So I’ve been running self-hosted email using Mailu for a couple of months (after migrating out of Google Workspace). Today it turned that although my server seems to be capable of sending and receiving emails, it also seems to be used by spammers. I’ve stumbled upon this accidentally by looking through logs. This seems to have been going on for all this time (first “unknown” access happened just a couple of hours after I’ve set everything up).

While browsing the logs there were just so many crazy things happening - the incoming connections were coming through some kind of proxy built-in to Mailu, so I couldn’t even figure out what was their source IP. I have no idea why they could send emails without authorization - the server was not a relay. Every spammy email also got maximum spam score - which is great - but not very useful since SMTP agent ignored it and proceeded to send it out. Debugging was difficult because every service was running in a different container and they were all hooked up in a way that involved (in addition to the already mentioned proxy) bridges, virtual ethernet interfaces and a jungle of iptables-based NAT that was actually nft under the hood. Nothing in this architecture was actually documented anywhere, no network diagrams or anything - everything has to be inferred from netfilter rulesets. For some reason “docker compose” left some configuration mess during the “down” step and I couldn’t “docker compose up” afterwards. This means that every change in configuration required a full OS reboot to be applied. Finally, the server kept retrying to send the spammy emails for hours so even after (hypothetically) fixing all the configuration issues, it would still be impossible to tell whether they really were fixed because the spammy emails that were submitted before the fix already got into the retry loop.

I have worked on obfuscation technologies and I’m honestly impressed by the state of email servers. I have temporarily moved back to Google Workspace but I’m still on the lookout for alternatives.

Do you know of any email server that could be described as simple? Ideally a single binary with sane defaults, similarly to what dnsmasq is for DNS+DHCP?

    • Shdwdrgn@mander.xyz
      link
      fedilink
      English
      arrow-up
      15
      arrow-down
      1
      ·
      1 year ago

      I agree that a static IP address is an absolute requirement for a mail server to send messages these days. You also need a host of checks in place like SPF, DKIM, and DMARC, along with a strong set of blocklists and spam filters. My own setup includes dual ISP connections from two different providers, and even with all that in place, Microsoft has always been a thorn. They will block me for no apparent reason, their own tools don’t even show any detected spam activity, and sometimes they don’t even block the same IP address (or provider) that my emails were sent from. Every other spam service on the planet behaves in a rational way, but of course Microsoft has made a point of locking in so many businesses to their own spam-ridden service that you simply can’t run a mail server any more without being able to talk to them.

      Overall, yeah it can be a pain to run your own mail server. I can’t imagine trying to use a pre-built mail server and expect it to run, there’s so much that you have to configure to each specific setup. It’s not like a web server where you load up a docker container and it just works.

      • witten@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        I’ve had similar experiences trying to send mail to Microsoft-hosted email addresses. My current “solution” is to send all outgoing mail directly from my VPS-hosted Mailu server… EXCEPT for Microsoft-destined mail. For those messages, they get transparently relayed from Postfix to a third-party email sending service that Microsoft apparently trusts.

        The upshot is I can still use my own Postfix daemon for all mail sent to sane (non-Microsoft) providers.

        • Chobbes@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          I’ve never heard of anybody relaying just the Microsoft e-mails, but that’s a really funny spiteful solution.

          Lately I’ve been able to send to outlook just fine (maybe it’s just dumb luck, who knows). I think I had troubles initially because they’re really picky about rDNS matching the MX exactly. I also signed up for SNDS just in case, but I don’t know if they factor that in…

          • witten@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Ooh, lucky you! Maybe it was both the rDNS and the SNDS. Part of the problem IMO is it’s such a black box…

            • Chobbes@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              Definitely. It’d be nice if there was more reporting when a provider drops your messages.

          • Neo@lemmy.hacktheplanet.be
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            In my experience (self hosting mail since 2005) signing up for SNDS does factor in. Although last time I had trouble with delivery to MS, my hosting provider Linode’s support also helped out by contacting MS back channels on my behalf. The biggest problem I (rarely) have is when whole IP blocks end up on a ban list that MS seems to really trust. That said, fuck it, I will keep fighting the fight and self host my mail like a stubborn old git :p

            • Chobbes@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              Hell yeah :). I’ve heard people have had problems with Linode’s IP blocks with MS… I’m glad to hear that Linode was actually able to help you resolve the problem. The biggest problem seems to be that you just might not realize if your e-mails are being dropped. Not sure if MS will notify you via DMARC if your IP block has been blacklisted, from the sounds of things they probably don’t and just silently drop things, so I guess you have to monitor the blacklists yourself?

  • slander@lemm.ee
    link
    fedilink
    English
    arrow-up
    19
    ·
    1 year ago

    unless you realllllly enjoy self hosting your email, IMO it’s just not worth it anymore with the state of things. I use Fastmail and could not be happier.

  • Cosmo@lemmy.world
    link
    fedilink
    English
    arrow-up
    15
    ·
    1 year ago

    I use fastmail, and I enjoy it a lot. Their masked email is very nice as well, and integrates with bitwarden. So quite convenient to use my personal domain for stuff where my identity matters, and use masked @fastmail addresses for more disposable stuff.

    The only thing that ticks me a tiny bit is that their mobile app doesn’t have offline mode; but you can use imap client or w/e, so it’s not too much of an issue.

    Also hear good things about protonmail; I would consider it if I didn’t already use/trust fastmail.

    • fraydabson@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      Another vote for Fastmail. In my recent effort to degoogle I switched to Fastmail and I love it.

    • BitSound@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      For mobile with fastmail, I use fairemail. Works great with it, and provides a nice merged view with my non-fastmail work emails.

  • originalucifer@moist.catsweat.com
    link
    fedilink
    arrow-up
    13
    arrow-down
    2
    ·
    1 year ago

    im an old school email admin. i gave up on my personal exchange box for protonmail years ago… multiple domains, lots of dns nonsense on my part. zero problems.

    i highly recommend them.

    • RegalPotoo@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I’d be super cautious about relying on any company that even offers a “lifetime” plan.

      Offers like that are tools to raise cash - take money now for a service that you will provide people in the future. They tend to get used in one of two situations:

      • We need to raise money for investment in upgrades, so take the equivalent of ~2-3 years subscription from people up front, and count on the investment bringing in enough new customers paying regular rates that you can cover the cost of having the lifetime customers out of revenue
      • We need cash now or we aren’t going to be able to pay salaries, and it won’t matter that we’ve screwed our customers if we are bankrupt

      Even in the best case, it’d be much simpler to raise cash through usual investment mechanisms, so you do have to wonder how viable their business strategy is if they can’t get money that way

    • chrizl@feddit.ch
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Do you maybe have a link for the lifetime plan? Because I cant find it.

  • aard@kyu.de
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 year ago

    Nowadays I’d recommend a simple postfix + dovecot setup. If you care about a web-UI and possibly some groupware functions put SOGo on top.

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    edit-2
    7 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    DNS Domain Name Service/System
    Git Popular version control system, primarily for code
    IMAP Internet Message Access Protocol for email
    IP Internet Protocol
    SMTP Simple Mail Transfer Protocol
    SSL Secure Sockets Layer, for transparent encryption
    TLS Transport Layer Security, supersedes SSL
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)

    8 acronyms in this thread; the most compressed thread commented on today has 3 acronyms.

    [Thread #169 for this sub, first seen 27th Sep 2023, 14:35] [FAQ] [Full list] [Contact] [Source code]

    • lemmyvore@feddit.nl
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      Great configuration, very flexible and fill of features. They make it easy to get all the DNS records you need to add to your domains and they have a diagnostic tool that checks that everything is set correctly. They even include wildcard aliases (which I’m not sure if it’s mentioned in their public pages).

      Should also note that they don’t limit accounts, domains, aliases or any features, just overall mails and storage space. The only additional limitation on the lite account is inability to set account quotas.

    • Oliver Lowe@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      This was the provider I went with after self-hosting my mail for 7+ years on an OpenBSD VPS. I feel like Migadu is an honest and good-value service.

  • eros@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    I found myself in a similar situation last year. MXRoute’s lifetime plan works well for those domains that just need basic email and not a lot of storage.

  • pqdinfo@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    I use Zimbra with an external email gateway that only accepts authenticated email. Zimbra is pretty heavy (it’s intended to be a Microsoft Exchange replacement) but it at least has a huge amount of protection built-in to deal with spam and comes configured out of the box to not relay (well, outside of you setting up aliases and lists.)

    That said, it’s not hard to find “incoming email only” configurations that deliver to local mailboxes only, for most email servers. The thing to avoid is having a single server configuration that tries to do both - accepting external email and sending locally originated email out. The configurations do exist to do that, but they’re confusing and tricky.

    External email gateways… that bit is hard. I use a mail server I set up myself on a VPS. It does not listen on incoming port 25. It requires credentials. I did this largely because I was trying to send email out via Xfinity’s customer email relay, but the latter kept upping the authentication requirements until one day Zimbra just couldn’t be configured to use it any more. And each time they changed something, I wouldn’t find out until I noticed people had clearly not received the emails I’ve sent out.

    VPSes are problematic as some IPs are blocked due to spam. There’s not much you can do about it if you’re stuck with a bad IP, so if you can find a way to send outgoing email via your ISP’s outgoing email server, do that. For Postfix, you can send out authenticated email using something like: in main.cf:

    relayhost = [smtp.office365.com]:587
    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options = noanonymous
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_use_tls = yes
    

    and in /etc/postfix/sasl_passwd:

    [smtp.office365.com]:587 [email protected]:hunter2
    

    So in summary:

    • Consider an email-in-a-box solution like Zimbra, I understand the wish to go for something light but it might make sense if your aim is just to control your own email
    • Regardless of whether you do or not, use separate servers for incoming/outgoing email.
    • For incoming email, lock it down to accept local email down if you’re manually doing this rather than using an email-in-a-box solution like Zimbra.
    • For outgoing email, use authentication and avoid it listening on port 25. Consider either directly using your ISPs, or if that’s not practical, configuring your outgoing email server to relay in turn to your ISP (see above for how to do this.)

    Good luck.