this post was submitted on 27 Sep 2023
94 points (99.0% liked)

Selfhosted

40132 readers
600 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

So I've been running self-hosted email using Mailu for a couple of months (after migrating out of Google Workspace). Today it turned that although my server seems to be capable of sending and receiving emails, it also seems to be used by spammers. I've stumbled upon this accidentally by looking through logs. This seems to have been going on for all this time (first "unknown" access happened just a couple of hours after I've set everything up).

While browsing the logs there were just so many crazy things happening - the incoming connections were coming through some kind of proxy built-in to Mailu, so I couldn't even figure out what was their source IP. I have no idea why they could send emails without authorization - the server was not a relay. Every spammy email also got maximum spam score - which is great - but not very useful since SMTP agent ignored it and proceeded to send it out. Debugging was difficult because every service was running in a different container and they were all hooked up in a way that involved (in addition to the already mentioned proxy) bridges, virtual ethernet interfaces and a jungle of iptables-based NAT that was actually nft under the hood. Nothing in this architecture was actually documented anywhere, no network diagrams or anything - everything has to be inferred from netfilter rulesets. For some reason "docker compose" left some configuration mess during the "down" step and I couldn't "docker compose up" afterwards. This means that every change in configuration required a full OS reboot to be applied. Finally, the server kept retrying to send the spammy emails for hours so even after (hypothetically) fixing all the configuration issues, it would still be impossible to tell whether they really were fixed because the spammy emails that were submitted before the fix already got into the retry loop.

I have worked on obfuscation technologies and I'm honestly impressed by the state of email servers. I have temporarily moved back to Google Workspace but I'm still on the lookout for alternatives.

Do you know of any email server that could be described as simple? Ideally a single binary with sane defaults, similarly to what dnsmasq is for DNS+DHCP?

top 50 comments
sorted by: hot top controversial new old
[–] daFRAKKINpope@lemmy.world 26 points 1 year ago (2 children)

ProtonMail. 100%.

I set up custom DNS and catchall so yourcompanyname@saltycowboy.org is really how I filter spam.

Please note, saltycowboy.org isn't really my domain.

[–] __ghost__@lemmy.ml 9 points 1 year ago

So you're saying it's available? 👀

[–] Unforeseen@sh.itjust.works 2 points 1 year ago

I've also done the same, it's been great.

[–] slander@lemm.ee 19 points 1 year ago (1 children)

unless you realllllly enjoy self hosting your email, IMO it’s just not worth it anymore with the state of things. I use Fastmail and could not be happier.

[–] specseaweed@lemmy.world 3 points 1 year ago

Same here. Gave up and went fastmail. Love em.

[–] Cosmos7349@lemmy.world 15 points 1 year ago (2 children)

I use fastmail, and I enjoy it a lot. Their masked email is very nice as well, and integrates with bitwarden. So quite convenient to use my personal domain for stuff where my identity matters, and use masked @fastmail addresses for more disposable stuff.

The only thing that ticks me a tiny bit is that their mobile app doesn't have offline mode; but you can use imap client or w/e, so it's not too much of an issue.

Also hear good things about protonmail; I would consider it if I didn't already use/trust fastmail.

[–] fraydabson@sopuli.xyz 6 points 1 year ago

Another vote for Fastmail. In my recent effort to degoogle I switched to Fastmail and I love it.

[–] BitSound@lemmy.world 5 points 1 year ago

For mobile with fastmail, I use fairemail. Works great with it, and provides a nice merged view with my non-fastmail work emails.

im an old school email admin. i gave up on my personal exchange box for protonmail years ago.. multiple domains, lots of dns nonsense on my part. zero problems.

i highly recommend them.

[–] KairuByte@lemmy.dbzer0.com 8 points 1 year ago (5 children)

https://mxroute.com/ is what I went with. They have a $99 lifetime plan. Semi limited, but worth it imho.

[–] RegalPotoo@lemmy.world 2 points 1 year ago

I'd be super cautious about relying on any company that even offers a "lifetime" plan.

Offers like that are tools to raise cash - take money now for a service that you will provide people in the future. They tend to get used in one of two situations:

  • We need to raise money for investment in upgrades, so take the equivalent of ~2-3 years subscription from people up front, and count on the investment bringing in enough new customers paying regular rates that you can cover the cost of having the lifetime customers out of revenue
  • We need cash now or we aren't going to be able to pay salaries, and it won't matter that we've screwed our customers if we are bankrupt

Even in the best case, it'd be much simpler to raise cash through usual investment mechanisms, so you do have to wonder how viable their business strategy is if they can't get money that way

load more comments (4 replies)
[–] Decronym@lemmy.decronym.xyz 5 points 1 year ago* (last edited 7 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
Git Popular version control system, primarily for code
IMAP Internet Message Access Protocol for email
IP Internet Protocol
SMTP Simple Mail Transfer Protocol
SSL Secure Sockets Layer, for transparent encryption
TLS Transport Layer Security, supersedes SSL
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

8 acronyms in this thread; the most compressed thread commented on today has 3 acronyms.

[Thread #169 for this sub, first seen 27th Sep 2023, 14:35] [FAQ] [Full list] [Contact] [Source code]

[–] aard@kyu.de 5 points 1 year ago

Nowadays I'd recommend a simple postfix + dovecot setup. If you care about a web-UI and possibly some groupware functions put SOGo on top.

[–] ChojinDSL@discuss.tchncs.de 5 points 1 year ago

I use mailcow for self hosting.

[–] emhl@feddit.de 4 points 1 year ago
[–] benmi@lm.inu.is 4 points 1 year ago (4 children)

I have used https://migadu.com/ for over a year now with no problems. Very happy with them. Setup is well documented.

[–] NightAuthor@lemmy.world 2 points 1 year ago

Most reasonable pricing I’ve seen for a family use case.

[–] otl@lemmy.sdf.org 2 points 1 year ago

This was the provider I went with after self-hosting my mail for 7+ years on an OpenBSD VPS. I feel like Migadu is an honest and good-value service.

[–] lemmyvore@feddit.nl 2 points 1 year ago* (last edited 1 year ago)

Great configuration, very flexible and fill of features. They make it easy to get all the DNS records you need to add to your domains and they have a diagnostic tool that checks that everything is set correctly. They even include wildcard aliases (which I'm not sure if it's mentioned in their public pages).

Should also note that they don't limit accounts, domains, aliases or any features, just overall mails and storage space. The only additional limitation on the lite account is inability to set account quotas.

load more comments (1 replies)
[–] Rearsays@lemmy.ml 4 points 1 year ago (3 children)

Just switch to mail in a box.

[–] RootBeerGuy@discuss.tchncs.de 3 points 1 year ago

Step 1: cut a hole in the box

load more comments (2 replies)
[–] eros@lemmy.world 4 points 1 year ago

I found myself in a similar situation last year. MXRoute's lifetime plan works well for those domains that just need basic email and not a lot of storage.

[–] cooopsspace@infosec.pub 4 points 1 year ago

Fasmail + domain

[–] Appoxo@lemmy.dbzer0.com 3 points 1 year ago (1 children)

Personally using Ionos.
Not bad experiences so far but you need to watch out at times and check your invoices.

[–] stown@lemmy.world 2 points 1 year ago

Same, IONOS is cheap and I had no issues when requesting they open port 25 for my mail relay server.

[–] techgearwhips@lemmy.world 3 points 1 year ago* (last edited 1 year ago)

Protonmail. That's what I use connected to my own domain.

[–] Chobbes@lemmy.world 3 points 1 year ago

Oh no! I'm sad to see that you've run into troubles :(.

There are other "fully put together" solutions like mailinabox and mailcow, that could be worth looking into for you. I haven't used them personally, but you might find them worth looking into. I'd never heard of mailu before, actually.

Totally understand the desire to just move to a hosted solution after running into these problems, but even if you do that I think you should keep running a mail server in the back of your mind for the future


you've already learned a lot about it I'm sure, and maybe with a bit more experience you'll be ready to tackle it again :).

I don't actually use any of the fully assembled solutions like mailinabox, and I wonder if in the future it might be a good idea to try configuring everything manually. You already have some familiarity with how mail works at this point, and having more control over the setup and how everything fits together might actually work out for you. Personally I'm running an OpenSMTPD + Dovecot mailserver and having a great time. I'd recommend it.

https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/

Either way, I think you should keep using a custom domain for e-mail because then you have options in the future :).

[–] pqdinfo@lemmy.world 3 points 1 year ago

I use Zimbra with an external email gateway that only accepts authenticated email. Zimbra is pretty heavy (it's intended to be a Microsoft Exchange replacement) but it at least has a huge amount of protection built-in to deal with spam and comes configured out of the box to not relay (well, outside of you setting up aliases and lists.)

That said, it's not hard to find "incoming email only" configurations that deliver to local mailboxes only, for most email servers. The thing to avoid is having a single server configuration that tries to do both - accepting external email and sending locally originated email out. The configurations do exist to do that, but they're confusing and tricky.

External email gateways... that bit is hard. I use a mail server I set up myself on a VPS. It does not listen on incoming port 25. It requires credentials. I did this largely because I was trying to send email out via Xfinity's customer email relay, but the latter kept upping the authentication requirements until one day Zimbra just couldn't be configured to use it any more. And each time they changed something, I wouldn't find out until I noticed people had clearly not received the emails I've sent out.

VPSes are problematic as some IPs are blocked due to spam. There's not much you can do about it if you're stuck with a bad IP, so if you can find a way to send outgoing email via your ISP's outgoing email server, do that. For Postfix, you can send out authenticated email using something like: in main.cf:

relayhost = [smtp.office365.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes

and in /etc/postfix/sasl_passwd:

[smtp.office365.com]:587 example@outlook.com:hunter2

So in summary:

  • Consider an email-in-a-box solution like Zimbra, I understand the wish to go for something light but it might make sense if your aim is just to control your own email
  • Regardless of whether you do or not, use separate servers for incoming/outgoing email.
  • For incoming email, lock it down to accept local email down if you're manually doing this rather than using an email-in-a-box solution like Zimbra.
  • For outgoing email, use authentication and avoid it listening on port 25. Consider either directly using your ISPs, or if that's not practical, configuring your outgoing email server to relay in turn to your ISP (see above for how to do this.)

Good luck.

[–] ninjan@lemmy.mildgrim.com 3 points 1 year ago (1 children)

I use iRedMail but would I call it simple? No. Mail is such old tech that simple really isn't the word for it. Archaic, ancient and dying fits better. But it will take decades more to actually die. iRedMail is available as a single container, which isn't correct from a container perspective but makes everything a lot easier in my opinion. Of the various solutions I've tried it's the one closest to the goal of "It just works". The biggest downside is the manual steps often needed to upgrade version. Not to time consuming but far from "It just works".

[–] elbarto777@lemmy.world 5 points 1 year ago (1 children)

Why should email die as opposed to evolve?

[–] ninjan@lemmy.mildgrim.com 5 points 1 year ago (2 children)

Eh, I guess it's a Ship of Theseus kind of thing. So much in the core is roten that if we change it you could argue it will be something different.

load more comments (2 replies)
[–] beirdobaggins@lemmy.world 3 points 1 year ago (1 children)

Moved from a junky setup where I was forwarding my domain mail to gmail. And sending mail through gmail using the smtp server provided by my web host.

I was having too many issues.

I switched to fastmail. It is quite good. And you can get some free basic web hosting included with your paid service.

[–] ssdfsdf3488sd@lemmy.world 2 points 1 year ago

This is what I did too, after self hosting and self hosting anonaddy for a while. I really like how it integrates into bitwarden to give me most of what I liked about anonaddy as an included thing. I also did it ofr the same reason. Too many Eh holes out there that just want to bang on the mail server all day.

I ended up on purelymail.com for my machine sending email (it's dirt cheap I think I will be under their minmimum and it will cost something like 10 dollars a year for unlimited unique email addresses for my services)..

[–] markstos@lemmy.world 2 points 7 months ago

I hosted email professionally for over a decade... and I can't recommend getting back into the business. At that time we were using Qmail, although I also have experience managing Exim and Postfix. About 90% of incoming email remains spam.

For outgoing email for things like server cron mail, a stub service like msmtpdcan be used to receive local mail and forward it to to a local service.

To receive and host email, Fastmail is good.

[–] rmdes@lemmy.world 2 points 1 year ago
[–] robert@lemm.ee 2 points 1 year ago* (last edited 1 year ago) (1 children)

I vote for maddy, but one important note for my setup: my family uses always-on VPN, so i only open port 25 for the world. Imap can be accessed only from vpn. In such case server can't be used as relay from internet. Maybe try that way?

[–] Socket462@feddit.it 2 points 1 year ago (1 children)

I am not saying your server is not secure, but just fencing off IMAP from the web is not enough to limit spammers from relaying mail through your server. They usually exploit a misconfigured SMTP server, which does run on port 25 (plain or start TLS mode)

load more comments (1 replies)
[–] ikidd@lemmy.world 2 points 1 year ago

Mailcow dockerized.

[–] Voroxpete@sh.itjust.works 2 points 1 year ago

Throwing my hat in for Protonmail.

load more comments
view more: next ›