I know Tom and others urge strongly against running your own mail server (say mailcow etc.), but what are the main concerns besides the amount of spam mail that needs to be blocked?
And what are some tips and possibly tricks to do it anyway?
It brings some advantages… Been trying for a while now to get SMTP relaying to work for self-hosted Bitwarden to not much avail with services like Sendinblue, Elastic Email… so yeh…
Anyone using the Proxmox Mail Gateway in combination by any chance?
I’d appreciate some extra pointers regarding protection besides keeping pfSense as closed off as possible.
To me, there are a multitude of concerns. It’s just not a good idea anymore. Connecting Bitwarden to services like Sendinblue etc. shouldn’t be a problem.
Concerns I would see:
- Your domain reputation is at risk, if someone ever manages to relay spam through your mailserver
- You increase your own attack surface (SMTP relays are prime targets)
- Email has become complex. Topics such as DKIM, SPF, DMARC, mTLS etc. all need to be taken care of, and you need a solid understanding to be able to do so (do something wrong = bad for your domain reputation)
- Potential legal issues if something happens
It’s just not worth the trouble anymore. Email providers that have specialized in mass-sending of transactional emails are very cheap, work reliably, and save you the time to focus on more important things.
Just my 2 cents.
A lot of the trouble people have signing up for my forums is because they can’t get their personally run email servers off of the spam list, due to not having email properly set up (DKIM / SPF / DMARC) or because they are trying to run their home server on the IP blocks offered by their ISP, which are pretty much all blocked by the spam lists with no way off. I used to be a mail server admin for myself and several businesses from 1997 until I surrendered to the big companies.
It’s fun learning, but before spinning up a server, check the IP to see if it’s on the ban list here: Email Blacklist Check - IP Blacklist Check - See if your server is blacklisted
Thanks Tom, yeh I heard you talk about that on one of your podcasts, videos… Very valid issue there.
I’ve played around with mailcow in the past week but wanted a fresh look at things to look out for hence the questions.
I had already checked my public IP and I did ask my ISP (which I have a static IP from) to set the reverse DNS record and they did… It’s not blacklisted.
Thanks, yeah… good points as well… If I get it up and running well I might just use it for internal use only for the time being…
Mail servers are hard work nowadays; you will need to monitor them constantly since they tend to be under constant attack. Not only are they complex, as already mentioned, you will also need to have an above-average knowledge of security.
If you just need it for receiving notifications from your own selfhosted services, you don’t have to care about blacklists and all the other concerns mentioned in the previous posts.
If you want to use the server also for regular email communication and / or for sending notifications to third parties, you don’t want to run it behind your pfSense on a regular internet connection, unless you have a static IP in a non-residential IP block. Otherwise I would recommend using a VPS with a clean IP address. And yes, then of course you have to do all the necessary shenanigans in order for everything to work reliably. But this is absolutely doable. I have been running a Mail-in-a-Box instance for years and I’m now running a Mailcow instance and never had any major issues. Even at Gmail my emails are delivered to the recipients’ inboxes.
Yeh, I’ve got mailcow set up now with a static public IP and reverse DNS from my provider… I like managing it. Hey, that is what homelabbing is all about. The worst that can happen is manageable as well… Worst thing is I abandon the server, have my reverse DNS deleted and get another static IP…
Mail server success is 90% building good IP reputation and 10% technical stuff related to the mail server itself.
I’ve set up a few mail servers myself for work, both internal and external, Linux and Microsoft Exchange servers. One thing that most people seem to forget is reverse DNS. Without it most e-mail servers will reject it. Seems you have that on the checklist.
Since I am a big home lab person I may run one just for fun, but I can’t run it on my home network since I don’t have an ISP business account to allow SMTP connections. Although I’ve been thinking about creating a VPS on Linode just to receive and send e-mails while my mail server at home would connect to that VPS for the actual e-mails. I know there are forwarding services out there but this is something I want to learn.
Cloudflare offers e-mail forwarding service currently in beta which might be a better option for me as they take care of the security aspect of it. I just want a server at home to hold the actual e-mails. I have one running to archive the e-mails that I move them from my e-mail clients like Thunderbird. So many ways to do this with Linux
Yeh, static IP and reverse DNS all covered (works a little bit easier over here)… Got mailcow running fine this week but wasn’t happy with some of the config decisions I made, so yesterday I redid the installation…
DMARC/DKIM etc… everything valid…
I’m not going to expose my mail addresses to the public yet until some time has passed and I know everything is OK… Not using it on these forums as well, ofc.
Only problem I’m still facing is that trying to send verification mails from vaultwarden to my mail server is giving me SSL certificate errors… Both mailcow and vaultwarden are running in a Docker container on Ubuntu Server 22.04 LTS… Which is puzzling to me since both are using wildcard certs from Let’s Encrypt. Or so they should. Not exactly sure yet how to troubleshoot that.
Both are proxied through NGINX. Couldn’t really get HAProxy on pfSense behaving the way I wanted so I switched to NGINX.
I’m using Cloudflare as my DNS manager since Namecheap didn’t offer some of the options. Never got Cloudflare e-mail forwarding working okay so I just let it go.
And yeh… homelabber here for a very, very long time… management is still considered fun for me and part of the learning experience, even though I’m older. (not working in IT anymore either)… Done with that, it is not my happy kind of world.
I’ve been using Zimbra (Open Source - community supported edition) for a number of years for a local community arts centre plus my own domain at home. First thing, you must have a fixed IP address and not in the public space. Talk with your ISP to ensure you have an IP address that will be accepted by other mail servers.
Ensure that your mail server is not an open relay (Zimbra default) and set up SPF & DKIM and rDNS. Use good passwords for each user account and check the logs daily (Zimbra will send a daily summary) to ensure “normal” traffic is occurring. At the community centre I had one account hacked (poorly trained user) which resulted in a spammer using that account to send over 2 million emails over a couple of days. Stopping that account was easy but it took days to clear our name on the multitude of blacklists. No problems since then, touch wood.
I use alias accounts to point to my real account; that way I can give out an individual email address to all of those websites that request an email account. If I get non-related emails into that alias then I know they have given (or sold) that email address to others. Simple fix, delete the alias.
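The DNS checklist that keeps coming up in this thread (SPF, DKIM, DMARC, reverse DNS, a restrictive rather than open policy) can be verified mechanically before a domain is exposed. The script below is an added example, not code from the thread or from mailcow, Zimbra or Mail-in-a-Box; it runs against constructed DNS answers (the domain, IP and key are made up), and `DNS`, `WEAK_DNS` and `check_mail_dns` are hypothetical names. A real run would replace `lookup` with actual DNS queries.

```python
"""Offline sanity check of the DNS records a self-hosted mail server needs.

Constructed data: example.org / 203.0.113.25 and the DKIM key are placeholders.
"""
import re

# A correctly set up domain (constructed records, not real ones).
DNS = {
    ("example.org", "TXT"): ["v=spf1 mx ip4:203.0.113.25 -all"],
    ("_dmarc.example.org", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org"],
    ("mail._domainkey.example.org", "TXT"): ["v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDER"],
    ("mail.example.org", "A"): ["203.0.113.25"],
    ("25.113.0.203.in-addr.arpa", "PTR"): ["mail.example.org"],
}
# The same domain with the mistakes the thread warns about: "+all" SPF, a DMARC
# policy of none, and no reverse DNS for the sending IP.
WEAK_DNS = {
    ("example.org", "TXT"): ["v=spf1 mx +all"],
    ("_dmarc.example.org", "TXT"): ["v=DMARC1; p=none"],
    ("mail._domainkey.example.org", "TXT"): ["v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDER"],
    ("mail.example.org", "A"): ["203.0.113.25"],
}

def lookup(name, rtype, dns):
    """Stand-in for a DNS query; returns the list of record strings or []."""
    return dns.get((name, rtype), [])

def ptr_name(ip):
    """Reverse-map an IPv4 address to its in-addr.arpa name."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def check_mail_dns(domain, hostname, ip, selector="mail", dns=DNS):
    """Return {finding: bool} for the records most often missing or misconfigured."""
    f = {}
    spf = [r for r in lookup(domain, "TXT", dns) if r.startswith("v=spf1")]
    f["spf_present"] = len(spf) == 1  # zero or several SPF records both break validation
    # "+all" or a bare "all" authorises any host to send as the domain; require ~all or -all
    f["spf_restrictive"] = bool(spf) and re.search(r"(^|\s)[-~]all$", spf[0]) is not None
    dmarc = [r for r in lookup("_dmarc." + domain, "TXT", dns) if r.startswith("v=DMARC1")]
    tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv) if dmarc else {}
    f["dmarc_present"] = len(dmarc) == 1
    f["dmarc_enforcing"] = tags.get("p") in ("quarantine", "reject")
    dkim = lookup(f"{selector}._domainkey.{domain}", "TXT", dns)
    f["dkim_key_published"] = any("v=DKIM1" in r and "p=" in r for r in dkim)
    # Forward-confirmed reverse DNS: IP -> PTR -> A must lead back to the same IP and hostname
    ptr = [p.rstrip(".") for p in lookup(ptr_name(ip), "PTR", dns)]
    f["rdns_present"] = bool(ptr)
    f["rdns_forward_confirmed"] = bool(ptr) and ptr[0] == hostname and ip in lookup(ptr[0], "A", dns)
    return f

if __name__ == "__main__":
    for label, data in (("good", DNS), ("weak", WEAK_DNS)):
        print(label, check_mail_dns("example.org", "mail.example.org", "203.0.113.25", dns=data))
```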
yeh using an alias makes sense… but all the points you mentioned before that have been checked off the list…
Still troubleshooting some weird ssl errors while trying to send a verification mail from bitwarden/vaultwarden to my own internal mail server.
My 0.02 on the subject of self-hosted email systems. Take a look at Mail in a Box, a quality turnkey free email system that runs on Ubuntu with an excellent spam filter, based on Postfix, Dovecot and Sieve:
- DANE TLSA
- TLS (SSL)
- Calendar and contact configuration auto discovery
- Monitoring and alerts with Munin
- Backup ability locally or via rsync, S3 (Amazon) or Backblaze B2
- Auto security configs for almost everything
- UFW firewall
- IMAP over TLS
- SMTP over TLS
Have setup approx 30 of these in the last year for clients, friends, family and know a few businesses that use it daily. Only issue I have seen is when the email domain is new, sometimes emails sent from the new system end up in the spam folder. The workaround for this is to send a quick note to your contacts in batches of about 10 or so at a time, 3 times over about a week to train the spam filters on the receiving system that the source is legit. If you can get the contacts to respond to the messages, it trains the spam filters more quickly.
Do take your time and set up things in DNS. Nice thing is this system can also host DNS and do almost all the authenticity and security configs automatically as part of the setup.
Managing this is easy too. Updates are about twice a year or so.
Mail In A Box https://mailinabox.email/
Looks interesting… think I’m mostly struggling with getting DNS setup perfectly. Especially as far as the autoconfig/discover records go and the SRV/TLSA ones… For automatic configuration of say thunderbird/ outlook mail…
I checked if there was a Docker image of Mail in a Box but the last one on the hub seems to be 6 years old.
There is no official docker image. You should use their install script on a dedicated machine / VPS with a public IP address. It’s the only way of installing and using Mail-in-a-Box that is officially supported.
Tried to use the install script on a freshly installed Ubuntu Server 18.04.6 LTS… fails at the start:
/etc/mailinabox.conf: line 4: !–: No such file or directory
Of course the entire script etc. appears to be set up to be run from a VPS, which I’m not. I’m running it in a VM… so not sure if that would matter… Not sure though why they would use such an old version of Ubuntu which will probably run out of support soon.
Background: I started an ISP back in 1994, so I have quite a bit of experience running mail servers under Linux.
FWIW, I stopped running a full mail server over 15+ years ago because of the amount of SPAM I had to deal with. What I have done instead is run my own Postfix mail relay and then relay the end users to Gmail, thereby letting Gmail deal with the spam. This worked great until last year, when Google decided to bounce my relayed emails as spam. I ended up paying for a Google Workspace account per user in order to whitelist my Postfix mail relay server.
Seriously, you should consider doing this because it gives you so much more flexibility in routing and setting up mail aliases. Paying Gmail to be my spam filter is a pretty good deal, IMHO.
Also, I’m running my Postfix mail relay as a VM. That way, if it gets hacked, I just bring back one of the backup images. Since no data other than logs is actually stored on the relay machine, it’s pretty easy to recover.
If I were to redo it today, I would seriously consider running it as a Docker container instead.
I use the Proxmox Mail Gateway in a VM to protect my Postfix/Dovecot mail server (also in a VM). I’ve found it to be a very reliable and flexible way to receive mail for my own domains. Much reading is required, but once you know your way around it’s virtually pain free. I check the ‘tracking centre’ every few days to see where the hacks and spam are coming from, and delete the spam ‘buffer’ every week. It’s very capable at dealing with attempts to subvert the mail server and interesting to see who’s doing it. The only thing I’ve found to be unclear is whitelisting and blacklisting.
Running it in a VM atm and inside a bunch of Docker containers… I see it more as a fun homelabbing experiment with some very useful applications. If it doesn’t work out, no harm done.
I’ve looked into parking it in front of the mail server… Looks overall like a nice product. mailcow already has a lot of defenses built in but Proxmox Mail Gateway does a bit better reporting and has a bit more control by the looks of it.
Will definitely try it out again.