Run your own email server
- Taking email back, part 4: The finale, with webmail & everything after
- Taking email back, part 3: Fortifying your box against spammers
- Taking email back, part 2: Arming your server with Postfix and Dovecot
- How to run your own email server with your own domain, part 1
Email is old and complex. It is the oldest still-recognizable component of the Internet, its modern incarnation amalgamated from several decades-old messaging technologies, including ARPANET's node-to-node messaging of the early 1970s. And while it remains a cornerstone of the Internet (the original killer app, really), it's also extraordinarily difficult to get right.
Most of the time we interact with email through friendly web-based interfaces or applications, but a lot of work goes into hiding the complexity that lets the whole system work. Email operates in a poisonous and hostile environment, inundated with viruses and spam. The seemingly simple exchange of text-based messages runs under complex rules with complex tools, all of it necessary to keep the poison out and the system running and useful despite the abuse it is constantly subjected to.
From a normal person's perspective, email looks like a solved problem: sign up for Internet access and your ISP will give you an email address. Google, Apple, Yahoo, or any other free email provider will hook you up with accounts that have gigabytes of space and lots of cool value-added features. Why fight arcane dragons to launch your own email solution?
I’ll tell you why: because if it’s in the cloud, it’s not yours.
Because you must rely on others for your security. You have no control over who can read your correspondence; you must allow your data to be mined and your marketing profile extracted. You won't be told if your metadata is collected or if your inbox is vacuumed up by a secret government request. You consent to be not a customer but a product, and a product has no rights.
Well, to hell with that. It is your email, and we are going to take it back.
This is hard and even a little scary…
Email is hard. If you want an easier sysadmin project, set up a web server. Email is much more complex, with many more moving parts. On the other hand, your correspondence with others is one of the most personal aspects of your life online: in a medium ultimately made of text, your words are you. It's worth learning how to get your online life back from those who would mine your data and monetize it.
There are pitfalls and caveats, the biggest of which is that if you run your own email server, you are the system administrator. The advantage is that no bored or tired customer service representative at the end of their shift will fall for a social engineering attack and reset your email password. The downside is that you are responsible for the care and feeding of your system. This is not an impossible task, and it is not even really difficult, but it is nontrivial and never-ending. Applying critical updates is your responsibility. Knowing when critical updates come out is also your responsibility.
Worst of all, if you make a mistake and your server is compromised or used as a spam relay, your domain will almost certainly end up on blacklists. Your ability to send and receive email will be diminished or maybe even eliminated altogether. And getting removed from the multitude of email blacklists is about as difficult as getting off the TSA's no-fly list.
You have been warned.
…but it’s also worth doing
Okay, that should be enough to scare off the people who aren't serious. For those of you still with me: this is going to be a lot of fun, and you are going to learn a lot.
This is going to be a multi-part series. Here in this first part we're going to ask (and answer) a bunch of questions about how we're going to set up our email server; we'll also describe the applications we're going to use and talk about what they do. We expect this series to unfold over the next few weeks. Unlike our series on setting up a web server, though, you won't be able to start sending email after part 1: you need all the pieces in place before anything works properly.
This certainly isn't the only DIY email tutorial on the Web. If you're itching to jump ahead and get started now, we suggest you check out Christoph Haas's excellent tutorial at workaround.org; he walks through many (but not all) of the same configuration options that we do. However, Ars wouldn't be putting together this guide if we didn't have a few tricks up our sleeves: we've been in an email setup cave for the last month and have a lot of good information to share.
Prerequisites and assumptions: the where and the how
So you want to have your own email server. Excellent! The first decision, before even getting into things like operating systems and applications, is where you're going to put it. If you have a residential ISP connection, you'll face a number of challenges running an email server out of your closet. In addition to finding the standard set of email TCP ports blocked, your IP address is almost certainly already on one or more blacklists, which exist to reduce the amount of spam spewed out by virus-infected home computers. It doesn't matter whether you're spamming or not: that ship sailed long ago, and residential IP addresses are almost universally considered poisoned. There are numerous tools you can use to see if your address is blacklisted; be sure to check before you start.
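The blacklist check mentioned above is, under the hood, a DNS lookup against a DNS-based blocklist (DNSBL). The following Python script is an added example, not code from the article: it builds the reversed-octet query name, resolves it, and interprets the answer. It assumes the publicly documented conventions of Spamhaus ZEN (listing codes in 127.0.0.x, query errors reported as 127.255.255.x) and uses 203.0.113.45, a constructed documentation address, as sample input.

```python
"""Check an IPv4 address against a DNS-based blocklist (DNSBL).

A DNSBL is queried over ordinary DNS: reverse the octets of the address,
append the list's zone, and resolve the resulting name. An A record in
127.0.0.0/8 means "listed"; NXDOMAIN means "not listed".
"""
import ipaddress
import socket

# Zone queried by default: Spamhaus ZEN, a widely used public DNSBL.
DEFAULT_ZONE = "zen.spamhaus.org"


def dnsbl_query_name(ip: str, zone: str = DEFAULT_ZONE) -> str:
    """Build the reversed-octet query name: 203.0.113.45 -> 45.113.0.203.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def classify_answer(answer: str) -> str:
    """Interpret the A record a DNSBL returns.

    127.0.0.x answers are listings (ZEN's published sub-list codes shown);
    127.255.255.x is how Spamhaus reports a query problem (e.g. an open or
    rate-limited resolver), which must not be mistaken for a listing.
    """
    a = ipaddress.IPv4Address(answer)
    if a in ipaddress.IPv4Network("127.255.255.0/24"):
        return "error"
    if a not in ipaddress.IPv4Network("127.0.0.0/8"):
        return "unexpected"  # a DNSBL never answers with a routable address
    if a not in ipaddress.IPv4Network("127.0.0.0/24"):
        return "listed"      # a listing code this script does not break down
    code = int(a) & 0xFF
    if code == 2:
        return "SBL"         # verified spam source
    if code == 3:
        return "SBL CSS"     # snowshoe / compromised sender
    if 4 <= code <= 7:
        return "XBL"         # exploited host (malware, open proxy)
    if code in (10, 11):
        return "PBL"         # policy block: dynamic or end-user address range
    return "listed"


def check_dnsbl(ip: str, zone: str = DEFAULT_ZONE) -> str:
    """Resolve the DNSBL name and return 'not listed', 'error', or a listing label."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = socket.gethostbyname(name)
    except socket.gaierror as exc:
        no_name = (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME))
        if exc.errno in no_name:
            return "not listed"  # NXDOMAIN / no A record: not on this list
        return "error"           # resolver failure, not a verdict
    return classify_answer(answer)


if __name__ == "__main__":
    # 127.0.0.2 is the conventional DNSBL test address and is always listed;
    # 203.0.113.45 is a constructed documentation address standing in for
    # your own server's public IPv4 address.
    for ip in ("127.0.0.2", "203.0.113.45"):
        print(ip, "->", check_dnsbl(ip))
```

Run it against the public address of the machine you intend to use before committing to it; a PBL answer is exactly the residential-range listing described above, and an "error" result means the lookup itself failed and should be retried through a different resolver rather than read as "clean".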
If you just want to play around at home with a non-functional test domain for learning, then a spare virtual machine or closet server will work fine. If you want to do it for real, you'll need either a business-class connection with unblocked ports and an IP address that isn't blacklisted, or a hosting service. You don't need a monster dedicated server or anything, but you do need at least a VPS on which you can install software from the command line. There are many options; I always recommend A Small Orange or Linode, but if you're willing to sacrifice some performance, you can almost certainly host a small email server on a free Amazon EC2 instance.
You're also going to need a domain (again, unless you're just going to play around with a non-existent test domain), and that means you're going to need a registrar and a third-party DNS provider. My personal recommendations for registrars are Namecheap and Gandi.net; both have taken strict anti-spam stances (see these links) and both offer two-factor authentication. I've used both registrars and both are excellent.
One of the lessons reinforced by the recent theft of @N's Twitter account is that you should segregate your online services where it makes sense to do so. A major component of the @N compromise came from the attacker gaining access to Naoki Hiroshima's GoDaddy account, with GoDaddy serving not only as his registrar but also as the authoritative DNS source for his domains. Once inside, the attacker was able to change at least one of those domains' MX records and thus hijack that domain's email delivery.
We will try to mitigate that specific risk by using an independent DNS provider; specifically, we are going to use Amazon's Route 53 DNS service. That limits the amount of immediate damage an attacker can cause in the unlikely event that your registrar account is compromised.
"Ah," you say, "but if I use Amazon EC2 for my email server and Amazon Route 53 for DNS, then I'm not segregating at all." This is true, but Amazon gives you granular access control between its services; it's not hard to make sure that one set of login credentials can only modify your EC2 server and a different set can only modify your Route 53 DNS settings.
There are also plenty of other DNS providers if you want to physically distribute your eggs instead of relying on access control, and being paranoid about security is never unwise. For this guide, however, we will go over the specific steps I took when I moved my own domain off Google Apps and took my email private, which means a physical server and Route 53 DNS (which ends up costing me about $2 a month).
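Segregating the registrar from the DNS provider limits what a single compromised account can do, but the MX hijack described above is also easy to detect after the fact: the published MX set simply stops matching what you configured. The script below is an added example, not part of the article, of that detection check. It assumes `dig` is installed for the live lookup, and the two `dig +short MX` outputs embedded in it are constructed samples (a baseline recorded at setup and a later lookup in which a new, more-preferred MX points at a host that was never configured).

```python
"""Detect unexpected changes to a domain's MX records.

Compares the MX set currently published in DNS against a baseline recorded
when the domain was set up; any added or removed record is a reason to
check the registrar and DNS accounts immediately.
"""
import subprocess


def parse_mx(dig_output: str) -> set[tuple[int, str]]:
    """Parse `dig +short MX <domain>` lines ("10 mail.example.com.") into (priority, host) pairs."""
    records = set()
    for line in dig_output.splitlines():
        line = line.strip()
        if not line:
            continue
        priority, host = line.split(None, 1)
        # Normalise: drop the trailing root dot and compare hosts case-insensitively.
        records.add((int(priority), host.rstrip(".").lower()))
    return records


def mx_drift(baseline: set, current: set) -> dict:
    """Return the records that appeared or disappeared relative to the baseline."""
    return {"added": current - baseline, "removed": baseline - current}


def fetch_mx(domain: str) -> set[tuple[int, str]]:
    """Query the live MX set (assumes dig is available on the host)."""
    result = subprocess.run(
        ["dig", "+short", "MX", domain],
        capture_output=True, text=True, timeout=15, check=True,
    )
    return parse_mx(result.stdout)


# Constructed sample outputs. In the later lookup, priority 5 is lower than
# 10 and therefore preferred: mail would be delivered to the unknown host first.
BASELINE_DIG = """10 mail.example.com.
20 mail2.example.com.
"""
LATER_DIG = """10 mail.example.com.
5 mx.unexpected-host.example.net.
"""


def demo_drift() -> dict:
    """Run the comparison on the constructed samples."""
    return mx_drift(parse_mx(BASELINE_DIG), parse_mx(LATER_DIG))


if __name__ == "__main__":
    drift = demo_drift()  # replace with mx_drift(baseline, fetch_mx("yourdomain.example")) for real use
    if drift["added"] or drift["removed"]:
        print("MX records changed:", drift)
    else:
        print("MX records match baseline")
```

Run from cron against the real domain with the baseline stored on a machine separate from the DNS account, so that an attacker who can change the records cannot also silence the alarm.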