Conversation

“self-hosting email is hard” no it isn’t and you should do it

7
2
2
@mia I needed this kick in the pants
1
0
1
@mia Yeah, in fact much less hard than dealing with connecting an email client to the Google/O365/… horrors.
0
0
1

@georgia lmk if you have any questions about it; i basically set it up from scratch so i’m familiar with how all the pieces fit together

0
0
2

@mia I would, but my family is very against port forwarding. Any of the servers I wanna do, I can't. Furthermore, I think the electricity would be high. I made the mistake of giving my RPi5 to a friend in exchange for a Dell Optiplex, which uses a fuck ton of power.

1
0
0

@doraii that’s okay, the attitude still counts. btw did you try forwarding ports via upnp yet, or has your family disabled that as well?

fwiw i believe self-hosting email from a home ISP with dynamic address pools might be a bit of an uphill battle where you can’t expect your outgoing mail to be delivered to users of some of the big providers (as in, not even the spam folder). idk how bad it is nowadays.

3
0
0

@mia Yeah, UPnP is out of the question too. In fact, I believe my router doesn't have it at all, or it's disabled by default.

I've heard the things about big providers not accepting self-hosted email. For now, I'm using Proton, but I might switch to Tuta. Luckily, I don't really use e-mail for anything other than site 2FA.

0
0
1

@mia receive-only is honestly very simple
sending can be more annoying, but is also manageable

I just think it sucks there are no good clients / webmail

1
0
0
Edited 4 months ago

@aetios the nice thing about email is that your stuff can go down for weeks and other servers will keep trying to deliver mail. you still receive stuff oncet it’s back up

2
0
2

@privateger kmail is very good actually. idk about webmail though, haven’t used that in 20 years

0
0
1
@aetios @mia In fact email greylisting works via "huh, unknown server, tempfail it in case it's a basic spam script"
2
0
1

@aetios asking questions is okay even if you feel like you should be able to figure it out yourself

0
0
0

@lanodan @aetios yep. that btw is the main reason why email that should be instant sometimes takes 10-15 minutes to arrive in your inbox

0
0
0

@aetios that’s why i said it neocat_pat_happy

0
0
0

@mia SO TRUE

ive been selfhosting my email for ages now without issue, despite everyone screaming at me not to

1
0
0

@mia “but keeping up your ip reputation is a fulltime job” what no it isnt wtf are you talking about

0
1
0

@mia @doraii I thought any self-hosting made deliverability an issue these days? Is that not the case? Would love to be hosting my own TBH

1
0
0

@Lacey @doraii it’s not the case in my experience.

and even if it were, i would still do it and encourage others to join.

1
0
0

@Lacey @doraii hetzner but i’ve also set it up for other people with other providers.

used to host from home with some free dynamic dns service when i was a teen and it worked fine, but those days were different

0
0
0

@mia

IIRC it's not quite "weeks" (more like 2–6 days depending on sending-server configuration) but it's still nice to know that servers will retry. Also, annoyingly some mail-hosts (particularly the big-name ones) will re-send from a different IP address which makes gray-trapping more challenging ☹

(but yes, still totally worth running your own mail-server)

@aetios

0
0
1

@lanodan

Annoying though when the big senders re-send from different addresses.

10.0.0.1: Hi, I've got some mail for you
My gray-trapping server: um, try again in a few minutes (notes 10.0.0.1 as the sender)
10.0.0.2: Hey, here's that message I tried to deliver to you earlier
MGTS: Um, I have no record of you trying to send so try again in a few minutes (notes 10.0.0.2 as the sender)
10.0.0.3: Hey, here's that message I've tried twice to deliver to you
MGTS: Um, I have no record of you trying to send so try again in a few minutes (notes 10.0.0.3 as the sender)

[sigh, glaring particularly at Outlook.com, I recall @pitrh blogged about this annoyance a while back but I can't disinter his post to link to]

@mia @aetios

2
0
1
@gumnos @lanodan @pitrh @mia @aetios modern greylisting/greytrapping essentially requires you track not based by IP address but an entire subnet (/24 or /64). it's a mess. It's been like this since idk... at least 2012 to my memory.
1
0
1

@feld

I really wish I could dig up the @pitrh where he goes into detail on the pain Outlook-dot-com and such cause by resending from different addresses, but my web-search-fu is failing me. 😑

1
0
0
@gumnos @pitrh I even had issues once at old ISP_JOB where Google would send to us on ipv6, get greylisted, and retry in the future with ipv4
0
0
0

@mia I'm told changing my oil isn't heard either, but I have other things to do with my day. :)

1
0
0
Yeah, the exemptions I had to make to OpenBSD's spamd greylister due to Gmail retrying from different IPs was: exhausting, to understate it.

IMHO, ARIN et al should be revoking IP allocations to such entities. It's egregiously wasteful and abusive.

Especially now: Alphabet Inc./Google are a friggin convicted monopoly. They did not play nicely, they should have their "toys" taken away.

CC: @lanodan@queer.hacktivis.me @pitrh@mastodon.social @mia@shrimptest.0x0.st @aetios@sns.minovsky.space
1
0
0

@teajaygrey @aetios @lanodan @gumnos skill issue on part of the greylister; half-assed in typical openbsd fashion. this isn’t new or uniqe to large senders; there never was any guarantee that MX records won’t change from one attempt to the next either. there’s a reason SPF, DMARC and DKIM were introduced.

1
0
1

@aetios @lanodan @teajaygrey @gumnos rspamd does it right (and also ensures proper form for outgoing mail), btw. you can use that on openbsd as well.

1
0
0
I also have a fallback server in another location that acts as a backup. When the main server is back, the backup sends everything it has received to it.
0
0
1

@mia @doraii Hosting an email server on residential internet is pretty much a non-starter these days. Most of the big providers will just drop stuff coming from those ranges.

But in the fuzzy definitions of self-hosting, having a VM on Linode/Hertzner/Digital Ocean/1&1/et al for mail services works nicely. Your own domains, all the accounts you want for a fixed price

https://mailinabox.email is a great place to start if you don't already have a background in setting up mail servers

1
0
0

@erik

Just check that your VPS-hosting service allows for inbound/outbound mail. Some filter, and of those, some will open up port 25 traffic if you submit a ticket, others just give the big 🚫

@mia @doraii

1
0
0

@gumnos @erik @doraii setting up the stack from scratch is also easier than it used to be. postfix no longer defaults to open relay mode, dovecot can also be its auth backend instead of having to use some awkward cyrus-sasl setup, and rspamd just works and also takes care of signing outgoing mail.
still more complicated than it needs to be for a small self-hoster, but some progress has actually been made

0
0
0
rspamd came out in 2008? I wasn't working for the company where I deployed spamd by early 2009. So yeah, maybe I could have overhauled it; if they hadn't terminated me? It was just one of no fewer than 3 spam mitigations deployed at that employer.

To say that the burden of contending with abusive behavior, should continue to be shouldered, by those attempting to mitigate the abuses? Is beyond exhausting.

"skill issue on part of the greylister; half-assed in typical openbsd fashion." seems, unnecessarily condescending.

"there never was any guarantee that MX records won’t change from one attempt to the next either." Sure, there's no guarantee; it's still awful behavior.

"this isn’t new or uniqe to large senders" (FWIW, the employer where I deployed spamd, was online before Google and so was I, yet somehow: none of my past employers demonstrated such abusive use of MXes. Typo nitpick: "uniqe" I think you meant to write: "unique".)

If we lived in a timeline that wasn't never ending enshittification, then this part of RFC1855 would have been made manifest:

"Never send chain letters via electronic mail. Chain letters
are forbidden on the Internet. Your network privileges
will be revoked."

By the time DKIM, SPF, DMARC, etc. came into being, the shark had long since been jumped. The S in SMTP became demeaned. Nothing about any of that is OK nor will it ever be OK.

Phrased another way: the inmates are running the asylum.
1
0
0

@teajaygrey yeah, alright, should’ve watched my tone there. sorry.

still though, it’s how it goes in an open network: you can never assume the rules won’t be broken by both good and bad actors, which is especially true when you’re building systems for dealing with abuse in the first place. every assumption and every part of every interpretation of every spec will be violated, and it takes some degree of street smarts to figure out how to defend against that and maintain network integrity—which is something you won’t find too often in post-hacker techie circles.

0
0
0

@mia been doing this since 2014 or so. Server is at home, ingress is via L2TP link with a fixed IP from Andrews&Armold and the requisite DNS records just make it work. exim, spamassasin and clamav at the moment. Not had any blocking issues for quite a while that I recall...

@phlash

1
0
1

@Slash909uk @phlash recommend giving rspamd a try, it needs almost no config beyond plugging it into your MTA. i switched to it from SA a few years ago, it’s a lot better and also takes care of some other things like greylisting and DKIM/ARC signatures for outgoing mail.

0
0
0