I do it. Postfix+dovecot+spamassassin managed with ISPConfig running on a VPS. Works just fine, but my domains already have a long-ish good reputation so that may play a part on my experience. Biggest headache is to keep things running, which occasionally means jumping trough hoops microsoft(mostly) and others throw at you by flagging your server as spam for no apparent reason.

It’s quite likely that any given IP, unless you get one from shady VPS provider or something, is “clean”. And if it’s not it’s usually not that big of a deal to get it cleared from major blacklists (spamhaus, google and microsoft covers quite a lot). You just need to dig up proper forms to tell them that you’re a new owner of said IP and promise to play nice.

Same goes with domain names, but if you get a new one that’s a non-issue. Just set up SPF-records properly (and preferably DKIM/DMARC, but those aren’t strictly necessary and need a bit more than a single TXT-record) and you’re good to go.

And then you of course need to stay away from those lists. If you configure your SMTP to act as a open proxy you’ll be on every shitlist on the planet pretty quickly. So, reasonable measures against compromised account (passwords, firewalls, rate limits…) and against other threats (misconfigured/unsafe web service used for spam and stuff like that). Any of those alone are not too difficult to accomplish, but there’s quite a few things you need to get right.

Maybe easier to get anything runnin quickly. But it obfuscates a lot of things and creates additional layer of stuff which you need to then manage. Like few days ago there was discussion about how docker, by default, creates rules which bypass the “normal” INPUT rules on many (most?) implementations. And backup scenario is different, it’s not as straightforward to change configuration than with traditional daemon and it’s even more likely to accidentally delete your data as a whole.

As I already said, docker has its uses, but when you’re messing around and learning a new system you first need to learn how to manage the ropes with docker and only after that you can mess around with the actual thing you’re interested of. And also what I personally don’t really like is the mindset that you can just throw something on a docker and leave it running without any concern which is often promoted with ‘quickstart’-type documentation.

You absolutely can run services without containers and when learning and trying things out I’d say it’s even preferable. Docker is a whole another beast to manage and has a learning curve of it’s own.

Containers can of course be useful but setting everything up, configuring networking, managing possible integrations with other components (for example authentication via LDAP) it’s often simpler just to run the thing “in traditional way”. With radicale you can just ‘apt install radicale’ (or whatever you’re using) and have a go with it without extra layer of stuff you need to learn before getting something out of the thing. And even on production setups it might be preferred approach to go with ‘bare metal’, but that depends on quite a few variables.

On residential connections it’s a bit pain in the rear, but if you get VPS (or something similar) it’s perfectly manageable. You just need to maintain stuff properly, like having proper DNS records, and occasionally clear false positives from spam lists. The bigger issue is to have proper backups and precautions, I’ve hosted my own emails for over 10 years and should I lose all the data and ability to receive new messages it would be a massive personal problem.

Obviously we’re talking about hobbyist level stuff and with that there’s always something what can go wrong and it’s not always obvious what it is. So if the ‘remote end’ doesn’t have someone who can do at least very basic troubleshooting it can be nearly impossible to fix the setup over the phone unless you just replace the whole thing and ship whole units back and forth.

But in this particular case the remote end has someone who knows their stuff so it’s taken care of, with or without a KVM. I’ve been thinking a similar setup with my relatives and on my case the distance isn’t an issue but it’s still something I’d need to bother family members with and, for me, it was simpler to get a storage box from hetzner and run backups to that instead of getting more hardware.

Maintenance is anyways something you need to consider and viable options for that vary on a case-by-case basis, so there’s no ‘one size fits all’ solution.

It won’t help if your power supply breaks and KVM itself can malfunction too. It’s of course nice to have, but it has limitations.

I would consider also the case where something goes wrong. Maybe the whole thing crashes, maybe you misconfigure something, maybe there’s a power outage or something else happens and you lose the connectivity. Is there someone on site who can do anything to your hardware as you can’t easily just go and figure it out by yourself?

If the answer is ‘no’ then I would strongy reconsider the whole approach. On a worst case scenario the system goes down before you’re even back home from the trip and then your hardware is just gathering dust.

I somewhat agree on your comment about documentation and UI (altough once you get used to it, it’s manageable) but just to add with my experience on these things: for me they’ve been rock solid. I’ve used them both at home and professionally (mostly on small-ish networks) for at least 10 years and they just seem to run just fine.

Currently my home router is RB4011iGS+ and there’s been absolutely no problems with it in the 4-5 years it’s been on my network. I’m not saying all their models are as reliable and there’s not that many models I’ve had my hands on, but my experience with them has so far been pretty good.

You’ll get used to it eventually

I’ve been earning my living mostly with connecting to remote systems via ssh (and other means) for quite a few years and I still occasionally mess up and enter commands on a wrong terminal. Less now than I used to, but it still happens. The trick is to learn youself to pause for a second and confirm the target for any potentially destructive or otherwise harmful command, no matter if it’s locally or to some server other side of the world.

Do they really care enough to check your info manually if you don’t use your domain name for malicious purposes?

Depends on TLD how strict the checks are, but generally you’re at least violating TOS by doing it and can lose your domain should someone actually check the info. A lot of registrars provide at least whois-security, so they’ll know your real details but won’t share them openly to anyone who asks. I assume if you get into something illegal and court orders to release the data then they’ll happily comply instead of hurting their own business.

But if you just want to keep your real name and address out of the internet, that would be enough at least for me.

Ubiquiti

And they too aggressively push their cloud services and at least some point their management tool gave you ads on their other products.

I did self-host bitwarden and it’s not that bad to keep updated and running after initial setup (including backups obviously) but it still requires some time and effort to keep it running. And as I was the only user for the service it just wasn’t worth the time spent for me (YMMV) so I switched to their EU servers and I’ve been a happy user ever since.

What I should do is to improve local backps on that, currently I just export my data every now and then manually to a secured storage, but doing it manually means that there’s often too long time between exports.

For example I’m not aware of any way to do upload without a login in Seafile.

You can create upload share the same way you create a download share. Then just give a link to whoever you want to and that’s it. I’m pretty sure it’ll show files already in the share while uploading, but I’m not 100% sure on that.

You could get around with a normal file share service (assuming you already are using one) via tinyurl or similar redirect. I don’t know how much the free services track you or if they have other security implications, but I have couple of domains laying around and it would be pretty trivial to just create HTTP redirect from “class-a.up.mydomain.foo” to my nextcloud upload link.

Or, if you’re using only one or few distributions you can preseed the image and have the installer do the stuff for you.

That’s something along the lines I do as well, but your methods are far more in depth than mine. I just glance around documentations, how active the development is and get a rough idea if the thing is just a single person hobby-project or something which has a bit more momentum.

And it of course also depends on if I’m looking for solutions just for myself or is it for others and spesifically if it’s work related. But full audits? No. There’s no way my lifetime would be enough to audit everything I use and even with infinite time I don’t have the skills to do that (which of course wouldn’t be an issue if I had infinite time, but I don’t see that happening).

Is my current set up secure, assuming strong passwords were used for everything?

Network security is a complicated beast to manage. If general public can access your services over the internet, that’s a threat you need to mitigate. Strong passwords is a good start on that, but it doesn’t take into account if there’s a flaw or bug on the service you’re running. Also if you have external users, they might reuse their passwords and leak for those might cause a threat too, specially if there’s privilege escalation bugs on the software you’re running.

And so on, it’s a too wide field to cover in a short comment here, but when you’re building your stuff, and what is maybe the most disticntive feature on a good professional between a not so good one, is to think ahead and prepare for every imaginable scenario where something goes wrong. Every time you add a way to access your network, no matter how minuscle, think what happens if that way gets compromised and what it might mean on the very worst case.

Maybe you want to add another access point to your network since your terrace isn’t properly covered. That’s nice to have, but now everyone around 100 meters around your house/apartment might have access to your stuff if they can break your wifi security. Maybe you set up a reverse proxy or tailscale on the stack. Now the whole internet can at least probe your stuff and try to find vulnerabilities, try to use stolen credentials and even try to social engineer their way into your stuff. Or maybe you made an mistake and left something open that shouldn’t be.

I’m not trying to scare you off out of anything. Go ahead and play with your stuff, break things, learn how to fix them, have fun while doing it. Just remember to think ahead about worst case scenarios, weigh their risks, think ahead and then go on. Learn about DNAT, reverse proxies, VPN and network layers and whatever you come across on your adventure but keep in mind that shit will hit the fan at some point. And learn to accept that, learn from your mistakes and do better next time.

Hetzner provides managed web hosting too. For emails I think you need to look for some other provider.

I’ve been a happy customer with joker.com (Germany) for at least 10 years.