some things you should be aware of when running a mail server:

1. You need to make sure that the IP address and domain name that SMTP is bound to is not on a blacklist[2]. You also need to consider the trustworthiness of your host because you could very well get caught in the cross-fire if one of their other customers gets them range banned. Certain cloud providers that make it very easy to change IP will more than likely have all of their addresses on some blacklist or another.

2. You also need to make sure you have matching forward (A record) and reverse (PTR record) DNS records for that IP address. This is called Forward-confirmed reverse DNS, aka FCrDNS. Many mail servers will reject email from servers that do not have or have mismatching records for FCrDNS.

3. You must set up SPF and DKIM. Many mail servers will either reject mail from servers without these, or at least weight heavily against it.

4. You probably want to make sure TLS is set up properly, otherwise your mail is going to travel the internet in plaintext.

5. The IP address you're sending from is going to start off with no reputation. The volume, type of mail, and how many people mark your mail as spam is going to decide whether other mail servers start filtering you or not. You may have no problems here. If you're unlucky, you will need to try to reach out to whichever major mail provider is filtering your mail. Many of them have a ticketing system for this, but you'll be at the mercy of whomever is working that ticket. There are also various whitelists that might be worth trying your server on. They're usually very selective and will probably reject your request.

6. You really, really need to make sure you've got your policies set up correctly because you do not want to accidentally set up an open relay[3] that will be used to spam other people.

7. Greylisting is a very, very effective means of spam filtering. The downside is that mail from new servers wont be delivered instantaneously and will instead be delivered whenever their mail server tries to deliver it again. Other than that, most spam is malformed in some way so some basic DNS checks will filter a ton of it. There are also free RBL and DNSBL lists that will pick up the slack.

[0] http://www.iredmail.org/ [1] https://mailinabox.email/ [2] https://mxtoolbox.com/blacklists.aspx [3] https://en.wikipedia.org/wiki/Open_mail_relay

You should fix the link for cloudron, it's https://cloudron.io

The problem there is as they moved from beta - you need to pay them 8$/mo to get catch-all email and updates..

Fwiw, I can vouch for cloudron. been using it as my primary email server for over a year now. Works really well