The last post: Building your own mail server, part 1

Email is one of those internet services that, like it or not, we all have to use. Yet the underlying protocols have been around since before the invention of spam (the electronic sort, of course), and have little in the way of protection. Internet email is far from perfect, but unless you …

  1. Novex

    Nice to See an Article About This

    I'm glad to see an article tackling this subject, as I agree it's not that hard to set up an email server, and as long as you have a sufficient broadband connection with reasonable upload as well as download speeds, it's worth doing.

    Although it's offline for an annoying reason at the moment (not related to the PC or software), a couple of years ago I set up my own email server based on an Acer Revo 3700 (and a couple of gateways and a mail server were on such PCs as well) using ClearOS 6. It was connected to a Plusnet Fibre connection with a static IP, and once I'd solved installing the SOGo groupware on it, worked like a dream with Thunderbird. I couldn't get the Outlook Connector side of things to work, but that was down to ClearOS 6 being based on a version of RedHat that was too old for some of the components that SOGo's Outlook Connector needed.

    1. Anonymous Coward

      Re: Nice to See an Article About This

      I suppose some people think that running a server is rocket science.

      It isn't.

      I've been doing it since 2001/2002, and most of it with hand-me-down second-hand equipment. First mail server was a Dual Pentium PRO with 3 2GB SCSI HDDs running Slackware and using sendmail. Later we had an IBM Netfinity rackmount server with a PIII 550MHz CPU and 5 SCSI HDDs between 18GB and 72GB.

      In 2010 that was retired for a little Intel Atom box that's been running my site ever since. Mail stack these days is Postfix and Dovecot on Gentoo Linux.

      The important bit: make sure your server doesn't unwittingly relay spam. Dealing with the rest is not complex or expensive, and until only last week the only ongoing costs needed were for an Internet connection and power; I've only recently bought a domain to replace the freebie one I was using from yi.org.

      Set it up right, and it's as hands-off an experience as you'd be used to from the likes of Gmail and Yahoo. Better in fact, since you're in control of your own destiny.

    2. Youngone Silver badge

      Re: Nice to See an Article About This

      @ Novex

      I've been using ClearOS for donkey's years (also the previous incarnation Clark Connect). It's a fantastic way to teach yourself an awful lot of different networking and sysadmin tools.

      I'm a bit sick of waiting for the latest update which seems to be taking forever to happen, but in the meantime my server just keeps chugging along working fine.

    3. Shoot Them Later

      Re: Nice to See an Article About This

      I agree, a very welcome article. Been doing this myself with a FreeBSD/Exim/Dovecot setup since before spam was really a problem (and I've since added SA-Exim to the mix for SpamAssassin integration). Talking of spam, I find that the DNS blocklists reject a lot of this, and it is also particularly nice that this technique rejects the message before delivery is accepted - meaning that you don't generate backscatter spam bounce messages for rejected traffic.

      I would like to see some discussion about use of cloud though. My server lives at home, has a static IP and listens to the Internet on port 25. However, I also use an AWS-based server as backup MX (and also primary DNS) because there are occasions that I turn my home machine off for a while. My own issue though is reading email while away. I don't make my IMAP server available via the Internet, so if I am on the move, I generally have to VPN in to my network to read email (although I do also have Gmail for when I am mobile). I'm still not decided on whether to stick with this, open up a port for my local Dovecot to the Internet, or move the whole shebang to an AWS hosted image. It's an area where I'm always interested in what other people are doing and how well it works out for them.

      1. Nigel Whitfield.

        Re: Nice to See an Article About This

        Personally, I do have IMAP over SSL available from everywhere, and also authenticated submission on port 587.

        Generally, that doesn't seem to have caused any problems; looking at the number of failed SASL attempts in the logs, most days there are fewer than ten; a busy day still comes up with fewer than 50.

        I have the remote submission port because I have SPF set up fairly strictly on some of my domains, and I still want to be able to send messages from anywhere, so my phone (using Maildroid) sends everything that way.

        I could use a VPN instead, and I do have one of the other systems on the network set up to allow access that way, but it's fiddly to have to use all the time, and of course some networks I might connect to block VPNs.

        I wouldn't say I've ever noticed any significant attempts to connect to the IMAP server over the years; certainly, you get nowhere near the hammering on your hardware that you do when you have a SIP server!
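Nigel's habit of checking the number of failed SASL attempts in the logs, turned into a small log-scanning script. This is an added example rather than anything from the thread; the log lines are constructed samples in the stock postfix/smtpd and dovecot imap-login message formats.

```python
"""Count failed SMTP-AUTH / IMAP logins per day and per client IP.

Added example, not code from the thread. The log lines below are constructed
samples in the stock syslog formats of postfix/smtpd and dovecot imap-login.
"""
import re
from collections import Counter

# postfix/smtpd: "warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: ..."
POSTFIX_RE = re.compile(
    r"^(?P<day>\w{3} {1,2}\d{1,2}) \S+ \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)
# dovecot: "imap-login: Disconnected (auth failed, 3 attempts in 10 secs): ... rip=198.51.100.7, ..."
DOVECOT_RE = re.compile(
    r"^(?P<day>\w{3} {1,2}\d{1,2}) \S+ \S+ dovecot: (?:imap|pop3)-login: "
    r"Disconnected \(auth failed, (?P<attempts>\d+) attempts? in \d+ secs\).*?"
    r"rip=(?P<ip>[0-9a-fA-F.:]+)"
)


def count_failures(lines):
    """Return (per_day, per_ip) Counters of failed authentication attempts."""
    per_day, per_ip = Counter(), Counter()
    for line in lines:
        m = POSTFIX_RE.match(line)
        attempts = 1
        if m is None:
            m = DOVECOT_RE.match(line)
            if m is None:
                continue                      # connects, deliveries, etc.
            # Dovecot logs one line per session and counts the attempts inside it
            attempts = int(m.group("attempts"))
        per_day[m.group("day")] += attempts
        per_ip[m.group("ip")] += attempts
    return per_day, per_ip


def noisy_sources(per_ip, threshold=10):
    """Client IPs at or above `threshold` failures, busiest first."""
    return [(ip, n) for ip, n in per_ip.most_common() if n >= threshold]


# Constructed sample, not a real log excerpt
SAMPLE_LOG = """\
Oct 12 03:14:15 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Oct 12 03:14:19 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Oct 12 03:15:02 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Oct 12 09:40:00 mail postfix/smtpd[1301]: connect from mail.example.net[192.0.2.25]
Oct 13 01:02:03 mail postfix/smtpd[1402]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Oct 13 01:02:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<alice>, method=PLAIN, rip=198.51.100.8, lip=192.0.2.10, TLS
"""

if __name__ == "__main__":
    per_day, per_ip = count_failures(SAMPLE_LOG.splitlines())
    for day, n in sorted(per_day.items()):
        print(f"{day}: {n} failed logins")
    for ip, n in noisy_sources(per_ip, threshold=3):
        print(f"repeat offender {ip}: {n} failures")
```

Feed it `journalctl -u postfix -u dovecot --no-pager` or your mail log and the daily totals give the same picture Nigel describes, while the per-IP list tells you whether it is one persistent source or background noise.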

      2. Vic

        Re: Nice to See an Article About This

        I also use an AWS-based server as backup MX

        I dislike the use of a backup MX except in large-scale operations. For those of us with a tolerable level of traffic, they tend to become a weak point in your spam defences - unless you rigorously control your user list on the backup to mirror the primary, you can end up in the situation of accidentally accepting mail for non-existent users. You've then got to deal with that...

        Far better, IMO, to leave mail in the outbound MTA's queue, to be delivered to your primary MX when it's back online.

        My own issue though is reading email while away. I don't make my IMAP server available via the Internet

        I use port-forwarding over SSH to create the IMAP ports on whatever device I'm using. As long as you use ports >1024, you don't even need to root your phone for that. But frankly, the single most useful access system I've found has been SquirrelMail.

        Vic.

        1. Shoot Them Later

          Re: Nice to See an Article About This

          @Nigel - for me the decision between local/cloud is not really security, but getting a balance of performance & availability. Mail local to my home has best performance and availability for when I am at home, but considerably less so for when I am mobile. If I have my IMAP on AWS or similar, I have better availability and performance when I am mobile (I hope) but worse than when at home. Ideally I'd want a solution with two way replication of IMAP content, but on the other hand I want a solution that is simple and reliable. I think those might be mutually exclusive :)

          @Vic - I agree with your point about backup MX. In my case, my backup server is also Exim with the same spam configuration, and I use rsync to push whitelists and virtual domain lists to it from my main server. It works fairly well, although sometimes I get issues where the backup server has accepted mail that my main server later rejects, but this is handled relatively gracefully by Exim. I go for the backup MX route because I may from time to time turn off my whole home server for an extended period and I want to continue to accept mail. I have on occasion read the raw emails sitting in the mailqueue on my backup box while travelling. It's far from perfect, but works, in a clunky way, within my slightly odd parameters.

  2. Christian Berger Silver badge

    It's nice to see someone normal for a change

    I mean usually Reg-authors spend their time installing Exchange and Outlook and then boast about their new tools which enable them to do essential and trivial things.

    E-Mail also has the great advantage that it's error resilient. If your mail server goes down, you won't lose any mail as the other mailservers will retry for a week. This makes a great learning ground.

    1. LDS Silver badge

      Re: It's nice to see someone normal for a change

      The basic error is to believe Exchange is a simple mail server and Outlook a simple mail client. Both are designed to do much more than simply email sending/receiving. If you're using Exchange/Outlook just for simple email management, you're wasting (a lot of) your money.

      If someone needs a simple, open source mail server for Windows, give a look to HMailServer.

      1. Christian Berger Silver badge

        Re: It's nice to see someone normal for a change

        Well first of all, why in the world should I install a mailserver on Windows? And why should it be something rather obscure like HMailServer when I can probably just get postfix or something to run on Windows?

        BTW there's also a lot of "groupware" solutions out there replacing Exchange and or Outlook.

        1. steamrunner

          Re: It's nice to see someone normal for a change

          Actually (and I can't believe I'm actually saying this) there are reasons or scenarios for installing a mail server on Windows, especially for home users.

          Firstly, in some instances, the installation and running/maintenance of the software can be a bit easier, depending on your chosen package (Postfix - why? There are easier, free options out there). Or, at worst, it can be a little less scary and a little more manageable if something goes wrong (if you're not too familiar with Linux for example).

          Secondly, mail servers take up surprisingly little resources. For one person or a family, it's basically sod all. If someone has a half-decent desktop PC that's 'on' all the time then running their mail server on that in the background would cost precisely £0 extra in hardware outlay. With the right software and restricting port access to just those needed (and also from *where* needed, i.e. your MXs), and *not* *ever* *under* *no* *circumstances* having your home server as your domain MX, all but the most paranoid should be good to go.

          A loooong time ago I used to run CommuniGate Pro on a Windows server — which, to add to the list, is free for up to five users so ideal for home experimentation (just a happy user) — and it was basically an indestructible tank... it would have run unaided for decades if I'd let it!

          (OK, to be fair, these days I run server stuff mostly on Linux on virtual and cloud platforms, because I can, so I do... ;-)

          S.

          1. Nigel Whitfield.

            Re: It's nice to see someone normal for a change

            For a small home setup, you could also consider using your NAS; there are packages for things like Synology that will add a mail server, though I've not used them in anger. That will give you more or less point and click configuration.

            And certainly, for some people that's all they need. But this is The Register, and if I walked people through a setup with a friendly point and click wizard, I'm pretty sure a lot of you would feel we could have done much more.

      2. Captain Scarlet Silver badge

        Re: It's nice to see someone normal for a change

        HMailServer recently started to become more active, I use it for basic mail routing tasks on a spare windows machine

        @Christian - It's easy to set up, the community is active, there are add-ons to extend functionality and it can use a selection of backend databases.

  3. Barely registers

    Fixed IP?

    Does any of this solution require a fixed IP address from your broadband supplier? If not, how does the rest of the web know how to reach your physical server?

    Asking for me, not a friend, out of total ignorance of how Internet routing works.

    1. jonathanb Silver badge

      Re: Fixed IP?

      There are ways to have the system update your MX records every time your IP address changes, and no doubt a commentard will come along and explain how to do it.

      Life will be much easier however if you do have a static IP.

    2. PVecchi

      Re: Fixed IP?

      It's easier to configure things if you have a static IP but it is not a must.

      You can search for dynamic DNS on your preferred search engine and you'll find a few that are free or others that cost anyway very little.

      The other option is to buy a domain from a hosting provider which generally provides a basic mail server for a tenner a year and "fetchmail" your emails from there with your local server.

    3. slooth

      Re: Fixed IP?

      You could use the no-ip client (no-ip.com). You could even get a domain name from them.

      1. Jack of Shadows Silver badge

        Re: Fixed IP?

        Our consumer Comcast Arris router has a built-in No-IP client. For what that's worth as it already has one vulnerability that I'm certain of here.

    4. d3vy Silver badge

      Re: Fixed IP?

      No-ip offer a free domain name and a client that keeps the dns in sync when it changes...

      If you're really tight and don't want to pay for the paid No-IP service that allows you to use your own domain name you can do it with a CNAME record that points back to the free No-IP address.

      Although a static IP would be easier - I've found quite a few anti-spam systems will block email that has come from a home broadband IP.

      1. moiety

        Re: Fixed IP?

        ...or these guys (also free):

        http://www.dnsdynamic.org/

      2. Anonymous Coward

        Re: Fixed IP?

        Although a static IP would be easier - I've found quite a few anti-spam systems will block email that has come from a home broadband IP.

        The workaround for that is to tell your server to relay through your ISP's server.

    5. Nigel Whitfield.

      Re: Fixed IP?

      For preference, a fixed IP is going to be best, so that messages can be delivered over the internet directly to your mail server.

      However, if your concern is more about, for example, having your own IMAP store so you can find any messages you want, then you could add Fetchmail to the mix, which will grab messages from external mail accounts and feed them into your server. You'd then simply ensure the server has a fixed IP on your local network, which your own clients would connect to (and perhaps use a dynamic DNS system if you want remote access). Outgoing mail would, in that scenario, probably be routed via your ISP's mail server.

      A fixed IP will certainly give you much more flexibility, and that's what I have - in fact, I have a routed network on my ADSL.

      I don't generally have problems with messages being rejected, because the IP range is allocated to me; ok, it costs a little more than a bog standard domestic broadband, but I work at home and figure it's worth it.

      For ISPs that will make this easier, I suggest you check out the article (and the comments) that I did earlier this year about "Boutique ISPs".

      1. Vic

        Re: Fixed IP?

        However, if your concern is more about, for example, having your own IMAP store so you can find any messages you want, then you could add Fetchmail to the mix, which will grab messages from external mail accounts and feed them into your server.

        This causes difficulty for spam processing; if your Internet-facing MTA doesn't do the spam processing you want - and if you don't own it, it probably doesn't - then you have a real problem, because the mail has already been accepted.

        At that point, you can either take it on the chin, or try to do some sort of local processing, redirecting spammy-looking mails into a spam area. But that's actually the worst of all worlds, because there is a good chance of you missing a mail if you get a false positive, and you still have to trawl through that spam...

        For my money, there should only ever be one port of call for inbound mail. It's trivial to sort that with dynamic DNS clients. You can smarthost on the outbound mail[1], but inbound should have as few hops as possible.

        Vic.

        [1] Smarthosting loses quite a lot of the traceability of your email, so debugging a problem can be tricky. But if you've got an rDNS entry that looks like a residential account, you're not going to have much choice.

        1. Nigel Whitfield.

          Re: Fixed IP?

          @Vic

          Yes, I wouldn't necessarily recommend doing that, unless you really have a compelling reason to. The best way to do this is to have the fixed IP, rDNS and so forth that you'll get from a friendly and wise ISP.

          Of course, while that's effectively what I'll be describing, hopefully there'll be plenty of info for anyone who wants to do the same sort of thing, but with their mail setup elsewhere, whether that be a small office, or a dedicated server that you'd prefer to set up yourself, not least because unlike using, say, Plesk, it won't all suddenly fall apart and sulk just because you looked at it wrong.

  4. Anonymous Coward

    Check for blacklists

    You should mention how to check the intended IP of your mailserver isn't on a load of internet blacklists that mean trying to send mail to anyone at gmail, hotmail etc. will be permanently rejected until you 'fix your spam problem'.

    Trying to run a mail server from a consumer IP block, even if fixed, is a recipe for frustration otherwise.

    And it's probably a good idea to do this before you buy the hardware, and start configuring Dovecot and Postfix.

    1. jonathanb Silver badge

      Re: Check for blacklists

      The other option is to buy an SMTP relay service and route outbound mail via that. You can usually get it from the same company you get your domain names from. Alternatively, your ISP may offer such a service.

      1. moiety

        Re: Check for blacklists

        Consumer IPs are routinely blackholed - that's why I gave up with a home mailserver in the end.

        1. LDS Silver badge

          Re: Check for blacklists

          Also, some ISPs could block port 25, in an attempt to block some spammers, or spam botnets. I had few issues as long as I was self-employed and could buy a "business" ADSL and fixed IP (just, it required a VAT number); when I moved to another job as an employee, and had to switch to a "consumer" ADSL, my server could no longer work and I had to move it to a rented VM - I can still manage my own server, but of course data are stored on someone else's - you can encrypt and whatever, still less control. On the bright side, it has far faster connectivity to the Internet; my ADSL is limited to 1Mb upload (another issue with "consumer" ones), and sending large mails is not fast at all.

          Other factors to take into account are that you need your own domain name, and a DNS configured with the proper MX record(s). If you're going to use DKIM or the like, you also need to be able to set them up in the DNS records. Some mail servers could perform reverse DNS lookups, and reject connections that don't match.

          To use SSL/TLS properly, you need certificates - buy them, or you can easily generate them yourself. I would suggest avoiding simple self-signed ones (MITM could be too easy) - generate your own CA(s), trust it on your devices, and then generate certificates from that.

          To block spam I would suggest using DNSBL services (i.e. Spamhaus, etc.) at the connection level, because they can reject an incoming connection before the actual mail is sent, reducing the server load (SpamAssassin may be a bit heavy if it has to process everything).

          As soon as a server is accessible from outside behind your router/firewall, you also have to ensure it doesn't become an entry door into your LAN, nor that it can be used for spam. You need to know how to properly harden everything.
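LDS's connection-level DNSBL check, as an added example (not code from the thread): it builds the reversed-address query name, interprets the Spamhaus ZEN return codes, and fails open on the DNSBL's own error replies. The resolver is injected, so a constructed answer table stands in for live DNS and the sample runs offline.

```python
"""Connection-time DNSBL lookup of the kind Postfix's reject_rbl_client performs.

Added example, not code from the thread. The resolver is injected so the
sample runs offline against constructed answers; a live version would do an
A-record lookup of the query name. Return-code meanings follow the
Spamhaus ZEN documentation.
"""
import ipaddress


def dnsbl_query_name(ip, zone):
    """Reverse the address (octets for IPv4, nibbles for IPv6) under the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def describe_zen_code(answer):
    """Translate a ZEN A-record answer into the list that produced it."""
    last = int(answer.rsplit(".", 1)[1])
    if answer.startswith("127.0.0."):
        if last in (2, 3):
            return "SBL: known spam source"
        if 4 <= last <= 7:
            return "XBL: exploited host, open proxy or bot"
        if last in (10, 11):
            return "PBL: end-user address space, not meant to send direct-to-MX mail"
    return f"unrecognised answer {answer}"


def check_client(ip, zone, resolve):
    """Decide what to do with a connecting client.

    `resolve(name)` returns the A answers for `name`, or [] on NXDOMAIN.
    Returns (action, reason) where action is "accept" or "reject".
    """
    answers = resolve(dnsbl_query_name(ip, zone))
    if not answers:
        return ("accept", "not listed")
    reasons = []
    for answer in answers:
        # 127.255.255.x answers are DNSBL error signals (query limits, open
        # resolver, typo in zone), not listings: fail open rather than bounce mail
        if answer.startswith("127.255.255."):
            return ("accept", f"DNSBL error reply {answer}, failing open")
        reasons.append(describe_zen_code(answer))
    return ("reject", "; ".join(reasons))


# Constructed answer table standing in for DNS (client addresses are documentation ranges)
ZONE = "zen.spamhaus.org"
FAKE_ANSWERS = {
    dnsbl_query_name("203.0.113.5", ZONE): ["127.0.0.4"],        # bot-infected host
    dnsbl_query_name("198.51.100.77", ZONE): ["127.0.0.10"],     # consumer broadband range
    dnsbl_query_name("192.0.2.9", ZONE): ["127.255.255.254"],    # DNSBL error reply
}


def fake_resolve(name):
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for client in ("203.0.113.5", "198.51.100.77", "192.0.2.9", "192.0.2.25"):
        print(client, check_client(client, ZONE, fake_resolve))
```

The PBL case is the same mechanism that bites people sending outbound mail straight from a home broadband address, which is why the smarthost advice elsewhere in the thread keeps coming up.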

          1. choleric

            Re: Check for blacklists

            @LDS: If you are using a VPS to get a static IP address then you can simply set it up as a firewall and tunnel your mailserver's connections to it. That way you get to use an IP address that isn't identified as DSL but you also retain control of the hardware your mailserver runs on. Win win!

            Of course unencrypted mail can be read, though it could be already, but TLS encrypted channels remain secure.

            1. LDS Silver badge

              Re: Check for blacklists

              You can also set up an SMTP server to relay or forward mails ("open relays" are evil, not any properly secured relay), which is often done to avoid storing emails on an internet-facing machine (it also helps to separate the local from remote traffic, but it's not within the scope of this article).

              It may be safer than a tunnel (you can't contact the destination server directly), there are no address translations - which may still be an issue due to what ends up being written in mail headers (a relay can rewrite headers), and you can also process spam/malware at this layer. If the VPS server offers good reliability, it's also a way to ensure it.

              However, it's a store-and-forward technique, so some data may still be readable from the VPS server.

              1. Anonymous Coward

                Re: Check for blacklists

                An alternative to a tunnel is to relay the email via UUCP. It gets stored on the VPS, then your machine periodically "dials in" using UUCP over SSH to fetch it.

        2. linicks

          Re: Check for blacklists

          You could try SPF - but of course you need a decent no-messing-ISP to start with.

          https://en.wikipedia.org/wiki/Sender_Policy_Framework
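linicks' SPF suggestion worked through as an added example that is not from the thread: a small evaluator for the SPF terms that can be checked without live DNS (`ip4`, `ip6`, `include`, `redirect=`, `all`) against a constructed TXT table. It also shows why a strict `-all` record like the one Nigel mentions forces roaming clients onto the authenticated submission port.

```python
"""Minimal SPF (RFC 7208) check for the ip4, ip6, include, all and redirect terms.

Added example, not code from the thread. DNS is replaced by a constructed
in-memory TXT table so it runs offline; mechanisms that need live DNS
(a, mx, ptr, exists) are reported as "temperror" here rather than resolved.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"a", "mx", "ptr", "exists"}


def check_spf(ip, domain, txt_records, depth=0):
    """Return the SPF result for connecting address `ip` claiming MAIL FROM `domain`."""
    if depth > 10:                       # RFC 7208 limits DNS-driven recursion to 10
        return "permerror"
    record = txt_records.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                  # modifier (redirect=, exp=), not a mechanism
            key, _, value = term.lower().partition("=")
            if key == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed network in the record
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only when the referenced record yields "pass"
            if check_spf(ip, arg, txt_records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name in NEEDS_DNS:
            return "temperror"           # would need a live lookup; not done here
        else:
            return "permerror"           # unknown mechanism
    if redirect:                         # only consulted when nothing above matched
        return check_spf(ip, redirect, txt_records, depth + 1)
    return "neutral"                     # RFC 7208 s4.7: no match, no redirect


# Constructed zone data, not real records
ZONE = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "lax.example": "v=spf1 redirect=example.org",
}

if __name__ == "__main__":
    # The last address is a "phone on a hotel network" case: strict -all means
    # fail, so the message has to go via the domain's own submission server.
    for ip in ("192.0.2.25", "198.51.100.10", "2001:db8::1", "203.0.113.9"):
        print(ip, check_spf(ip, "example.org", ZONE))
```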

        3. Lyndon Hills 1

          Re: Check for blacklists

          While some organisations block dynamic IPs, not all do. Sendmail (what I use, so I know this works) allows you to change the routing based on the email address you're sending to. So most mail goes direct, and where the recipient domain is blocking a dynamic IP address, the mail gets sent via another mail server. Could be your ISP, although I use the server for another domain I have which includes mail hosting. The return address is still set to my own domain so (Hotmail is one example, IIRC) mail to Hotmail goes via <other domain server> and replies come directly back to my server.

          Every now and then I get another email blocked, so I add the domain to the routing list. I think I have about a dozen or so in the table now, after getting on for 20 years of running my own server.

          I've never looked at PostFix, so I'll be following this series with interest. Dovecot, Spamassassin and fetchmail I know.

        4. steamrunner

          Re: Check for blacklists

          Which is why you don't ever send emails out directly via DNS (MX lookup) on a home line - you relay the messages to your ISP's (or someone else's) server for onward delivery. And the reverse inbound, i.e. your home box is never your Domain MX and only accepts inbound mail from the servers that are. Simple.

          1. Vic

            Re: Check for blacklists

            Which is why you don't ever send emails out directly via DNS (MX lookup) on a home line

            I do. Have done for years.

            One ISP got a bit shirty with me - so I took my business elsewhere...

            Vic.

        5. Kevin 6

          Re: @ moiety Check for blacklists

          Ditto

          Years ago I used to run my own mail server on an 800MHz Atom board (it was also my personal web and file server) when I had a static IP with my old ISP. When they went bust I ended up on a dynamic IP ISP, and found I could no longer send e-mails from my server as they would all get rejected.

    2. Nigel Whitfield.

      Re: Check for blacklists

      Good point; see my earlier answer about "Boutique ISPs", where you're probably less likely to have this problem.

      And also, there are services that automatically check against RBLs for you. The one that I use is RBL Tracker, and their free tier will check a single IP address every 48 hours for you. You can get a notification via Twitter DM (and other means) if your server's found on a blacklist.

      Again, for a small home or home office, 48 hours is probably sufficiently frequent, but I would definitely recommend some sort of monitoring like that.

    3. Mark 65 Silver badge

      Re: Check for blacklists

      I was going to ask:

      Isn't running your own mail server something best done from a rented server in a data center somewhere?

      I always thought that running such a thing on a residential connection is a recipe for unavailability and untold frustration, especially with regard to the blacklistings.

      1. Vic

        Re: Check for blacklists

        Isn't running your own mail server something best done from a rented server in a data center somewhere?

        No.

        In the event of my connection going down, I want my email in the place I'm most likely to be...

        I always thought that running such a thing on a residential connection is a recipe for unavailability and untold frustration, especially with regard to the blacklistings.

        There's never a problem for inbound mail. Outbound mail *might* have to be smarthosted through your ISP (or other), depending on the sort of connection you have (and the reputation of the previous owner[1]).

        Vic.

        [1] I once had a very interesting email problem. A user was trying to send mail through BT (his ISP), but everything was being bounced. It turned out that BT was using spam filtering on its MSA port, and the IP address he had had been blacklisted as spammy. He was on a dynamic IP; it was the previous user that was the problem.

  5. PVecchi

    Knowing what you are doing

    Setting up an email server in Linux is generally quite easy, for those that have the skills, but then we've got to take into consideration that not everyone knows how to deal correctly with firewall rules, filtering, certificates, etc...

    An easier route would be to use Webmin and the fantastic Authentic theme (https://github.com/qooob/authentic-theme) to reduce the risk of misconfiguring something and opening your server to attack.

    For those that want an even easier life a product like Collax with 5 users and Zarafa Community could provide a free but business grade all-in-one platform that provides MS Exchange like features ready to be used in about 15 minutes without having to learn a single command (http://www.collax.com/en/products/collax-business-server/overview/).

    It's good to "decentralise" the Internet but make sure your servers are configured properly and don't become spam bots or nodes for the next DDoS attack.

    1. Vic

      Re: Knowing what you are doing

      An easier route would be to use Webmin

      You need to be very careful using Webmin if you're running sendmail.

      sendmail has a machine-readable config file called sendmail.cf. It's generally a bad idea to try to configure it with that; it's a very terse format. Instead, most of us humans use the easily-readable sendmail.mc file, and then build the sendmail.cf from that (using the m4 macro processor).

      But Webmin edits sendmail.cf directly; this means that, if later you do something to sendmail.mc, you end up throwing away all your changes. That can be a little embarrassing...

      Vic.

      1. Jan 0

        Re: Knowing what you are doing

        @Vic

        >if later you do something to sendmail.mc, you end up throwing away all your changes. That can be a little embarrassing...

        Errm, where's your backup of sendmail.cf.prev?

        1. Vic

          Re: Knowing what you are doing

          Errm, where's your backup of sendmail.cf.prev?

          That's kinda irrelevant; if you have a change that *has* to be made, you either have to continue editing sendmail.cf, or you have to reverse-engineer everything in there so that it can be rebuilt from sendmail.mc. Both of these situations involve understanding sendmail.cf, which is not the easiest thing I've had to do lately...

          Vic.

  6. Mike Pellatt

    MTA

    Exim.

    That is all.

    Seriously, though, I jumped that way a few years ago when the only sensible options were Exim or Postfix. Far too many people were still using Sendmail. Or maybe it was so long ago (Exim 3, that's for sure) that Postfix wasn't as mature. If I started again, I think I might go the other way - simply because it's more popular.

    Or is that not a good basis on which to make a decision ??

    (I find Exim's teergrubing facility particularly satisfying)

    (Oh, and this was on RedHat - before I discovered Debian and that Exim was the default MTA there)

    1. linicks

      Re: MTA -> sendmail

      I remember setting up sendmail years ago - about the most complicated thing I have done on a GNU/Linux box. Then I found Postfix, and although a bit complicated, it is logical.

  7. Anonymous Coward

    Probably worth mentioning ..

    .. that this is NOT the thing to do if your name is Hillary Clinton. Just in case :).

  8. Version 1.0 Silver badge

    Port blocking?

    You'll need an internet connection that does not block common ports (25, 80 etc) or else work around them - HTTP is often blocked but HTTPS is usually allowed. Plus, if you have a firewall, don't forget to either put the mail server in front of the firewall or else open the required ports through the firewall to your server.

    I assume this subject is going to be covered later.

    1. Martin Gregorie Silver badge

      Re: Port blocking?

      You don't need *any* ports open in your firewall or a static IP.

      Use fetchmail or getmail (getmail is better because it doesn't have fetchmail's bugs) to retrieve your mail from your ISP's smartmail host via a POP3 link. No open ports needed in your firewall because getmail opens a connection to the smartmail host.

      Your MTA (Postfix in my case) is set up to send outgoing mail via your ISP's smartmail host, so once again no open ports because your MTA opens the connection. Doing this avoids getting your mail blacklisted because it has come from a user's IP address: blacklisting user IPs is quite common, especially if they are dynamically assigned addresses.

      The rest? My copy of getmail passes mail directly to Spamassassin. What comes back marked as spam gets quarantined and the rest is passed to Postfix for delivery via Dovecot.

      I wrote my own mail archive, based on PostgreSQL. Feeding that is automatic: all incoming and outgoing mail goes through Postfix, which BCCs a copy to the archive. The archive is fast because it's a database: it can find any message in 10 secs and optionally deliver it to my mailreader. That's certainly faster than I can ferret through a large mailbox regardless of whether it's an IMAP store or not. Details at www.libelle-systems.com if you're interested.

      1. LDS Silver badge

        Re: Port blocking?

        Having mails going through your ISP mail server, or any other mail server but the recipient's one, defeats one of the main reasons to set up your own mail server...

        1. Nigel Whitfield.

          Re: Port blocking?

          Yes, it defeats some of them, but not all - for some people, simply aggregating all their accounts in one place, or having a searchable archive, is the main reason.

          Generally, though, yes unless you're using Fetchmail or equivalent, you will need to have at least port 25 open, and that will depend on your ISP.

          That need to have some ports exposed to the net is one of the reasons I'm using OpenBSD for this project - there's not going to be anything installed and listening, unless you've set it up to do that.

  9. Steve Foster

    Greylisting

    I've used greylisting for years. However, lately some of the big providers (Hotmail and their ilk) from whom I do sometimes receive genuine emails, but who use vast server farms, and therefore routinely manage to make contact from a previously unseen server, are not processing the temporary errors properly - they're giving up after the one attempt, just like the spammers do.

    I'm watching this fairly carefully, as it may mean I have to abandon the practice (it's no good getting rid of the crap if it costs me real email).

    1. Ken Moorhouse Silver badge

      Re: Greylisting

      In some cases it may be being re-sent, but is coming through from a different IP address. If you have a facility to ignore the IP address, but can verify that it is from the same email address, then Greylisting can still work. Not ideal I agree, because these things could be spoofed, but spammers are after the low-hanging fruit.

    2. Nigel Whitfield.

      Re: Greylisting

      I use PostGrey at the moment, and that comes with a file called "postgrey_whitelist_clients" that lists specific domains that should be automatically whitelisted, because they either don't retry at all, have weird patterns, long delays, or big pools of sending addresses that make normal greylisting problematic.

      You can, of course, tweak the list yourself, if you find specific problematic senders. Postfix does now also include a tool called PostGrey that can do things like RBL checks before a message even hits the SMTP server, and checks similar to PostGrey. That can, apparently, reduce the load by getting rid of a lot of problems before a message even gets as far as being fed into SpamAssassin. I intend to experiment with that, however since my present experience is with postgrey, that's what I'll be using here.
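The failure mode Steve Foster describes above, together with the two workarounds raised in the replies (keying on something other than the exact client address, and a per-client whitelist of the kind postgrey ships), as an added Python example. This is not postgrey's code and not anything posted in the thread: the delivery attempts, hostnames and addresses are constructed for the illustration, and the whitelist is a simplified reverse-DNS suffix match rather than postgrey's file format.

```python
import ipaddress

# Constructed log of delivery attempts for the example: (seconds since the
# first attempt, client IP, client reverse-DNS name, envelope sender,
# envelope recipient). IPs are documentation ranges; hostnames are made up.
ATTEMPTS = [
    # Spam bot: one attempt, never retries, so greylisting alone stops it.
    (0,    "192.0.2.10",    "spambot.example",            "noreply@bulk.example", "me@yourdomain.example"),
    # Ordinary MTA: retries from the same host seven minutes later.
    (0,    "203.0.113.5",   "mta.friend.example",         "alice@friend.example", "me@yourdomain.example"),
    (420,  "203.0.113.5",   "mta.friend.example",         "alice@friend.example", "me@yourdomain.example"),
    # Large provider with a sending pool: the retry comes from a different
    # host in the same /24, then from a host in a different /24.
    (0,    "198.51.100.10", "out10.pool.bigmail.example", "bob@bigmail.example",  "me@yourdomain.example"),
    (600,  "198.51.100.77", "out77.pool.bigmail.example", "bob@bigmail.example",  "me@yourdomain.example"),
    (1200, "198.51.101.5",  "out5.pool.bigmail.example",  "bob@bigmail.example",  "me@yourdomain.example"),
]


class Greylist:
    """Minimal greylist: a new key is deferred until `delay` seconds have
    passed since it was first seen. `key` selects how the client side of the
    key is formed: "triplet" (exact IP), "subnet" (client /24) or "sender"
    (ignore the client address entirely, as suggested in the reply above)."""

    def __init__(self, delay=300, key="triplet", whitelist_suffixes=()):
        self.delay = delay
        self.key = key
        self.whitelist = tuple(s.lower() for s in whitelist_suffixes)
        self.first_seen = {}

    def _key(self, ip, sender, recipient):
        if self.key == "triplet":
            client = ip
        elif self.key == "subnet":
            client = str(ipaddress.ip_network(ip + "/24", strict=False))
        elif self.key == "sender":
            client = "*"
        else:
            raise ValueError("unknown key mode %r" % self.key)
        return (client, sender.lower(), recipient.lower())

    def check(self, now, ip, client_name, sender, recipient):
        """Return "whitelisted", "pass" or "defer" for one delivery attempt."""
        # Client whitelist by reverse-DNS suffix: a simplified stand-in for the
        # per-client whitelist file mentioned in the post.
        if any(client_name.lower().endswith(s) for s in self.whitelist):
            return "whitelisted"
        key = self._key(ip, sender, recipient)
        first = self.first_seen.setdefault(key, now)
        return "pass" if now - first >= self.delay else "defer"


def run(attempts=ATTEMPTS, **options):
    """Feed the attempts through a fresh Greylist and return one verdict each."""
    greylist = Greylist(**options)
    return [greylist.check(*attempt) for attempt in attempts]


def delivered_senders(attempts=ATTEMPTS, **options):
    """Set of envelope senders that got at least one message through."""
    verdicts = run(attempts, **options)
    return {a[3] for a, v in zip(attempts, verdicts) if v != "defer"}


if __name__ == "__main__":
    for mode in ("triplet", "subnet", "sender"):
        print(mode, run(key=mode))
    print("whitelist", run(whitelist_suffixes=("pool.bigmail.example",)))
```

Running the three key modes over the same attempts makes the trade-off visible: the single-host retry passes under every mode, the provider's retry from a second host in the same /24 only passes once the key stops being the exact address, and the retry from a different /24 only passes when the client address is ignored, which is the mode Ken Moorhouse notes can be defeated by a spoofed sender address. The whitelist sidesteps the problem for known pools at the cost of trusting those clients outright.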

  10. 7layer

    Nice one,

    As it was mentioned by Anonymous, generally it is a very bad idea to use a mail server on a broadband connection. Google/hotmail/yahoo will reject emails straight away from these IP blocks no matter what.

    Of course the article says what hardware to buy first. Well, do not buy anything: you will need a fixed public IP from a proper ISP, so therefore you need a virtual private server.

    Mine is at the moment with OVH which cost me £1.99/month. Fixed public IP, 1GB RAM, 10GB HDD.

    At Hetzner you could get this same server for about 6 quid.

    So all in all if you buy any hardware and try to use your broadband for mail/web server, then you will spend 10x more on hardware than you should and also about the same on electric bill to run your small pc.

    All small boxes eat up about 20-30W. Also if you try to use any proper MX relay for your broadband, that will also cost about the same amount monthly as a VPS server.

    Make a calculation, spend days or weeks on the whole lot and you will still end up buying a VPS server.

    I tried it, it didn't work, so don't waste your energy on it.

    By the way, if you have a VPS with CentOS/Debian then it takes about 1 day to get it fully configured.

    On mine I got postfix/dovecot/spamassassin + roundcubemail for webmail.

    If you want an SSL certificate then get it from ssls.com; it costs 7 quid for 1 year.

    1. PVecchi

      Not just emails

      It is true that if you only want a mail server at home then it's not worth it and you are better off with a VPS but is that the only use you'll make of that server?

      If you plan to have a home server then use it as a firewall, a media server, a file server, etc... while you use it also as a local relay server which fetches and sends emails using your VPS where you are pointing your primary MX record. Like that it makes sense and you get the best of both platforms.

    2. Doctor_Wibble

      > Google/hotmail/yahoo will reject emails straight away

      Sorry, that's bollocks. Unless you are referring to a home dynamic IP broadband connection.

      On a fixed-IP broadband link I have no trouble emailing people but on the other hand I do get a lot of spam (attempts) from people on VPS connections and yes, various sub-ranges of 'OVH' feature in my block-list, along with various compute-cloud providers, 'mail relay hosts' etc.

      But aside from that, having a personal email server is not primarily a financial decision.

      1. 7layer

        Yes I was referring to a home broadband with Dynamic address.

        But even, for example, Virginmedia's IP does not work properly and they only change the IP every 1-1.5 years.

        Most providers got these address blocks already, not a big deal, can be checked on ripe.net freely.

        Also not to mention all SPAM filter providers, they do know these blocks already.

        If you have a domain to play with, try a fixed public IP address with a "wrong" non-matching reverse DNS address without having an SPF record for the domain. All providers (Google/Hotmail/Yahoo) will reject your email and it will end up in the spam folder, marked as spam. Maybe I was wrong about the reject part: it will end up in the SPAM folder, and clearly the user won't have it as a legitimate email.

        1. Doctor_Wibble

          Perhaps my response was a tad blunt...

          > try a fix public IP address with a "wrong" not matching reverse dns address without having an SPF record for the domain

          No argument with this bit - as I found out the hard way - stuff wasn't even going into spam folders, it was being silently disappeared after being 'accepted for delivery'. This still happens in some places, and for 'reject' you are effectively not entirely wrong if the recipient has a vast overflowing spam folder and doesn't have time to look.

          There's too much money in the spam-processing business, it's tied too closely with malware and therefore the money in the virus processing industry, and as long as 99% of people don't know the true scale of it, there's not enough interest in picking up the task of killing something that big.

          1. Ken Moorhouse Silver badge

            RE: silently disappeared after being 'accepted for delivery'.

            IMHO the recipient mail server shouldn't do this, it should refuse to accept it in the first place, which is the way I configure systems.

            Not sure what the legal/contractual position is on this. My feeling is that "acceptance for delivery" constitutes delivery. Citations welcomed.

    3. Anonymous Coward

      I didn't know anyone but spammers used OVH. I've ended up blocking most of their netblocks due to continuous spam. Reporting the spammers never worked, I'd get spam from the same IPs for a couple of weeks after reporting the spam, so I decided blocking OVH users was easier.

    4. I Am Spartacus

      This is not true

      "As it was mentioned by Anonymous generaly is a very bad idea to use mail server on a broadband connection"

      Rubbish. I have a mail server, very similar to what is being proposed in the article, running at home. It is also an FTP Server, Cloud Server, Media Server, Shared folder server, etc. It runs on Broadband, is behind a firewall, and has a dynamic IP.

      It simply works. Has done for years. It got fried by a power spike and took less than a day to recover from the encrypted backups on Amazon S3.

      It doesn't get any problems with Google, Amazon, Hotmail etc. It gets tested once a week to ensure it is not an open relay.

      And it hosts multiple mail domains easily.

      Why do this? Because it's my data, in my hands. If any three letter agency wants access, they have to come to me to get it, so I will know.

      Just because you couldn't set it up yourself is not a reason to tell others not to try.

  11. Doctor_Wibble

    Good writeup

    Nice one, I'm on the verge of upgrading my mail server (custom qmail variant on OpenBSD) and it's good to see a decent writeup that clarifies one of the possible options because a technical manual is rarely informative about the true nature of the beast. That said, I will admit I might end up being horribly boring and stick with the one I know, partly because it's got "tinker with this" written all over it...

    For system specs, noting that my email traffic volume is very low and the now vastly oversized replacement HDDs needed add-on PCI-IDE cards because the motherboards were too old to handle a disk bigger than a 1.44 floppy: current mail server is on a Pentium 233 with 96MB of memory and I think it used some swap when I had a shared printer temporarily attached to it for the faxes (these more useful than people might think); the soon-to-be-new mail server is a huge upgrade, being a VIA 400Mhz with 284MB of memory which seems like overkill.

    The current one is reliable but I had to make a custom CD to boot because the BIOS didn't like the setup and the new one seems to have a MAC address randomiser or an imminent nasty hardware fault (probably should RTFM) and I suppose the lesson here is that 'cheapest' (or re-used) is not always the same as 'appropriate minimalism'. Also, a new 20-times-spec box uses a quarter of the power but buying a new one kills half the fun of it...

  12. linicks

    Raspberry Pi B2

    I have been running my mail server on a Raspberry Pi B2 since my main server AMD64 MoBo died. Using Postfix (built from source) on Slackware it works a treat. And as it is using an SDCard, using dd to copy the image once and a while means I have pretty good back-ups (not worried about the mail, just the config).

    1. Tom 7 Silver badge

      Re: Raspberry Pi B2

      Do you monitor system load? Is it ever under pressure?

      Having run a mail system for a few hundred staff on a 200Mhz machine for a few years back with no real load problems, I'd imagine a PiB2 would be fine for a SOHO system.

  13. Nigel Whitfield.

    Just to say

    Some good points in the comments so far, and I'd normally reply promptly, but at a trade show this weekend, so will respond when back in the UK.

    1. Jack of Shadows Silver badge

      Re: Just to say

      Excellent points all. This is only the second time I've saved a comment section to PDF. Here I've got my eMachine Core 2 media center (eMachine) looking for a purpose aside from being effectively a file server from Hell. I look forward to the next installment.

      [Aside from the then new PDP-11, BSD is/was my fave. On my Amiga no less.]

  14. AndrueC Silver badge

    I've been using VPop3 on Win 7 for several years now. Minimal setup and it runs 24/7. Seemed to run fine on a Fit-PC with 1GB of RAM. I solved the spam issue by using a wildcard implementation of DEA. If an address goes bad I just blacklist it. For the most part I just leave it to do its thing.

    1. linicks

      £30.00!

      Windows users.... Tut!

      1. This post has been deleted by its author

    2. LDS Silver badge

      I wouldn't use anything that doesn't support IMAP4 today but for very basic tasks. Since I access email from several different devices, storing them on the server and have clients easily synced is a must.

  15. moiety

    As an alternative

    ...and as the path of least resistance:

    1) Buy a domain ($10/yr) [1]

    2) Get yourself some cPanel webhosting (£29/yr) [2]

    3) Use either an email client or use the built-in 'private' webmail, set up your email addresses and you're all good (if anyone needs a step-by-step let me know)

    So why do it like that?

    In a cost/risk/benefit sort of fashion, you get a lot of the benefit of 'private' kit; but very little of the brain-damage. You don't have to buy the machine; someone else is largely responsible for security; and you can usually use their certificate (certificate being a major source of brain-damage) for TLS. Plus the total cost is what you would be blowing in electricity anyway. You get a posh-looking email address; server logs; (optional) spam filter; webmail for those wot like it; and you're not going to be constantly blackholed if you pick the right host. If you're on a 'domestic' connection you're going to have to have some sort of bridge over your ISP in any event.

    [1] You will often be offered a free domain with the webhosting. I find it best to keep hosting and domains separate because you are *far* more likely to encounter problems with hosting than with a domain registrar. If you have to extract your domain from the host, it makes moving a lot more troublesome and time-consuming. If your domains are separate, you just point the nameservers to the new host and you can be back in business within the hour. Webhosting tends to be a bit boom-and-bust...it's all great to start with, so customers are attracted. The company expands faster than they can cope with and it all goes titsup. Seen it happen time and again.

    [2] Vidahost. I (and a couple of clients) have been with them for a couple of years now and there's still no sign of impending apocalypse. They know what they're doing and support is good. They get the -extremely conditional, suspicious and grudging- moiety seal of approval. For now...

    1. Bob H

      Re: As an alternative

      I ran my own home server for several years on static IPs, then I got myself a dedicated host and I also ran mail for my family. I used Dovecot, postgrey and various other tools (clamav and spamassassin).

      Eventually the dedicated host's HDD died and I spent ages doing a RAID recovery, doing backup recovery, etc. Frankly that tipped me over the edge. The maintenance, dealing with the odd mail that didn't get through and dealing with the hackers attempting to get in was tedious. Okay, dealing with my family's requests was the most tedious part, but overall I didn't need the grief.

      I have since moved my mail and other stuff to Dreamhost on an unlimited hosting deal and at least I don't have to think about it. The performance of Dreamhost mail isn't fantastic and the webmail is basic, but I am happy enough not to have to think about maintenance. I could move my mail to Google but I decided to draw a line somewhere and give myself a little control.

  16. DougS Silver badge

    I doubt it increases security

    The spooks will be sniffing the wires between the sender and your email server. STARTTLS is a rather poor solution, which a lot of major email providers don't support, and which a MiTM can trivially short circuit after which the connection will still proceed, unencrypted for easy sniffing.

    Plus it only helps for sending/receiving emails from others who the spooks can't get to. That's not the case for the vast majority of them, so if you email someone at aol.com, gmail.com, hotmail.com or so forth they'll just get your email on the other end.

    You have to encrypt the body of the email if you want to be assured of security, but at that point it doesn't matter whether you run your own email server or not.

    1. Anonymous Coward

      Re: I doubt it increases security

      Suggest you investigate metadata.

      Suggest you ask yourself how much is visible in an unencrypted MTA <-> MTA transaction with encrypted email body vs an encrypted (even STARTTLS) entire MTA <-> MTA transaction.

    2. LDS Silver badge

      Re: I doubt it increases security

      While SSL/TLS may help little for mail delivery between SMTP servers, they help a lot to protect your POP/IMAP/SMTP connection/authentication to the mail server.

      One important thing to consider when setting up a mail server is which kind of authentication methods it supports. Some are very insecure over an unencrypted connection, and anyway using TLS/SSL both encrypts and authenticates (as long as certificates are used properly).

    3. Jack of Shadows Silver badge

      @DougS Re: I doubt it increases security

      That really is irrelevant at this point. Just getting started with the safe/sane installation and configuration, especially in regards to normal threats, is the topic at hand (which probably explains the down votes). Now if we want to discuss going into competition against nation-states whose multiple intelligence organs have multi-billion dollar budgets. Each. It's an interesting topic but this is neither the time nor the place for such discussion. Trust, secure channels, and not giving them a clue. Ahem.

      1. LDS Silver badge

        Re: @DougS I doubt it increases security

        It happened to me once that one of the accounts I set up on a new phone, luckily the "one to use when you know you'll get spammed", wasn't properly set up to use SSL/TLS.

        After I used it through a hotel wifi, someone was sniffing data (I guess the hotel network was compromised), cracked the account password, and immediately tried to use it to spam through my server (it looked like it didn't access the account through IMAP or POP; anyway, he would have found just mailing list messages, luckily...).

        Therefore if you believe a proper SSL/TLS setup is only useful to guard against state-level attackers, I would suggest you reconsider how many crooks are competent enough to perform relatively sophisticated attacks. Against most three-letter agencies, SSL/TLS is probably too weak already.
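Two points from this thread, as an added Python example that is not from any of the commenters and not from any mail software: DougS's observation that something in the path can remove the STARTTLS offer, and LDS's point that some authentication methods are unsafe on an unencrypted connection. The EHLO replies below are constructed, not captured, and the server and client names are made up. The client-side rule they illustrate is to fail closed: a reply without STARTTLS ends the session instead of continuing in the clear, and password mechanisms are only used once TLS is up.

```python
# Constructed EHLO replies (not captured from a real server). The first is a
# normal reply; the second is what a client sees when the STARTTLS line has
# been removed between it and the server; after STARTTLS succeeds a server
# typically answers the second EHLO without offering STARTTLS again.
EHLO_INTACT = (
    "250-mail.yourdomain.example Hello client.example\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)
EHLO_STRIPPED = (
    "250-mail.yourdomain.example Hello client.example\r\n"
    "250-SIZE 10240000\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)
EHLO_AFTER_TLS = EHLO_STRIPPED

# Mechanisms that put the password (or a trivially reversible encoding of it)
# on the wire and therefore must never be used outside TLS.
PLAINTEXT_PASSWORD_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply):
    """Return (capabilities, AUTH mechanisms) from a raw multi-line EHLO reply.
    Every line must be a 250 continuation ("250-") or final ("250 ") line."""
    lines = reply.strip().splitlines()
    for line in lines:
        if not line.startswith("250") or line[3:4] not in ("-", " "):
            raise ValueError("not a 250 EHLO line: %r" % line)
    caps, mechs = set(), set()
    for line in lines[1:]:          # line 0 is the greeting, not a capability
        words = line[4:].split()
        if not words:
            continue
        caps.add(words[0].upper())
        if words[0].upper() == "AUTH":
            mechs.update(w.upper() for w in words[1:])
    return caps, mechs


def next_step(reply, tls_active, require_tls=True):
    """Decide what a submission client should do after this EHLO reply.
    Fails closed: no TLS means no password, and a missing STARTTLS offer is a
    reason to stop, not permission to continue in the clear."""
    caps, mechs = parse_ehlo(reply)
    if not tls_active:
        if "STARTTLS" in caps:
            return "starttls"
        if require_tls:
            return "abort: STARTTLS not offered"
        if mechs & PLAINTEXT_PASSWORD_MECHS:
            return "abort: refuse to send a password in the clear"
    if mechs & PLAINTEXT_PASSWORD_MECHS:
        return "auth PLAIN"        # the password travels inside the TLS tunnel
    return "abort: no usable AUTH mechanism"


if __name__ == "__main__":
    print("intact, before TLS: ", next_step(EHLO_INTACT, tls_active=False))
    print("stripped, before TLS:", next_step(EHLO_STRIPPED, tls_active=False))
    print("after TLS:           ", next_step(EHLO_AFTER_TLS, tls_active=True))
```

Python's smtplib behaves the same way on the first point when a client insists on it: `SMTP.starttls()` raises `SMTPNotSupportedError` if the EHLO reply did not advertise STARTTLS, so a client that always calls it never silently downgrades. For an MTA-to-MTA hop the equivalent decision lives in the MTA's outbound TLS policy (opportunistic versus required), which is the gap DougS is pointing at, while the client-to-server case is the one LDS's story shows being exploited.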

  17. Gronk

    An alternative is iRedmail. I've set up a couple of servers with iRedmail recently to test and so far it works pretty well.

  18. This post has been deleted by its author

  19. Richard Morris

    Mysql & amavisd-new

    Hello,

    I'd probably also throw mysql into your recipe, and configure postfix to use it for tables and lists.

    To simplify in postfix (and also generally complicate) spam and virus checking I'd also add amavisd-new too.

    1. Nigel Whitfield.

      Re: Mysql & amavisd-new

      Yep, the config I'm using at the moment (as in the block diagram) does use amavisd-new, which is what summons ClamAV as well.

      I did install Postfix with MySQL compiled in, and used that in a previous iteration of the system when I provided a load of mail aliases for a client, and it was easiest to tweak them that way. Now I have far fewer, so they're all in the text file instead. Space permitting, however, I will include notes on how you can use a database to handle one of your domains.

  20. url

    The last one of these I saw was on ARS a couple of years back. I'm glad to see one on OpenBSD.

    I'm hoping this will be fully in-depth step by step.

    (please also the "NSA proofing" thing)

    :)

  21. The Vociferous Time Waster

    Other methods do exist

    There is no "right" way to do this and any tutorial can be either a guide for those with simple requirements or a starting point for those who want to explore deeper - some great suggestions from commentards but be mindful of your own requirements before you get carried away with an ultra secure house of cards solution

    And once you get it working keep a "gold build" backup so you can get your mail working again if it all goes pear shaped in future

  22. John Doe 6

    As I see it...

    ...after I have been running my own mail server @home, the biggest problems are sending SMTP out to the net, you need a PTR record and you need an ISP that allows you to send and receive on port 25.

  23. Spanky_McPherson

    But running a mailserver from home simply doesn't work...

    My experience was the same as some other commenters - (some) outgoing emails never arrived at the destination.

    I suspect that some SMTP servers would silently drop email based on the source IP address (i.e. they knew it was a residential ADSL connection)

    It made the whole exercise pointless, and I ended up on gmail.

    1. John Doe 6

      Re: But running a mailserver from home simply doesn't work...

      You need AT LEAST:

      1. fixed IP address

      2. your OWN Internet domain with a MX record

      3. DNS pointing your domain to your fixed IP address

      4. PTR record mapping your IP address to your domain (that is on your ISP's DNS server)

      5. an ISP allowing direct SMTP traffic

      If your mailserver's hostname is hermes.yourdomain.uk the PTR must point to hermes.yourdomain.uk

      Microsoft hosted domains will not receive mail unless you ask Microsoft to allow your mailserver (or have SPF records), they will however return an error to you.
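The five requirements above, with item 3 (A record), item 4 (PTR record), the MX record from item 2 and the SPF record mentioned in the last line checked mechanically, as an added Python example. It is not from the post and it is not a real resolver: the DNS data is a constructed in-memory zone that reuses the post's hermes.yourdomain.uk hostname with documentation-range addresses, plus a second host whose PTR names a generic ISP hostname, to show what a failing forward-confirmed reverse DNS check looks like. The SPF evaluator is deliberately limited to the ip4, a, mx and all mechanisms.

```python
import ipaddress

# Constructed in-memory "DNS" so the example runs offline. Names carry a
# trailing dot as in a zone file. hermes.yourdomain.uk is the hostname from
# the list above; mail.example.net is a second, deliberately misconfigured
# host whose PTR record names the ISP's generic hostname instead of its own.
ZONE = {
    ("hermes.yourdomain.uk.", "A"):         ["203.0.113.25"],
    ("yourdomain.uk.", "MX"):               [(10, "hermes.yourdomain.uk.")],
    ("25.113.0.203.in-addr.arpa.", "PTR"):  ["hermes.yourdomain.uk."],
    ("yourdomain.uk.", "TXT"):              ["v=spf1 mx -all"],
    ("mail.example.net.", "A"):             ["198.51.100.7"],
    ("example.net.", "MX"):                 [(10, "mail.example.net.")],
    ("7.100.51.198.in-addr.arpa.", "PTR"):  ["cust-7.dsl.isp.example."],
    ("cust-7.dsl.isp.example.", "A"):       ["198.51.100.7"],
}


def fqdn(name):
    """Normalise a name to lower case with a trailing dot."""
    return name.lower() if name.endswith(".") else name.lower() + "."


def lookup(name, rtype):
    """Stand-in for a resolver query; [] where a real one would return NXDOMAIN."""
    return ZONE.get((fqdn(name), rtype), [])


def reverse_name(ip):
    """in-addr.arpa / ip6.arpa owner name for an address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns_ok(ip, hostname):
    """Forward-confirmed reverse DNS (item 4 above): the PTR for ip must name
    hostname, and that name's A record must contain ip again."""
    ptr_names = [fqdn(n) for n in lookup(reverse_name(ip), "PTR")]
    return fqdn(hostname) in ptr_names and ip in lookup(hostname, "A")


def spf_result(domain, ip):
    """Minimal SPF check: qualifiers + - ~ ? and the ip4, a, mx and all
    mechanisms only; no include, redirect or macros."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if len(records) != 1:
        return "none"
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(ip in lookup(host, "A") for _, host in lookup(arg or domain, "MX"))
        else:
            return "permerror"      # mechanism outside this simplified evaluator
        if matched:
            return qualifiers[qualifier]
    return "neutral"


def check_mail_host(domain, hostname):
    """Run items 2-4 of the list above plus SPF against one host and return a
    list of problems; an empty list means everything lines up."""
    problems = []
    addrs = lookup(hostname, "A")
    if not addrs:
        return ["no A record for " + hostname]
    if fqdn(hostname) not in [fqdn(h) for _, h in lookup(domain, "MX")]:
        problems.append("%s is not an MX for %s" % (hostname, domain))
    for ip in addrs:
        if not fcrdns_ok(ip, hostname):
            problems.append("PTR for %s does not confirm %s" % (ip, hostname))
        spf = spf_result(domain, ip)
        if spf != "pass":
            problems.append("SPF result for %s sending as %s: %s" % (ip, domain, spf))
    return problems


if __name__ == "__main__":
    for domain, host in (("yourdomain.uk", "hermes.yourdomain.uk"),
                         ("example.net", "mail.example.net")):
        print(domain, host, check_mail_host(domain, host) or ["ok"])
```

To run this against live DNS, lookup() would be replaced by a resolver call; the checks themselves are the ones receiving servers apply before trusting a sender: the address's PTR names the host, that host resolves back to the same address, and the domain's SPF record authorises the address. The second host fails on both counts, which is the situation 7layer described earlier in the thread.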

  24. Ed Mozley

    I tried Synology

    I tried running my Synology box as a mail server but as a home user with no fixed IP my outbound emails were being blocked as spam by gmail.

  25. AlexRomul

    Helps to reduce spam

    I recently tried to enhance spam assassin with a free Cloudmark Authority anti-spam client (apparently most of UK ISPs like VirginMedia, Plusnet, TalkTalk use it) and so far it blocks around 25-30% extra spam compared to spam-assassin alone.

    I run a small tech company with a postfix MTA and I had a lot of spam before with spam assassin. I've also tried to short-circuit spam assassin whilst using Cloudmark filter and it delivers a good 10-11x faster performance and processing.

    Another handy feature is the fact that Cloudmark Authority lets you to mark spam messages from the webmail client enabling the system to learn dynamically. Postfix integration all seemed to be pretty simple as well.

    1. Nigel Whitfield.

      Re: Helps to reduce spam

      Yes, you can use the Razor-Agents, which is the non-commercial version of Cloudmark, to beef this up. I may, however, have to leave that as an exercise for the reader, lest we end up with a series that doesn't finish until Christmas

  26. James 100

    Hybrid for now

    I've been very impressed with Fastmail for a few years now - seriously committed to reliable service (replicating in real-time between IBM Linux and Sun Solaris hosts in different DCs, to minimise common points of failure: firmware bugs, hardware flaws, OS bugs etc). So far it's been rock-solid for me.

    I handle a bit of mail routing myself right now though, on VPSs (I have a few addresses I want special handling for, like blocking particular senders on the SMTP level - Fastmail can only filter post-delivery) - in the next month or two I'll probably shift the balance in that direction a bit further, so everything hits my machines first, then gets copied into Fastmail.

    Like the article says, it's not scary or rocket science, just a little bit of effort to get full control. Well worth it for a lot of The Reg's target audience I suspect.

  27. Steven Raith

    Easy peasy mail

    Bah, I really want to mention my employer's solution to this (a FLOSS project to make debian + exim = other things easier) but I'm concerned about coming across as a bit shilly.

    I'll waffle on about it a bit if someone wants me to, but suffice to say my entire (pitiful) online estate runs on it these days, not because I have to, but because it's really rather good in my humble opinion. We have some fairly hefty servers running dozens of domains using it, too, because it works nicely and tends to Not Break and is easy to configure - a nice mix.

    Steven "Google Bytemark Symbiosis, kids" R

    1. Steven Raith

      Re: Easy peasy mail

      As an example, I see gerdesj linked to mail-tester, which was what I was looking for earlier; my simple mail config (with correct DNS, SSL, SPF) gets 9/10; the only thing it lacks is DKIM signing, mainly because I'm not up on that as yet. Just checked the docs, and it doesn't look too tricky. Suppose I'll have a crack at that this week.

      Just FYI, natch.

      Steven R

  28. Frumious Bandersnatch Silver badge

    maildir format

    That brings me back. I used to use it with the mh mail client and exmh (which I think integrated with fetchmail). Despite exmh being written in Tcl/Tk, it was as nice to use as any "full fat" mail client I've used since.

    The problem I eventually ran into back then was scalability. With the possibility of tens of thousands of emails, each with their own file, the mail directory could get really slow as the dir had to be rescanned for each sub-command. Mind you, that was in the days before the ext? filesystems had optimisations (automatic indexing or something) for huge directories like that. Even with the drawbacks, the maildir format still beat the alternative of a bunch of huge Inbox.bz files that needed to be decompressed twice when you were searching for something (once to find out which inbox file it was in, with no tools apart from zless) followed by a second decompress when you issue the command needed to extract the particular mail you want.

    Of course, if I'd foreseen the need to index mailboxes before archiving I could totally have used something like glimpse on them instead of torturing myself with slow searches.

    Nowadays, of course, all that seems like an anachronism when Google or Microsoft will happily index everything automatically. That's good, of course, but at what price?

  29. gerdesj Silver badge

    I run email systems for a living

    A few suggestions if you want to DiY:

    * You *must* have a static IP with A, MX and PTR records

    * Exim for the MTA. You are welcome to try others eg Sendmail, Postfix or Qmail

    * Greylisting is a great idea but it will get on your nerves after a while and is no more effective than blacklisting (sign ups to new services will be delayed by your greylist)

    * Use Spamhaus, Hostkarma and co for blacklists - they are very good for an initial filter

    * Spamassassin

    * SPF, DKIM, DMARC - they will improve your "reputation" but be careful - they are complex beasts.

    Test with this: http://www.mail-tester.com/

    To really get to grips with it, from a standing start, allow at least 1 year. I'm not joking. You can get good results in a couple of hours but you will still be learning for years. I am.

    Cheers

    Jon

    1. GrumpenKraut Silver badge

      Re: I run email systems for a living

      > Test with this: http://www.mail-tester.com/

      Very useful, thanks!

    2. Vic

      Re: I run email systems for a living

      > You can get good results in a couple of hours but you will still be learning for years. I am.

      I don't imagine we'll ever stop learning - but a few hours' study really can give you a useful mailserver. It's not nearly as difficult as some[1] would paint it.

      Vic.

      [1] Including me, if I'm charging for my time :-)

  30. -tim

    Effective spam filtering need lots of spam

    I figure you need about 500,000 spam messages a month to be able to filter it out properly with minimal false positives. That means you have to be able to throw out about 10 gig a month of data over your home network. It is easy to collect that much if you just put in some random email address in a web page but the spammers will throw away the ones that look random like uizctyiutywe@example.com but bob@example.com will get far more spam. Common names all get spam as well so alice, bob and smith will get spam very soon after starting up a new server.

    There are antispam services that you point your MX records to and they do the filtering and then deliver to your home server. They can install SSL certs so they only deliver to your dynamic IP address and some can do IPv6 which you might find is static. I have a computer in a data center in LAX and I've about given up on trying to filter spam and letting others try. I'm currently using MXGuardian which seems to work but is getting expensive as I keep finding more and more email addresses I set up years ago that are still being used. Most of the services are cost per domain, cost per mailbox or cost per message. With over 100 people using my vanity domain over the last two decades, any of those options get expensive. My habit of using a new email address every time I print business cards just adds to the expense.

    1. Vic

      Re: Effective spam filtering need lots of spam

      > I figure you need about 500,000 spam messages a month to be able to filter it out properly while minimal false positives

      Where did you get that figure from?

      I use <1% of that, and my filters are very effective...

      Vic.

      1. -tim

        Re: Effective spam filtering need lots of spam

        I have a domain that is over 20 years old (with plenty of email address published in usenet and on the web and archived mailing lists) and that is the level I need to process so that my spam level is less than 1%.

        1. Vic

          Re: Effective spam filtering need lots of spam

          > I have a domain that is over 20 years old

          Mine are only about 15 years old.

          > with plenty of email address published in usenet and on the web and archived mailing lists

          Yes, me too.

          > that is the level I need to process so that my spam level is less than 1%.

          Well, I use <1% of the training spam you quote, and my spam level is << 1%, with approximately zero false positives[1].

          I don't understand your figures.

          Vic.

          [1] It's silly to quote zero, as a single one ever breaks that promise. But my false positive level is negligible.

  31. Daniel Hall
    Coat

    > in normal use, the load average is around 1.1.

    1.1 what?

    1. Shoot Them Later

      Re: in normal use, the load average is around 1.1.

      I can see you're getting your coat, but maybe I'm not getting the joke. In case it's a serious question, here is a serious answer.

    2. Vic

      Re: in normal use, the load average is around 1.1.

      > 1.1 what?

      Just 1.1. Load averages are essentially[1] dimensionless.

      1.1 also seems a little high; my server generally runs quite a bit lower than that (I was going to get some figures, but there is no mail at the moment, and it's actually showing 0.00).

      Vic.

      [1] It's actually the average number of processes in a runnable state at any point in time. You might be able to torture a unit out of that - but it's really not that important.

      1. Nigel Whitfield.

        Re: in normal use, the load average is around 1.1.

        I could probably bring it down a little with some tweaking - for instance, the screenshot shows a lot of Perl running, which is the various Amavisd-new child processes. Tweaking that down, and also the maximum number of simultaneous SMTP connections allowed would probably get it a lot lower.

        Normally, I also have a couple of IMAP clients signed in continuously. And clamd is a bit of a hog too, at times. So, yes, I could tweak this down - but 1.1 on a system with two cores is perfectly livable with, and not really in the region where I need to worry about tinkering.

  32. CAPS LOCK Silver badge

    Is it just me or does this seem like a lot of effort and risk?

    I admit I'm lazy and hopeless, but...

    1. Nigel Whitfield.

      Re: Is it just me or does this seem like a lot of effort and risk?

      A good few hours effort, for sure. Depends if you think the benefits outweigh that.

      In terms of risk, probably less than there used to be - with a modern MTA, I think it's a bit less likely that you'll accidentally set up an open mail relay without intending to, whereas with Sendmail and some other old software, it was very easy to do that unwittingly.

      1. Vic

        Re: Is it just me or does this seem like a lot of effort and risk?

        > it's a bit less likely that you'll accidentally set up an open mail relay without intending to, whereas with Sendmail and some other old software, it was very easy to do that unwittingly.

        No, that's very old, very stinky bait. sendmail generally comes configured not even to speak to the LAN; you have to make a deliberate effort to turn service on. Setting up an open relay requires you to read the documentation...

        There's a lot of FUD spread about sendmail. It's actually a very good MTA, just as long as you don't try to understand the .cf file...

        Vic.

    2. Vic

      Re: Is it just me or does this seem like a lot of effort and risk?

      Setting up a mail server is actually really easy, and very worthwhile.

      Where I differ significantly from the author is in the priorities for the system - I wouldn't be going out buying new kit to try this out. Find a duff old carcass - I've got them from the tip before - and just give it a go. If you decide it's worth your time and attention, *that's* the time to start looking for sexy hardware...

      Vic.

      1. Nigel Whitfield.

        Re: Is it just me or does this seem like a lot of effort and risk?

I wouldn't necessarily recommend buying a new server; this article was prompted by the new Revo, certainly - largely because it happened to turn up just when the old system went tits up.

        So I agree, an old machine will probably work pretty well, and that's one reason why I thought it was worth using the cheap Revo here, to show what you can do without a massively specced machine.

        If you stick with the generic OpenBSD kernel, too, you can probably get away with building this on an old machine, and then if you want to replace it, popping the drive into a new system and not having to do much more than tweak the settings for the network interface, which may have a different name depending on chipsets.

        1. Vic

          Re: Is it just me or does this seem like a lot of effort and risk?

          If you stick with the generic OpenBSD kernel, too, you can probably get away with building this on an old machine, and then if you want to replace it, popping the drive into a new system and not having to do much more than tweak the settings for the network interface, which may have a different name depending on chipsets.

Indeed. I'd build this with Linux rather than OpenBSD - but that's more about familiarity than anything else. The two are pretty much equivalent.

          The box that runs my business mail started out as an IBM Aptiva - 400MHz? Something like that. It was an old dog that I repurposed to try out a home server.

          That personality now has none of the original hardware - it's now an Athlon64 (still running in 32-bit mode, though, because it's evolved from the Aptiva installation) running on a 2005 Winfast motherboard. Moving from one chassis to another is trivial in Linux (as it is in *BSD, IME).

          Vic.

  33. captain_solo

    So, what do I do if I need to wipe the server before turning it over to a congressional committee? You know, like wipe it with a cloth? Is that supported?

  34. Anonymous Coward
    Anonymous Coward

    Use a Pi2

I've been running email servers at home ever since I got ADSL. I now use an rPi2 with an external disk. I use Postfix with Dovecot, with an auth'd submit port and IMAP over SSL with external inbound access. My rPi2 is a hidden gateway, and I have two externally facing SMTP MTAs running on cheap VPSes (£3 pm, also used for web servers, DNS, etc.). On those servers I only run Postfix with DNS blacklists (zen.spamhaus.org and bl.spamcop.net), OpenDKIM to get more mail through to some servers (some will greylist you unless you have a valid DKIM sig) and Postfix anvil (to prevent those annoying dictionary-based email attacks). I don't use any AV - I get hardly any spam ever. Works a treat. The servers hardly ever break a sweat. I have a long queuing time on the externally facing servers, so my rPi2 can be down for up to a month before a mail is bounced - good when away on long hols if my ADSL fails. You really have to make sure you choose your VPSes/VMs well; you need to make sure your IP or AS isn't blacklisted, and you must have reverse DNS set up. On top of this I use a different email address for every company or org I deal with. Just cut them off if they don't honour the unsubscribe etc.
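The DNSBL check the externally facing MTAs above depend on, as an added example (not code from the comment, and not Postfix's own code). It builds the reversed query name for IPv4 and IPv6 clients, separates a real listing answer from a zone error answer, and never queries the lists for private or loopback clients. The two zones are the ones named above; the answers in `FAKE_DNS` are constructed so the block runs offline, and treating 127.255.255.0/24 as an error signal rather than a listing is an assumption to confirm against each zone's own documentation.

```python
"""DNSBL client-check logic, as a Postfix front end would apply it.
Added example; FAKE_DNS is constructed, not real lookup data."""
import ipaddress
from typing import Callable, Dict, List, Optional

# Zones named in the comment above.
ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]

# Any A record inside 127.0.0.0/8 is a listing. Some operators answer from
# 127.255.255.0/24 to signal "query refused / over quota" instead of a
# listing (assumption: check the zone's documentation for its exact codes).
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed octets (IPv4) or reversed hex nibbles (IPv6), then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        # 32 nibbles from the fully expanded form, least significant first
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def classify_answer(answer: Optional[str]) -> str:
    """NXDOMAIN (None) is clean; 127.0.0.0/8 is listed; anything else is an error."""
    if answer is None:
        return "clean"
    a = ipaddress.ip_address(answer)
    if a in ERROR_RANGE or a not in LISTED_RANGE:
        return "error"
    return "listed"


def check_client(ip: str, resolve: Resolver, zones: List[str] = ZONES) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists the client."""
    addr = ipaddress.ip_address(ip)
    if addr.is_private or addr.is_loopback:
        # RFC1918 and loopback clients are never listed; querying them only
        # leaks your relay topology to the list operator.
        return {}
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if classify_answer(answer) == "listed":
            hits[zone] = answer  # type: ignore[assignment]
    return hits


def smtp_verdict(ip: str, resolve: Resolver, zones: List[str] = ZONES,
                 threshold: int = 1) -> str:
    """Reject with a permanent 554 once `threshold` zones list the client;
    errors never count towards the threshold, so a broken zone cannot block mail."""
    hits = check_client(ip, resolve, zones)
    if len(hits) >= threshold:
        names = ", ".join(sorted(hits))
        return f"554 5.7.1 Service unavailable; client [{ip}] blocked using {names}"
    return "250 OK"


# Constructed sample answers standing in for DNS (not real listing data).
FAKE_DNS = {
    "4.3.2.1.zen.spamhaus.org": "127.0.0.4",
    "4.3.2.1.bl.spamcop.net": "127.0.0.2",
    "8.7.6.5.zen.spamhaus.org": "127.255.255.254",  # zone reporting an error
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    print(smtp_verdict("1.2.3.4", fake_resolve))
    print(smtp_verdict("5.6.7.8", fake_resolve))
```

The threshold parameter is the point: Postfix's postscreen and `reject_rbl_client` both let you demand more than one hit before rejecting, which is how you keep a single mis-listing from bouncing legitimate mail.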

    1. Vic

      Re: Use a Pi2

      On top of this I use a different email address for every company or org I deal with. Just cut them off if they don't honour the unsubscribe etc.

      This is one of the best bits of running your own mailserver - you can allocate and destroy email addresses on a whim. None of this easily-defeated "me+tag@example.com" addressing - you can have genuinely unique addresses for every single contact. And when they become a pain in the arse, they suddenly don't get to send you any email...

      Vic.

      1. Anonymous Coward
        Anonymous Coward

        Re: Use a Pi2

Actually this very policy has outed many companies that have sold or had my details stolen from them. I seem to recall that thebookdepository and Santander were in that list - the former admitted the hack and apologised, the latter ignored all of my reports despite much effort to inform them that they'd been compromised!! I started getting spam to both my entirely separate Santander emails from the same spammers at the same time.

  35. SImon Hobson Silver badge

    Just my 2d worth ...

Add in amavis-milter - then you can do before-acceptance scanning. Almost all the howtos out there configure dual Postfix instances so it goes: accept mail and queue it, scan it, requeue it and deliver to mailbox. The problem is, you are now too late to reject it because it then becomes: accept mail and queue it, scan and reject it - now what? If you "bounce" it then you are now part of the problem as you'll generate huge amounts of backscatter. If you don't bounce it, do you bother telling the user - if so, then that's no more useful than just delivering the message and tagging it as spam. Or do you silently discard it, which is just so wrong in so many ways - which seems to be why all the big outfits do it.

    With pre-queue scanning, it needs a bit more resource at message receipt time, but you have the option to reject the message outright. Any properly configured mail server will then notify the sender of any falsely tagged mail that their message has not been delivered, while spam software will just move on to the next.

    Greylisting - most definitely, it gets rid of almost all my spam. There's a few niggles, but mostly it "just works" and you don't notice it.

I'd also suggest adding "Postfix Admin" - a nice web frontend for managing domains, mailboxes, etc.

    And Policyd (aka Cluebringer) which provides a nice policy daemon (though fiddly to set up) that will handle quotas (message count/size), greylisting, and some other stuff.

And of course - go over to sslmate and get yourself a real certificate. It's not expensive, but the real benefit is that they provide config snippets for the common software, and it can manage renewals etc.
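The greylisting decision logic, as an added example of the technique recommended above (not code from the comment, and not Policyd or any other real policy daemon). A Postfix policy service answers each RCPT with an action; this block only implements the decision, keyed on the (client network, sender, recipient) triplet: first sight gets a temporary 451, a retry after the delay is accepted and the triplet is remembered, and a triplet that never retries is forgotten. The delay, window and whitelist lifetime, and keying on /24 (IPv4) or /64 (IPv6) so that a sender retrying from a sibling host still passes, are assumptions in the range policy servers typically use.

```python
"""Greylisting decision logic for a Postfix-style policy service.
Added example; the timing constants are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Tuple

GREYLIST_DELAY = 300             # seconds the first retry must wait (assumption)
GREYLIST_WINDOW = 8 * 3600       # forget an unretried triplet after this long (assumption)
WHITELIST_TTL = 35 * 24 * 3600   # remember a successful triplet this long (assumption)

# Postfix policy actions: DEFER_IF_PERMIT only defers if nothing later would
# reject anyway; DUNNO means "no opinion, apply the remaining restrictions".
DEFER = "DEFER_IF_PERMIT 451 4.7.1 Greylisted, please try again later"
PASS = "DUNNO"

Key = Tuple[str, str, str]


def triplet(client_ip: str, sender: str, recipient: str) -> Key:
    """Key on the client's /24 or /64 rather than the exact host: large senders
    retry from another machine in the same block, and we want that retry to count."""
    addr = ipaddress.ip_address(client_ip)
    prefix = 24 if addr.version == 4 else 64
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net), sender.lower(), recipient.lower()


@dataclass
class Greylist:
    pending: Dict[Key, float] = field(default_factory=dict)  # triplet -> first seen
    passed: Dict[Key, float] = field(default_factory=dict)   # triplet -> last seen

    def decide(self, client_ip: str, sender: str, recipient: str, now: float) -> str:
        key = triplet(client_ip, sender, recipient)

        # Known-good triplet still inside its whitelist lifetime: accept and refresh.
        last = self.passed.get(key)
        if last is not None and now - last < WHITELIST_TTL:
            self.passed[key] = now
            return PASS

        first = self.pending.get(key)
        if first is None or now - first > GREYLIST_WINDOW:
            # Never seen, or the earlier attempt was never retried: start again.
            self.pending[key] = now
            return DEFER
        if now - first < GREYLIST_DELAY:
            # Retrying too fast; a real MTA backs off, most spam cannons never return.
            return DEFER

        # A well-behaved retry after the delay: promote to the whitelist.
        del self.pending[key]
        self.passed[key] = now
        return PASS


if __name__ == "__main__":
    g = Greylist()
    t = 1_700_000_000.0
    print(g.decide("203.0.113.7", "alice@example.org", "me@example.net", t))
    print(g.decide("203.0.113.7", "alice@example.org", "me@example.net", t + 400))
```

The niggles the comment mentions mostly come from senders that retry from a different IP range each time, which the /24 keying does not cover; real deployments pair this with a whitelist of known big senders.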

    1. Vic

The problem is, you are now too late to reject it because it then becomes: accept mail and queue it, scan and reject it - now what? If you "bounce" it then you are now part of the problem as you'll generate huge amounts of backscatter.

      My apologies, I can only upvote your post once...

      I used to get endless recommendations for MailScanner. Now I've not looked recently, but at the time, that was purely accept-then-reject. And the backscatter just flows...

      One significant tool I use is an SPF milter[1]. Many, many spammers still forge domain addresses, and this just stops them dead.

      Vic.

      [1] I've actually modified mine - although it's no longer fully RFC-compliant, I recommend the modification to everyone. I treat "+all" in SPF as "-all". I suspect "+all" was included for orthogonality, but I cannot for the life of me think of a single situation where it is anything but harmful - and I've seen lots of "+all" records in the wild :-(
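An SPF evaluator with the commenter's "+all" modification switchable, as an added example (not Vic's milter, nor any real SPF library). It covers the common mechanisms (ip4, ip6, a, mx, include, all) and the redirect= modifier, returns permerror on ptr/exists rather than silently mis-evaluating a record that uses them, and with `plus_all_is_fail=True` treats "+all" as "-all" exactly as footnote [1] describes; set it to False for the RFC 7208 reading. The zone data in `TXT`, `A` and `MX` is constructed so the block runs offline.

```python
"""Minimal SPF (RFC 7208) evaluator with an optional "+all means -all" policy.
Added example; TXT/A/MX below are constructed zone data, not real records."""
import ipaddress
from typing import Callable, List

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10   # RFC 7208 limits DNS-querying terms to 10; reused as an include/redirect cap

Lookup = Callable[[str], List[str]]


def evaluate(domain: str, ip: str, txt: Lookup, a: Lookup, mx: Lookup,
             plus_all_is_fail: bool = True, depth: int = 0) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for `ip` sending as `domain`."""
    if depth > MAX_DEPTH:
        return "permerror"
    records = [r for r in txt(domain) if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # more than one SPF record is an error per RFC 7208
    client = ipaddress.ip_address(ip)
    redirect = None

    def hosts_match(names: List[str]) -> bool:
        return any(client == ipaddress.ip_address(addr) for n in names for addr in a(n))

    for term in records[0].split()[1:]:
        if "=" in term:                              # modifier: redirect=, exp=, ...
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            if qualifier == "+" and plus_all_is_fail:
                return "fail"                        # the local policy from footnote [1]
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = client.version == net.version and client in net
        elif name == "a":
            matched = hosts_match([arg or domain])
        elif name == "mx":
            matched = hosts_match(mx(arg or domain))
        elif name == "include":
            inner = evaluate(arg, ip, txt, a, mx, plus_all_is_fail, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"                   # include of a missing record is an error
            matched = inner == "pass"
        else:
            return "permerror"                       # ptr, exists or an unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]

    if redirect:
        return evaluate(redirect, ip, txt, a, mx, plus_all_is_fail, depth + 1)
    return "neutral"                                 # no mechanism matched and no "all"


# Constructed zone data standing in for DNS (not real records).
TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 mx include:_spf.example.net -all"],
    "_spf.example.net": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "sloppy.example": ["v=spf1 ip4:198.51.100.1 +all"],
    "moved.example": ["v=spf1 redirect=example.com"],
}
A = {"mail.example.com": ["192.0.2.25"]}
MX = {"example.com": ["mail.example.com"]}


def check(domain: str, ip: str, plus_all_is_fail: bool = True) -> str:
    return evaluate(domain, ip, lambda d: TXT.get(d, []), lambda d: A.get(d, []),
                    lambda d: MX.get(d, []), plus_all_is_fail)


if __name__ == "__main__":
    print(check("sloppy.example", "198.51.100.2"))                          # local policy: fail
    print(check("sloppy.example", "198.51.100.2", plus_all_is_fail=False))  # RFC reading: pass
```

The "+all" case is the whole point of the footnote: under the RFC a record ending in "+all" makes every host on the internet an authorised sender for that domain, so an SPF check of it can never say anything useful, and treating it as a fail costs nothing legitimate.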

    2. Nigel Whitfield.

      The config I'll be describing has a pre-queue filter using amavis. I agree that's the best way to do things.

  36. storner

    I'd recommend using a test domain first

Having mail thrown away by accident is really annoying, especially when you only have yourself to blame. So if you are new to this, get yourself a domain to play with, and set everything up the way it should be. And test it properly. Domain prices vary a lot between the TLDs, but the .info domains appear to be cheap at the moment (29 kroner = ~3£ for a year at my local dns shop).

Having done this for 20+ years, my experience is that you shouldn't try this on a home connection. Too much hassle with ISP filtering ports, home DSL IPs being blacklisted etc. etc. And if you end up providing mail service to friends&family (and believe me, it will happen ...) then your home server suddenly needs to be up and running 24/7 - including power and Internet connection.

Much easier with a VPS somewhere, and it is cheaper on the power bill.

My own setup is based on https://workaround.org/ispmail/ - it uses Postfix and Dovecot on Linux. Sendmail? No way I'm gonna do another sendmail.cf voodoo dance again. QMail? Been there, done that - for 10+ years, actually, but it is definitely showing its age now, getting it to do spam filtering and avoiding backscatter mails was just too big a hassle.

    1. Vic

      Re: I'd recommend using a test domain first

      Sendmail? No way I'm gonna do another sendmail.cf voodoo dance again.

      As I keep saying, sendmail.cf is a horrific way to configure sendmail. sendmail.mc is easy.

      There's little wrong with sendmail that can't be fixed with a bit of education for its admins...

      Vic.

  37. TonyJ Silver badge

    Couple of comments

    Haven't had a chance to fully read the comments so apologies if I am repeating anyone.

    I used to use Mailcleaner - www.mailcleaner.org as a free, fully customisable border protection with good forum support;

    For Dynamic or Static IP, DNSExit can provide not only free tools to update the Dynamic aspect but for around US$20 a year, a backup MX/storage feature;

A lot of mail systems will bork at receiving mail from consumer IP addresses; likewise a lot of ISPs like to close off known mail ports to force the use of business broadband.

    Hope some of this is useful. :)

  38. Anonymous Coward
    Anonymous Coward

    Attn: Normal people

    If you are one of the willy-wavers saying how easy-peasy it all is, please move on to the next post.

    Now I've got rid of them...

    I've set up postfix / dovecot / amavis etc firstly for my own domain on my own (datacentre-based) server and then for various customers. The only real reason I can think of for finding out that smtps won't bloody work until you've uncommented the line that says " -o smtpd_sasl_auth_enable=yes" (whatever that means) is so that you can tell a customer that yes, you can set up their mail server.

    If email is a tool to do your job the same as your car is a tool to get you there to do it, you should no more roll-your-own mailserver than you would build your own gearbox.

    Any fricking uber-geeks still reading - yes, I also needed smtpd_tls_wrappermode.

    Let the flames begin.

    1. Vic

      Re: Attn: Normal people

      I've set up postfix ... -o smtpd_sasl_auth_enable=yes ... smtpd_tls_wrappermode

      I use sendmail. I don't use any of those sorts of options - SSL is on by default.

      Vic.

      1. Anonymous Coward
        Anonymous Coward

        Re: Attn: Normal people

        "I use sendmail."

        Now you have *two* problems.

        (Runs away).

    2. Hans 1 Silver badge

      Re: Attn: Normal people

      smtpd := smtp daemon, actually, the process that you connect to with your email client (outlook, thunderbird, icedove, whatever) to send emails (via SMTP).

      sasl := Simple Authentication and Security Layer

      auth := authentication

      enable := !disable

      = := = or "equals"

      yes := !no

      Basically, it means that for the smtpd daemon, set the "simple authentication and strong security layer" to "enabled" for "authentication". Hope that helps ...

      As for wrappermode ... I will quote the postfix TLS readme:

      TLS is sometimes used in the non-standard "wrapper" mode where a server always uses TLS, instead of announcing STARTTLS support and waiting for remote SMTP clients to request TLS service. Some clients, namely Outlook [Express] prefer the "wrapper" mode. This is true for OE (Win32 < 5.0 and Win32 >=5.0 when run on a port<>25 and OE (5.01 Mac on all ports).

      It is strictly discouraged to use this mode from main.cf. If you want to support this service, enable a special port in master.cf and specify "-o smtpd_tls_wrappermode=yes" (note: no space around the "=") as an smtpd(8) command line option. Port 465 (smtps) was once chosen for this feature.

      Basically, email clients tend to issue a STARTTLS to the server to say "Heydo, I wanna talk encrypted, you support that, right?" Outlook uses a wrapper mode instead - postfix discourages you from using it in the readme, I could not find anything in the actual cf file or google explaining why. Apparently non-standard.

      Also, you would have to watch with Outlook, sometimes it insists on sending cleartext passwords over the wire, because, well, it detected mail server is not exchange.

  39. Richard42

    Fail2Ban?

    Great to see an article about this.

    Been running my own mail server for over 15 years, Postfix + Spamassassin + Dovecot + (can't remember the AV software) + fail2ban.

Fail2ban is great, I see a lot of connections from spammers trying to brute-force users' passwords, and Fail2ban is set to ban them after 3 attempts, and it automatically unblocks these attempts after a couple of hours. (usual config time to unblock is a few minutes IIRC)

    There are a couple of things in here I either never quite got working fully, or haven't used (GreyList) so will read the next installment closely.
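The ban logic described above run over sample log lines, as an added example (not fail2ban's code, and not the commenter's configuration). It recognises the authentication-failure lines Postfix smtpd (SASL) and Dovecot's login process write, keeps a sliding window of failures per client IP, bans after 3 failures inside the window and lets the ban lapse after two hours, matching the settings the comment gives; the 10-minute window is an assumption (fail2ban's default), and the log lines in `SAMPLE_LOG` are constructed in those daemons' formats, not a real log.

```python
"""fail2ban-style brute-force detection over mail authentication logs.
Added example; SAMPLE_LOG is constructed, not a real log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

MAXRETRY = 3                    # from the comment: ban after 3 attempts
BANTIME = timedelta(hours=2)    # from the comment: unban after a couple of hours
FINDTIME = timedelta(minutes=10)  # assumption: fail2ban's default window

# Failure lines as Postfix smtpd (SASL) and Dovecot imap/pop3-login write them.
FAIL_PATTERNS = [
    re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
               r"SASL \S+ authentication failed"),
    re.compile(r"dovecot: (?:imap|pop3)-login: .*\(auth failed.*rip=(?P<ip>[0-9a-fA-F.:]+)"),
]


def parse_failure(line: str, year: int = 2015) -> Optional[Tuple[datetime, str]]:
    """(timestamp, client IP) for an authentication-failure line, else None.
    Classic syslog timestamps carry no year, so the caller supplies one."""
    for pattern in FAIL_PATTERNS:
        m = pattern.search(line)
        if m:
            ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
            return ts, m.group("ip")
    return None


class Jail:
    def __init__(self) -> None:
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.bans: Dict[str, datetime] = {}    # ip -> time the ban expires

    def is_banned(self, ip: str, at: datetime) -> bool:
        return ip in self.bans and self.bans[ip] > at

    def observe(self, line: str) -> Optional[Tuple[str, datetime]]:
        """Feed one log line; return (ip, ban_until) when a new ban is issued."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, ip = parsed
        if self.is_banned(ip, ts):
            return None                        # firewall already drops this client
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > FINDTIME:   # drop failures older than FINDTIME
            window.popleft()
        if len(window) >= MAXRETRY:
            until = ts + BANTIME
            self.bans[ip] = until
            window.clear()
            return ip, until
        return None


def run(lines: List[str]) -> Tuple[Jail, List[Tuple[str, datetime]]]:
    """Replay a log; return the jail state and the list of bans it issued."""
    jail = Jail()
    events = [e for e in map(jail.observe, lines) if e is not None]
    return jail, events


# Constructed sample lines in the Postfix and Dovecot formats (not a real log).
SAMPLE_LOG = [
    "Oct 14 10:22:01 mail postfix/smtpd[2171]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Oct 14 10:22:05 mail postfix/smtpd[2171]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Oct 14 10:22:07 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<bob>, method=PLAIN, rip=203.0.113.4, lip=192.0.2.10, TLS",
    "Oct 14 10:22:09 mail postfix/smtpd[2171]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure",
    "Oct 14 10:22:30 mail postfix/smtpd[2180]: connect from mail.example.org[192.0.2.77]",
    "Oct 14 10:23:00 mail postfix/smtpd[2171]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
]

if __name__ == "__main__":
    for ip, until in run(SAMPLE_LOG)[1]:
        print(f"ban {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

In a real deployment the ban event is where the firewall rule goes in (pf with sshguard, or iptables with fail2ban); the detection half is the same either way, and the windowing matters because a slow attacker spreading attempts over hours never trips a naive counter that is reset on each block.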

    1. Nigel Whitfield.

      Re: Fail2Ban?

      sshguard will do similar for you, and works nicely with the OpenBSD pf firewall. It's available as a package, and if you want to use it to catch SASL login attempts, there's a patch for that here

      1. Nigel Whitfield.

        Re: Fail2Ban?

        Ooops; correct link to the patch is http://www.djs.to/2013/10/1-postfix-sasl-support-for-sshguard/

Biting the hand that feeds IT © 1998–2019