this post was submitted on 27 Feb 2025

*With ‘better’ I mean that an encrypted solution is adequate in these cases because the mails are on other servers, and the companies/servers depend on the jurisdiction where they are located. But by hosting a mail server at home, even unencrypted, we are 100% in control of our data.

PS: is there a self-hosting mail server solution that stores everything encrypted? I already self-host almost everything I use, but not email.

top 15 comments
[–] [email protected] 1 points 59 minutes ago* (last edited 44 minutes ago)

Two points I'm not sure got mentioned here:

  1. There is a new hero on the block - his name is mox and he is bloody awesome! It's a single binary written in Go that takes care of (citing) ...IMAP4, SMTP, SPF, DKIM, DMARC, MTA-STS, DANE and DNSSEC, reputation-based and content-based junk filtering, Internationalization (IDNA), automatic TLS with ACME and Let's Encrypt, account autoconfiguration, webmail... pretty much everything. As somebody who maintains a few mail servers for a living - this is a wet dream come true. It implements e.g. MTA-STS, which I haven't seen even on many commercial offerings yet. You run it once - it returns a long file with DNS records for MX, SPF, DMARC, DKIM etc... You run it a second time with some switch - it generates its systemd file. Then you just spin it up - and that's it. I always wanted to write something like this but I am nowhere near clever enough. There may be some performance constraints, it's probably not "production grade" yet - but I've been using it for over a year with stellar results.

  2. There has been a lot of gatekeeping (they call it security strengthening) going on lately. In my experience, even a year ago, if you managed to fit into your DKIM / DMARC / SPF rules stated in your DNS records you could still deliver pretty much everywhere. Even with a dynamic IP. As of June 2024 Google started to enforce PTR records and M$ I believe followed (meaning if your IP doesn't have a correct PTR record your mail isn't deliverable to Google / Microsoft mail servers). Most residential ISPs will not enable you to edit your PTR and since more and more people / companies use bloody Google / M$ cloud services I don't think it's worth running a mail server just from home because the deliverability would be hit and miss. You need at least to proxy the outgoing mail through some cheap VPS with a public IP that you can set a PTR on.
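A pre-flight check for the PTR requirement and the SPF/DMARC records mentioned in the comment above, as an added example that is not part of the original comment. The function names, the injectable `reverse`/`forward` resolvers and the sample records are assumptions made for illustration; with no resolvers passed, `fcrdns` uses the system resolver.

```python
import ipaddress
import socket

def fcrdns(ip, reverse=None, forward=None):
    """Forward-confirmed reverse DNS: the PTR name of ip must resolve back to ip."""
    reverse = reverse or (lambda a: [socket.gethostbyaddr(a)[0]])
    forward = forward or (lambda n: [ai[4][0] for ai in socket.getaddrinfo(n, None)])
    try:
        names = reverse(ip)
    except OSError:
        names = []
    if not names:
        return False, "no PTR record"
    want = ipaddress.ip_address(ip)
    for name in names:
        host = name.rstrip(".")
        try:
            addrs = {ipaddress.ip_address(a.split("%")[0]) for a in forward(host)}
        except (OSError, ValueError):
            continue  # PTR target does not resolve or returned an unparsable address
        if want in addrs:
            return True, host
    return False, "PTR does not resolve back to " + ip

def spf_all_qualifier(txt_records):
    """Qualifier of the SPF 'all' mechanism, or None unless exactly one SPF record exists."""
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return None
    for term in spf[0].lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None

def dmarc_policy(txt_records):
    """Value of the p= tag of the first DMARC1 record, or None if there is none."""
    for txt in txt_records:
        pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
        tags = {k.strip().lower(): v.strip() for k, v in pairs}
        if tags.get("v") == "DMARC1":
            return tags.get("p")
    return None

# Constructed sample data (documentation addresses and example domains), usable offline.
PTR = {"203.0.113.25": ["mail.example.org."], "203.0.113.80": ["dyn-80.isp.example."]}
A = {"mail.example.org": ["203.0.113.25"], "dyn-80.isp.example": ["198.51.100.7"]}

def sample_check(ip):
    return fcrdns(ip, lambda a: PTR.get(a, []), lambda n: A.get(n, []))
```
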

[–] [email protected] 4 points 10 hours ago* (last edited 10 hours ago)

This topic always gets strong opinions on Lemmy. The truth with security is: it always depends a lot on what you're doing and fighting against, i.e. the threat vectors. There probably are some edge cases where it's better to have physical control over the server. And there will be other cases where it's better to use an established solution.

Just keep in mind, the people over at the good companies do this as a job. They probably have years of experience. Had long meetings to discuss technicalities and what might happen and how to handle it. They've analyzed the threat vectors and put some thought into the exact setup. And they likely constantly improve it. You need to judge by yourself if you can do it as good as them. And you obviously don't want to make any major mistakes.

There are several all-in-one mail solutions available. I don't know which can do encryption at rest. Stalwart can do it. There is autocrypt.org and some Dovecot plugins, so I guess everyone can do it.

I like selfhosting and having control. What I host probably isn't perfectly secure, though. Since I don't spend all my time doing it and I also haven't had anyone else look at the config and check for potential problems. E-Mail is one of the more complicated things. Due to abuse and spam, a bazillion things got added on top of the original protocol and the other providers are relatively strict with flagging mails as spam or straight refusing to accept them. So there are lots of things to do, and get right. Even without encryption. And usually the needed ports are blocked on residential internet connections.

(And ultimately, your house also is under some jurisdiction, so if you're worried about your own government, they can come raid your house and take your server. Or bug your phone and laptop. So you need additional security like encryption. And means to ensure they can't circumvent it. And tamper-proof devices.)

[–] [email protected] 29 points 16 hours ago (4 children)

Hosting email is hard. Getting your reputation up to a point where emails will even be delivered is challenging, and then you have to worry about the absolute non-stop attacks on your server. Patch, patch, patch...

[–] [email protected] 1 points 8 hours ago

https://poolp.org/posts/2019-08-30/you-should-not-run-your-mail-server-because-mail-is-hard/

It's not super easy, but it isn't impossible either, especially nowadays with email deployment suites

  • mailu.io
  • iredmail.org
  • mailcow.email

(I'm talking about the email part, hosting at home would also bring other issues e.g. availability, you would need a VPN to route it from a non-residential IP, etc)

[–] [email protected] 2 points 11 hours ago (1 children)

What if I'd like to receive emails? I don't really send emails at all lol

[–] [email protected] 2 points 10 hours ago (1 children)

I mean... your email client can already do that, so I'm not sure what the point would be.

[–] [email protected] 1 points 3 hours ago

Cause then you could self host email without worrying about the complicated side of it. Since you have no need to send emails.

[–] [email protected] 3 points 15 hours ago (1 children)

The fact you are asking scares me a little. If you are seriously thinking about this, please don't - you will very likely become an open relay, which is bad for everyone. It won't even help with your privacy concerns. Seriously. Running a mail server is a full time job.

[–] [email protected] 1 points 6 hours ago

Yeah running your own email server is basically just broadcasting who you are to everyone you give it to.

[–] [email protected] 1 points 16 hours ago (1 children)

Is it really THAT difficult? Hillary Clinton did it...

[–] [email protected] 3 points 15 hours ago* (last edited 15 hours ago) (1 children)

Honestly? No. It takes a bit of reading into SPF, DMARC, DKIM etc., and you will need to set up an authentication method (using PAM means you need to cache your Unix users' credentials in mail clients), which is easy via the dovecot passwd driver. The problem is that some blocklists will block any residential connection by default, but mxtoolbox will search through those, and I basically only needed to fill out Spamhaus's unblock form, which is easy. Even my employer (major bank) seamlessly accepts any emails from my domain.
Bruteforce attacks can be caught with fail2ban and reported to AbuseIPDB.

[–] [email protected] 2 points 12 hours ago* (last edited 11 hours ago)

> It takes a bit of reading into SPF, DMARC, DKIM etc.,

That alone is often (usually?) not enough. Since many IP addresses are already blackholed before you even set up a mail server on one, there is also the slow and sometimes painful process of:

  • Figuring out by trial-and-error which recipients are not receiving mail from you (or are receiving it directly into their spam folders).
  • Figuring out which email filtering services are used by those recipients' mail providers.
  • Figuring out how to contact those filtering services.
  • Figuring out what process each filtering service uses for requesting removal from their blacklists (or adding to their whitelists).
  • Navigating each of those processes.
  • Submitting documentation of having done so.
  • Waiting and hoping for the filtering services to accept your request and start allowing mail from you.

...and then starting all over again every so often, whenever a filtering service changes their configs or a new one appears.

It can be done, and you might get lucky, but it often requires tenacity and a lot of patience.

[–] [email protected] 8 points 15 hours ago

One thing you'll find about self-hosting is that you find yourself on the other side of the spam shield very often, and getting your server to a point where other servers won't block or filter you can be a challenge, especially if your IP or domain is on more aggressive lists like Spamhaus.

Besides that it's not really that much different from hosting another Federated service, which you seem to have experience with.

[–] [email protected] 4 points 16 hours ago (1 children)

Self-hosting has other drawbacks. You need to maintain your server, you need a steady internet connection and a steady power supply. These are things providers like Proton and Tuta deal with for you.

[–] [email protected] 1 points 9 hours ago

Proton even takes care of endorsing MAGA for you 👌 Some people call that a bargain and a feature. I call it a reason to switch.

Anti Commercial-AI license