I'm exploring some options to see if it's viable to self host my email account. Currently I have:
A home server where I can host the entire email stack, but I cannot open the SMTP port there
An AWS account where I can create a VM with SMTP ports open to the internet and reverse DNS support. I also have a domain and AWS SES configured and approved to send emails.
Ideally I would want to send and receive from my home server, but that is not possible, so I'm exploring some alternatives:
For receiving emails:
Cheap VM with Postfix and my home server with Dovecot, essentially forwarding all emails to my home server, where I want them to be. I don't know if this setup works, though.
Keep everything in a VM, with the downside that I'll need to do extra work there, as it will have all my data. If possible, I don't want to go that route.
For sending emails:
Sending from the same VM that receives emails, and having everything managed
Use AWS SES to send emails on my behalf
Any input or opinion is appreciated. I'm currently exploring options and haven't made any decisions, so if you have a better alternative, feel free to share.
I mean… you can, but beyond the technical aspect of setting up the hardware/services/DNS, you also have to deal with the unknowable black boxes that are the major email services. As a very small server, you’re gonna run into deliverability issues and have absolutely no feedback or recourse from the giants. There’s a decent chance that you’ll end up with a perfectly configured mail server that, through no fault of your own, fails to actually get your messages to their recipients.
(Sorry to be a bummer here! If you do go this route, I hope that everything works out well for you.)
As someone who runs a self-hosted mail service (for a few select clients) in AWS, this comment rings true in every way.
One thing that saved us beyond SPF and DKIM was DMARC DNS records and tooling for diagnosing deliverability issues. The tooling isn't cheap, however.
But even then, Microsoft will often blacklist huge ranges of Amazon EIPs and if you’re caught within the scope of that range it’s a slow process to fix.
Also, IP warming is a thing. You need to start slow and at the same time have relatively consistent traffic levels.
Is it worth it? Not really, no, and I don't think I'd ever do it again.
I think this is largely why people complain that email hosting is so difficult. It's not the hosting; it's that so many people are doing it from a cloud hosting provider's IP space. AWS, Azure, and DigitalOcean all tend to have their IPs on grey lists at the very least. Many home ISPs' DHCP scopes too.
Getting a proper static IP, your own subnet from ARIN, or finding a colo with their own IP space will give people much better results.
Just passing along what I've read many times: that self-hosting email can be difficult. Particularly sending, because the large providers tend to treat email from less-known sources with more skepticism (such as by marking it as spam), even with properly configured SPF and DKIM.
And if your server is down, you may miss any incoming mail for the duration. I don't know if other providers would try resending after a period of time if the receiver is unreachable, but I doubt it (just an educated guess).
I love self hosting services but email is something I've decided not to touch with a ten foot pole.
It’s harder than a beginner would expect, but also not as bad as everybody says. It’s doable, and we shouldn’t discourage everybody from trying it (but don’t use it for anything important until you’re sure it works). Just make sure you set up SPF/DKIM/DMARC and rDNS properly and you’ll most likely be fine. If you’re scared or frustrated, you can use a relay for sending. Receiving is easy.
Just a quick add: even for my self-hosted services, I configure Postfix with Mailgun as an SMTP relay for alerts and whatnot, just to ensure delivery to my external mail provider.
To be fair, the SMTP RFC (5321) says that senders MUST retry sending upon a failure (source), but it only specifies that they SHOULD have a retry interval of 30 minutes, and an even weaker recommendation to continue to try for 4-5 days before giving up.
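To put numbers on the "will I lose mail while my server is down" question, here is an added simulation of a sending MTA's retry queue. It is example code written for this thread, not from any poster. RFC 5321 only supplies the 30-minute interval and the 4-5 day give-up guidance quoted above; the doubling backoff capped at four hours and the 4-day queue lifetime are assumed, Postfix-style values, not something the RFC mandates.

```python
"""Simulate an MTA's retry queue for a receiver that is temporarily down.

Added example for this thread, not from any poster. The 30-minute first retry
and the 4-day give-up come from the RFC 5321 guidance discussed above; the
doubling backoff capped at four hours is an assumed, Postfix-style schedule."""
from datetime import timedelta


def retry_schedule(first_retry=timedelta(minutes=30), give_up_after=timedelta(days=4),
                   growth=2.0, max_interval=timedelta(hours=4)):
    """Yield the elapsed time of each retry after the initial failed attempt,
    stopping once the next retry would fall after give_up_after."""
    elapsed = timedelta(0)
    interval = first_retry
    while True:
        elapsed += interval
        if elapsed > give_up_after:
            return  # queue lifetime exceeded: the MTA bounces the message
        yield elapsed
        interval = min(interval * growth, max_interval)


def deliver(outage, **schedule_kwargs):
    """Return (delivered, elapsed_at_delivery, attempts) when the receiving
    MTA is unreachable for `outage`, measured from the first attempt."""
    attempts = 1
    if outage <= timedelta(0):
        return True, timedelta(0), attempts
    for t in retry_schedule(**schedule_kwargs):
        attempts += 1
        if t >= outage:  # receiver is back up by the time of this retry
            return True, t, attempts
    return False, None, attempts


def deliver_hours(outage_hours, **schedule_kwargs):
    """Same as deliver(), with the outage given in hours and the delivery time
    returned as a float number of hours (None when the message bounced)."""
    ok, when, attempts = deliver(timedelta(hours=outage_hours), **schedule_kwargs)
    return ok, (when.total_seconds() / 3600 if when is not None else None), attempts


if __name__ == "__main__":
    for hours in (2, 48, 72, 120):
        ok, when, n = deliver_hours(hours)
        state = "delivered" if ok else "BOUNCED"
        print(f"receiver down {hours:>3}h -> {state} after {n} attempts, at {when} h")
```

With these assumed values a two-hour outage costs nothing but a three-and-a-half-hour delay, a three-day outage is still covered, and anything past the four-day queue lifetime comes back to the sender as a bounce; the real figures depend on the sending MTA's configuration, which you cannot see or control.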
I've been running my own email server for years, and while it's indeed difficult at first, it is possible and you don't have much to do to maintain it when it works. All the horror stories you hear come from the fact that it's difficult to get right, and even when you get it right, you will have deliverability problems the first year, until your domain name gets established (and provided you don't use it for spam, obviously; and yes, marketing is spam).
What you need:
Being willing and serious about reading a lot of documentation
An IP that is not recognized as a home IP. So you'll need a "business ISP", or one that is not well known. You bypass this problem by using AWS.
Choosing a well-recognized TLD for your domain name, like .com, .org, .net, etc. Don't use one of those fancy new extensions (.shop, .biz, etc.); they are associated with spammers.
Learning how SPF works and getting it right (there is plenty of documentation and there are test tools for that)
Same for DKIM
Same for DMARC
Start using it for a year without making it your main address. Best is to use it for things that are not too mainstream, like FOSS mailing lists, discussing with people who have their own mail server, etc.; those will not drop your mails randomly. When a year has gone by with frequent usage, you can migrate to that email address or domain.
Regarding the architecture of your network: do you read your emails on several machines (like on mobile and laptop)? If not, you can dramatically simplify your design by using POP3 instead of IMAP, connecting your client to the AWS server, downloading all your emails to your computer and removing them from the server at the same time. There, you have all your mails locally and you don't need Dovecot. :)
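The SPF/DKIM/DMARC steps above are the part people most often get subtly wrong, so here is an added, offline example (written for this thread, not from the commenter) that builds the two TXT records you control directly and evaluates them the way a receiver does. The SPF evaluator is deliberately simplified: it handles ip4/ip6/include/all and the four qualifiers, treats a/mx/ptr/exists (which need DNS) as non-matching, and ignores redirect=; the include lookup is injected as a function so no DNS is needed. All domains and addresses are constructed (documentation ranges, example.org).

```python
"""Build SPF and DMARC TXT records and evaluate them offline.

Added example for this thread, not code from any poster. Simplified SPF:
ip4/ip6/include/all only; a/mx/ptr/exists never match; redirect= is ignored.
Domains and IPs are constructed placeholders."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def build_spf(ip4=(), ip6=(), includes=(), policy="-all"):
    """Compose an SPF record. "-all" = hard fail for unlisted sources,
    "~all" = soft fail (receivers usually score it rather than reject)."""
    terms = ["v=spf1"]
    terms += [f"ip4:{n}" for n in ip4]
    terms += [f"ip6:{n}" for n in ip6]
    terms += [f"include:{d}" for d in includes]
    terms.append(policy)
    return " ".join(terms)


def check_spf(record, client_ip, resolve_include=None):
    """Evaluate client_ip against an SPF record: "pass", "fail", "softfail",
    "neutral", "none" (not an SPF record) or "permerror".
    resolve_include(domain) -> record or None replaces the DNS lookup."""
    if not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = net.version == ip.version and ip in net
        elif mech == "include":
            sub = resolve_include(arg) if resolve_include else None
            matched = sub is not None and check_spf(sub, client_ip, resolve_include) == "pass"
        # a, mx, ptr, exists and modifiers such as redirect= fall through unmatched
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term present


def build_dmarc(policy="quarantine", rua=None, adkim="r", aspf="r", pct=100):
    """Compose the _dmarc.<domain> TXT record. adkim/aspf: "r" relaxed, "s" strict."""
    tags = ["v=DMARC1", f"p={policy}"]
    if rua:
        tags.append(f"rua=mailto:{rua}")
    tags += [f"adkim={adkim}", f"aspf={aspf}", f"pct={pct}"]
    return "; ".join(tags)


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Real
    implementations consult the Public Suffix List (co.uk and friends)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment between the From: domain and the domain SPF or DKIM authenticated."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """"pass" if an aligned SPF or DKIM pass exists, otherwise the record's p= policy."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none"
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


if __name__ == "__main__":
    spf = build_spf(ip4=["203.0.113.10"], includes=["relay.example.net"])
    dmarc = build_dmarc("quarantine", rua="dmarc@example.org")
    print(spf)
    print(dmarc)
    # Relayed through a third party: SPF passes for the relay's domain, but
    # DMARC only counts it if that domain aligns with example.org.
    print(dmarc_disposition(dmarc, "example.org", "pass", "relay.example.net", "fail", ""))
```

The last line of the demo is the case that bites people who send through SES, Mailgun or another relay: the relay's SPF passes for its own bounce domain, which does not align with your From: domain, so DMARC falls back to your p= policy unless the message also carries a DKIM signature with d= set to your domain (or the relay uses a return-path under your domain). Publish p=none with a rua= address first and read the reports before moving to quarantine or reject.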
I self-host everything except maps and email. Maps because it’s just not there, and email because even if you set it up perfectly with DKIM and everything, your IP can still land on a blacklist. You will spend more time doing blacklist appeals than it’s worth.
I will echo many others here: it's going to be rough getting good deliveries. While you are planning on running a proxy, that is basically the same as running an open port where your server is. While it may seem to be a good idea to send email from a random AWS address, it really isn't. Unless you are behind an IP that is specifically trusted as an email source, your traffic has a higher probability of getting dropped. (Many dynamic IP ranges for home internet connections are marked as invalid or untrusted sources, btw.)
Additionally, email servers are a hot commodity, especially if they are not blocked (yet) by the larger filter providers. All it takes is one or two reports, or a poorly configured firewall/IDS, to auto-trigger a submission of your IP address as "bad". By hot commodity, I mean you are going to get fuck tons of vulnerability scans. It's not the end of the world, but it's super annoying.
If I was operating as a Jr. Security Analyst again and saw any sus traffic coming from your address, I would submit a block and not think twice about it. Hell, most of those types of blocks are automated anyway.
However, if you do set one up and all is golden, great! It's worth the experience but something I won't ever do again. (Yes I did run my own email server before.)
You have the main problem in hand. You'll still need to do all the DKIM/rDNS stuff to be certain your mail is accepted, but using SES as the source gives you a significant leg up vs. originating locally. I don't see why you can't run Dovecot and Postfix on separate systems, but a single VM isn't bad if it's properly secured. Hosting SMTP/IMAP is not that difficult, but you need to make sure you don't accidentally misconfigure things and become an open relay. As with all internet-facing systems, mail services are targeted constantly, so you should use fail2ban to deter them.
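The open-relay warning above is worth turning into a check you run against your own VM after every Postfix change. The probe below is an added example written for this thread, not the commenter's code; it speaks only the SMTP envelope (EHLO, MAIL FROM, RCPT TO, then RSET) and never issues DATA, so nothing is actually relayed even if the server would accept it. The probe addresses and the FakeSMTP stand-in are constructed so the script runs offline; the 554 text mirrors what Postfix answers when reject_unauth_destination refuses a relay. Point it only at servers you operate.

```python
"""Probe an MTA for open-relay behaviour with a plain SMTP envelope.

Added example for this thread, not from any poster. Only probe servers you
run. Probe addresses and FakeSMTP replies are constructed placeholders."""
import smtplib
import sys

# Neither domain is local to the MTA under test, so a 250 to RCPT means it relays.
PROBE_SENDER = "relaytest@outside-one.example"
PROBE_RCPT = "relaytest@outside-two.example"


def probe_open_relay(host, port=25, smtp_factory=smtplib.SMTP, timeout=10):
    """Send EHLO / MAIL FROM / RCPT TO and report how the server answered.
    DATA is never issued, so no message is relayed even on an open server."""
    with smtp_factory(host, port, local_hostname="probe.example", timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        code, reply = s.mail(PROBE_SENDER)
        if code != 250:
            return {"relay": False, "stage": "MAIL", "code": code,
                    "reply": reply.decode(errors="replace")}
        code, reply = s.rcpt(PROBE_RCPT)
        s.rset()  # abandon the envelope cleanly before QUIT
        return {"relay": code in (250, 251), "stage": "RCPT", "code": code,
                "reply": reply.decode(errors="replace")}


class FakeSMTP:
    """Offline stand-in for smtplib.SMTP: answers like a hardened Postfix, or,
    with open_relay=True, like a misconfigured one that accepts any recipient."""

    def __init__(self, host, port=25, local_hostname=None, timeout=None, open_relay=False):
        self.open_relay = open_relay

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def ehlo_or_helo_if_needed(self):
        pass

    def mail(self, sender):
        return 250, b"2.1.0 Ok"

    def rcpt(self, recipient):
        if self.open_relay:
            return 250, b"2.1.5 Ok"
        return 554, b"5.7.1 <" + recipient.encode() + b">: Relay access denied"

    def rset(self):
        return 250, b"2.0.0 Ok"


def fake_factory(open_relay):
    """Build a smtp_factory-compatible callable that returns a FakeSMTP."""
    return lambda host, port, **kwargs: FakeSMTP(host, port, open_relay=open_relay, **kwargs)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe_open_relay(sys.argv[1]))  # e.g. python probe.py mx.yourdomain.example
    else:
        print(probe_open_relay("mx.example", smtp_factory=fake_factory(False)))
        print(probe_open_relay("mx.example", smtp_factory=fake_factory(True)))
```

Run it from a host that is not in the server's mynetworks and not authenticated, otherwise a 250 is legitimate. A thorough check also repeats the probe with a sender under your own domain, since a common misconfiguration trusts the MAIL FROM domain instead of the connecting network; the Postfix setting that decides this is smtpd_relay_restrictions, and the safe shape is permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination.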
If you are saying you can’t because your ISP blocks port 25, there are a few solutions you can use that are free as long as you don’t send or receive over 2000 emails a month, or something like that. I have used both of these solutions with my last ISP, since they blocked port 25. I used http://ghettosmtp.com as a relay server. Wesley, the provider of the service, is a pretty neat guy. I used https://www.smtp2go.com as my external outbound relay. They both worked great as a workaround. I have AT&T fiber now, and 25 was blocked until I called in and requested it to be unblocked.
Anyways, I hope that helps. Let me know if you have any questions!