back to article The last post: Building your own mail server, part 2

Last week, I explained the reasoning behind setting up your own mailserver, and the choice of software that I'll be using for it. This week, it's time to get hands on and show you how to do it. One word of advice, though: this is my configuration, and there are lots of options for tweaking, not to mention different ways to do it …

  1. alpine

    Why a PC?

    My Pi2 based server has been up and running for several months now. I first started looking at doing this because I found that, believe it or not, my large UK based domain and email provider was treating M&S order acknowledgements as spam, despite my email service being supposedly configured to accept all spam so I could sort it out on my clients.

    So I bought a Pi2, added a little inbuilt UPS module which is probably unnecessary but there to handle shut down tidily, and built an email server. The links include all the information necessary to get to a domain provider who handles non static IPs for you:

    This chap, Sam Hobbs, is not me:

    https://samhobbs.co.uk/raspberry-pi-email-server

    https://samhobbs.co.uk/2015/01/dynamic-dns-ddclient-raspberry-pi-and-ubuntu

    1. alpine

      Re: Why a PC?

      PS, the only other change I needed to make was when I discovered that my ISP provided Huawei ADSL router prohibited NAT loopback. I reverted to my trusty old Speedtouch 585 which can be configured to allow this (and discovered that this old one actually syncs a few hundred Kpbs faster than the shiny newer one).

    2. Nigel Whitfield.

      Re: Why a PC?

      Well, it doesn't have to be a PC, of course. To a degree, this is one of those sort of projects that you can do with whatever you happen to have lying around. The first time I tried out OpenBSD (a very long time ago) was when I wanted to press an old SparcStation into use, and it was about the only OS I could find that would support the hardware.

      So, if you happen to have a SparcStation sitting in your junk room, or a Raspberry Pi, or a spare old PC, as long as you can get an OS onto it, you can probably get by with that - as I said in last week's part, you don't need a huge amount of oomph to run a mail server.

      In this case, I used a x86 system because a) I had previously been using one and b) a new one (the Revo One) turned up to review at just the time I needed it, and is a nice compact bit of kit.

      There are some BSD flavours available for the Pi, so you could give it a go with that, and much of the Postfix / Dovecot instructions here will be applicable on other OS flavours too (with key differences in things like how to add packages, or start and stop services).

      The one caveat I would mention with regard to less mainstream platforms is that the less popular your platform is, the more likely that you will have to compile some parts of the system yourself, rather than simply downloading pre-compiled packages. That's not exactly a hardship, and the Ports system on BSD makes it pretty easy, but it will make things slower.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why a PC?

        Indeed, for many many years a group of us have been running a 'mail toaster' on a second hand Sun Netra AC 200, which was based on the Ultrasparc port of FreeBSD. Around the time we eventually decommissioned the machine as part of a datacentre move, it had uptime somewhere around 3 years.

    3. Anonymous Coward
      Anonymous Coward

      Re: Why a PC?

      From an hardware power perspective, a Pi is perfectly able to handle a moderate mail traffic. The drawbacks are its hardware is not really designed for 24x7 operations, and I would not store my emails on a SD card (especially a consumer grade one), since a mail server writes often - nor on an USB disk )of course, backups are a must anyway).

      Then everybody needs to select which hardware he or she can afford, understand how critical mails are, and so on.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why a PC?

        I have my mail server running on a PI 2, and it works great - but why worry about e-mails? Once you have read it, save it or bin it? The Pi is perfect for this.

        I also use prayer webmail so I can access my mail away from home. That is a brilliant bit of kit.

        http://www-uxsup.csx.cam.ac.uk/~dpc22/prayer/

        1. Nigel Whitfield.

          Re: Why a PC?

          I depends on how you view email; for me, as I mentioned in part 1, it's part of an audit trail of discussions about work and so on, so I do keep it.

          I'll take a look at Prayer (though since I use IMAP, it's easy to sync a phone to the same set of mail folders); I've played with Horde in the past, which does the job, but is a big of a big beast to install and set up

          1. Anonymous Coward
            Anonymous Coward

            Prayer

            Prayer is good because I wanted a webmail server that doesn't use javascript/php and all the other crap (all coded in C, so you need to build from source) - it is fast and in it's own right a web server. It is a bit of a fight to set it up, but once sussed, it just works perfectly (and using imap, of course).

      2. alpine

        Re: Why a PC?

        "The drawbacks are its hardware is not really designed for 24x7 operations, and I would not store my emails on a SD card (especially a consumer grade one), since a mail... "

        My emails aren't stored on the Pi2, they are removed every 15mins via my pop clients. And of course its hardware is perfectly able to handle 24x7 operation. It may have escaped your notice that many hundreds of milions of tablets, phones and SSDs exist today, all using flash.

        And of course, I am a consumer...

        1. Anonymous Coward
          Anonymous Coward

          Re: Why a PC?

          POP just means syncing properly mail across different devices is far more difficult, something that today in a multi-device world is increasingly needed. Do you access your email from a single one?

          IMAP ensures easy syncing and a central storage - making backups, especially for multiple users, far easier - while you can still access your email offline from any device (and have also a copy there, sometimes it's very useful, if something goes wrong between backups)

          Moreover, POP increases the write-delete-write cycles on the SD card, especially if the OS doesn't use the proper delete commands. Have you ever heard of the different type of flash memory (SLC, MLC, etc.), and terms like "overprovisioning"? There are reasons because an SD card can cost a few bucks compared to some SSD disks designing for write intensive operations, which can cost thousands... most phones and tablets aren't write intensive devices, on PCs, you won't run a server on a SSD not designed for the task - and when you decided to run a server, you're no longer a "consumer" - but nobody forbids you to select the configuration you like - just, be aware of the implied risks.

    4. xerophyte

      Re: Why a PC?

      I'm impressed with my new Raspberry Pie Ver. B

  2. Lee D Silver badge

    Look... I like the techy tutorial. This is the right direction. It's come up in the forums recently about doing this very thing, especially whenever a mail host forgets to renew their DNS etc.

    But.... a million HOWTO's for this are a two-second Google away, using the exact same software and configuration, and aren't split across four pages, and don't spend the first entire article telling you to install an OS and then install a package.

    It's a good article, the right direction, but I just don't feel that you have targetted the right audience here at all. Any beginner would look at those submissiond lines and go "ARGH!". Anyone who's ever done this themselves knows that line by heart. The others can follow the same HOWTOs across the net that provide the same steps.

    Postgrey is also such an obvious next step that - guess what - every HOWTO covers it as well.

    Though I welcome the article, and may be being unnecessarily harsh, what are you going to cover once you've exhausted the HOWTO that we can all find on the net, that will keep us reading?

    1. Infernoz Bronze badge
      Meh

      @Lee D

      Agreed, and I've more to add:

      * The Register: Where the F* is the print whole article button already? F* tedious trimming, joining and reformatting of several pages of content!

      * Low load servers like this should preferably be hosted in a container/jail on a shared server like a NAS, not in another pain to manage box; I've already done this with FreeNAS 9.3 and PostgreSQL 4*, with robust storage protection and web shell for free. The cost of proper mini server hardware (e.g. Asustek and HP) /with parity RAM/ is not that expensive, but it's a lot more reliable and will probably end up costing a lot less time, grief and power cost than lots of iffy micro servers.

      * A fixed IP address is not necessary if you use one of the free (to a limit) DDNS services like DtDNS, and a DDNS updater in a decent internet router or local computer.

      1. Nigel Whitfield.

        If you use Pocket, that seems to manage to collate all the content into one chunk - certainly when I save a multi-page Reg article to Pocket and then read it on my Kobo, it comes out as a single piece.

      2. Anonymous Coward
        Anonymous Coward

        Re: Infernoz

        Where did you get PostgreSQL 4 from? Hopefully that's a typo, as recent versions are 9.x. ;)

      3. Sloppy Crapmonster
        Happy

        Print button

        add print.html to the end of any story url, and there's your printable page.

  3. Anonymous Coward
    Anonymous Coward

    Good luck to "vi" something - if you're not used to it

    The biggest issue in this tutorial looks to be able to use vi - if you never learnt it.

    1. Nigel Whitfield.

      Re: Good luck to "vi" something - if you're not used to it

      If you need a quick and easy intro to vi, here's one. Though I'm sure someone will be along soon to say "if you don't even know how to use vi..."

      1. Anonymous Coward
        Anonymous Coward

        Re: Good luck to "vi" something - if you're not used to it

        Bah - I am a GNU/Linux user of over 12 years, and never bothered with Vi - just use nano (in your .bashrc file use export EDITOR="nano" export VISUAL="nano"). visudo buggers me up though when I use it once every 3 years or so :)

        Easy

        1. Nigel Whitfield.

          Re: Good luck to "vi" something - if you're not used to it

          If you want to use nano, just

          pkg_add nano

          will do the trick; likewise for other favourite editors. We got taught vi in pretty much the first week at uni. Mind you, they didn't teach us C programming in those days!

          1. Anonymous Coward
            Anonymous Coward

            Re: Good luck to "vi" something - if you're not used to it

            :~$ pkg_add nano

            bash: pkg_add: command not found

            Good one!

            1. Nigel Whitfield.

              Re: Good luck to "vi" something - if you're not used to it

              If you're not on a system with pkg_add, yes, you'll get that error.

              If, however, you're following the steps in the article, and using OpenBSD, then that's exactly the command to install nano, and you can do that right at the beginning before you need to edit any config files. Then, throughout, instead of "vi main.cf" or whatever, type "nano main.cf"

              1. Anonymous Coward
                Anonymous Coward

                Re: Good luck to "vi" something - if you're not used to it

                Yes, sorry - Wife's Birthday yesterday so bit of a hangover making sarky remarks, plus I am a Slacker anyway :)

    2. Anonymous Coward
      Anonymous Coward

      Re: Good luck to "vi" something - if you're not used to it

      Personally I know how to use vi but prefer joe.

    3. Hans 1

      Re: Good luck to "vi" something - if you're not used to it

      Totally agree, most howto's mention nano or pico, actually.

      May I add that vi is an "impressive" little piece of software once you master it. I handle 2000+ pages worth of text almost exclusively with vi, split in some 500 files. I also use a bit of sed and awk.

      Must see: classic learning curves for some common editors (jpg)

  4. Neil 44

    A really simple alternative...

    is to use Blueonyx (https://www.blueonyx.it/)...

    Based on Centos 6 (or 7 soon), it is a derivative of BlueQuartz which ran on the Cobalt Raq range of 1U servers (subsequently owned by Sun)

    Suitable for multiple virtual hosts (from its heritage in hosted solutions!)...

    Boot the CD, follow the prompts and you're done: all administration can be done via a web interface... If you want you can add a webmail client (eg Roundcube) and mail filtering (spamassassin, clamav etc). Being Centos you can install other things if you like or build them yourself but there is a "shop" if you want to buy some of the packages...

    The real bonus is that it is being actively developed, and has a very responsive support group.

    1. Anonymous Coward
      Anonymous Coward

      Re: A really simple alternative...

      Please tell me they're not associated with Hacking Team.

  5. Kevin Davidson

    Push email for mobile?

    Next week do we find out how to set up either ActiveSync or Apple Push Notification support so mobile devices (which are now the most common way to check email) don't drain battery by fruitlessly polling every few minutes? Keen to know how you can do that on OpenBSD with free software... (AFAIK you can't - Zimbra, Kerio, OpenXchange etc all have costs for ActiveSync licensing)

    1. Nigel Whitfield.

      Re: Push email for mobile?

      The plan for next week, so far, is to go through the config for spam and virus filtering (the original plan was to do it all in this part, but I felt I'd have to compress things so much it wouldn't be helpful).

      In terms of notifications, a few things come to mind off the top of my head, at least as far as Android is concerned.

      Firstly, choose your mail client. For example, MailDroid has a various options to control polling, including control over whether or not connections are maintained when you exit a mailbox, and whether or not mail should be checked when the device is asleep. For me, that's fine.

      Secondly, you can sign up with Google to send notifications over their network to Android devices via GCM. It's quite easy, having registered for that, to send messages from the command like, for instance via a PHP script or curl.

      So, in terms of getting notifications out, you could use a Procmail recipe to send a push notification for new messages.

      On the client side, I'd then knock up a very simple listener to register with GCM and display the notifications, and start the mail client if required.

      If you don't want to do any coding yourself, you could use something like PushOver.net to deliver notifications, though it's not completely free.

      1. Nigel Whitfield.

        Re: Push email for mobile?

        A quick read around suggests that z-push may be worth a look at too; it can use Maildir as a backend, and as far as I can see the notifications are done via long polling. z-push.org - but not played with it myself, as I'm happy with Maildroid.

      2. AndrueC Silver badge
        Thumb Up

        Re: Push email for mobile?

        The plan for next week, so far, is to go through the config for spam and virus filtering (the original plan was to do it all in this part, but I felt I'd have to compress things so much it wouldn't be helpful).

        It'd be nice if you could stick in a bit about DEA. That's what I've been using for many years now with great success. I have my mail server set up with a wildcard redirect that sends matching addressees to my actual mailbox. That way I can hand out individual emails to new contacts with zero configuration.

        Most random spam fails at the first hurdle because it doesn't match the wildcard template. If I do get spam I can see what address was used and immediately block just that address. It means I don't need to run any kind of spam filtering software.

    2. Dan 55 Silver badge

      Re: Push email for mobile?

      Doesn't Dovecot support IMAP IDLE? Couple that with K9/MailDroid and that's your push solution.

      1. Nigel Whitfield.

        Re: Push email for mobile?

        Dovecot does, but certainly some older versions of iOS didn't support it in the mail client. I don't know what the current version is like, as my only iDevice is on iOS 7. Or possibly 6.

        1. Dan 55 Silver badge

          Re: Push email for mobile?

          As Apple are still against IMAP IDLE for religious reasons, even in iOS 9, you'd need to use an ActiveSync push for iDevices.

  6. JeffyPoooh
    Pint

    Google's Gmail spam filtering...

    I understand that one reason that they're so good at spam filtering is that they, of course, examine the *contents* of billions of emails.

    It'd be difficult to replicate that level of near-perfection (YMMV) spam filtering without being as all-seeing, intrusive, and snooping as Gmail.

    1. choleric

      Re: Google's Gmail spam filtering...

      I don't know. I was a huge fan of their spam filtering for a long time, but in recent years not so much. I get better results with spamassassin and postfix than I do with Gmail. But maybe I just get weird email.

  7. cdd-aix

    Funny, OpenBSD provides a greylister, spamd. However, the article does not mention it.

    Spamd can tar pit hosts on the blacklist. Blacklisted hosts are sent to a separate dummy SMTP server that responds slowly and discards everything.

    http://www.openbsd.org/spamd/ has details.

    Thank you for including configuring submission protocol.

    You neglected the "Why"

    Many ISPs block outbound SMTP, but permit outbound submission protocol.

    May I suggest a followup article.

    Mail senders that do not play nice with greylisting.

    There is a well loved advertising company that retries sends from EVERY host in their netblock.

    There are several parcel carriers that attempt delivery only once.

    1. Nigel Whitfield.

      Well, there are a few other tools I didn't mention - and as I've said before, this isn't the definitive solution, because there's no such thing. It does, however, work for me with these tools. Though it doesn't do the tarpitting, Postfix's postscreen can effectively do the same job too. I'm actually experimenting with that at the moment, using it to drop connections based on RBLs before passing them on to the PostGray and then amavisd; there are an awful lot of ways to skin this particular cat.

      With regard to the companies that don't play nicely with greylisting, the Postgrey package installs a list of the major offenders, who are automatically whitelisted, and you can of course tweak that yourself.

  8. Anonymous Coward
    Anonymous Coward

    Personally I use dovecot + postfix + mysql on debian, works quite nice though I'm a bit concerned about the number of probes I get from various universities and internet security testing establiments, though once identified I block with iptables. Looking forward to the spam and virus filtering article as it's not something I've needed or set up but would like to.

  9. ckm5

    Used to run my own mail server 6 or 7 years ago, but stopped

    At one point, it was getting 15k scans/hr from cracking scripts. Dealing with mail bombs, spam false positives, zero-day hacks etc. was making it a job to maintain.

    IMHO, running your own mail server (and believing you are safer that way) is asking for headaches. There are so many more threats these days that it takes a team of people working 24/7 to keep highly vulnerable systems (like mail servers) safe. Never mind the spam and all the other things you should be doing on what is a production server (backups, system upgrades, etc).

    Yes, you can probably run a mail server on your own, but other than a few select people who's day job involves doing this sort of thing at an industrial level, you are probably just going to create yet another easy to crack/abuse endpoint on the interwebs....

    All my email is now hosted using Google Apps for Domains - I control the domain, Google deals with all the BS. Yes, they are scanning every inbound email, but they are also one of the only companies in the world to have successfully fended off nation-state sponsored hacking. Sure, they are close to TLAs, but to think that any one individual can realistically fend off a determined TLA focused on them is naive - at that point you are probably best off avoiding anything connected....

    1. Anonymous Coward
      Anonymous Coward

      Re: Used to run my own mail server 6 or 7 years ago, but stopped

      That's just what Google wants you to think, so it can access of all your data and use them whatever it likes... and keeping it and others away is one of the main aims of these articles.

      Sure, running your own server requires some time, it's not a "fire-and-forget" solution (although many tasks can be automated) - but unless your domain is hillaryclinton.gov, there a good chance attacks are never sophisticated one, no one wastes a zero day (or other sophisticated resources) to attack a server with little or no interest for him. And if he's interested, he will have good chances to break into your Google account - they have been broken and will be broken, don't worry.

      Sure, spammer and the like may be interested in some server easy to exploit, but today botnets are far more useful than open relays because far more difficult to block. And there's little chances as well being DoSed unless you make someone angry. Most attacks are automatic ones looking for known vulnerabilities in little maintained servers, or badly configured ones.

      But serious bugs in the mail software itself - which is pretty stable today - there's less risks than, say, HTTP and web applications, which may have a fairly larger number of potentially exploitable bugs due to their more complex nature. Running a web mail software atop the mail server opens IMHO more issues than running the mail server alone.

      1. Nigel Whitfield.

        Re: Used to run my own mail server 6 or 7 years ago, but stopped

        I agree;on the whole, I don't find that there's a huge number of attempts to do anything other than send mail through a mail server, and robust filtering can manage that pretty well.

        While a system with a handy web-based config server is appealing, especially to the novice, the web server itself means there are more things open to attack. By starting with OpenBSD and adding only the things we want, there's far less of a surface for people to attack.

        I don't believe I"ve ever seen a DoS against the mail server, and it's quite easy to limit concurrent connections if you do need to. The good thing about mail, of course, is that a properly configured sender will retry anyway.

        Certainly, compared to the hammering you'll see the moment you have something listening on port 5060 (SIP) accessible from the internet, a mail system suffers very little. In theory, my phones are set up so people can call using my main email address via SIP. In practise, it lasted a couple of hours before I had to give that idea up an allow calls only via my SIP trunk provider

        1. ckm5

          Re: Used to run my own mail server 6 or 7 years ago, but stopped

          One of the most common attacks I saw the last time I hosted a mail server (and this was years ago) were a huge amount of brute force attacks on IMAP ports. So much so that they were effectively a DoS. And mitigation was not easy as IPs were all over the map. And some of the mitigation I had in place gave me grief when I was in Mexico & was locked out because of an unusual source address....

          Also, the amount of inbound spam was an issue, it was somewhere around 30x legitimate mail volumes. Granted, I've had the same email for ~20 years, so that doesn't help.

          All-in-all a headache I'd rather not deal with. Sure, I'd have some illusion of privacy & security, but since I view email as the equivalent of sending a postcard, I'm really not sure what the ROI is....

          1. Vic

            Re: Used to run my own mail server 6 or 7 years ago, but stopped

            One of the most common attacks I saw the last time I hosted a mail server (and this was years ago) were a huge amount of brute force attacks on IMAP ports. So much so that they were effectively a DoS.

            dovecot can rate-limit login attempts, and iptables can rate-limit SYN connections. Between the two tools, you can make this a minor annoyance. fail2ban can take care of anything that doesn't get stopped by those, if that's your thing.

            Also, the amount of inbound spam was an issue, it was somewhere around 30x legitimate mail volumes

            That's a low level of spam compared to what most of us see. Again, you defeat spam by using tools, not the sweat of your brow.

            Vic.

            1. Nigel Whitfield.

              Re: Used to run my own mail server 6 or 7 years ago, but stopped

              There are also plenty of config options in Postfix to control how the smtp daemon will behave. For example, maximum simultaneous connections per client, maximum connection rate per client, and also options to slow down the smtp chat (effectively tarpitting) based on the number of errors.

              Some options in the config can be set to be 'stress dependent' too, so you set a limit to the number of SMTP processes you want to run (eg 50) and if that's reached, then the stress config is used.

        2. Vic

          Re: Used to run my own mail server 6 or 7 years ago, but stopped

          By starting with OpenBSD and adding only the things we want, there's far less of a surface for people to attack.

          You've made this claim several times - I believe it is a fallacy.

          The attack surface is minimised by minimising the installation; the choice of OS is almost completely irrelevant,

          Vic.

      2. ckm5

        Re: Used to run my own mail server 6 or 7 years ago, but stopped

        I am much more confident in Google's ability to repel attacks than I am in either my own or pretty much anyone commenting on this thread. It's not an opinion, it's been proven out time & time again, from Chinese dissidents to the CEO of CloudFlare or even Lavamail.

        As far as Google accessing all my (or your) data - they are already doing so. Pretty much every ad served in every website is driven by Google's backends. Even using ad blockers doesn't really stop tracking unless you are blocking them at the firewall (even then, it's still YOUR firewall...) or you never use a web browser. You may be under the illusion that by using all these blockers you are anonymous, but that's just not the case (c.f. browser fingerprinting).

        Besides, as a paying customer of Google's services, I have also explicitly given them permissions to access my data - I'm perfectly OK with that.

        As far as attacks, have you never seen automated scans? Because I see thousands of them every day just on my home connection. Zero-day attacks are NOT about specific targeting, they are about automated attacks where the vulnerability is unknown. As soon as you setup a server on the interwebs, is is vulnerable, it will be scanned within the first 5-10 minutes and this will only increase from then on.

        Finally, it's not just bugs in the 'mail software' (which is a pretty broad term for some spectacularly crappy software....), but the entire stack, from the hardware all the way to crypto libs. And given that a lot of comments describe webmail setups, it also includes all the HTTP/application vulnerabilities (and probably database ones as well).

        The overall point I am trying to make is that, as someone who is hosting anything on the internet, you only have to make a mistake once to have a compromise - automated scans & exploits makes the odds far, far better for the attacker than for you. Personally, it's not really something I want to clean up (BTDT, it was unpleasant).

        But, hey, it's your risk, not mine - given the amount of downvotes on my original post, there are clearly a lot of people willing to take that risk.... Good luck to them.

        1. Vic

          Re: Used to run my own mail server 6 or 7 years ago, but stopped

          I am much more confident in Google's ability to repel attacks than I am in either my own or pretty much anyone commenting on this thread.

          You confidence is misplaced.

          The most likely form of attack from a security agency will be by some sort of legal disclosure notice. If Google gets one of those, you'll never know. If TPTB want to look into my mail - they'll need to send *me* the notice.

          As far as attacks, have you never seen automated scans?

          Yes, of course. And they get nowhere because they are rate-limited. Any scanner persistent enough to annoy me with the crap left in my logs gets firewalled to boot - and I DROP, rather than REJECT, further slowing down the attacker.

          Besides, as a paying customer of Google's services, I have also explicitly given them permissions to access my data - I'm perfectly OK with that.

          Good for you. I'm not.

          The overall point I am trying to make is that, as someone who is hosting anything on the internet, you only have to make a mistake once to have a compromise - automated scans & exploits makes the odds far, far better for the attacker than for you.

          No, you're incorrect. It's quite easy to set up a mail server, and the tools to probe it for poor configuration are easily obtained. As long as the admin checks his config before claiming it to be "finished", there's no real risk. That might be quite a significant proviso on some situations...

          Vic.

    2. Vic

      Re: Used to run my own mail server 6 or 7 years ago, but stopped

      At one point, it was getting 15k scans/hr from cracking scripts

      That's trivially defeated by using rate-limiting. You can do this directly on the MTA[1], or you can do it with iptables. The former gives you more visibility, the latter uses less CPU load. I use a combination of both...

      There are so many more threats these days that it takes a team of people working 24/7 to keep highly vulnerable systems (like mail servers) safe

      Those of us who are doing this would say you're wrong...

      you are probably just going to create yet another easy to crack/abuse endpoint on the interwebs....

      There are a number of tools you really should use to check that your server is properly configured. It's really not that difficult to nail down properly...

      Vic.

      [1] sendmail does this - I assume the others do as well, but I haven't checked.

    3. AndrueC Silver badge
      Happy

      Re: Used to run my own mail server 6 or 7 years ago, but stopped

      IMHO, running your own mail server (and believing you are safer that way) is asking for headaches. There are so many more threats these days that it takes a team of people working 24/7 to keep highly vulnerable systems (like mail servers) safe.

      I sort of agree...and sort of don't :)

      I agree because it seems like you will get attacked. My own little private mail server is under continuous low-grade attack. Random spam, probes on SMTP and POP3 ports. Occasional probes on the web interface.

      I disagree because my server just shrugs it all off. The only time I had a problem was when I changed the rejection logic to quietly accept random spam. It didn't bother the email server but did chew through 90GB of my 100GB monthly allowance in two weeks. So now I reject everything at RCPT and that's that. My server is VPOP3 running on Windows 7 on a FitPC2.

  10. Daniel von Asmuth

    Why Postfix?

    BSD and Linux may be similar, but there are significant differences between Postfix and Sendmail configuration.

  11. Kevin McMurtrie Silver badge
    Pint

    The path off MacOS

    I have an original "Mac Mini Server" running MacOS 10.6. I know that an Apple upgrade will destroy every single configuration it has so the logical choice is a new Linux box. This nice set of instructions will probably shave a few hours off setup when that happens.

  12. Anonymous Coward
    Anonymous Coward

    Those wishing to learn VI…

    A useful tutorial comes with the vim package, vimtutor. This is how I learned, when I stuffed SuSE Linux onto a 386 with a 120MB HDD and found I didn't have room for emacs¹.

    vim was all I had, so I was forced to confront it instead of running away. I've been a vim user ever since. I'm a bit rusty with OpenBSD, but pkg_add vim will probably do the trick.

    ¹: Yes, I know, Eight Megs And Constantly Swapping!

    1. Vic

      Re: Those wishing to learn VI…

      vim was all I had, so I was forced to confront it instead of running away

      That's why I learnt it as well. I'm glad I did.

      The Single Unix Specifcation requires vi - so prestty much any *nix box you will come across will have vi installed on it. The same cannot be said for other editors.

      vim in particular is very extensible; you can do quite a lot without leaving your editing session. In my last job, I was running PyFlakes from within vim, with colour highlighting to show any problems. I was showing off :-)

      Vic.

      1. Jay 2

        Re: Those wishing to learn VI…

        Yep. It was drummed into me a l-o-n-g time ago that the only editor you can rely on being available in a UNIX distro (as it was back then) is vi.

        Things may have moved on quite a bit since then regarding UNIX/Linux, but vi, or more likely vim nowadays, continues. Like a post apocalyptic cockroach.

      2. AndrueC Silver badge
        Thumb Up

        Re: Those wishing to learn VI…

        The Single Unix Specifcation requires vi - so prestty much any *nix box you will come across will have vi installed on it.

        Yup. You can also control it purely using standard keys. Back in the day when cursor or function key support on a terminal was not something you could rely on that could be a godsend. On really dumb terminals you can even drop back to ex which is not that hard to use if you know vi.

  13. Alex Brett

    Smarthost likely required

    A lot of large ISPs block any inbound mail from subnets that are believed to be 'end user' IP addresses and thus not expected to be delivering mail - see https://www.spamhaus.org/pbl/ for an example - as such if you do host a mailserver yourself you would be well advised to use e.g. your ISPs mail server (if it will accept mail for non hosted domains) as a smarthost for outbound mail otherwise you'll find quite a few destinations rejecting it.

    Also re: dynamic IPs - there is a big risk in using a DDNS service that if your connection goes down, you won't update the DDNS name until it comes back, at which point you might find people delivering mail to someone entirely different who happens to have got your old IP - while in most cases that person won't be running a mailserver, if they are then they can either steal your mail, or if they reject it as an invalid recipient the other end will bounce it back to the sender, which I suspect is not what you want...

    1. Nigel Whitfield.

      Re: Smarthost likely required

      The Postfix docs cover quite a bit about these issues. Setting up a host for outbound relaying of all mail is simple:

      relayhost = [mail.isp.com]:587

      would send via port 587 on your ISP, for example. It's also quite easy (described in full here) to use SASL on that connection.

      You can, if you want to get really fancy, have different outbound hosts for different email, and differed SASL credentials for each person too.

    2. SImon Hobson Bronze badge

      Re: Smarthost likely required

      Personally I explicitly do not use my ISPs mailers (inbound or outbound) as that removes a bit reason for running my own mail servers - visibility.

      By delivering directly, I can see if a message has been delivered - if it isn't then I get notified. I can grep the logs and keep the lines showing a message was handed off to the recipients MX - which as far as I'm concerned (and probably for legal purposes) means it's been delivered. If the recipient MX has accepted it but doesn't deliver it, then that's "not my problem" - they should run a mail system that isn't fundamentally broken.

      I'm waiting to see if Nigel makes this classic mistake in the next installment.

      Basically, I take the attitude that having delivery notification is like sending snail mail by recorded delivery. I can't prove the message made it to anyone's desk, but in either case it reached their designated office address. I have had a few instances where I've been able to point out "I send you a message and it was accepted by your MX at ${timestamp}, see this excerpt from my mail server logs" - and that's put the other side on the defensive as it's now down to them to prove otherwise (hard to do when, by definition, they run a broken setup)..

      I'm on a fixed IP, and I don't find the "IP in the wrong neighbourhood" to be very significant - in fact I can't remember a single example in the last few years where it has been. YMMV, and of course the "quality" or otherwise of your IP neighbourhood will be a factor. The biggest problem by far has been AOL who have always been a law unto themselves and have always been a complete and utter PITA. But I did find they have a page on their site where you can tell them effectively "yes I'm on a residential ISP, but I'm on a fixed IP and I run my own mail server" - once I found that, the problem went away.

      As to spam, well I get a bit, but it just "isn't a problem" - it's little enough that I don't care. Greylisting is by far the biggest spam killer - along with a few Postfix protocol enforcements.

      1. Nigel Whitfield.

        Re: Smarthost likely required

        I'd certainly always recommend delivering to the right place, rather than via a smarthost, and that's what the setup in the articles will do, and why I kept the smarthost tips for the comments.

        Clearly, from the comments this week and last, a lot of people are concerned about whether or not they're able to do this on their home connection, and it's worth providing some options - and tips about when they may turn out not to be so helpful.

        But, yes, ideally, I'd recommend that you get yourself a fixed IP from a provider that will also let you set up rDNS for it

  14. Anonymous Coward
    Anonymous Coward

    smtputf8_enable is true, but EAI support is not compiled in

    As a nice weekend project I wanted to try, but get this msg. when installing postfix:

    postfix: warning: smtputf8_enable is true, but EAI support is not compiled in

    I have tried both i386 and amd64 versions of OpenBSD running in KVM under Debian Jessie amd64

    # pkg_add postfix

    quirks-2.54 signed on 2015-03-09T11:04:08Z

    Ambiguous: choose package for postfix

    a 0: <None>

    1: postfix-2.11.4

    2: postfix-2.11.4-ldap

    3: postfix-2.11.4-mysql

    4: postfix-2.11.4-pgsql

    5: postfix-2.11.4-sasl2

    6: postfix-2.11.4-sasl2-ldap

    7: postfix-2.11.4-sasl2-mysql

    8: postfix-2.11.4-sasl2-pgsql

    9: postfix-3.1.20150201

    10: postfix-3.1.20150201-ldap

    11: postfix-3.1.20150201-mysql

    12: postfix-3.1.20150201-pgsql

    13: postfix-3.1.20150201-sasl2

    14: postfix-3.1.20150201-sasl2-ldap

    15: postfix-3.1.20150201-sasl2-mysql

    16: postfix-3.1.20150201-sasl2-pgsql

    Your choice: 11

    postfix: warning: smtputf8_enable is true, but EAI support is not compiled in

    +---------------

    | The existing configuration files in /etc/postfix have been preserved.

    | You may want to compare them to the current sample files,

    | /usr/local/share/examples/postfix, and update your configuration as needed.

    +---------------

    postfix: warning: smtputf8_enable is true, but EAI support is not compiled in

    postfix: warning: smtputf8_enable is true, but EAI support is not compiled in

    postsuper: warning: smtputf8_enable is true, but EAI support is not compiled in

    partial-postfix-3.1.20150201->postfix-3.1.20150201: ok

    The following new rcscripts were installed: /etc/rc.d/postfix

    See rcctl(8) for details.

    1. Nigel Whitfield.

      Re: smtputf8_enable is true, but EAI support is not compiled in

      Don't panic - it's only a warning and you can just add

      smtputf8_enable = no

      to the config file to avoid it, which won't cause any problems unless you want to use extended characters in domain and user names

  15. ingie

    backward compatibility...

    "The final option there deals with the quirks of some clients, such as Outlook Express 4."

    ... there's backward compatibility, and there's backward compatibility.

  16. OmgTheyLetMePostInTheUK

    Does Hillary Clinton know about this article?

    Has anyone informed Hillary Clinton about this article?

    1. Herby

      Re: Does Hillary Clinton know about this article?

      If so, they should mention how to do off site backups.

  17. my farts clear the room
    Happy

    Horde supports Activesync ....

    But I don't know how straight forward that would be to bolt onto a PI running OpenBSD :-)

  18. RPG

    My mail server

    I have been running my mail server for years using the ClearOS version of linux, it has worked very well with ClearOS security managing all the nasties coming in from the net. I get very little spam.

    One observation though, I ran without a fixed IP address for years using dynamic DNS. It worked well except for one exception. The exception was occasionally email sent from my domain would bounce because some virus checkers check the IP and if it thinks it isn't a fixed IP address The email will be rejected. This was particularly annoying for me as my accountant was one of those affected.

  19. JamieL

    And take control of your folders

    ...and if you're into storing mail in folders, set up with IMAP and install POPfile the mail sorting utility. I've had it running for literally years and it sorts all my incoming mail into over 20 folders so I can see at a glance what needs my attention and what can be left until later. One of the best "install and forget" utilities that just gets on with it, learning as it goes.

  20. TheKeffster

    Problem with running your own mail server now is the big 3 do not trust your email by default

    Try setting your mail server up on a dedicated server using a functional IP address (I.E. not one that is sat in the "Residential use" only blacklists belonging to Spamhaus).

    Set up your mail server, insuring your DKIM and SPF records are correctly set up and your using properly signed certificates for TLS and try sending an innocent text based email to Yahoo, Gmail or Outlook/Hotmail. It's an absolute guarantee that if they have never seen mail coming from that address before, your email will go straight to the junk folder and will continue to do so for a very long time until they decide (At their own schedule) you are playing nice.

    Trying to solve this problem is an absolute nightmare for a lot of people.

    1. Nigel Whitfield.

      Re: Problem with running your own mail server now is the big 3 do not trust your email by default

      I have to say that that's not my experience; I have SPF, but not DKIM, and other than the very occasional wobbly with Hotmail (which has a habit of vanishing mail into black holes, though I suspect more to do with user prefs than anything else), I don't have any problems.

      I have a server set up in a dedicated hosting centre as well, as we send out newsletters to around 1500 people a week, and again largely no problems, nor indeed with the various welcome messages when people sign up to that site.

      If what you're suggesting is true, how would anyone ever be able to launch a new service that requires verification of users' email addresses?

      1. TheKeffster

        Re: Problem with running your own mail server now is the big 3 do not trust your email by default

        > I have a server set up in a dedicated hosting centre as well, as we send

        > out newsletters to around 1500 people a week, and again largely no problems,

        > nor indeed with the various welcome messages when people sign up to that site.

        It's quite likely the address space or IP address you use is set as trusted. You can very roughly check how reliable the big guys trust your mail server by using SenderBase at http://www.senderbase.org/ as a good (But not definitive) guide.

        > If what you're suggesting is true, how would anyone ever be

        > able to launch a new service that requires verification of users'

        > email addresses?

        Or for that matter, any plain mail server? Simple answer is you can't, at least not with the emails shooting straight into the spam folder by default. It really is a bad problem. And for some bizarre reason, using certain mail server software exacerbates the problem for no good reason. For example if Outlook/Hotmail sees email from an IP address they haven't sent mail from before and sent through the Zimbra Groupware server, it won't even make it into the spam folder!!

  21. JaitcH
    Happy

    One needed feature - the ability to read incoming e-mails as text only

    Banks take all incoming e-mails, strip out everything and simply present the bare-bones message. This renders scripts neutered.

  22. Bob H

    I would suggest that PostfixAdmin is well worth a look as well, when I bothered to run my own mail host with multiple domains and users it was invaluable. Especially useful because I could give my brother access to manage certain domains.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like