"Run Your Own Mail Server" by M.W.Lucas

I started sending through Amazon SES around a year ago. That got the blocklisting down to practically zero and my volume is low enough to be free. Running a mail server itself is not *THAT* hard really, I consider that a pernicious myth. It's the babysitting of users and the rest of the outside world misbehaving that takes most of the time. My stack: FreeBSD obviously, Postfix, Dovecot, OpenDKIM, OpenDMARC, SpamAssassin (I know, old but works), clamav-milter, and a few plugins for Dovecot like Sieve.

Running through SES botched the test above quite a bit. It takes it down from 9 to 6 for me, which is worth a complaint against AWS (which is interesting and I'm going to route through the big fat enterprise support agreement at $work for added effect). The test at internet.nl is less comprehensive but good enough for my purposes. Mail works and has worked for me for years with my current setup, which is practically maintenance-free. I can't help the DANE situation unfortunately as AWS Route53 doesn't let me add that, which is another open case with AWS posted with my work hat on.
 
What the heck is the point of MTA STS when the server can just do SMTP over TLS? "I put something in my DNS records" YES THAT IS WHAT THE MX IS FOR.
 
Install a mail server, follow the documentation. Learn the basic protocol – it helps a lot when debugging and looking for vulnerabilities. It also clarifies a number of idiotic myths that have accumulated over the years.

Spamhaus is tolerable among free blacklists while all others are complete junk. You shouldn't expect miracles though: I checked today's spam feed at Spamhaus: 3 IPs were indeed listed, 1 was clean, and 1 IPv6 was also clean.

Much of spam used to come from big tech free mail, and the vast majority of that was GMail. This has been rapidly improving in recent years. However I haven't administered a busy mail server for some time now, so I might not have the full picture.

Graylisting and fake MX records with higher priority work just fine on stupid botnets. SPF does not because it's trivial to circumvent. The idea was good, but the actual protocol that they cooked was a conceptual disaster.

DKIM, DMARC, DNSSEC, S/MIME, and some other fancy abbreviations are a waste of your time.

PGP is vastly underutilized.
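The Spamhaus check described in the post above, as an added example that is not part of the original thread, the book, or any poster's code. It builds the reversed query name a DNSBL expects (octets for IPv4, nibbles for IPv6) and interprets the 127.0.0.x answers. The zone name and the meaning of the return codes are as Spamhaus documents them for ZEN at the time of writing; the resolver answers below are constructed so the example runs offline, and a real deployment would pass in a function that does the actual DNS lookup.

```python
"""DNSBL lookup helper with an injectable resolver (added example, runs offline)."""
import ipaddress

ZEN = "zen.spamhaus.org"

# Spamhaus ZEN return codes, as documented by Spamhaus (assumption: current at time of writing).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL",   # CSS listings also answer in the SBL range
    "127.0.0.4": "XBL",
    "127.0.0.9": "SBL",   # DROP
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}
# Answers in this range signal a query problem (open resolver, bad query), not a listing.
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_name(ip, zone=ZEN):
    """Reverse the address the way DNSBLs expect and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))
    else:
        # IPv6 lists are keyed by the 32 hex nibbles of the expanded address, reversed.
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


# Constructed answers standing in for a resolver (none of these IPs are really listed).
FAKE_DNS = {
    dnsbl_name("203.0.113.5"): ["127.0.0.4"],
    dnsbl_name("203.0.113.6"): ["127.0.0.2", "127.0.0.10"],
    dnsbl_name("2001:db8::1"): ["127.0.0.2"],
    dnsbl_name("203.0.113.7"): ["127.255.255.254"],
}


def fake_resolve(name):
    """Stand-in for a real A lookup; returns the constructed answers above."""
    return FAKE_DNS.get(name, [])


def check(ip, resolve=fake_resolve, zone=ZEN):
    """Return the DNSBL lists the IP appears on (empty list means clean).

    Raises if the zone answered with an error code, so a misconfigured resolver
    is not silently treated as "not listed".
    """
    listed = []
    for answer in resolve(dnsbl_name(ip, zone)):
        addr = ipaddress.ip_address(answer)
        if addr in ERROR_RANGE:
            raise RuntimeError(f"{zone} returned error code {answer} for {ip}")
        if addr not in ipaddress.ip_network("127.0.0.0/8"):
            raise RuntimeError(f"unexpected non-loopback answer {answer} from {zone}")
        name = ZEN_CODES.get(answer, answer)
        if name not in listed:
            listed.append(name)
    return listed


if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.6", "2001:db8::1", "192.0.2.1"):
        print(ip, check(ip) or "clean")
```

The error-range check matters in practice: Spamhaus answers queries from public resolvers with an error code rather than a listing, so a script that only tests "did I get an answer in 127/8" would count every query as a hit.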
 
Umm... Matlib.. Nowadays you're not going to get much of anything delivered from your box if you do not have DKIM, DMARC, SPF and reverse DNS properly in place. DNSSEC is not as hard a requirement but doesn't hurt if you know how to manage it properly. You may be factually correct in that these protocols/additions to the mail workflow are flawed, but that's the world we have to work with. If you choose not to implement any of them, I wish you the best of luck with your mail sending endeavours because you will need it.
 
Of course SPF works, you just have to keep your records correct and clean for every domain you are sending mail from...

DKIM is pretty much mandatory today and it also works; same as DMARC (yes, you have to actually *look* at the reports you get...), DNSSEC (not only for mail delivery) and S/MIME.

It's fascinating how much FUD about mailservers still seems to be general folklore. Especially from people who don't seem to have ever run a mailserver.

I've been running mailservers for almost 20 years now, ranging from my own, personal (and my former business) ones, to medium sized corporate servers. And yes, the landscape has become a major shitshow, especially thanks to RFC-ignorant monopolists like microsoft and google which constantly come up with random crap to break communication and a protocol that even has "simple" in its name. Especially the former are by far the most incompetent, elitist idiots in the field, constantly "bending" the rules (or simply too dumb to follow them), rejecting legitimate mail while sending massive amounts of spam themselves (#1 spamhoster for *years*; by orders of magnitude larger than anyone else on the top 10 list). And no, you can't just mail their postmaster@ or abuse@ to sort things out, because they simply don't accept mail to those *strictly required* addresses...
Yes, at some point you have to deal with those idiots. Yes, it's tedious. Yes, you can just block them altogether with a meaningful error message on your private mailserver, telling everyone still using them to get a proper mailprovider (that's what I'm doing - and it actually works). For a corporate server however, you can't really do that, so you again have to deal with those idiots...
So if you have the choice and don't want to waste your precious time with idiots - don't run a mailserver. Not because it's *technically* very hard, complicated or tedious - the RFCs are pretty clear and simple - but because you have to deal with idiots that aren't able/willing to follow even the most simple rules...
 
You may be factually correct in that these protocols/additions to the mail workflow are flawed, but that's the world we have to work with. If you choose not to implement any of them, I wish you the best of luck with your mail sending endeavours because you will need it.
No, it is not only that it fights spam by making life difficult for spammers (and anyone).

DNSSEC makes sure that the domain is in possession of the domain owner.

SPF allows the domain owner to specify the host names and IPs that he allows to send mails with addresses in his domain.

DKIM allows the domain owner to sign certain parts of the mail, among them the From header, and if the From has this domain, as required by DMARC, then it is a sign of authenticity.

SMTP allows any IP to send mails with any "from header" and any "envelope from". Mechanisms to prove authenticity are necessary, and the above bind these data to the DNS.
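What the SPF half of that binding looks like when a receiving MTA actually evaluates it, as an added example that is not part of the original thread, the book, or any poster's code. The evaluator below follows RFC 7208 for the mechanisms most records use (all, ip4, ip6, a, mx, include, the redirect modifier, and the +/-/~/? qualifiers) and enforces the ten-lookup limit; macros, exp, ptr and exists are left out. The domains, addresses and records in the `DNS` table are constructed for the demo and stand in for a resolver.

```python
"""Minimal SPF (RFC 7208) evaluator over an in-memory DNS table (added example)."""
import ipaddress

# Constructed zone data: name -> record type -> values. None of these are real hosts.
DNS = {
    "example.org": {
        "TXT": ["v=spf1 mx ip4:203.0.113.0/24 include:_spf.mailrelay.test -all"],
        "MX": ["mail.example.org"],
    },
    "mail.example.org": {"A": ["198.51.100.25"], "AAAA": ["2001:db8::25"]},
    "_spf.mailrelay.test": {"TXT": ["v=spf1 ip6:2001:db8:1::/48 ~all"]},
    "example.net": {"TXT": ["v=spf1 redirect=example.org"]},
    "nospf.test": {},
    "loop.test": {"TXT": ["v=spf1 include:loop.test -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: limit on DNS-querying terms per evaluation


def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """The single v=spf1 TXT record for a domain, or None if there are zero or several."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split(" ")[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def ip_in(ip, value, default_prefix):
    net = value if "/" in value else f"{value}/{default_prefix}"
    return ip in ipaddress.ip_network(net, strict=False)


def host_matches(ip, host, prefix):
    rtype = "A" if ip.version == 4 else "AAAA"
    return any(ip_in(ip, addr, prefix) for addr in lookup(host, rtype))


def check_host(ip, domain, _lookups=None):
    """Evaluate SPF for connecting `ip` claiming `domain`.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    """
    ip = ipaddress.ip_address(ip)
    lookups = _lookups if _lookups is not None else [0]  # shared across include/redirect
    record = spf_record(domain)
    if record is None:
        return "none"
    default_prefix = 32 if ip.version == 4 else 128
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        if "=" in term:  # other modifiers (exp=, unknown ones) are ignored
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4" and ip.version == 4:
            matched = ip_in(ip, arg, 32)
        elif name == "ip6" and ip.version == 6:
            matched = ip_in(ip, arg, 128)
        elif name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            target, _, plen = (arg or domain).partition("/")
            prefix = int(plen) if plen else default_prefix
            if name == "a":
                matched = host_matches(ip, target, prefix)
            elif name == "mx":
                matched = any(host_matches(ip, mx, prefix) for mx in lookup(target, "MX"))
            else:  # include: only a "pass" of the included policy counts as a match
                inner = check_host(ip, target, lookups)
                if inner in ("none", "permerror"):
                    return "permerror"
                matched = inner == "pass"
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        lookups[0] += 1
        if lookups[0] > MAX_LOOKUPS:
            return "permerror"
        result = check_host(ip, redirect, lookups)
        return "permerror" if result == "none" else result
    return "neutral"  # no mechanism matched and no "all": RFC default
```

Two details the evaluator makes visible: an `include:` that evaluates to softfail does not match (the outer `-all` still decides), and a record that includes itself or chains through too many hosts ends in permerror rather than a hang, which is what the ten-lookup limit exists for.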
 
No, they aren't mandatory. I do run my own mail server and I've got no problems with mail delivery whatsoever.

Another email myth:

HTML only for spammers? Out of 1324 spam messages I've received over the past year, 328 (24.77%) were text/plain, and a significant amount of the rest were HTML messages with no markup. Whereas I don't recall receiving a valid text email in any recent history. In fact a plain text message is an indicator of spam unless the user is subscribed to mailing lists.

Mailing lists... yeah, but that's off-topic.
 
And why do you assume I don't have reverse DNS set up?

Yup, I've just sent a message to GMail and it worked.

...also to check whether they finally support PGP, but it doesn't seem to be the case. My PGP public key is shown as unknown attachment.
 
Trying to run a mail server as an amateur, without a staff that is very knowledgeable and can monitor/manage things 24x7 is pretty silly.

People will complain that I am pushing users to give money to the big evil cloud companies. Let them complain. The reality is that mail has become very complex, due to the spam abuse of the internet, which for real users needs to be controlled, and that is hard and complex.
No, it's worse, and you're turning things around: the big evil cloud companies are the commercial spam distributors - nearly all the spam comes from them.

There is nothing hard and complex - the point is just to get rid of people running their own mailservers and being independent, and then have all the users being confined into an environment of commercial spam and be flooded with advertisement crap.
This is exactly the same as with discussion forums, where people have been routed into facebook and reddit where they learn that it is normal to always be flooded with stupid advertisement crap.

I even have this in explicit writing, from my ISP (AS3320): they state that they censor private email and allow their customers only to receive commercial crap.
 
Gmail have been giving the following errors out for probably the best part of a year at least. They definitely require SPF and/or DKIM...

(host gmail-smtp-in.l.google.com[142.251.173.27] said: Your email has been blocked because the sender is unauthenticated. Gmail requires all senders to authenticate with either SPF or DKIM. For instructions on setting up authentication, go to https://support.google.com/mail/answer/81126#authentication.
 
People will complain that I am pushing users to give money to the big evil cloud companies. Let them complain. The reality is that mail has become very complex, due to the spam abuse of the internet, which for real users needs to be controlled, and that is hard and complex.

No, it's worse, and you're turning things around: the big evil cloud companies are the commercial spam distributors - nearly all the spam comes from them.
Probably, getting e-mail delivered reliably has gotten more difficult because the delivery itself was / is being (deliberately) confused with spam avoidance and filtering, while in reality these issues (delivery being one, filtering the other) should be separated. The delivery system would need to be robust enough to be able to be as agnostic of whatever content is being delivered as possible. The spam issue (I'm guessing) on one hand was only possible to become relevant because for the sender it is relatively cheap to send spam: compare that to traditional post mail, letters and packages, those would need a stamp that pays for delivery. And realistically then, no one would want or even expect a post company to inspect the contents of envelopes and packages to flag it as whatever. If I get advertising paper in my physical letter box, I throw it in the trash. Why should it become difficult to handle with electronic mail? Why is inspection and expensive filtering necessary, how did it get so bad? Is it really that bad? Well, if anybody can create a free e-mail address with Microsoft instead of running their own mail server... and here we are. Could it be big providers are intentionally exaggerating the issue for *reasons*? I don't know a lot about the history or even current state of affairs in e-mail hosting so excuse me asking possibly naive questions. I don't want to get off topic but I would imagine the book covers spam filtering, reputation, blacklisting, etc. too.
 
greylisting does not suck 'per se' but explaining to your users that email is not an instant messenger every two weeks does suck
 
Probably, getting e-mail delivered reliably has gotten more difficult because the delivery itself was / is being (deliberately) confused with spam avoidance and filtering,
Very much so. Also, there is a common concept, that the evildoers are always the others. Rarely people get to the idea that their own actions are the ones responsible for causing the problems.

Traditionally any computer was able to send and receive email, without much effort. And with the advent of the Internet, computers became connected and email started to work globally.
Only there was a problem with the Windows guys, because they wanted to switch their computer off at night, and therefore could not receive email. That is when shops like Yahoo etc. jumped in and offered a delegated email service, based on web pages.

It is important to understand that web pages (HTTP/HTML) and email (SMTP) have nothing at all to do with each other, as they are entirely different protocols. But bringing both together is the cause for about 100% of all scams, malware attacks, ransomware and other cyber criminal actions. It is in fact the absolute worst one can do.

Furthermore, the original demand or usecase (people wanting to switch off their computers at night) is not even true anymore. Nowadays we are expected to own a smartphone that runs day and night, and to be reachable 24/7. There is no longer a technical problem in receiving your own mail at any time.

But, the web based mail shops like Yahoo etc., being not only pernicious, but also superfluous now, nevertheless want to stay in place and continue to get fat on income from feeding their users with unwanted advertisements.

In the golden times of email, around 2000, when you met somebody at a conference and wanted to exchange further ideas in private, you would just exchange email addresses. It was easy to communicate, back then. Nowadays you don't get somebody's email address anymore, because it is considered dangerous to give it away (what good is email then, anymore?)

The traditional usecase of email, individual persons exchanging ideas in writing, over distance, at negligible costs, has diminished.
A new usecase for email has appeared instead, it is a (kind of) communication between un-equals, between corporations and consumers, and it is simplex (uni-directional): advertisement crap (so called "newsletters" and similar) is sent out to the consumers, no matter if they want it or not, and replies are neither expected nor possible - because only the money from the consumers is of any interest.

In the old times a header line like this
Reply-To: noreply@corporatehost.com
would be considered simply an offense - because it is one. Nowadays such is common case.

Those who nowadays make email apparently difficult, with the vindication to protect people from spam, are actually the ones abusing the email system for their own spam.
And, as a diversion, the general public is instead presented with a fake issue of "email privacy" to consider. Email was never private - because the Internet was a science network, and science also was never private before falling into the hands of the criminal lobbyists.

I'm not sure if Mr. Lucas has sufficient political sensibility to unroll this malady properly.
 
greylisting does not suck 'per se' but explaining to your users that email is not an instant messenger every two weeks does suck

The users are not the problem. The webshops sending two-factor authentications valid for five minutes are.

And in the modern view of the customer not as somebody who deserves proper service, but only as a money-bag in need of emptying, these webshops would just tell you to get yourself another email provider.
 
The users are not the problem. The webshops sending two-factor authentications valid for five minutes are.

I tried greylisting for a while. The basic idea of temporarily rejecting emails that will get retried by genuine senders is quite interesting.

Unfortunately, there are just too many instances where people expect, even require, emails to be near instant. It's not just the multitude of sites that send login codes / 2fa by email. It's people trying to reset their password to log into a site they need to get in to that don't get the reset link for half an hour, or the people on the phone who ask the caller to email them something so they can look at it during the call.

It's not the users, or the websites. The entire world expects emails to be delivered immediately. I don't really have a problem with this as email should be delivered promptly and always has been unless there was an actual problem, but it does mean greylisting is not a viable option for any production mail system.
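The greylisting mechanism the posts above argue about, as an added example that is not part of the original thread, the book, or any poster's code. It keys on the (client network, envelope sender, envelope recipient) triplet, defers with 451 on first contact, accepts a retry that arrives after the minimum delay, and then auto-whitelists the client network so the delay is paid once per sending site rather than per message. The delay, retry window and whitelist lifetime are assumed values in the range typical greylisting implementations use; the addresses and timestamps in `simulate()` are constructed.

```python
"""Greylisting as a pure function of (triplet, time), with an auto-whitelist (added example)."""
from dataclasses import dataclass, field
import ipaddress

# Policy constants (assumptions; typical defaults, tune for your site).
MIN_DELAY = 5 * 60               # seconds a client must wait before its retry is accepted
RETRY_WINDOW = 4 * 60 * 60       # a retry later than this starts greylisting over
WHITELIST_TTL = 36 * 24 * 3600   # a client that retried correctly is trusted this long


@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)    # triplet -> time first seen
    whitelist: dict = field(default_factory=dict)  # client network -> expiry time

    @staticmethod
    def client_key(ip):
        """Key on the /24 (IPv4) or /64 (IPv6): big senders retry from a sibling in the pool."""
        addr = ipaddress.ip_address(ip)
        plen = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    def check(self, ip, mail_from, rcpt_to, now):
        """Return the SMTP reply code to give at RCPT TO: 250 to accept, 451 to defer."""
        client = self.client_key(ip)
        if self.whitelist.get(client, 0) > now:
            return 250
        triplet = (client, mail_from.lower(), rcpt_to.lower())
        first = self.pending.get(triplet)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[triplet] = now      # first contact (or stale): defer and remember
            return 451
        if now - first < MIN_DELAY:
            return 451                       # retried too soon; some bots retry immediately
        del self.pending[triplet]
        self.whitelist[client] = now + WHITELIST_TTL
        return 250


def simulate():
    """A real MTA that retries on its queue schedule versus a bot that fires once and leaves."""
    g = Greylist()
    t0 = 1_700_000_000  # constructed epoch timestamp
    # Real MTA: first attempt, a retry after 30 s (too early), then one after 10 minutes.
    real = [g.check("198.51.100.7", "alice@example.org", "bob@example.net", t0 + dt)
            for dt in (0, 30, 600)]
    # Another host in the same /24 with a different message is already trusted.
    sibling = g.check("198.51.100.9", "carol@example.org", "bob@example.net", t0 + 700)
    # Bot: one attempt, and a second one only five hours later, outside the window.
    bot = g.check("203.0.113.200", "x@spam.invalid", "bob@example.net", t0)
    bot_late = g.check("203.0.113.200", "x@spam.invalid", "bob@example.net", t0 + 5 * 3600)
    return real, sibling, bot, bot_late


if __name__ == "__main__":
    print(simulate())  # ([451, 451, 250], 250, 451, 451)
```

The whitelist is what limits the "password reset takes half an hour" problem to the first message from a given sender network; the five-minute login codes mentioned above still lose that first round, which is the trade-off the thread is describing.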
 
email should be delivered promptly and always has been
Oops. I never got that message.
Mine was long running via uucp call, once a day or so.

I would think, the lesson to learn is: if you give people something wonderful for free, they're not happy, instead they take it for granted and demand more.
 
I have been running my own mail server for over 15 years now. I have never had any issues with deliverability, I am using SPF, DMARC, and DKIM. I also have SpamAssassin configured. One thing I immediately removed was greylisting; it just complicates things when you are expecting an email NOW.
 