this post was submitted on 29 Jan 2024
14 points (85.0% liked)

Selfhosted

40134 readers
543 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hey-ho 👋

What is the best approach for selfhosting an email server with static IP or blocked port 25?

I've done it many times in many different ways, now doing it again and want to hear what is the best approach these days

My port 25 isn't even probably blocked, I just prefer to use my vps to help it with this stuff

Any suggestions?

top 23 comments
sorted by: hot top controversial new old
[–] [email protected] 16 points 9 months ago* (last edited 9 months ago) (3 children)

Hosting email with mailcow dockerized worked pretty good on my netcup vps, but before you go into hosting email ask yourself a few questions:

  • Will you use your selfhosted mail for important things? (Banking, official correspondence and so on)
  • Can you promise a near 100% uptime? Otherwise, some email might not reach you.
  • How important is the Mail you send? Some (stupid) Blocklists generally block all IP ranges that are sold out by vps companies and other kinds of IAAS.
  • If you register any accounts with your selfhosted mail, can you guarantee yourself that your email account is secure? Don't underestimate what an attacker can do with a compromised Mail account.

I personally ended up scrapping my email server eventually. Nowadays I pay a company to do the mail hosting, you just need to set some DNS records and they do everything else. Personally, I'm with proton, but there are many good alternatives.

[–] [email protected] 6 points 9 months ago

Ya I had to bail on hosting email, getting off of block lists and verifying that people even get your outbound email is near impossible at this point.

[–] [email protected] 3 points 9 months ago (1 children)

As i said i already have experience of hosting email, many different ways, etc

Will you use your selfhosted mail for important things? (Banking, official correspondence and so on)

I'm barely using email because have really few services that require an email (foss and selfhosting evangelism)

Can you promise a near 100% uptime? Otherwise, some email might not reach you.

I can promise you anything under these stars. And some of it would be true because my specialization is 0 downtime systems

How important is the Mail you send? Some (stupid) Blocklists generally block all IP ranges that are sold out by vps companies and other kinds of IAAS.

Never had any problems with the big hosters like do, linode, vultr, hetzner

If you register any accounts with your selfhosted mail, can you guarantee yourself that your email account is secure? Don't underestimate what an attacker can do with a compromised Mail account.

Selfhosting for many years, never got hacked because I take security seriously

Nowadays I pay a company to do the mail hosting

I'm trying not to pay companies when not necessary, and especially not for a "setup service"

[–] [email protected] 2 points 9 months ago

Alright, you seem to have a good grasp on what you're doing. Good luck have fun. I really hope it works for you.

[–] [email protected] 1 points 9 months ago

Can you promise a near 100% uptime? Otherwise, some email might not reach you. Just lol. Mail get queued just fine by everyone. If you really concern , setup second MX.

[–] [email protected] 6 points 9 months ago* (last edited 9 months ago) (1 children)

email is one of the only services i just gave up on (after rolling my own exchange for over a decade). its too annoyingly complex, tedious to do correctly for just yourself. its not worth it.

[–] [email protected] 1 points 9 months ago (2 children)

I do it not really for myself, slow and steady i'm converting everyone I know to using my services

Sounds impossible, but some people already are using almost the whole suite and are happy. More and more people are asking if they can join.

The global sentiment is moving towards "tired of google", "tired of paying for bad services"

[–] [email protected] 4 points 9 months ago (1 children)

Self hosting email on non-mission critical domain for learning purposes might be okay if your intention is to get into the industry. Self hosting email for others on more production like setting you’re going to find yourself in a world of pain.

All it takes is one missed email (be it not making into their intended recipient’s inbox, or them not receiving an important notice in their inbox) and you’re never going to hear the end of it.

You’d also be liable for content your users send out from your servers — and I don’t mean the spam type, though if you get your IP blacklisted, your provider may want to have a word with you.

I’d strongly advise against going down this path, but if you do, be sure to have ways to legally shield yourself from any sort of potential liabilities.

[–] [email protected] 1 points 9 months ago (1 children)

No problem, the world of pain is my hometown

[–] [email protected] 3 points 9 months ago (2 children)

I do not understand why everyone calling hosting email difficult? IT is like 5 RFC you need to read and implement. Sofware wise you will need mail agent, something for DKIM ( if it not build in in agent), "local delivery agent" ( probably presenting it as IMAP) + mail reader of your choice. Nothing too complex

[–] [email protected] 1 points 9 months ago

The complex part isn't the hosting part. Its the security part, the reputation management part, the uptime part, the troubleshooting delivery part and basically every other aspect other than running postfix+dovecot

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago)

It's not complicated until your reputation drops for a multitude of reasons, many not even directly your fault.

Neighboring bad acting IPs, too many automated emails sent out while you were testing, compromised account, or pretty much any number of things means everyone on your domain is hosed. And email is critical.

[–] [email protected] 1 points 9 months ago

Hosting your own email is a bad idea. Hosting OTHER PEOPLE'S email is a REALLY BAD idea. Self-hosting mail on a vanity domain is a good exercise to learn how SMTP, DNS, IMAP and other protocols interact.

If you don't like Google, Apple, or Microsoft then sign them up with Proton or another hosted provider. You don't want to be the reason someone lost income because they missed out on a critical email from a client or their job application was blocked because it was sent from a host with poor reputation.

[–] [email protected] 4 points 9 months ago* (last edited 9 months ago) (1 children)

You can selfhost the email server wherever you want. But you've to use some external system to deliver the email or you'll end up in spam because your residential IP is most likely dynamic and already flagged by most email providers.

One way to do it is to get a VPS somewhere and setup Wireguard on it. Then configure your local system to bind to the Wireguard interface and IP so all email send and received using the tunnel. Dovecot doesn't care what interface it is running on, Postfix has specific options that you can change in master.cf to accommodate the fact that it will be binding to the VPN IP and the real IP is the VPS public IP.

  1. Setup a install of Dovecot / Postfix / Rspamd on your local server: https://workaround.org/ispmail-bookworm/
  2. Start by setting up a Wireguard tunnel between your local server and the VPS: https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04
  3. Create a outgoing transport for the email that uses the WG tunnel and is aware of the VPS public IP:
out-wg      unix  -       -       n       -       -       smtp
 -o proxy_interfaces=188.xxx.xxx.xxx # the real public IP of the VPS
 -o smtp_bind_address=10.0.0.2 # the IP that your local server has on the WG interface
 -o inet_interfaces=10.0.0.2 # same as above
 -o myhostname=server.example.org # should match the PTR / reverse DNS entry on the VPS IP
 -o smtp_helo_name=server.example.org # should match the PTR / reverse DNS entry on the VPS IP
 -o syslog_name=smtp-wg
  1. Set your VPS firewall to NAT/forward incoming traffic on port 25, 587, 465 and 993 to the local server (wireguard client 10.0.0.2);
  2. Change main.cf to use the transport by adding: default_transport = out-wg.

That's everything you need to get it going. Use https://www.mail-tester.com/ to debug if DKIM and everything else is properly setup at the end.

[–] [email protected] 2 points 9 months ago

Very nice walkthrough. Gonna bookmark this.

[–] [email protected] 3 points 9 months ago* (last edited 9 months ago)

I've setup my email via a VPN to my own server.

  • DNS, mail, business web, cusromer web on VPSes (2, 1 primary, 1 secondary DNS only)
  • Personal email, incoming and outgoing via VPS, personal websites (all static) on local system (RPi 4 8GB)

This gives the advantage that your outgoing email always comes from the VPS ip address (pick a VPS provider that is trusted) and when your line is down, incoming email is cached on your VPS. It's a tad of double work, but pretty secure. Even connecting to my employer to work from home is not a big issue. (and that connection is limited to it's own vlan)

Also, with this method, you can route the mail into your network via port 26 when 25 is blocked or even set an outgoing vpn to your VPS and route the email that way. You'll be provider independent at home. (I even have a private ipv6 /48 via a tunnel broker)

You'll need to work a lot on your knowledge though, without DNSSEC, SPF, DKIM and DMARC the big 2 (Google and hotmail) will refuse your email.

[–] [email protected] 2 points 9 months ago

Do not try to host outbound mail on residential IP blocks, delivery will be really bad. Cheap VPS is same story. You best bet is VPS from some not well know provider, they may be avoid to be in blacklist in M$ and Google. Inbound mail is fine anywhere as so long as you can have port 25 open. DDNS works too.

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago) (1 children)

I think mail forwarders are still a good way to go. It's hard to predict how Internet providers will react to email running in their networks.

These days I have an ec2 at AWS for my mail server and use SES for outbound mail. I'm thinking of moving "receiving" back into my network with a simple chat forwarding service but keep SES for outbound. They handle all the SPF and DKIM things and ensure their networks aren't on blacklists.

[–] [email protected] 1 points 9 months ago (1 children)

react to email running in their networks.

Is email dangerous? (I have no idea how email works so please don't bombard me with acronyms)

[–] [email protected] 2 points 9 months ago (1 children)

It's spam they're concerned about. Spam email is kinda "big business" and one way they thrive is by using bots to just scan for poorly-configured or vulnerable systems to hack and install an app that will let them send email from your system. By compromising hundreds or thousands of individual machines it makes it hard for mail providers to block them individually. It also uses a ton of bandwidth on internet service providers networks.

So some time ago service providers started to simply block port 25 (used to send email) on their networks except to certain services. I think they've backed off a bit now but inbound port 25 can often be blocked still. It may even be against their TOS in some cases.

[–] [email protected] 1 points 9 months ago

Oh wow, thanks for the explanation.

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago)

This is the approach I use, not sure if it'll work for your use case but I can assure you it works for at least a few users. It's all sort of manual set up but from your comments it sounds like you're just doing this for friends and family and not on an enterprise level. I admire your efforts!

First off, I have a purelymail account on which I set up domains and accounts for each user. I have mine set up so [email protected] all goes to the user1 mailbox (and [email protected] goes to the user2 inbox regardless of domain, etc.) but you can set up some pretty complex routing if you want - and if you know a bit of sieve there's even that. Purelymail handles the actual email sending/receiving so I'm putting a lot of trust in them, but it seems like they have a good track record and I don't think I could do better on my own. Plus they're dirt cheap. My big concern with email is always deliverability. Anyway, you'll see this is all set up in such a way that I'm using purelymail now, but I'm not tied down to them.

Second, I use this image (linking to the repo and not the docker hub version so you can inspect the Docker file for opsec reasons. In my set up I build it from source because I have a couple modifications) which is a dovecot IMAP server + getmail. This is python getmail not go-getmail and not fetchmail. The repo itself has some pretty straightforward instructions but the way it works is basically that users inside the docker container each map to a mail directory. So each user's credentials is actually a Linux username and password within the container. I have mine set up so it's like user1, user2, etc. (which confused my users initially because automatic set up forms are never set up this way) but you could set it up however you need. Then, there's a Cron set up to run getmail which you have to configure yourself within a cron.d folder that you mount on the container. For mine I have it configured to use POP3 so that when it gets stuff off purelymail it's automatically deleted.

Finally, you just set up your mail clients to use this IMAP server and purelymail's SMTP but if you know how to set up a forwarder you can always have it relay through purelymail. Purelymail even has the ability to relay emails to your SMTP server.

[–] [email protected] 0 points 9 months ago* (last edited 9 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
IMAP Internet Message Access Protocol for email
IP Internet Protocol
NAT Network Address Translation
POP3 Post Office Protocol v3, for email; contrast IMAP
RPi Raspberry Pi brand of SBC
SBC Single-Board Computer
SMTP Simple Mail Transfer Protocol
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

9 acronyms in this thread; the most compressed thread commented on today has 9 acronyms.

[Thread #461 for this sub, first seen 29th Jan 2024, 13:05] [FAQ] [Full list] [Contact] [Source code]