I tried maybe 15 years ago and it went about as well as you’d expect for back then. But I’m starting to get the itch again.
Have any of you tried relatively recently? How impossible is it to get reliable deliverability to gmail and whatnot these days?
You must log in or register to comment.
I’ve been self hosting email successfully for 20 years. My goto article for this question:
https://poolp.org/posts/2019-08-30/you-should-not-run-your-mail-server-because-mail-is-hard/
TLDR;
- Mail is not hard: people keep repeating that because they read it, not because they tried it
- Big Mailer Corps are quite happy with that myth, it keeps their userbase growing
- Big Mailer Corps control a large percentage of the e-mail address space which is good for none of us
- It’s ok that people have their e-mails hosted at Big Mailer Corps as long as there’s enough people outside too
If I had to make one suggestion, I would use a trusted third party to relay outbound e-mail such as AWS SES, mxroute, sendgrid, mailgun, etc. When I was looking for a job a few years ago, I found many potential employers’ systems would flag my e-mails as junk or simply delete them, and I had to revert to gmail. My second suggestion is to properly set up TLS/SSL for security, and SPF, DKIM, and DMARC for maximum deliverability. I’m currently using a deprecated application, but I’ve been testing mailcow which seems alright.
Beware that Mailgun doesn’t differentiate between transactional and marketing emails, this could hurt your deliverability.
I tried the all-in-one server Mox two years ago and it just worked. In fact, I’m still productively using it to this day.
The spam filter could be a little better, but it does a good enough job IMO.
I tried, but my IMAP server recently stopped working. It also got flagged as spam by literally everyone I sent an email to.
Selfhost several domains for over 25 years, from home, on a dynamic IP (though it hasn’t changed in a long time) and no PTR records, and I have literally had zero problems with blacklisting or dropped connections. I must live a charmed life, or have set up my DKIM/SPF/dmarc records correctly.
Currently using mailcow-dockerized and it’s lovely.
mailcow-dockerized is great, really makes email setup so much easier.
Do you ever send mails to Gmail and Office365? Do you get through the spam filter without PTR record?
I have not done so in the traditional sense in quite some years. My experience was that it was an increasing headache due to crashing into a wide variety of anti-spam efforts. Get email past one and crash into another.
Depending upon your use case – using the “forward to a smarthost” feature in some mail server packages to forward to a mailserver run by a SMTP service provider with whom you have an account might work for you. Then it still looks to local software like you have a local mailserver.
If I were going to do a conventional, no-smarthost mailserver today, I think that I would probably start out by setting up a bunch of spam-filtering stuff — SpamAssassin, I dunno what-all gets used these days on a “regular” account — and then emailing stuff from my server and seeing what throws up red flags. That’d let me actually see the scoring and stuff that’s killing email. Once I had it as clean as I could get it, I’d get a variety of people I know on different mail servers and ask them to respond back to a test email, and see what made it out.
I’ve been hosting my own email servers for 20 years without issue. But email systems were a huge part of my IT career so it was easy.
It works great if you have static IPs and know what you’re doing in terms of following best practices. If you’re missing those two things you’re going to have a bad time.
If you have the statics and want to learn, I’d recommend purchasing a test domain and getting the kinks worked out before you move a domain you care about to your own system.
I really like the idea of having my own server, where I could have a bunch of cool stuff like email, VPN, Nextcloud, and so much more. The primary reason why I don’t have a server like that, is because I can’t trust myself to follow the best practices. For a while now, I’ve been thinking that I should hire a proper professional to take care of all that.
Any wisdoms to share?
Yeah, don’t do it.
Lol. After professionally hosting email for 15 years I’m happy to let someone else handle it now.
About 90% of incoming mail will be spam and it will be your job to make sure you are doing good job of classifying it so you don’t get junk in your inbox and don’t lose real mail in the spam folder.
Then for outgoing mail you need to make sure SPF, DKIM and DMARC are all in order.
Then there is all the usual stuff of security updates, backups, monitoring, alerting, logging and having a plan for internet outages.
Yes, it’s all doable but I won’t expect it be “set and forget”. I expect there will be quite a bit of tuning with some possible spam and delivery problems while you get kinks worked out.
I currently am and I have been hosting my own mail for the past several decades, so I can tell you from experience that it still is very much possible, but it has become significantly more complex than it used to be, not recommended for anyone who doesn’t have a particular interest in mail.
I have been self-hosting my mail server for the past 5 or 6 years with success. Recently my ISP decided to close port 25 so I have to use a third party to deliver my outgoing mail.
The fact that ISPs can do this should be a fkn outrage. But this is so far removed from what people care about. And so net neutrality gets eroded.
I don’t think they want to bother with the administration, they were forced to to stop anyone from spamming from random SMTP servers.
Because of dmarc and DKIM, we don’t really need this anymore, but there were good reasons for it.
I know some ISPs can enable it if you call them and ask them
Reminder that you can go for hybrid approaches; receive email and host IMAP/webmail yourself, and send emails through someone like AWS. I am not saying you can’t do SMTP yourself, but if you want to just dip your toes, it’s an option.
You get many of the advantages; you control your email addresses, you store all of the email and control backups, etc.
…
And another thing: you could also play with https://chatmail.at/relays ; which is pretty cool. I had read about Delta Chat, but decided to play with it recently and… it’s blown my mind.
Email is the hardest thing to self-host, but it’s definitely doable. You’ll need a static IP, and you’ll need to talk to your ISP to make sure outbound connections on port 25 are open.
Set up your servers and your DNS settings (another commenter gave a good guide), then use this tool to check that DKIM and SPF are working and that you’re not seen as spam with SpamAssassin:
Once that’s done, take your static IP and check it with this tool:
https://mxtoolbox.com/blacklists.aspx
If it’s on any of the lists, you’ll need to go to those lists’ sites and try to get it removed. You might need to make an email address for “postmaster@yourdomain” at this point.
Beyond that, you may need to “warm up” your IP address, by sending email to yourself on various services (Gmail, Yahoo, Microsoft) and marking them as not spam.
Then you should be golden.
I had to do this for both my SMTP servers for Port87. If you use more than one server, this process gets a little harder, so probably stick to one at first.
I’m pretty sure gmail’s filters are per-user. I’ve had it react after just one flag/unflag, and I doubt that it would do that it would only take one action to change it for everyone.
It’s more of a signal that the IP address does send trustworthy email. AFAIK, IP reputation isn’t handled on a per-user basis. Domain reputation probably is.
I have been using my own email for many years (to this day). Everything is working great. The main thing is to have a static IP and be able to specify your domain in the PTR record of the ip address.
In general, you will need: postfix (https://wiki.archlinux.org/title/Postfix) OpenDMARC (https://wiki.archlinux.org/title/OpenDMARC) OpenDKIM (https://wiki.archlinux.org/title/OpenDKIM) Dovecot (https://wiki.archlinux.org/title/Dovecot) Some interface to choose from (soGO, roundcube) Maybe graylists, ClamAV, SpamAssassin, or something else to protect your mailbox from spam and viruses. And if you want filtering functionality, then you also need Sieve.
Where are you hosting your mail?
On my home server. My ISP gives me a static address and makes PTR records for only about $1.5 per month.
How do connect to your mail’s server outside your home network?
Sorry for all the questions, I’m trying to get my DNS working with a vpn and it’s been difficult.
If you want to be able to accept mail, you’ll need to directly expose your mail server on your public IP (router configuration required). You’ll also need to allow your server to egress your WAN as well. That being said - if you really want tighten your security, and don’t care about missing some emails, you could limit your server to seeing only those servers you know you’ll be communicating with, such as work, bank, or GMail servers only.
You can make it so that retrieving your email with your client of choice requires a VPN connection to your home network also.
Well… as I already wrote, my home server is literally on the Internet because I rent a static public IP address from the provider.
But if you have a VPS, then you just need to do port forwarding to your server with a VPS, and then add the following entries to the mx DNS server:
you.domain. 21600 IN MX 10 you.first.vps. you.domain. 21600 IN MX 20 you.second.vps.Where 10 and 20 are the server priority Or if the VPS is part of your domain then:
you.domain. 21600 IN MX 10 first.vps.you.domain. you.domain. 21600 IN MX 20 second.vps.you.domain. first.vps.you.domain. 21600 IN A 1.1.1.1 second.vps.you.domain. 21600 IN A 2.2.2.2And if you also have IPv6, you can do
first.vps.you.domain. 21600 IN AAAA fd00::1 second.vps.you.domain. 21600 IN AAAA fd00::2Where 1.1.1.1, 2.2.2.2, fd00::1 and fd00::2 are the addresses of your VPS
You also need to enter the address in the SPF:
you.domain. 21600 IN TXT "v=spf1 +mx -all"What does it mean
v=spf1 is the SPF version.
+mx – it is allowed to send mail from the IP addresses specified in the MX records of the domain.
-all – prohibits sending from any other servers (hard refusal).
Also, in order for the signature to work on the mail server, you need to make several TXT entries (for a detailed explanation, see my links about DKIM):
keyname.__domainkey.you.domain. TXT "v=DKIM1; ...%DKIM params%"and
you.domain. 86400 IN TXT "v=DMARC1...%dmarc params%"And you need ask you VPS provider set PTR for you VPS IP address with first.vps.you.domain. Or some providers access that config in web panel.
But in reality, this will only allow you to receive incoming mail. In order for outgoing mail to work, it is necessary that the mail server and all the strapping go through the VPS to the Internet. This requires a rather complicated configuration of iptables, and I recommend that you simply either fill up the mailer on a VPS (there will be a maximum of gigabytes of mail. it’s not that heavy), or buy a static address at home.
If you still decide to go the hard way, here’s an approximate plan for what you need to do in the spirit of iptables, because setting it up in firewalld is a real torment.:
*mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A OUTPUT -m owner --uid-owner 924 -j MARK --set-mark 0x300 COMMITwhere 924 is the postfix user ID, you may have a different number. check it out
ip route add default via 10.8.12.4 dev wg0 table 100adding the default route via the VPS address to the routing table 100. replace 10.8.12.4 with the address of your VPS and wg0 with the name of the interface for communication between the VPS and home. Then
ip rule add from all fwmark 0x300 lookup 100We are sending all packets with the label 0x300 to the routing table 100. In other words, the postfix user will have his own custom routing table via VPS.
This creates several problems due to the fact that with this configuration, it may not be possible to connect to postfix via your server’s interfaces. But in basic case all will work. Bypassing this problem will create even more complex routing rules and will generally be overkill. But if you’re interested, write to me and I’ll sign it.
Lucky. I need to use an external service for 12€/month with 100Mbps and 1TB/month limits, per VPN.
I’ve been running my own mail for 10+ years. I recommend rspamd for spam filtering. It took the place of SpamAssasin, grey listing, SPF checking, etc. All in one single system.
Thanks, I’ll give it a try sometime.
No. I do that for my job and wouldn’t do it for personal use. HA/redundancy/security is too expensive.
I would recommend something like stalwart, which is just a single binary and works. Gives you a web interface and a zonefile you can just copy paste into your DNS including all correct DMARC DKIM SPF and autodiscovery records.
Setting postfix, dovecot etc. up from scratch can be a bit time consuming and annoying.
Deliverability depends on where it is hosted, many VPC providers IP space is completely blocked in spam filters.
I was actually recently discussing self-hosting email on Matrix a while ago, so I’ll just copy-paste below. Long story short, find the right existing email software you want to use, set it up correctly with a healthy IP address and domain (not blacklisted), the right DNS entries, and a PTR record, and it’ll work just fine.
Honestly, I haven’t had any issues with self-hosting email, and I’ve been doing it for the past 2 years. I think the trick is that you just need to set everything up correctly and then verify your setup with mail-tester.com to ensure all the headers, DNS entries, etc. are correct. There are some great projects that make it extremely easy to self-host, including Mailu github.com/mailu/mailu, Mailcow github.com/mailcow/mailcow-dockerized, Docker mailserver (https://github.com/docker-mailserver/docker-mailserver), Stalwart github.com/stalwartlabs/stalwart, and I’m sure more. I’m currently using Mailu, but I have been eyeing Stalwart, which has recently gotten quite popular and implements modern email protocols and does everything in Rust.
If I were you and just wanted to take a stab at self-hosting email, I would start with Stalwart and see how you like it. The only caveat is that it doesn’t yet come with a webmail client, so if you wanted one, you’d have to separately add that to your setup.
Something you would need to think about though is your IP address. It must be static, and it should be in a healthy IP address range (not on any popular blacklists). You also need to be able to set up rDNS (reverse DNS) / PTR record, so you can point your IP address back to your email domain.
