this post was submitted on 27 Sep 2023
94 points (99.0% liked)

Selfhosted

39980 readers
768 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

So I've been running self-hosted email using Mailu for a couple of months (after migrating out of Google Workspace). Today it turned that although my server seems to be capable of sending and receiving emails, it also seems to be used by spammers. I've stumbled upon this accidentally by looking through logs. This seems to have been going on for all this time (first "unknown" access happened just a couple of hours after I've set everything up).

While browsing the logs there were just so many crazy things happening - the incoming connections were coming through some kind of proxy built-in to Mailu, so I couldn't even figure out what was their source IP. I have no idea why they could send emails without authorization - the server was not a relay. Every spammy email also got maximum spam score - which is great - but not very useful since SMTP agent ignored it and proceeded to send it out. Debugging was difficult because every service was running in a different container and they were all hooked up in a way that involved (in addition to the already mentioned proxy) bridges, virtual ethernet interfaces and a jungle of iptables-based NAT that was actually nft under the hood. Nothing in this architecture was actually documented anywhere, no network diagrams or anything - everything has to be inferred from netfilter rulesets. For some reason "docker compose" left some configuration mess during the "down" step and I couldn't "docker compose up" afterwards. This means that every change in configuration required a full OS reboot to be applied. Finally, the server kept retrying to send the spammy emails for hours so even after (hypothetically) fixing all the configuration issues, it would still be impossible to tell whether they really were fixed because the spammy emails that were submitted before the fix already got into the retry loop.

I have worked on obfuscation technologies and I'm honestly impressed by the state of email servers. I have temporarily moved back to Google Workspace but I'm still on the lookout for alternatives.

Do you know of any email server that could be described as simple? Ideally a single binary with sane defaults, similarly to what dnsmasq is for DNS+DHCP?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 1 year ago (1 children)

Eh, I guess it's a Ship of Theseus kind of thing. So much in the core is roten that if we change it you could argue it will be something different.

[–] [email protected] 1 points 1 year ago (1 children)

Sure, but my point is.... sending electronic messages, or electronic mail; why would this practice die?

[–] [email protected] 2 points 1 year ago

Traditional snail mail has died. For bills and other important documents there are better, digital, solutions out there. Mail has too many security issues to be the answer for that. What do you get by email today that couldn't be chat message, an entry in a RSS feed, part of a social media feed or a to do item of some sort? 95% of my mail box is newsletters and ads. The rest is order confirmations from various sites. But none of that needs to be emails imo.

The only real, proper use case, these days is work related communication. But even there chat is often the better tool and email lacks because it's fundamentally insecure and to make it secure you run into the problem of having to set it up between domains, and if you're already doing that kind of work why not decide on a more secure by design communications channel?

I think in the future communication solutions like Matrix that can talk to (virtually) all other solutions will enable us to move away from email, but it won't happen until we get Matrix like solutions for task management such that I can send someone a task without having to care about which solution they use at X company, and it will still land in that system. Once we have something like that mail won't have anything going for it. That really is the final use case.