1w ago

My two cent about emails servers field. Over a two decades...

Hi,

It had been twenty year that I stopped my couples of self-hosted email servers.. ( That did run on a 10 years span )

Now, I'm digging to relaunch one.. OMG the GAFAM etc... did well screw us !!

I think those two post summarize well what happened...

On the technical level email are OLD ! ~1982(SMTP), and since then few revisions were released, but they only build ~~extra thing~~ complexity on top of it !! and the last revision date was in 2008 ! ( 17 year ago... )

And they are complex because of this build-up,
\ For the example, the list of the daemons running in docker-mailserver give a clue...

Postfix
Dovecot
Rspamd
Amavis
SpamAssassin
ClamAV
OpenDKIM
OpenDMARC
Fail2ban
Fetchmail
Getmail6
Postscreen
Postgrey
Support for LetsEncrypt, manual and self-signed certificates
SASLauthd with LDAP authentication
OAuth2 authentication

On the mass level, the GAFAM managed to convince the mass that email server (and more broadly any self-hosted (aka computing) ) is complicated, so "let's us do" that could be understand as "Let's us own your technology"

For a time I was thinking "maybe I should get away from email, that only belong the GAFAM now... and maybe found an alternative... ?" But If I found an alternative, I must convince the others to do the same... slower... way slower...

No ! , the first step is to have more and more people re-owing their technology ! So having more and more self-hosted email server again..

To reverse the tendency, instead of feeling like a black sheep (and be censored) to not have a GAFAM email. It will be people that use a GAFAM email that will pointed out ! to have deleted ( or move email to SPAM without reason etc..) your email from YourEmail@MyLittleHosting.MyPlace

If you use a none GAFAM email ( like me ), and someone tell you:
\ "hoo sorry I didn't get it"
\ "Sorry, I didn't see it, it felt in my SPAM folder" (with a tone that's your fault because you use something else than everyone else (aka GAFAM))

Please note, that legally, is their responsibility ! Whenever it was automated or not !
\ If your MTA[^MTA] did send your email the the recipient MTA it's their sole responsibility...\

and if the attempt has been blocked before reaching the destination MTA, by a firewall or something else on their side (even on ISP level), no matter if they own it or not, it's also their responsibility :) )

[^MTA]: Mail Transfer Agent Handles the transfer of emails between servers using SMTP

28 comments

The issues with IP reputation, and mail providers like Microsoft and Google choosing to make massive, sweeping email blackholes with no recourse are the real problem.
Hosting your own email is not really all that hard.
It does require some understanding of how SMTP works, and how to avoid things like backscatter - but its all very tractable.
I run my own mailserver on Linode. Granted it is a single user instance, and I don't send that much email, but I have had very few issues.
The few times I have had an issue is usually places just flat out not accepting email addresses with custom domains. (Looking at you, AutoZone... Looking at you.)
- Yeah. Hosting your email is easy! Resolving being labeled as spam is not. (Filtering incoming spam is also hit or miss, but more just an annoyance than a problem.)
  
  The only time I've been marked as spam (apart from being on a blocklist by default due to a residential IP, which can be resolved in minutes and a simple form) was as I sent a mail to my work account
  Which was to be expected with no text content and only an attachment at a rather larger and sensitive company.

Almost every scam email I get comes from a gmail address. If a business is not sending emails from their own domain, I automatically assume it's a scam.
- This right here. If you are promoting your biz with a generic email address, it goes in the junk folder. It's 2025 people. Legit businesses use legit email addresses. I as hardnosed about my texts or phone calls. If you are not on my extensive list of friends, family, business associets or aquaintances, and you don't leave a message, you get banned as spam.

There was a recent thread on reddit about this, where I wrote this comment (copied here):
I've been hosting my own email for a long time (almost 25 years).
Today it's better than it was, but there are some hurdles:
Microsoft has their own system, but it's reasonably easy to get listed
Google does their own thing, and it's IMPOSSIBLE to get anywhere
UCEPROTECTL3 is just a fucking extortion scam
When I switched providers, I found out I was in a "bad IP neighbourhood". Microsoft wanted a letter from my VPS provider saying that I am in control of the IP I wanted listed, and that was not too hard to get. Also, Microsoft's blacklist management is sane - you can log in, see the status, raise issues and get a hold of people. A little frustrating, but workable.
Google, on the other hand... You can't participate in their spam system unless you have a minimum volume of email, which means little guys like me who send maybe 50-100 emails a day end up in gmail's junk folders by default and there's abso-fucking-lutely nothing you can do about it. There's no one to report it to, there's no way to fight it... they simply don't care. And whether an email gets flagged as junk or not seems completely random. It has nothing to do with the content as far as I can tell. All you can do is contact people from your personal gmail and ask them to check spam/whitelist. It's been years and I'm still waiting for the "eventually your domain will get whitelisted globally" bullshit to happen.
That leaves UCEPROTECTL3. Fuck these guys sideways. They block entire ASes and no, you can't get an exception made. You can pay them to get whitelisted which is why I call them an extortion scam. They're the only blacklist I'm on and I'll be fucked if I'll pay them to get off it. Bunch of fucking pretentious scammers.
Everything else is pretty easy: DNS, DMARC, DKIM, SPF... it's hoops to jump through but not overly difficult. Ensuring you've got SMTPS set up and constraining the encryption protocols to get it tight takes some iterative work, but nothing too difficult.
I totally understand why people give up. This is a huge problem with these gigantic monolithic companies -- they hold way too much power over the internet and there's no way to hold them accountable.
- In a moment of weakness and angry clients I once paid uce.
  Shortly thereafter my credit card got stolen. That is the one time in my life that has ever happened. It was my business card which rarely get used.
  Coincidence? Up to the reader.
- Yeah Microsoft for what's worth does play ball, you can open complaints and they'll actually read those and act fast. Google is a total pain to deal with, even if you're on some type of google partnership they'll not do much.
- That leaves UCEPROTECTL3
  Is anyone still using them?
  
  That's an excellent question. I only know of them because mxtoolbox and other checkers list them.

I've been using email since it was text-based.
I think email for the average person is kind of dead. I rarely use it for personal comms, and it's more of a repository of receipts and the occasional password reset.
I reluctantly use it for person-to-business.
Work? That's not my concern. I use the tools that they manage.
Email is practically dead to me - it's not encrypted, and plenty of encrypted systems exist that provide equivalent, and in some ways, better functionality for personal use.
I wish companies would start embracing them.
- email does still seem like the least bad way of receiving stuff from corpos though. I'd rather get emails than whatsapp messages or nonfree apps' push notification.
  
  Yes, this. And with WhatsApp or an dedicated app they're either directly on your phone. Or have your (personal) phone number. Which isn't great. With eMail you can just have another spam address. And that's more complicated with phone numbers and most people don't have a second one dedicated to spam and advertisements...
  
  It's a tough call, I don't disagree at all with the concerns you pose.
  However... Email is every bit as another data point for tracking you, and worse it's in the clear. Every email address I've ever used over the years is in databases with IP addresses, timestamps, locatiin/region data, last used, associated device ID's, etc... Plus any analysis from content that was ever done. Yahoo/Google, etc certainly know lots about the user of those addresses, even ones that aren't their addresses.
  I'd happily use an encrypted system(s). I'd simply create multiple accounts, and isolate them in different ways.
  For example, my healthcare org sends nothing through email except a notification that you have some kind of update. You then log in to their system to view the info. I do wish they'd develop an app for iOS/Android, it's a bit of a nuisance otherwise. In their defense, App dev with sensitive info isn't their forte, so at least they aren't opening that Pandora's box.

Just checked one more time that emails from my server are accepted by Gmail. What am I doing wrong?
the list of the daemons running in docker-mailserver
Awful. Who heeds both rspamd and spamassassin simultaneously? fetchmail and getmail6? More than a half of these components are not required to get a working mail server. But I agree that setting up the another half is rather complicated. So I'm planning to give a try to mox when I'll need to set up a new mail server.

I've been running mail servers for about thirty years; my personal ones and production for 100K+ users.
The personal one is a pain for the reasons you mentioned. I use sendmail instead of postfix, but I was able to use some rules to push certain messages through other relays.
I signed up for Amazon SES and have so far stayed in their free tier. Mail coming from one of my addresses always goes through SES, and mail from any address to certain domains (aol.com, gmail.com, etc.) go through SES as well.
It allows me to ensure delivery for my important mails, but leave things up to chance for less important ones.
It's the best solution I've been able to come up with for a really annoying situation. Big Tech ruined it all.

FWIW, I have no issues sending mails/having them be received from my self-hosted to Google mail
- I also self hosted for years (using tuta mail with my own domain now), and have never had issues with my deliverability either.
  
  Though now that I think about it, I did have to register my domain with Google in some way to stop being flagged as spam iirc.

Don't agree. Being hosting my email server for 20+ years without issues.
Yes you need to study, no its not difficult at all.
Check https://wiki.gardiol.org/doku.php?id=email%3Astart it's really that, and guess what? It works!
So, yes its getting more complicated but its still well at the grasp of a home hoster.
Do you want it as simple as docker compose up? Grab mailcow.