159 comments

[ 1.9 ms ] story [ 230 ms ] thread
Happy to see the support for self-hosting mail.

I think the fear of self-hosting mail that many people have can be treated simply by trying it on a non-critical domain. Yes there are hoops that must be jumped through to ensure reliable delivery, but it's well worth it to gain an understanding of how they all work together.

It's amazing how much the experiences of mail hosting vary. I've run my own email for decades and have never had the kind of deliverability problems that people seem to go on about. I've had the occasional isolated incident (perhaps like 6 in 20+ years), and if I'm sending a critical business message I often tail the log to make sure it actually goes out. But in general it's been quite straightforward.

It's also worth noting that even if deliverability is a problem, that doesn't affect incoming messages! So you can most certainly grab your own domain, create a subdomain for account validation emails, and mitigate the single point of failure for your online life.

You can probably configure your postfix system to relay outgoing mail for select addresses via your gmail account, to not have to deal with reconfiguring your MUAs if you ever start delivering via your mail server, and not even use a subdomain.

Send via gmail, get delivery to your server.

Sure, that's just config work that might not be straightforward. I personally undertake that kind of config work, but I can understand that others don't want to.

So I was thinking perhaps a subdomain would be a good way to divide it such that you could use @foo.example.com for accounts, but then host your main @example.com with some professional provider. Especially if that commercial provider wants to charge you per-address etc, and you can do catchall aliasing on the subdomain to tag email by sender. I like seeing who's sold/leaked my address this way.

I’ve been using this https://github.com/r-raymond/nixos-mailserver for 4 years for my personal mail and I haven’t had a single issue in that time. I think it takes me about the same amount of time as you to maintain but I also have a next cloud server running on the same machine.
I've been running a private mail server since 2005, I didn't realize it was a big deal LOL.
I've been late for the party. I started 2012, but I agree, not sure why this is a big deal.
I also host my mail server on a hetzner server since the mid 2010s. As long as you familiarize yourself with the mechanisms (dkim, dmarc, spf, etc.) and have a mail-tester.com 10/10 score and sometimes look at mxtoolbox, it is absolutely doable. My only major issues were sending to gmail, t-online (telekom) and outlook addresses. But there are also ways to unlock the ip addresses and the delivery team at outlook.com was very helpful.
I run my personal mailserver on Hetzner too! They seem to do a good job of keeping their IPs off blacklists compared to most VPS providers.

So far no problems delivering to Gmail. I was initially junked by Outlook, but that fixed itself after a while since I had sent enough emails to build up reputation.

> So far no problems delivering to Gmail. I was initially junked by Outlook, but that fixed itself after a while since I had sent enough emails to build up reputation.

For me, Google has been really relaxed in terms of receiving mail from selfhosted services in the past. Stopped using gmail for monitoring stuff a few years ago, but up until then, every single cron job / monitoring mail was delivered into my gmail inbox. Outlook is another story. They may just throw your mail away without even a bounce. Had to deal with that several times at $PREVIOUS_JOB.

This is also my experience. Outlook and Yahoo are extremely trigger happy, never had an issue with gmail.
>> As long as you familiarize yourself with the mechanisms (dkim, dmarc, spf, etc.) and have a mail-tester.com 10/10 score and sometimes look at mxtoolbox, it is absolutely doable.

This sentence should be read closely if you're considering running your own mail server. Each point listed is a sophisticated technical topic.

> major issues were sending to gmail, t-online (telekom) and outlook addresses

I am considering self hosting but this would mean I would have deliverability issues with around 90% of my messages.

You had major issues delivering email to Outlook and Gmail, which represent the majority of all email recipients, and yet you're describing this as a success story with a tone that "anybody can do it".

I also tried to run my own mail server for years and I also had major issues delivering mail to Gmail and Outlook. Because of this I would never recommend self-hosting email to anybody else. Somehow you have my exact experience and your reaction to it is the complete opposite of my reaction. Weird.

I've been running my mail server for about 15 years, give or take. First with qmail/dovecot/squirrelmail and now with postfix/dovecot/roundcube.

Mostly smooth sailing.

Dovecot works so well, I've almost forgotten it's there for the many years I've been using it for local mail handling.
Oh, hello twin brother! I did exactly that. But the first part was for a company. How times have changed eh? The bulletproof aura of qmail and the ugliness of squirrelmail. Memories...
The thing about qmail in my experience is that it's no nicer to its own administrators than to anyone else in the world, which checks out given who wrote it but led me to quickly develop a strong preference for Postfix.
My main reason to move from Mail-in-a-Box[1] to AWS WorkMail[2] to finally Microsoft Office 365[3] was that there is no other implementation which supports all MS Outlook features like native MS Exchange.

Are there any (Self-Hosted?) alternatives nowadays?

1: https://mailinabox.email 2: https://aws.amazon.com/workmail/ 3: https://www.microsoft.com/en-us/microsoft-365/exchange/excha...

There are many hosted Exchange providers. You can also self-host it, but that’s costly or you need to be an MS Gold partner or something.
Been hosting my own since 20212. I wouldn't want it any other way.
I've just gone back. I ran my own mail server from 1999 on a residential cable IP until taking the Gmail for your domain bait. Hey, free mail hosting with XMPP and nice webmail!

Last time I was on exim/cyrus/spamassassin. Now on postfix/dovecot/rspamd. Nextcloud for calendaring because I had it already.

I miss the old set up and even feel nostalgic for the perl I wrote to glue things together (evil SMTP time rejection on spam scores). Haven't written perl in a decade...

I don't miss having to fix things when they break. But I also don't miss being able to fix things rather than dealing with unresponsive support.

What sort of things broke for you? My experience has been that maintenance has been little other that adding the features designed to penalise spammers.
Breaking is mostly self-inflicted. I followed the 123qwe.com version of the ISPmail tutorial, but made some changes to fit in with my aged Nextcloud setup. This caused a few hiccups. Changes were -- mysql not postgres, allowing mail logins by username as opposed to email address.

The other problems I've had were

* Mr Tutorial likes really tight TLS restrictions but some of my mail clients can't cope with them.

* Turned on IPv6, had correct reverse DNS but forgot to put the v6 address in my SPF record. DMARC said "be strict" so gmail started rejecting my email.

* Random markings-as-spam by gmail. This seems to be slowing down.

* I've got the Dovecot xapian plugin but it doesn't feel like it's making searches faster. Need to make sure my IMAP client is actually doing server-side searches though!

* Turned on port 465 (TLS submission), cannot get it to work so still doing STARTTLS on port 587

Also I knew that exim system inside out, I felt I really understood how exim processed mail. Now I don't have the time to learn postfix inside out in the same way. Oh to be an eternal university student again...

One thing that has helped is the trick I worked out a few years back of hosting everything inside an lxc container on btrfs. I can snapshot and backup the whole system including database. Moving to a new hosting company means building another minimal debian system and rsyncing the container over. Borg backup of snapshots gives me confidence they can be restored, I'm not going to be backing up a database file while it's being written to.

Moving my gmail over was the biggest pain, due to gmail being labels-not-folders. Spent quite a lot of time on some python code to spider my email and apply rules to remove duplicate messages. Lots of corner cases pop up there.

Similar to many others, I've been self-hosting for years (around 20, across multiple domains) and it's really been a non-issue. Having a dedicated IP probably helps, but it's been generally more reliable than Gmail (who have blocked me over the past few days because of logging in from unusual devices, thank you UK storms).
Ran a mail server for about 20 years, recently switched it over to fastmail so I didn't have to worry about sender rep, or getting hacked. Didn't realize until I switched what a weight on my mind it was having that server out there being pentested constantly. (Watch your postfix and ssh auth logs if you run a mailserver, you're basically under constant probing!)
>you're basically under constant probing

So many chinese and russians IPs...

I get a bunch of Indian IPs as well but probably 80% (non domestic) are russian or chinese for my ssh honeypot on port 22. USA scans are roughly 28%, I don't know if people outside the USA get hammered like that though. I keep it up just for fun. Minimal debian install with only SSH port 22 enabled and auto security updates (and a daily script to update and reboot) and you'd think that I had a fort knox full of gold in there lol. It's pretty insane how bots there are out there banging on the gates. It serves as a good reminder how goddamn hostile the internet is.
I've had VPSes hosted outside the US and not seen much difference in scan traffic, although it's been years and maybe things are different now.
I don't think the geo matters much. The bots seem to be scanning the entire IPv4 address space. This is the one big benefit I try to pitch to people who are considering IPv6. In all my years of log monitoring I have only ever seen a single bot attack my network over IPv6, and that was the one I manually programmed to make sure the detection system was working. The search space is just too large for the full internet sweeps that bots make.
Every really relevant server has a ipv4 address. Why should bots try ipv6 if it works with ip V4.

And I don't know how much bots scan the whole ipv4 address space, but doesn't they use up lists that are parsed from dns. ( SSL transparency report is a good start e.g.)?

> So many chinese and russians IPs...

And S. Korean, and Dutch, I also recall significant attacks from Central America.

For anyone interested in which geo's appear to be attacking you, and if you are a noob like me, pfelk is really cool:

https://github.com/pfelk/pfelk

Lots of them, but more and more Brazilian and southeast Asian these days.
> Watch your postfix and ssh auth logs if you run a mailserver, you're basically under constant probing!

That's public selfhosting for you these days. I'm really not worried about getting hacked. I'm keeping my setup reasonably safe and up to date. But you're right, looking through the logs is entertaining.

Years ago i found a poem in apache access logs.

  151.217.177.200 - - [30/Dec/2015:06:00:36 +0100] "DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0" 400 308 "-" "masspoem4u/1.0"
Lol I remember that. I think I heard it was some CCC guys.
I wish the bots that try and breach my wordpress websites were so kind as to leave poems as well :/
>you're basically under constant probing

So is fastmail, so is everyone. I have been running my own mail server since 1999. Never hacked, and I completely control RBLs/updates/whitelist/greylist...its great.

Of course, I suppose being a sysadmin and liking it helps.

I agree with OP, however, having your own domain and email can be rewarding.

> never hacked

That you know of

If you've got a mail server (ie Postfix) and you get p0wnd you'll know - your mail volume will be through the roof, IO spikes, the works.
Or, not. “Have I been hacked?” is a known unknown.
My mail server had a user with a weak password on it (my sister's account from 20 years ago, actually.) It got hacked and started sending out spam for about 3 days straight. The upstream ISP eventually called me to complain.
Yeah, but when it's Fastmail it's a whole team's worth of somebody elses' problem. :p

Hosted my own for 17 years, moved a little over a year ago. There's nothing I want they don't have for $50 a year, and while that's more than I was paying for the VPS, it's been enough of a load off my mind and my calendar to still be amply worth my while.

edit: $50 a year is certainly not more than I was paying for the VPS...

But fastmail has the benefit of scale, that you will never have. And the cost of your time, if you don't inherently enjoy it, is too much.

I dumped everything to move to Google and I am happy with the results. With the deprecation of the free Google Worspaces - I'm open to switching to Fastmail.... But nothing will make me move to self hosted.

I'm just a software engineer and I don't want to waste my time.

If it is just for yourself or family or a few friends then scale really isnt an issue. But yeah I agree - running a mail server can be a pain. It can also be easy. But that is the trade off with any SaaS - do you want to outsource and pay someone else to do it or do it yourself?
I definitely am making my money's worth with my Fastmail subscription. Just over $100 for 3 years? I could work 3 hours and recoup that.

Not a chance I could get away with < 3 hours of mail server setup and maintenance over the course of 3 years.

The mail server can run for 25 years. And it doesn't require any maintenance. And you don't have to trust anyone else to keep your data safe.
are you suggesting that it is advisable to run an operating system and mail server from 1997 in 2022
With fail2ban setup and ssh auth with only keys and PermitRootLogin no, you don't even have to worry about the pentesting bots.
My mail logs aren't too bad, but my SSH logs are...empty. I run SSH on a nonstandard port.
I'm on postfix / dovecot / spamassassin.

One issue after I moved boxes & IPs at OVH is that Microsoft refused to accept mail from my new IP no matter what I tried. Everyone else is fine. So I have to relay live/hotmail destinations via another jump on a VPS I have.

When I was growing up I used to help run the mail servers in my dad's small-ish datacenter. One of the things we were commonly plagued by is that the email ecosystem is a giant fiefdom gated by large providers to fight spam. If you end up on their lists, justifiably or not, it's non-trivial to be removed. The other point is that providers like GMail use custom protocols that improve the mail experience quite a bit.

Nowadays I use ProtonMail and I get most of the features that GMail gave me, with the added benefit of not managing the blacklist situations.

How do you not get blacklisted immediately?
(comment deleted)
I absolutely agree. I'm also self-hosting all sorts of stuff, including mail (opensmtpd, dovecot) and never really had a problem. At some point a mail to telekom.de was refused by the telekom because of my IP (I host on a kimsufi/OVH box). However, after contacting telekom about it they immediately removed me from the blacklist and it works fine ever since.
I've been running my own email since forever (and over UUCP before that) and always considered it easy too. However starting this year I'm paying for an SMTP relay so my outbound mails share transit with other relay users', making them less likely to be IP blocked by Microsoft.
sounds like a good solution, can you share a few details?
I use Postfix for SMTP. Inbound emails arrive directly at my server without any intermediary. Outbound emails use Postfix sender_dependent_default_transport_maps, which routes outbound emails via mailgun. I use this method because I host multiple domains and it lets me use domain-specific credentials with the SMTP relay. Outbound routing could be done using the same credentials for all domains but that causes some unnecessary pollution in message envelopes.
I run my own mail server. Friends & family, so outbound volume is super low, like 2-3 digits/day, not enough to get a rep. Deliverability was always hard to one of the major providers until I happened to make the right connection on HN to someone who worked there, and she graciously opened an internal ticket, asked some questions about the subnet my server was on, and it's been fine ever since.

Setting aside the fairness of how I got my deliverability problem solved, this now makes me really reluctant to move IPs. :-/

Any tips on IPs where people are seeing excellent deliverability? I'd like to avoid routing my outbound email through one of the email providers (Mailgun, SES, etc) if I can.

> Any tips on IPs where people are seeing excellent deliverability? I'd like to avoid routing my outbound email through one of the email providers (Mailgun, SES, etc) if I can.

I've moved my domain / mailserver a few times between Hetzner IPs when migrating to new servers. Went smoothly, but I make sure to check the new IP with common greylists before moving my mail setup. Other than that, make sure your DNS setup is clean and use Hetzner :) But I'm sure you have your own strategies.

If you buy your own ip range you will be fine.

I used to work at a company who owned 128 address and the mail server was one one of them. A Whois lookup of the mail server IP gave my old boss as a contact person. Not just some random ISP.

We did not setup DKIM until maybe 2014 and that was not really necessary from a outgoing mail perspective cause we never got emails bounced.

I don't need many IPs, any tips on what it takes to own a /29 and how to go about buying it?
I don't believe PI space comes in anything smaller than /24.
Then, given what I've read about how tight IPv4 supply is these days, I conclude I probably can't afford it. :-)
There are places to buy smaller ranges. Free Range Cloud lets you buy a static IP tunnel or lets you buy a /29 through them. The problem with smaller ranges is that you can't actually advertise them through BGP the way you would with a /24. https://hoppy.network/ also gives you a unique /32 v4 and /128 v6 if you'd like.
That requires colo, I think? So more work for self-hosting and maybe expensive.
We've seen lots of articles about the technical details of setting up a mail server (software to use, how to configure it, etc.)

Can you suggest any article that talk about "checking common greylists" and other steps admins should take when their email is failing?

One of my tenets is that it's fairly easy to learn to do anything, but expertise comes from knowing how to fix things when they go wrong, which is harder to come by.

I can see how to setup the email server, but the stuff you're talking about is just dead goat voodoo.

This has been a very hard problem to solve, mostly because of the ways in which delivery problems have to be solved (support mailboxes, abuse portals etc.) where unless you are 'big' you are not going to get the priority needed to get delivery back on track in a reasonable time at reasonable scale. Very annoying situation to be in.
Use a service like NoIP. You choose a hostname and off you go!
Yeah, don't think that's going to help.
Can anybody recommend a hosting/VPS provider who does very careful monitoring of ip space and has strict vetting to avoid bad reputation? I have similar issues, though no magical connected person, so maybe helpful to move to somebody who does this.
Check out https://mxroute.com Someone mentioned them on HN a while back and said the service works really well. Note that I have not used this service myself.
If anyone's looking to distinguish themselves in the hosting/VPS space, I'd pay extra for a provider who verifies the personal identity of the server operator before allowing outbound email traffic. Make me jump through some hoops and pay some more, I'm game!
Exactly, this is what I was hoping for. Somebody who is very serious about keeping IPs clean.
I host at Hetzner for what, ten or so years. Never had a problem apart from some US idiots blocking access to their sites from EU because GDPR. (I run my personal VPN through it too).

The amount of spam coming in (exim4+dovecot, no filters) is comparable to gmail.

Very happy using Vultr for an OpenBSD based mail stack. They unlock port 25 on demand if you have a valid use case.
Not wanting to sound all bleak, but what's the continuity plan in the event you are unable to administrate the domain at no notice? Presumably friends and family at least have some alternate cloud email?
One of my motivations to move it is to make it easier for someone else to take over in such an event.
> Presumably friends and family at least have some alternate cloud email?

Not necessary, which is part of the flexibility. I've been myfirstname@mylastname.com since the mid 90s. Initially I hosted it at a desktop at work (things were different back then). Then it's been hosted by a couple ISPs, and then I've been running my own email infrastructure for the last ~decade. If I ever decide not to, it's easy to seamlessly transition to third-party hosting, but it'll always be the same email address/domain.

I run a mail server on Digital Ocean and I’ve never had deliverability issues with the big email providers. I had issues once with a self-hosted exchange server and with one of the ISP-provided email addresses.
You got lucky. Digital Ocean has very lax anti-spam policies, so chunks of their IP space routinely end up on various block/blacklists. Saying as someone's forced to deal with all the spam spilling from DO on daily basis.
I self-host file sync, calendars, contacts, photo sync, Google Workspace type services (including all Office doc types and even video meetings), as well as a blog. Here by self-host I mean run all this in a docker-compose collection on a 24 core xeon server in my closet.

Surprisingly (to some) these are easier that self-hosting email. So this is a great article than I plan to add it to my-digital-self-reliance playbook.

I also agree with the motivations and have a whole list of others. We are becoming the slaves of Big Tech. Only go there willingly, don't let the hard choice of saying "no" make the decision for you.

Would like to learn more details about your tech stack if you are willing to share. Especially about the internet connection speed.
Been self-hosting my email for 23 years... for better or worse.

To think even RedHat hasn't self-hosted their email for ages, definitely back to pre-IBM days.

Makes me wonder which major distros are still dogfooding the mail server software they ship.

> personally, it fills me with satisfaction to self-host my own infrastructure, my little internet island where I’m root, especially in times of mega corporations trying (and succeeding) in redefining “the internet” as a portfolio of services only they can offer, with little alternative.

Sounds great! Can't argue with that. My feeling is that the real problem isn't a company or companies offering computing services. That has always happened and will always happen. I think the real problem people aren't grappling with is vendor lock-in. Most of the catastrophic anecdotes I read on here and elsewhere are about people who put all their eggs into one basket and did not have any kind of disaster recovery plan. When their provider service went down or even went away due to a merger or whatever, they were left with nothing. And that's really a different problem.

I've always read that hosting your own mail server is a pain. Not because of complicated tooling but because of security. Always wanted to try hosting my own. This makes me want to try even more.
Do it!

You can start slow. Install the basics. Look into postfix and dovecot, deflecting spam, and the whole DNS stuff. If you feel confident in your setup, start using it for non-critical stuff first.

That's the beauty of it imo, you can do everything in your own time without deadlines.

I've started looking at exim. Definitely will also checkout the tools you mentioned. Thanks
debian -> postfix -> dovecot -> rainloop/IMAP

2-3 years, so far so good, minimal maintenance.

Lost interest after I scanned through and saw this

>> "While I’m not going into specifics regarding postfix, dovecot, etc. it’s important to mention a few architectual details."

Anybody using amazon SES to send out self emails? Is it even viable to use for sending only single digit emails (to replace gsuite) or do they always land in spam folder? Any thoughts?
I just started playing with it to get my exim server to send my outgoing mail through. It seemed like AWS had a bit of trouble understanding that I was only looking for something low volume and transactional. They kept wanting to know how I handled unsubscribe requests. But I finally got them to ok the account (with a 40,000 email/month email limit, after I told them 100/month would be fine). After I sent a few test emails and looked at their spam scores, they were ok enough to probably get through most of the time but not great. I then tried SendGrid and they were both much easier to set up and the test messages got much better spam scores.
I do, so far i have had no problems, i run postfix relaying to SES on tailscale interface.
I've been using SES only to send emails for a couple of years. No problems. Incoming emails are a fair bit of work and am yet to find an easy solution that works well for my use cases.
I recently setup Cloudflare email forwarding to receive emails in various mailboxes depending on the address, and use SES to send mail.
I recently started self-hosting my own email a little over a year ago. A few lessons learned and gotchas that might be useful:

- docker-mailserver is excellent for a number of reasons: outstanding documentation, sensible defaults, long-term maintenance is a priority, timely updates, small footprint, etc.

- I've only ever had one issue sending an email to a medical provider that was using a blocklist maintained by Proofpoint. Getting off of Proofpoint's blocklist took quite a bit of effort and escalation (their online unblock request process is a joke).

- Migrate uses of your email account over in phases and take your time to build up confidence. I can not stress this enough. I'm still not fully cut over yet. I did marketing, mailing lists, subscriptions, etc first. A year later, I'm still gradually cutting over medical/financial/important accounts. Only after I'm 100% migrated over will I try to get my family to switch over.

- Surprisingly, I have received zero spam. I use the me+netflix@mydomain.com pattern religiously

- I have a cheap $5/month VPS that fronts the public facing bits and run all traffic through a wireguard tunnel to a server at home where docker-mailserver runs. This was fun to set up technically, but in retrospect, creates more points of failure than it is worth. I will be changing the architecure to host everything on the VPS and get a slightly larger instance.

- I document every incident, downtime root cause, etc. It helps immensely when a failure that occurred 6 months ago happens again and I don't have to spin my wheels figuring out what the magic incantation to fix the issue is.

- Do it if you enjoy this sort of thing. I knew close to nothing about email infra prior. If you want an "appliance" like experience with zero maintenance, stick with your current solution.

My one major unresolved issue with going this route is the SPOF, me. My email solution and everyone dependent on it fails if I get run over by a bus. I don't know what the solution to this is, but it has gotten me thinking about decentralized solutions geared towards self-hosters by self-hosters. The goal would be to capture the essential requirements that self-hosting email (or any other service, really) fulfills, and building a solution that scales beyond any dependence on me. This is fun to think about - the decentralization, performance, scalability, privacy, and reliability aspects are well suited to lots of tech that are relevant today.

"I’ve had exactly one problem with deliverabilty during that time, where someone with a Hotmail account complained to never have received my mail - even though the Microsoft server claimed to have accepted it according to my logs. While Microsoft can be notoriously intransparent and unforgiving with (not) accepting mail, in this case it turned out to be a blacklisting issue. I had just moved servers and IP addresses shortly before, with the new IP having been on an internal MS blacklist. I raised a ticket with their mail infrastructure department, and to my surprise, the IP was cleared soon after."

Unfortunately, MS and others have now adopted an "opt-out" blacklisting policy. Even with a clean IP, you'll have these problems if you set up your own server.

(I've been running my own mail servers for 30 years.)

Dont you only usually get blacklisted though if you are sending mass amounts of emails? They mostly blacklist spammers or people suspected of spamming.
In the past this was true. Now some providers look for a minimum volume of emails to establish a reputation. It's diabolical.
This is how I learned what DMARC is.

A friend with email @live.com said he never received any of my emails. No spam, no bounce, just silent drop.

I went through MS knowledge base which thankfully said that DMARC/DKIM are pretty much required. After setting up opendmarc, everything was fine.

Also required for gmail these days. But once you've set up SPF/DMARC/DKIM everything tends to work smoothly without too many deliverability problems. There might be a few blacklists to negotiate when moving to a new ip, but it's generally pretty straightforward these days. I remember a few years ago bashing my head against a brick wall trying to solve problems delivering to hotmail and icloud, but that was before I set up DKIM and DMARC which I think might have been the issue.