hckrnws
Assuming this is not hosted on your home system, since ISPs may block the ports and also most of the dynamic ips allocated are blacklisted, the issue with postfix is that its difficult to have a single set and forget config if you intend to use it on multiple internal machines, like for getting your root email on each system to one mailbox. Ideally you want a single main.cf for all your internal machines and for the outgoing/incoming mailhost to be determined solely by your mx or internal dns alias, but this is next to impossible with a single postfix config without getting mail loops on the system that is the mailhost. Exim and sendmail at least separate out the submit config from the rest of the configuration. Also you would be insane to try this without fail2ban or something similar. Postfix does a reasonable job of handling attackers but it does so quietly -- so you may not see the activity.
Here is my advice to anyone wanting to test out self-hosting email. Start by using your self-hosted email to sign-up for accounts. You don't have to use the email address for your personal correspondence
Use Mail-in-a-box to get started [1]. You can literally set it up in a couple of hours by following the instructions and everything should just work.
After a few years, you can think about switching your personal correspondence to your new email.
I can recommend Stalwart [1] which is a complete mail service contained in a single binary, that doesn't really have any external dependencies, and is really easy to install and update.
I've looked (and tried) a few other projects in the past, but Stalwart was the easiest to setup, and I haven't had any issues with it so far.
It’s also what Thunderbird is using to build their paid email hosting. Seems like a very ambitious project mostly done by a single person – impressive!
I've been running MIAB for a few years now with generally good success as an outgoing sender using a rented cloud machine and a "clean" reputation IP. I've had to email the Microsoft postmaster on one occasion when my emails weren't reaching Outlook users, but they were surprisingly helpful and it's been working fine for years now. It's a good learning exercise in setting up stuff like DKIM/SPF/DMARC.
That said - receiving account sign-up emails is the absolute biggest pain in the backside with Mailinabox! The greylisting anti-spam feature relies on bouncing unknown senders and waiting for a retry. The trouble is, many legit sites just don't bother retrying. So email verification for new accounts and 2FA-type stuff often takes ages to come through, if at all. MIAB stubbornly has no easy, mail user-facing way to temporarily disable spam filtering and it's a real PITA at times.
Oh! That's what it is. I just thought some websites just took longer to send an email to my unknown domain.
I see that the only way to disable greylisting is to configure the underlying tool [1]. But it also means that SPAM will increase a lot.
[1] https://discourse.mailinabox.email/t/how-to-turn-off-edit-gr...
It's better to whitelist the domains you'll be getting mfa from.
Modern email providers, especially ones offered by ISPs often have the same problems that people criticize self-hosted providers for. Even Google has problems. For example, I regularly order via companies that use Shopify. Now, all of the shopify emails are going straight to spam in Gmail, despite constantly marking them as not spam. (These even pass dmarc/spf/dkim etc, so who knows what's going on here.)
Email delivery and receiving is not hard, but it's inevitably going to be imperfect, no matter the provider you use. There are so many bad actors out there, it's surprising that it works as well as it does.
I have self hosted my email for about twenty years; fr about ten or fifteen I just forwarded everything to Gmail but had to revert to local ( started with local mail in emacs, but switched to imapd to solve the airplane ticket in the airport issue) because so much important stuff was marked as spam. Like in the middle of a conversation between me and on other person their reply to my email (which I always bcc:ed ack to myself) would disappear. Self hosted is much better. It took few iteration to get spf etc working.
> These even pass dmarc/spf/dkim etc, so who knows what's going on here.
Those have nothing to do with being spam, right? Spam is about content, those are about authenticity. Anybody can send authentic trash, or unauthenticated gold.
That behaviour is the whole problem. If you use a self hosted or small time email provider you're much less likely to have email blocked or filtered by aggressive anti-not-gmail filters.
Hilarious Gmail addresses send tonnes of spam so filtering by provider doesn't do much there days anyway. But Google insists to continue
Bizarrely, I also find Gmail's spam algo is actually oversensitive to marketing emails from companies these days, which I never thought was something I would complain about. But like you said its super annoying when I actually want the emails.
Seems like we had the opposite problem 10ish years ago. But now the pendulum has swung a bit too far in the other direction.
Ultimately most of the spam I get these days is actually from individuals doing low volume cold outreach from personal email addresses...not companies sending bulk. The new gmail unsubscribe feature works great for marketing emails but is worthless against cold email spam -- which somehow rarely ever lands in spam.
Say I want to test the waters for selfhosting email, and I already have my how domains setup with SaaS like Google workspace and equivalent. Is there a way to setup mx records so that both google and my own server gets email for a while? This would be useful to test the waters over a few months before fully migrating
Not really, SMTP relays will only send messages once, to one server.
But it’s not receiving that is the problem, that is generally fine, if ports are open at ISP / network level. It is the sending that is often tricky. Sending email on the other hand can be done from multiple servers (if SPF correctly configured) And nothing prevents you from sending email directly from your own relay. You could try that, and reception would not be affected.
Not sure why someone would go through the pain of cobbling up a self hosted solution based on Postfix when you have fully integrated solutions like https://stalw.art/, which are a breeze to setup.
Because postfix is foss, will work with everything and for all time and if there's a problem with it you'll actually be able to fix it.
[dead]
Where is UUCP? Why are addresses not bang paths? Where is sendmail.cf?
Right. You better not self-host like it's 1984 because that would also mean you're an open relay. And vulnerable for pretty much anything you can think of.
Ditto. I was sorely disappointed to click through "1984" to find a subheading on "setting up postfix".
What about mail servers generally rejecting email (or marking as spam) from residential IP ranges? Decades of malware sending spam has spoiled self hosting emails.
I needed some minimal mail delivery for user registration confirmation and password recovery, and I finally caved and just use some free service. It's okay since those emails are really, really, sparse in my case. But it sucks that email, this one old and open technology, is not realistically self-hostable.
Yeah, hosting on or at least tunneling through a commercial IP address is definitely required in order not to be flagged as spam. Personally, I chose the latter option of hosting my MTA at home but tunneling its traffic through a VPS in a datacenter. It's been working pretty well ever since, although I'm not sure it's worth the effort versus just using a cheap hosted provider.
[flagged]
I self-hosted for well over 20 years, I did not throw the towel and I do not plan to. Self-hosting is a sign of pride. Neither my government nor my Prime Minister nor even my Ministry of Interior or Foreign Ministry can host their own email.
Last time I checked, only State Security self-hosted.
I was probably lucky, but I rarely had delivery problems. The last one was a couple years ago with Microsoft swallowing my emails and it was due to the combination of a fairly old exim and a TLS certificate verification quirk at *.protection.outlook.com. I found a fix in the form of a configuration option somewhere on SO.
In all fairness, there is very little maintenance involved, and whenever I have to do maintenance work, I take the opportunity to learn something new. Like this year, I decided to finally replace my aging Debian jessie setup by Arch Linux, and I rewrote all cron jobs as systemd timers.
I must admit that when I send a really important email, I check the mail server log if it went off without errors, but this does not bother me as checking logs manually once in a while is a good thing anyway.
Lastly, a piece of advice: treat self-hosting like a hobby and learn to enjoy it.
Oh and the very last thing: the person who designed Exim configuration for Debian deserves a special place in hell for all the hours wasted. If you set up Exim on Debian, just figure out how to use the upstream exim config and adapt it to your needs.
The Canadian government too. They let Microsoft do it. A company headquartered in a country threatening to annex Canada, and known to collaborate with their spy agencies.
> Neither my government nor my Prime Minister nor even my Ministry of Interior or Foreign Ministry can host their own email.
Can or wish to?
There was a blog posted to HN years ago describing a self hosted email setup in detail, and this was indeed the main issue. Everyone he emails is on a small number of big companies, and most of them don't like his server.
Edit:
"After self-hosting my email for twenty-three years I have thrown in the towel"
https://news.ycombinator.com/item?id=32715437
https://cfenollosa.com/blog/after-self-hosting-my-email-for-...
I remember reading this and being enraged for all of us.
My first email usage was at University, pre-WWW. After that I briefly used some ISP email service, but that was on a time of very limited storage and POP only accounts, so I started hosting my own email even before having an always-on internet connection, using a relay and dynamic DNS to receive email when online. Now a days, I use a small VPS to route and receive email, but final destination and storage is on my home server. Over the years, I had, like others here, to ask Outlook and other providers to unblock my IP or domain, but it has been rare.
I really don’t want to live in a world where only two or three companies run email for the entire world, and this is my little act of resistance.
One problem in this are bad actors. German Telecom for example (t-online.de) only accepts mails from servers it whitelists.
To get whitelisted you have to apply with them and your domain HAS to have a website with an Impressum, your clear legal name AND an email that is NOT your domain for emergency contact. It is insane. If every provider would act like that, email would die in a month.
Ironic that a big telecom does not believe in decentralized protocols. Oh wait….
[dead]
It's addressed in the article:
> The elephant in the room is real-world deliverability. With self-hosting you risk not receiving mail or someone missing your mail. I accept this for my personal projects, but you may not. Keep this in mind.
Not self-hosting if you actually need email does not address the elephant that self-hosting email doesn't actually do email. I say this as someone who self-hosted for several years but had to give up because important emails were discarded. Until the deliverability issue is actually addressed, self-hosting is not viable for email.
I’ve been self hosting my email for thirty years. I don’t have any more deliverability issues than I do at work using a major provider. It is entirely viable.
I've never heard of "not receiving" as a problem. Does that happen in the real world? In what cases?
I went back to self hosting when Google were going to kill free Gmail for your domain. I have no problems with deliberability. And I have tiny mail volumes.
Pre Gmail I was on Exim. Now I'm on Postfix. I used the 123qwe.com tutorial as a starting point.
The real problems are (1) family members just want Gmail and (2) I have to maintain an email system.
I do wonder about reliability. The only things I'm missing are the PTR record and reputation from what I gathered. Even if the mail server goes down, mail gets to me because email providers attempt to deliver again.
Anyway, I added a disclaimer at the top, so people don't treat this as a production ready setup.
Isn't that what DMARC is for?
DMARC is for setting policy to authenticate email which ends up becoming a requirement to even send mail to other providers, amongst an evolving set of policies which may cause your emails to be silently undelivered.
[dead]
I haven’t read the article and I am to afraid to open the link in case they are using sendmail.
How long are you going to keep the cat in the box?
Spoiler alert, it’s Postfix. So not really 1984 software. But then again, neither is Linux…
Almost everything described in the article didn't exist in 1984. Postfix, OpenDKIM, TLS, SPF, DKIM, DMARC. Only very basic SMTP and DNS, but even MX records didn't exist.
But the experience of using mailx is close to that time, hence the title. Even though I’m too young to know for sure :)
Crafted by Rajat
Source Code