this post was submitted on 31 Jul 2023
90 points (97.9% liked)

Selfhosted

39904 readers
322 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
90
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
 

I just set up my first ever email server and I'm proud of myself! 😊 Do you have any advice to avoid common problems? I mean something beginners often do that they shouldn't. Thanks!

all 35 comments
sorted by: hot top controversial new old
[–] [email protected] 45 points 1 year ago (3 children)

You're in for a world of hurt. Email security is a pain in the ass. I used to do this full time and I'm so glad I don't have to anymore.

Not trying to discourage you, it's fun, it's cool, but it can be a real PITA.

[–] [email protected] 9 points 1 year ago* (last edited 1 year ago)

I run my own email server, but I use an outbound relay. I mostly get the good parts of self-hosting (having full control over storage of my emails) without the annoying parts (dealing with server reputation for sending emails).

[–] [email protected] 8 points 1 year ago* (last edited 1 year ago)

That's true, but only initially. Once you get SPF/DKIM right, that you domain name grows a few years old (enough to be considered established) and that you nailed your configuration, there is no issue anymore. I've been running my own Postfix on a Pi in my home for about 5 years, and It Just Works β„’. The only maintenance I do is updating the software (done when updating the rest of the OS), and I don't get shadowbanned mails anymore, even when sending to outlook.com (which is. by far, the worst peer when self-hosting emails).

EDIT : by the way, fun fact : it seems not as related to IP reputation as it's often said (well, unless the IP has bad reputation, of course). I changed my ISP late last year (thus changed my IP), I was very afraid I would lose my good reputation and have to start over with getting my mails shadowbanned, and… nothing happened. My mails just got delivered as usual. So I bet the domain name is at least as important as the IP.

[–] [email protected] 5 points 1 year ago (1 children)

Not trying to discourage you

Well, that's exactly what it sounds like :/

Don't listen to him OP, running your own email server is not "a world of hurt".

The initial configuration involves quite a few things (DNS records, DKIM, spam filters, ...) But it's definitely manageable. And when all this is setup, you don't have to touch it anymore, it just works!

I've been doing it for years now, and I'm not going back ! Congratulations on doing it, and good luck on keeping it running!

[–] [email protected] 1 points 1 year ago (2 children)

Take it from someone who's got over 15 years experience in the field... Or not. Your call :)

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

As someone who also has 15+ years of experience in the field and is currently infosec management, it's not that bad. Certainly not something I'd say "you're in for a world of hurt" about like somebody just bought a bad timeshare.

Especially if you're not hosting production email for a company and you're not leaving the server as an open relay, it isn't very painful at all.

You could also be less condescending, but as you said: your call. :)

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago) (1 children)

Wasn't intending to come off condescending. IMO exposing your internal network to the internet without a proper firewall is a risk, one I wouldn't take unless I had a DMZ and a dedicated VLAN.

In addition, you'd have to be on top of patch management. And when you do that, there's a chance of something breaking too. My preference is not to have to muck around troubleshooting my own email server when a patch window goes bad since that's what I deal with all day anyway. There will always be zero days, I'll just pawn that off the the big boys.

[–] [email protected] 0 points 1 year ago

All of that is inherent in self hosting anything publicly accessible. You wouldn't start off a reply to someone setting up openvpn with "you're in for a world of hurt," would you?

[–] [email protected] 4 points 1 year ago

I've also been doing that for ~10 years. It's not the easiest service to run, but it's definitely not the one I had the most issues with. I would agree that in the professional field, there isn't much advantage to host it yourself, and I would advise going with hosted services in this case. But on a selfthosted community forum I see no reason to say such things to a new user trying it out, especially if they don't plan to host other people mailboxes.

I'd say the difficulty depends mostly on the stack you decide to run. I've tried Microsoft Exchange, which is very complex, postfix which is okay once you get the hang of the config file syntax, and opensmtpd which is delightful to configure given its simplicity. Docker also helps tremendously compared to what was available 15 years ago.

Actually delivering emails into inbox is another difficult aspect, but now there are just so many good resources to learn from that you can easily figure out what to do.

[–] [email protected] 24 points 1 year ago* (last edited 1 year ago) (1 children)

Congratulations! A mail server is quite demanding in terms of initial setup, but it's also very rewarding !

Here are a few pointers I can give you:

  • Using a good domain is important, some provider block entire TLDs for cheap domains (eg. .tk or .pw). I learnt it the hard way...
  • Set your MX records to A records, not CNAME
  • Ensure your PTR records match your A records for the mail server
  • Learn about SPF and DKIM
  • Set them up, and verify with mxtoolbox
  • Use the ip4: and/or ip6: selectors for SPF
  • Setup a spamfilter (I like spamassassin)
  • Leave it all running for a few weeks/months
  • Publish a DMARC policy on your DNS, and verify with mxtoolbox

This should limit a lot your likeliness to end up in spam folders (which is usually the hardest part about running your mail server)

[–] [email protected] 1 points 1 year ago (1 children)

What's the reason for using IPs instead of domain names for SPF and MX?

[–] [email protected] 1 points 1 year ago

Because it's the simplest form of mechanism for SPF, and the most understandable in my opinion.

a and mx mechanisms are just ip4/ip6 with extra resolving steps and more complex rules. For a selfhosted setup where you only have a single IP address, this is the most straightforward

As an example, try to guess which one of these SPF records will or will not pass SPF, given that the IP address sending emails is 1.2.3.1:

$ORIGIN domain.tld.
$TTL 1d

@        SOA      pluto.domain.tld. admin.domain.tld ([…])
          NS      pluto.domain.tld.
          NS      saturn.domain.tld.
          MX 10   mx.domain.tld.
           A      1.2.3.5
         TXT      "v=spf1 a -all"
         TXT      "v=spf1 mx -all"
         TXT      "v=spf1 ip4:1.2.3.1 -all"

jupiter    A      1.2.3.1
pluto      A      1.2.3.2
saturn     A      1.2.3.3
venus      A      1.2.3.4

mx     CNAME      jupiter.domain.tld.
[–] [email protected] 18 points 1 year ago (2 children)

Try using this and sent it a test mail: https://www.mail-tester.com/

It'll check blacklists, configuration, DNS and mail content itself for any issues

[–] [email protected] 8 points 1 year ago (2 children)

Cool, a bit basic but a good start. Getting 10/10 on that should be considered the baseline for having a working email solution for personal use. It verifies DMARC but ignores DNSSEC and DANE which are newer improvements to help prevent spoofing.

This test is pretty hardcore and full disclosure I don't pass it myself fully yet, and I've spent considerable time learning and testing so it's not a small task.

https://internet.nl/

[–] [email protected] 4 points 1 year ago

I've got 10 out of 10 πŸ˜ƒ

[–] [email protected] 3 points 1 year ago (1 children)

Mail-tester is just for outbound deliverability, nothing else. DNSSEC is really just for security practices. That doesn't really effect outbound deliverability though which is always a bigger concern for me.

[–] [email protected] 4 points 1 year ago (1 children)

I don't really agree. DANE, which builds on DNSSEC, will most likely be used to deny email outright or at least spam mark it in the near future. It provides much needed trust and security to a tool that in many ways is less secure than sending a physical letter. All it really needs is critical mass such that people are forced to implement it or risk their business critical email not reaching its recipient.

[–] [email protected] 4 points 1 year ago

I've never seen a message denied for DNSSEC. It may be a thing they do in the future, I do think all domains should use it but it's not something that'll deny a message.

[–] [email protected] 4 points 1 year ago

Mail tester is good, and I'll add MX Toolbox which can also check a lot of other DNS settings, and help with email deliverability.

[–] [email protected] 10 points 1 year ago

Make sure you are not an open relay.

If you also sent mail, make sure you have setup dkim and spf and dmarc

[–] [email protected] 7 points 1 year ago (2 children)

Let's hear the details! How did you do it?

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (1 children)

Docker container with exposed ports. The container has postfix and rspamd for spam mitigation and some useful scripts for postfix management such as creating accounts, wiping data etc. Actually it comes preconfigured, the only thing you have to do is:

  • configure environment variables so it meets your needs
  • generste dkim key and set is as DNS record
  • set revDNS to the IP address
  • setup SPF (which is one, short DNS record)
[–] [email protected] 2 points 1 year ago (1 children)

Hmmm. I wonder what your password is? 😁

[–] [email protected] 2 points 1 year ago

1234, of course!

Just kidding πŸ˜… I use long, random passwords for each service, not reusing them ofc!

[–] [email protected] 2 points 1 year ago (2 children)

Well done! I tried again last week (3rd try) and gave up when I realised I would need a static ip to get myself off spam blocklists

[–] [email protected] 1 points 1 year ago (1 children)

You're better off using a hosting service where they allow you to change your PTR records. A static IP is the very beginning of your problems, you will likely be unable to send traffic on port 25 because residential ISPs block it.

If you really want control of your email server on your own network you can set up an SMTP relay using a hosting service and configure your local mail server to use it.

Here's something to get your started: https://community.mailcow.email/d/1275-the-ultimate-guide-to-run-your-own-smtp-relay-server

[–] [email protected] 4 points 1 year ago

Nah I'm out bro. Hosting plenty of stuff already and email is pretty critical

[–] [email protected] 0 points 1 year ago

If you have trouble where the email you send gets binned as spam by recipients, set up a SMTP server using aws SES and send through there instead.