Fully self-hosting my email

Havin_it
Veteran
Posts: 1343
Joined: Sun Jul 17, 2005 10:26 am
Location: Edinburgh, UK

Post by Havin_it » Fri Jan 23, 2026 2:24 pm

Hi,

For some years now I've run a local mail server stack at home for a handful of domains/addresses with dovecot for IMAP access and sieve filtering, postfix for sending, auth and internal relaying, and fetchmail + spamassassin for receiving from the online mailboxes maintained by the domains' hosting provider.

I've always been interested in going the last mile and having my own server handle the whole thing: become the domains' primary MX (right terminology?) so that incoming mail is sent directly to me; and send outgoing mail directly instead of via my host's authed SMTP gateway. This has mainly been because the hosting is shared, so the outgoing IP often gets a bad rep due to other tenants' misdeeds. Now though, I'm also noticing a lot of places jacking up prices for email provisioning; that probably won't affect my host but it's still renewed my interest in moving to self-hosting. I'd also like to be able to bounce back more obvious spam actively (my host do offer this but I don't trust their filters).

It's an intimidating prospect though. I expect a steep learning curve in managing DNS correctly (particularly in extending it to antispam practices like SPF/DKIM), and I'm leery about how much rogue traffic I'll have to deal with when opening a port to the world for SMTP. (I already do in fact, but it has no DNS record as it's only for relaying from my clients so it just gets the odd opportunistic knock. I'm sure a published MX record would bring a lot more.) Availability/failover is a concern as well: the current setup also serves my partner's mail, and incoming mail getting black-holed due to downtime could really get me in the doghouse :roll: I've never done any sort of clustering/load-balancing before so that would be all new ground too.

I'd really like to know if any readers have experience of doing this at the home/soho level. If so:
- How much hardware/resource grunt did it require? (Not always easy to quantify, I know)
- Did you employ multiple hosts for redundancy, and if so what software did you use?
- Does handling multiple domains make it much more complex to set up?
- What did you use for spam filtering and how did it hold up?
- Did you have scaling issues, and how did you overcome them (if you did)?
- What was the worst/hardest part of the process?
- How much hair did you lose? [I'm already on a budget lol]
- Was it worth it?
- What is the biggest gotcha I haven't even thought of?

Even just any general war stories from anyone who's been through it would be of interest. TIA
Navar
Guru
Posts: 422
Joined: Mon Aug 20, 2012 4:10 am
Location: usa

Post by Navar » Fri Jan 23, 2026 4:31 pm

Havin_it wrote: become the domains' primary MX (right terminology?) so that incoming mail is sent directly to me; and send outgoing mail directly instead of via my host's authed SMTP gateway.
Yes, "MX" record(s) in DNS ("Mail Exchange") direct mail to the specified server for the given domain.

I haven't fought with running a mail server in production since BSD in the 90s for a small firm, so I'll tap out from there. I guess that's not entirely true, there were recent years of LB'ed mail relays (that role only) in a large global production environment, but they never failed, no matter how often blamed. But proving that, past explaining detailed logs and such to stakeholders and Spiderman finger pointings for who should have the hot potato was always a good time. Towards the end of my tenure, they got the luxury of being further configured to handle even more worldwide. Irony.

It would be interesting over time to hear how much of an actual challenge, if any, your ingress of real vs harvested/generated spam there would actually be with only a few accounts associated to a small domain, if I understood correctly on skimming your post. You're on a budget yet trying to add in LB and clustering? Is this entirely your local infra or cloud service providers?
(I don't speak for/represent my current/past employers)
pa4wdh
Veteran
Posts: 1015
Joined: Fri Dec 16, 2005 6:55 pm

Post by pa4wdh » Fri Jan 23, 2026 4:48 pm

I've been running my own mail server since 2014 and handle e-mail for 5 public domains there. I'm the only user, and the software is:
- postfix for smtp
- dovecot for imaps and sieve
- Roundcube for webmail
- spamassassin for spam filtering
- opendkim for dkim signing
- Not really e-mail specific, but I also have my own DNS servers running based on BIND, hosting the MX (and other) records for the domains

I'll try to answer your questions:
How much hardware/resource grunt did it require? (Not always easy to quantify, I know)
Not much, in 40 days the whole setup used 9500 CPU seconds.
Did you employ multiple hosts for redundancy, and if so what software did you use?
Yes.
My primary mailserver is running on my home server, which runs the full stack listed above. My secondary mailserver is a VPS which only runs postfix and forwards e-mails to the primary. In case the primary is not available e-mails are cached there. The partition for cached e-mails is encrypted with LUKS because this is a public host. Redundancy itself is as easy as adding a second MX record for the domain.
I actually use/test this redundancy during upgrades: I simply shut down postfix during the upgrade process (emerge ...) and the other server should be handling the e-mail.
Does handling multiple domains make it much more complex to set up?
Not really, it just means you have to do some setup for every domain. Of course you can make it more complex with routing rules, but that's up to you.
What did you use for spam filtering and how did it hold up?
Spamassassin is running here; it does a nice job. Because some spam still gets through, I also use sieve rules to catch those and move them to a place where spamassassin will learn from them.
Did you have scaling issues, and how did you overcome them (if you did)?
No
What was the worst/hardest part of the process?
I think getting it right is quite difficult now. For me it was a slow process to adapt to new standards as they arose, but now everything should be right at once.
My advice: Start small with non-critical addresses and build the setup (and complexity) from there.
How much hair did you lose? [I'm already on a budget lol]
Not much, but it changed color ;-), but I think that's more due to age than due to my mailserver ;-)
Was it worth it?
Yes, it was and still is worth it. You'll learn a lot about software, protocols, crypto (tls, dkim), internet politics and probably other stuff too.
What is the biggest gotcha I haven't even thought of?
I think there are two:
1) Many ISPs block SMTP ports. This effectively breaks a home mailserver. Before you start, make sure you can make inbound and outbound connections on port 25. Some ISPs offer a relay host as a workaround, but be aware that they will be able to read all your non-encrypted e-mails.
2) Some big-tech email services are really unfriendly to self-hosted mail servers. They might reject your emails even if you do everything correctly. If you try to ask them to de-list you from their blocklist they are very uninformative or unresponsive.

I hope this helps, feel free to ask for more information if you need.
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
szatox
Advocate
Posts: 3858
Joined: Tue Aug 27, 2013 12:35 pm

Post by szatox » Fri Jan 23, 2026 5:17 pm

I've been running an email server on a teeny-tiny VPS. When it comes to personal use, resources are not an issue, difficulty is not that big either, and using single-purpose aliases eliminates spam completely.
Having a domain slowly becomes more annoying though, as if "someone" wanted to tell us civilians are not supposed to do that. It's not a huge deal yet, but I can see the direction.
Make Pipewire a system service
Havin_it
Veteran
Posts: 1343
Joined: Sun Jul 17, 2005 10:26 am
Location: Edinburgh, UK

Post by Havin_it » Fri Jan 23, 2026 6:00 pm

Hi Navar, thanks for the reply.
Navar wrote: It would be interesting over time to hear how much of an actual challenge, if any, your ingress of real vs harvested/generated spam there would actually be with only a few accounts associated to a small domain, if I understood correctly on skimming your post. You're on a budget yet trying to add in LB and clustering? Is this entirely your local infra or cloud service providers?
There are a total of four domains involved. Myself and my partner both have longstanding personal domains, with existing but largely defunct static websites attached, and one active primary mail address each (both in use for almost 20yrs). The incoming mail config is catch-all configured, though, so $anythingatall@ourdomains.coms gets through to us (I use this for giving out throwaway addresses; my partner doesn't bother) which means we get all the opportunistic crap sent to webmaster@, sales@ and so on. Spamassassin + sieve has a fairly good handle on most of that. There are occasional high-volume days but mostly we see about a dozen spams a day.

The other two are not web-hosted and not actively used for email (just diverted into my account). One is used for providing a DNS name for our home, where the current mailserver kit is (I run some web stuff and VPN from here too). I could use either for trial and error if I proceed with this.

The stack runs on my home everythingserver which is a HPE Microserver Gen10. I've also got sundry Raspberry Pis floating around doing odd jobs on the LAN, e.g. I moved local DNS/DHCP service off the main server and onto a Pi for continuity whenever I do something to temporarily b0rk the main server ;)

Something like that might be all I'd need in terms of failover for the SMTP server (which is the main part that concerns me: having incoming mail not get bounced). I worry a bit that a Pi might struggle if it did have to handle a big squall, but the poster below you has steered me a bit that my initial thoughts of needing anything serious like clustering were probably overblown.
b11n
Guru
Posts: 303
Joined: Wed Mar 26, 2003 8:15 am
Location: New Zealand

Post by b11n » Fri Jan 23, 2026 6:05 pm

I used to. Postfix + Amavisd + Spamassassin, all the way back in 2005. It was a bad idea then, and it's a really bad idea now. It seems like fun, but you'll probably just get bored with the admin. Because email is boring.

As with running any server facing the public internet, at the very least you're going to need to keep up with security advisories and patch things promptly when they're found. And you're going to be asleep for ~8 hours of the day, and probably busy doing something else for the other 16. Is that a level of service you'd accept from a mail server you were paying for?

If it's just for you - don't.
If it's just for you and about 10 others - still don't.
If it's for you and 30,000 others - provision enough redundancy, implement LDAP, a web portal for managing password resets, backups, disaster recovery plans, recruit and train enough staff you've got 24/7 pager duty, and compete with thousands of other firms doing the same thing (i.e. don't)
Or just pay a few bucks a month for an MTA that gives you the things you need, and go to sleep not worrying about your server getting owned.

There is no glamour or glory in running a mailserver. Your port 25 should be closed.
Is there gas in the caaaaar?
Yes, there's gas in the caaaar
Havin_it
Veteran
Posts: 1343
Joined: Sun Jul 17, 2005 10:26 am
Location: Edinburgh, UK

Post by Havin_it » Sat Jan 24, 2026 11:31 pm

Thanks for such a comprehensive reply!
pa4wdh wrote:Yes.
My primary mailserver is running on my home server, which runs the full stack listed above. My secondary mailserver is a VPS which only runs postfix and forwards e-mails to the primary. In case the primary is not available e-mails are cached there. The partition for cached e-mails is encrypted with LUKS because this is a public host. Redundancy itself is as easy as adding a second MX record for the domain.
I actually use/test this redundancy during upgrades: I simply shut down postfix during the upgrade process (emerge ...) and the other server should be handling the e-mail.
I sort-of get this. The backup postfix acts as a relay towards the primary, and keeps trying to deliver the cached messages until the primary reappears. Yeah?
I only considered a 2nd local host in this, and I'm not likely to cough up for an external VPS, so the increased gravity of an ISP outage is definitely a point against.
pa4wdh wrote:Spamassassin is running here, it does a nice job. Because some spam still get through i also use sieve rules to catch those and move them to a place where spamassassin will learn from
SA has been the most temperamental part of my existing setup over the years I must say. Correctly pipelining it between fetchmail and dovecot-lda gave me my first grey hairs, I think ... but for the mode of use with postfix, which is probably more common, hopefully I'll find more prior art to work off. It's also quite resource-heavy when scanning, which I think is my biggest worry on that topic when I imagine huge squalls of spam coming in.
pa4wdh wrote:I think getting it right is quite difficult now. For me it was a slow process to adopt to new standards as they arise, but now everything should be right at once now.
My advice: Start small with non-critical addresses and build the setup (and complexity) from there.
Agreed. I have an unused domain that I can use for testing. I don't think I dare try to coexist with the current stack so I'd need to set up a VM or a spare RPi - for testing, probably adequate.
pa4wdh wrote:Yes, it was and still is worth it. You'll learn a lot about software, protocols, crypto (tls, dkim), internet politics and probably other stuff too.
Internet politics? :intrigued:
pa4wdh wrote:I think there are two:
1) Many ISP's block SMTP ports. This effectively breaks a home mailserver. Before you start make sure you can make inbound and outbound connections on port 25. Some ISP's offer a relay host as a workaround, but be aware that they will be able to read all your non encrypted e-mails.
My latest ISP is a historically business-centric one that's just starting to go mass-market (if you're in UK you could probably guess who that is); I'm optimistic but will check. I actually have :25 open because originally I was using SMTP+IMAP from outside, but in fact now it's unused because the only clients outside are devices doing everything over ActiveSync from a Horde instance.
pa4wdh wrote:2) Some big-tech email services are really unfriendly to self hosted mail servers.They might reject your emails even if you do everything correct. If you try to ask them to de-list you from their blocklist they are very uninformative or unresponsive.
Yikes. That could be a big point against. How do they identify you as self-hosting?
szatox
Advocate
Posts: 3858
Joined: Tue Aug 27, 2013 12:35 pm

Post by szatox » Sun Jan 25, 2026 12:18 am

Havin_it wrote: I only considered a 2nd local host in this, and I'm not likely to cough up for an external VPS, so the increased gravity of an ISP outage is definitely a point against
Unless an attempt to deliver mail is explicitly rejected with a permanent condition, the sender's MTA is expected to retry delivery later.
The recipient's server being unavailable is _not_ a permanent condition. I think they typically try for 3-5 days before bouncing, at increasing intervals between attempts.
There are even anti-spam measures which rely on the sender's behavior: graylisting (error on first attempt, accept retry), and knockd (primary MTA always down, secondary accepts mail from senders who tried connecting to the primary first).
Havin_it wrote: How do they identify you as self-hosting?
Probably IP allocation. The purpose of IP ranges is not really a secret; if they want to, they can know whether you're talking to them from a consumer line or a data center.
Whether it's actually going to be a problem... You probably won't know until you actually try.
Make Pipewire a system service
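An added example (not code from this thread or from any of the posters) that models the two mechanisms pa4wdh and szatox describe above: a sending MTA trying MX hosts in preference order and falling back to the secondary MX when the primary is unreachable, deferring with a growing retry interval while every MX is down and bouncing only once a maximum queue lifetime has passed, plus a receiver-side greylist that answers 450 to the first attempt from an unknown sender triplet and accepts the retry. The domain names, addresses, retry delays and the five-day queue lifetime are constructed values, not any particular MTA's defaults, and `probe` is a hypothetical stand-in for a real SMTP session.

```python
"""Added example: MX fallback, deferred retries and greylisting, modelled offline."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed MX records for hypothetical domains: (preference, host). Lower
# preference is tried first; "solo.test" has a single MX that greylists.
MX: Dict[str, List[Tuple[int, str]]] = {
    "example.test": [(20, "mx2.example.test"), (10, "mail.example.test")],
    "solo.test": [(10, "mail.solo.test")],
}

# Delay (seconds) before the next attempt after the Nth deferral. Constructed
# values that only mirror the shape of a typical MTA's increasing backoff.
RETRY_DELAYS = [300, 900, 1800, 3600, 14400]
MAX_QUEUE_LIFETIME = 5 * 86400  # bounce after five days of continuous failure


@dataclass
class QueuedMessage:
    recipient_domain: str
    queued_at: int            # seconds on a simulated clock
    next_attempt: int = 0
    attempts: int = 0
    state: str = "queued"     # queued | delivered | bounced
    delivered_via: Optional[str] = None


def ordered_mx(domain: str) -> List[str]:
    """MX hosts sorted by preference, the order RFC 5321 requires a sender to use."""
    return [host for _, host in sorted(MX[domain], key=lambda rec: rec[0])]


def try_delivery(msg: QueuedMessage, now: int, probe: Callable[[str], Optional[int]]) -> str:
    """One delivery run for a queued message at simulated time `now`.

    `probe(host)` stands in for a complete SMTP session with that host and
    returns the final reply code: 2xx accepted, 4xx temporary failure,
    5xx permanent rejection, or None if the host could not be reached.
    """
    if msg.state != "queued" or now < msg.next_attempt:
        return msg.state
    msg.attempts += 1
    for host in ordered_mx(msg.recipient_domain):
        code = probe(host)
        if code is not None and 200 <= code < 300:
            msg.state, msg.delivered_via = "delivered", host
            return msg.state
        if code is not None and 500 <= code < 600:
            msg.state = "bounced"          # permanent: no point trying other MX hosts
            return msg.state
        # None (unreachable) or 4xx (temporary): fall through to the next MX host
    if now - msg.queued_at >= MAX_QUEUE_LIFETIME:
        msg.state = "bounced"              # queue lifetime exhausted
    else:
        delay = RETRY_DELAYS[min(msg.attempts - 1, len(RETRY_DELAYS) - 1)]
        msg.next_attempt = now + delay     # defer: "unavailable" is not permanent
    return msg.state


class Greylist:
    """Receiver-side greylisting: the first attempt for an unknown
    (client_ip, sender, recipient) triplet gets 450; a retry at least `delay`
    seconds later is accepted. Fire-and-forget spam tools rarely retry."""

    def __init__(self, delay: int = 300) -> None:
        self.delay = delay
        self.first_seen: Dict[Tuple[str, str, str], int] = {}

    def check(self, client_ip: str, sender: str, recipient: str, now: int) -> int:
        seen = self.first_seen.setdefault((client_ip, sender, recipient), now)
        return 250 if now - seen >= self.delay else 450


if __name__ == "__main__":
    # Walkthrough 1: primary MX unreachable, secondary accepts on the first try.
    m = QueuedMessage("example.test", queued_at=0)
    try_delivery(m, 0, lambda h: 250 if h == "mx2.example.test" else None)
    print("two MX, primary down:", m.state, "via", m.delivered_via)

    # Walkthrough 2: every MX down; the message is deferred and retried later.
    m = QueuedMessage("example.test", queued_at=0)
    for t in (0, 300, 1200):
        try_delivery(m, t, lambda h: None)
        print(f"t={t:>5}s all MX down: {m.state}, attempts={m.attempts}, next={m.next_attempt}")

    # Walkthrough 3: greylisted primary; the retry after 300 s is accepted.
    gl = Greylist(delay=300)
    m = QueuedMessage("solo.test", queued_at=0)
    for t in (0, 300):
        try_delivery(m, t, lambda h: gl.check("192.0.2.10", "alice@sender.test", "bob@solo.test", t))
        print(f"t={t:>5}s greylisted MX: {m.state}")
```

Run it with `python3` to see the three walkthroughs. One caveat for the two-MX arrangement pa4wdh describes: a greylist or spam filter that only the primary applies is bypassed by whatever reaches the secondary, so the secondary needs the same policy, or must hand everything on to the primary where the filtering happens (which is what relaying the secondary's queue to the primary with spamassassin achieves).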
C5ace
Guru
Posts: 517
Joined: Mon Dec 23, 2013 12:44 am
Location: Brisbane, Australia

Post by C5ace » Sun Jan 25, 2026 6:45 am

I have been running a private mail server (Iredmail) on top of Gentoo since 2006. Switched in 2011 to Ispconfig (mail, web, dns, ftp, multi domains, etc.) on Debian, when the then ISP wanted a crazy monthly fee for 200Mb outgoing file transfer.

It's important that you have a static IP address and that the domain name (mail.xxxxx.com) of the mail server is hosted on the ISP's name servers. This will allow validating reverse DNS to your server and DKIM and SPF.

Debian is a pain in the neck because they are not a rolling release. Ispconfig ver. 2 used to run on Gentoo. They stopped Gentoo support with ver. 3, but still supply an installation batch file for ver. 2.

My server runs in a VirtualBox hosted on an old laptop running Gentoo. It takes about 10 minutes of down time to move the server to another machine running VirtualBox.
Observation after 30 years working with computers:
All software has known and unknown bugs and vulnerabilities. Especially software written in complex, unstable and object oriented languages such as perl, python, C++, C#, Rust and the likes.
pa4wdh
Veteran
Posts: 1015
Joined: Fri Dec 16, 2005 6:55 pm

Post by pa4wdh » Sun Jan 25, 2026 9:53 am

Havin_it wrote:Thanks for such a comprehensive reply!
pa4wdh wrote:Yes.
My primary mailserver is running on my home server, which runs the full stack listed above. My secondary mailserver is a VPS which only runs postfix and forwards e-mails to the primary. In case the primary is not available e-mails are cached there. The partition for cached e-mails is encrypted with LUKS because this is a public host. Redundancy itself is as easy as adding a second MX record for the domain.
I actually use/test this redundancy during upgrades: I simply shut down postfix during the upgrade process (emerge ...) and the other server should be handling the e-mail.
I sort-of get this. The backup postfix acts as a relay towards the primary, and keeps trying to deliver the cached messages until the primary reappears. Yeah?
I only considered a 2nd local host in this, and I'm not likely to cough up for an external VPS, so the increased gravity of an ISP outage is definitely a point against.
VPSes are cheap (mine is 5 euros/month) and since postfix barely consumes any resources it can do other things too. In my case it's also webserver, secondary DNS, etc.
In postfix I configured the primary MX as its smartrelay, which makes it try to deliver there. The reason for doing that is that I can deliver the e-mails via a VPN which I have running between my private network and the VPS.
pa4wdh wrote:Spamassassin is running here, it does a nice job. Because some spam still get through i also use sieve rules to catch those and move them to a place where spamassassin will learn from
SA has been the most temperamental part of my existing setup over the years I must say. Correctly pipelining it between fetchmail and dovecot-lda gave me my first grey hairs, I think ... but for the mode of use with postfix, which is probably more common, hopefully I'll find more prior art to work off. It's also quite resource-heavy when scanning, which I think is my biggest worry on that topic when I imagine huge squalls of spam coming in.
Integrating SA with postfix was quite easy. Disadvantage for now is that also outgoing e-mails are scanned which is kind-of useless.
I'm open to suggestions on better spam filtering options :).
pa4wdh wrote:I think getting it right is quite difficult now. For me it was a slow process to adopt to new standards as they arise, but now everything should be right at once now.
My advice: Start small with non-critical addresses and build the setup (and complexity) from there.
Agreed. I have an unused domain that I can use for testing. I don't think I dare try to coexist with the current stack so I'd need to setup a VM or a spare RPi - for testing, probably adequate.
Yeah, an RPi is overpowered for this :).
I'm running my mailserver in an LXC container. I actually have two, one for "production" and one for "test". Whenever I need to make a change, I always start with test, and if I like the result I make the changes on production. I also make sure they are 99% similar (some things simply can't be, so it'll never be 100% :) ).
pa4wdh wrote:Yes, it was and still is worth it. You'll learn a lot about software, protocols, crypto (tls, dkim), internet politics and probably other stuff too.
Internet politics? :intrigued:
Accepting someone's e-mails is almost a political game these days. Some will happily mark your e-mails as spam (or just discard them) even if you have DKIM, DMARC, SPF and reverse lookup of the hostname all set up correctly. They just don't like you for other reasons which they do not make clear.
pa4wdh wrote:I think there are two:
1) Many ISP's block SMTP ports. This effectively breaks a home mailserver. Before you start make sure you can make inbound and outbound connections on port 25. Some ISP's offer a relay host as a workaround, but be aware that they will be able to read all your non encrypted e-mails.
My latest ISP is a historically business-centric one that's just starting to go mass-market (if you're in UK you could probably guess who that is); I'm optimistic but will check. I actually have :25 open because originally I was using SMTP+IMAP from outside, but in fact now it's unused because the only clients outside are devices doing everything over ActiveSync from a Horde instance.
Here in the Netherlands there is usually one ISP which targets more tech-savvy users; those are usually good candidates for internet connectivity without blocked ports. Downside is that they tend to be the most expensive too ...
But, regarding costs in general (VPS, internet, server, power used by the server, your time, etc), I also see it as a hobby and an opportunity to learn. In my opinion that makes it worth it. This experience has served me well over the years in my jobs in IT.
pa4wdh wrote:2) Some big-tech email services are really unfriendly to self hosted mail servers.They might reject your emails even if you do everything correct. If you try to ask them to de-list you from their blocklist they are very uninformative or unresponsive.
Yikes. That could be a big point against. How do they identify you as self-hosting?
Because you are not one of their fellow big-tech companies who wishes to monopolize e-mail :). Of course consumer IP addresses are also easy to identify with things like whois. The biggest problem is that they are not clear about their policies and are very unresponsive. In the end you're just sending a few e-mails while they are handling billions, you are of no priority.
My way to cope with this:
1) Be happy if it works :), you could just be lucky
2) If a friend uses such a mailbox and experiences problems, it's a nice way to motivate them to move to a better e-mail provider, which is also good for privacy.
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
b11n
Guru
Posts: 303
Joined: Wed Mar 26, 2003 8:15 am
Location: New Zealand

Post by b11n » Sun Jan 25, 2026 6:44 pm

pa4wdh wrote:
pa4wdh wrote:2) Some big-tech email services are really unfriendly to self hosted mail servers.They might reject your emails even if you do everything correct. If you try to ask them to de-list you from their blocklist they are very uninformative or unresponsive.
Yikes. That could be a big point against. How do they identify you as self-hosting?
Because you are not one of their fellow big-tech companies who wishes to monopolize e-mail :). Of course consumer IP addresses are also easy to identify with things like whois. The biggest problem is that they are not clear about their policies and are very unresponsive. In the end you're just sending a few e-mails while they are handling billions, you are of no priority.
It's not a conspiracy. Consumer IP blocks are used overwhelmingly for sending spam. Even when it was more common to run your own SMTP, those servers were the most likely to be misconfigured and abused as open relays. Nowadays, the number of people self-hosting is vanishingly small, it's an easy decision for providers. Email originating from consumer blocks is a highly effective signal in the management of spam, you'll never convince them to abandon it.

The irony of course is that if you set up your own email relay, you'll inevitably configure it to do exactly the same thing in your quest to filter spam even half as effectively as the big guys. Your home-built SMTP server would probably flag itself as spam.

SMTP is broken. It was designed when there were fewer than a million people on the internet, and spam was dealt with by sysadmins calling each other on the phone. It's only still around because it's impossible to get rid of. SMTP itself hasn't changed a whole lot since, but the way we deal with it has. Most ISPs can't even be bothered dealing with it any more. A small number of self-hosted systems just aren't a consideration in the current email landscape.
Is there gas in the caaaaar?
Yes, there's gas in the caaaar
pa4wdh
Veteran
Posts: 1015
Joined: Fri Dec 16, 2005 6:55 pm

Post by pa4wdh » Mon Jan 26, 2026 4:52 pm

b11n wrote:
pa4wdh wrote:Because you are not one of their fellow big-tech companies who wishes to monopolize e-mail :). Of course consumer IP addresses are also easy to identify with things like whois. The biggest problem is that they are not clear about their policies and are very unresponsive. In the end you're just sending a few e-mails while they are handling billions, you are of no priority.
It's not a conspiracy. Consumer IP blocks are used overwhelmingly for sending spam. Even when it was more common to run your own SMTP, those servers were the most likely to be misconfigured and abused as open relays. Nowadays, the number of people self-hosting is vanishingly small, it's an easy decision for providers. Email originating from consumer blocks is a highly effective signal in the management of spam, you'll never convince them to abandon it.
I never said it was a conspiracy.
So because in the past some people could not set up a mailserver correctly, I'm not allowed to use my own server in 2025? That's crazy.
Even with minimal filtering, the SPAM problem also moved mostly to social media (where users actually subscribe to spam from so-called "influencers"), so it's not as bad as it was.
Fortunately I experience few problems with my server.
b11n wrote: The irony of course is that if you set up your own email relay, you'll inevitably configure it to do exactly the same thing in your quest to filter spam even half as effectively as the big guys. Your home-built SMTP server would probably flag itself as spam.
No, it wouldn't and has never done that. Anything based on IP addresses is useless these days since (in most places) they are very dynamic.
b11n wrote: SMTP is broken. It was designed when there were fewer than a million people on the internet, and spam was dealt with by sysadmins calling each other on the phone. It's only still around because it's impossible to get rid of. SMTP itself hasn't changed a whole lot since, but the way we deal with it has. Most ISPs can't even be bothered dealing with it any more. A small number of self-hosted systems just aren't a consideration in the current email landscape.
I agree that SMTP is from "the old days" and all security has been bolted on afterwards, which never results in a clean result. On the other hand, there is still no good replacement. Part of the openness of e-mail/internet (so that everybody CAN run their own) immediately makes it hard to keep it secure.
With DMARC, DKIM, SPF all set up properly I think there should be no other reason left to block e-mails if they comply. It's like saying "Your website has a valid certificate, but based on some other policy I'm still going to present a security warning to the user".
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
Ralphred
l33t
Posts: 822
Joined: Tue Dec 31, 2013 11:52 am

Post by Ralphred » Mon Jan 26, 2026 4:59 pm

>- How much hardware/resource grunt did it require? (Not always easy to quantify, I know)
Practically none; the SQL server for the webmail interface uses more than the rest combined.
>- Did you employ multiple hosts for redundancy, and if so what software did you use?
No, when the server is down the life of the unsent email in the message queue of the sending server is roughly 4-7 days, so as long as you aren't down that long you're OK.
>- Does handling multiple domains make it much more complex to set up?
Meh, remembering how to use certbot to add an extra domain to the SSL cert is the hardest thing.
>- What did you use for spam filtering and how did it hold up?
Nothing, I just hand out unique addresses and block them when the spam starts to hit.
I used to run spamassassin, but constantly updating rules was more maintenance than blocking the odd address.
>- Did you have scaling issues, and how did you overcome them (if you did)?
N/A
>- What was the worst/hardest part of the process?
Certbot
>- Was it worth it?
110%
>- What is the biggest gotcha I haven't even thought of?
Local DNS server so your phones, laptops etc will connect both "over the wifi" and "out in the world". You can get round it with some hacky SNAT shenanigans in iptables, but BIND|Unbound is the correct way TBH. It'll give you a chance to test your dkim/spf/dmarc settings too.

I run Sendmail, Dovecot, BIND, and Roundcube (used to be squirrelmail) on Apache. My sendmail config is from 2004 plus some tweaks, and I have no desire to "learn Postfix"

I set up similar for a friend on a Pi5, but used a docker container(s) called Mailu to do the heavy lifting << Even if you don't fancy containerising it, their docs are really good!

I don't know if they still exist, but I've had to "whitelist my IP" from some anti-spam services in the past (like 10+ years ago), but have had no issues since my ISPs (the last two) didn't stare at you like deer in the car headlights when you ask them to update the reverse DNS record to reflect your FQDN.
If you want to know if any of your ports are blocked at the ISP level you can use https://www.grc.com/shieldsup.
freke
Veteran
Posts: 1136
Joined: Thu Jan 23, 2003 3:17 pm
Location: Somewhere in Denmark

Post by freke » Mon Jan 26, 2026 6:12 pm

Ralphred wrote:... but have had no issues since my ISP's (the last two) didn't stare at you like deer in the car headlights when you ask them to update the reverse DNS record to reflect your FQDN.
If you want to know if any of your ports are blocked at the ISP level you can use https://www.grc.com/shieldsup.
PTR/reverse DNS record for your FQDN is not just nice - it's - in my experience - IMPORTANT.

For the last 15+ years I've had a PTR record for my mail-server (Postfix/Dovecot/rSpamd/Roundcube/MySQL) and have not had any problems with blacklisting, hosting my server on my home ADSL connection.

dkim/spf/dmarc and maybe dane is also something that should be set up to prevent being marked as a spamhost/being able to deliver to more servers.

For a personal mail-server hardware/resource reqs are minimal - for 1.000+ messages an hour with spam-/virus-scanning, maybe not so minimal.

A short outage should be no problem as a well-configured server should retry for some time.
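The DNS prerequisites Ralphred and freke describe (reverse DNS matching the FQDN, SPF, DMARC) can be sanity-checked before publishing an MX record. This is an added example, not code from the thread: it runs against a constructed DNS table with placeholder names and RFC 5737 addresses, where a real preflight would query the resolver instead.

```python
import ipaddress

# Constructed stand-in for DNS (placeholder names, RFC 5737 addresses); a real
# preflight would query the resolver, e.g. with dnspython, instead of this table.
FAKE_DNS = {
    ("mail.example.net", "A"): ["203.0.113.25"],
    ("25.113.0.203.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("example.net", "MX"): ["10 mail.example.net"],
    ("example.net", "TXT"): ["v=spf1 mx ip4:203.0.113.25 -all"],
    ("_dmarc.example.net", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.net"],
}

def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])

def fcrdns_ok(ip, fqdn):
    """Forward-confirmed reverse DNS: the PTR for ip names fqdn, and fqdn resolves back to ip."""
    ptr = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    if fqdn.lower() not in (p.lower().rstrip(".") for p in ptr):
        return False
    return ip in lookup(fqdn, "A")

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(domain, ip):
    """Evaluate the domain's SPF record for a sending IP.
    Supports the ip4/ip6/a/mx/all mechanisms (no include/redirect), which is
    enough for a single home MX; any other mechanism is treated as a non-match."""
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if len(records) != 1:            # RFC 7208: zero or several records is a permerror
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in SPF_RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup(arg or domain, "A")
        elif mech == "mx":
            hosts = [r.split()[1] for r in lookup(arg or domain, "MX")]
            matched = any(ip in lookup(h, "A") for h in hosts)
        else:
            matched = mech == "all"
        if matched:
            return SPF_RESULT[qual]
    return "neutral"                 # no mechanism matched and no 'all' term

def dmarc_policy(domain):
    """Return the DMARC 'p=' policy for domain, or None if there is no usable record."""
    records = [t for t in lookup("_dmarc." + domain, "TXT") if t.startswith("v=DMARC1")]
    if len(records) != 1:
        return None
    tags = dict(kv.strip().split("=", 1) for kv in records[0].split(";") if "=" in kv)
    return tags.get("p")

def preflight(domain, mx_host, ip):
    """The checks a home MX should pass before its MX record is published."""
    return {"fcrdns": fcrdns_ok(ip, mx_host),
            "spf": spf_result(domain, ip),
            "dmarc": dmarc_policy(domain)}

if __name__ == "__main__":
    print(preflight("example.net", "mail.example.net", "203.0.113.25"))
```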
pa4wdh
Veteran
Posts: 1015
Joined: Fri Dec 16, 2005 6:55 pm

Re: Fully self-hosting my email

Post by pa4wdh » Mon Jan 26, 2026 6:24 pm

freke wrote: PTR/reverse DNS record for you FQDN is not just nice - it's - in my experience - IMPORTANT.

For the last 15+ years I've had a PTR record for my mail-server (Postfix/Dovecot/rSpamd/Roundcube/MySQL) and have not had any problems with blacklisting, hosting my server on my home ADSL connection.
Same experience here. Before I had the PTR record set up correctly one ISP would simply reject my email (even when mailing to their abuse team to resolve the issue). When it was clear what the problem was it worked immediately.
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
b11n
Guru
Posts: 303
Joined: Wed Mar 26, 2003 8:15 am
Location: New Zealand

Post by b11n » Mon Jan 26, 2026 9:02 pm

pa4wdh wrote:So because in the past some people could not set up a mailserver correctly, I'm not allowed to use my own server in 2025?
That's crazy.
And that's not what I'm saying. It's not that you're not allowed, it's that you need to win an unwinnable battle, because:
Email originating from consumer blocks is a highly effective signal in the management of spam.
Spammers often resort to using consumer IPs because they won't last a minute using popular commercial gateways, like AWS or GMail. Commercial gateways don't want to take their money, because it'll gut their own customer base by getting listed on an RBL.
pa4wdh wrote:I agree that SMTP is from "the old days" and all security has been bolted on afterwards which never results in a clean result. On the other hand, there is still no good replacement.
There's no good replacement because there can't be one. Even in the 90s, it was obvious that moving away from SMTP to a newer protocol would fix it. It's the moving away part that makes it unworkable. SMTP email is here to stay, for better or worse. You can't come up with a replacement without losing interoperability with the rest of the world. Nobody wants to make the first move, which is why it's played out the way it has.
pa4wdh wrote:With DMARC, DKIM, SPF all set up properly i think there should be no other reason left to block e-mails if they comply. It's like saying "Your website has a valid certificate, but based on some other policy i'm still going to present a security warning to the user".
DMARC & co are more of a defence against phishing. A useful part of the puzzle, but they don't stop anyone with a random domain signing their own messages. A party being authenticated is not the same as them being trustworthy, and yes, there are good reasons for a web browser to throw up a warning for a site with a valid cert, if it's known to contain malware etc.

I'm not the guy stopping you running your own mail server. I can't stop you, and I hope you have fun if you try. I'd like to run my own MTA too, I'm capable, and in a perfect world there are benefits I could use. I'm not happy with the state of affairs either. But I accept they are what they are, are unlikely to change, and I just try to swim with the current. I'm just trying to talk someone out of doing something I think will be frustrating for them.
Is there gas in the caaaaar?
Yes, there's gas in the caaaar
szatox
Advocate
Posts: 3858
Joined: Tue Aug 27, 2013 12:35 pm

Post by szatox » Tue Jan 27, 2026 1:11 am

I'm not happy with the state of affairs either. But I accept they are what they are, are unlikely to change, and I just try to swim with the current. I'm just trying to talk someone out doing something I think will be frustrating for them.
Dead fish swim with the current.
You're making it sound impossible. Meanwhile, I only needed 2 attempts to make it work, because the first 1$ VPS I rolled turned out to already be on an RBL. I used it for learning how to set up postfix + dovecot + mysql stack, and then ordered another 1$ VPS which came up clean.
Getting gmail to receive my mail required claiming my domain in some Google service (which was linked in the bounce message, making it reasonably easy enough, even though it certainly was an inconvenience), while hotmail initially flagged me as spam, but after the recipient responded, it accepted the rest of the conversation until I tried sending a picture (pictures at least used to score much higher in spam tests, who knows how it is now with all those advancements in the AI department).
Regular maintenance does NOT take much effort either, basically just regular updates I would be doing anyway. Certainly NOT paddling electrons along the wires for 24 hours a day, or sitting atop a watchtower and catching carrier pigeons. Me sleeping for 8 hours and working for another 8 hours, and doing other stuff for the remaining 8 hours does not stop my server from working on my behalf.

I never bothered with blocking senders by IP and spam wasn't a problem either; running my own server I had unlimited number of single-purpose addresses. Very convenient. If someone leaked my email, I could just kill the compromised alias and maybe even scold the culprit.
Make Pipewire a system service
b11n
Guru
Posts: 303
Joined: Wed Mar 26, 2003 8:15 am
Location: New Zealand

Post by b11n » Tue Jan 27, 2026 1:35 am

szatox wrote:I only needed 2 attempts to make it work, because the first 1$ VPS I rolled turned out to already be on an RBL.

Getting gmail to receive my mail required claiming my domain in some Google service (which was linked in the bounce message, making it reasonably easy enough, even though it certainly was an inconvenience),

while hotmail initially flagged me as spam, but after the recipient responded, it accepted the rest of the conversation until I tried sending a picture
I stand corrected - that sounds like bliss!

Can you even hear yourself, my dude? Do you really want to come up against this with one domain after another? Not be able to send pictures? Is this no big deal for you? Stand it up on yet another VPS every time you wind up on yet another RBL because half the users in your IP block are playing the same game of whack-a-mole because they're the ones that got your first VPS on the RBL to begin with?

What was your thought process when you found your first VPS was RBL'd? That this was just a freak accident that would never happen again?
szatox wrote:You're making it sound impossible.
No, I'm making it sound like exactly what you're describing.
Is there gas in the caaaaar?
Yes, there's gas in the caaaar
Ralphred
l33t
Posts: 822
Joined: Tue Dec 31, 2013 11:52 am

Post by Ralphred » Tue Jan 27, 2026 2:40 am

b11n wrote:~~Some Valid Stuff~~
TBPH, I understand the VPS filtering stuff - When I do bother to check my fail2ban logs it's nearly always some VPS instance nowadays, but I do have an extensive "known bad actor" PERMABAN table in my firewall.

I know the costs and availability differ from country to country, so YMM wildly V*, but I've bought business broadband for a while now (last 3 ISPs, the middle one wasn't business, but offered "SME like features" on even their most basic package).
I can do a rough timeline of things that needed to be in place for a peaceful life:
  • 2004: Send and receive from a dynamic IP attached to a .dyndns FQDN, no issues at all
  • 2008: Switch to a normal domain, still dynamically updated, no issue.
  • ~2011: New ISP with static IP, port 25 open by default, RBL issues
  • 2014: ISP gets bought out by "normie reseller", static IP unavailable after contract renewal
  • 2014.5: New normie ISP, new static IP, port 25 opened upon request, multiple RBL chores
  • 2015: New ISP (normie "business" supplier), one RBL chore and really sh*tty contention
  • 2016: New ISP (non-business), no RBL issues (have a static IP pulled from a separate block like the SME customers), rev DNS needs to work for some big name "email providers"
  • 2020: New "business" ISP, rDNS part of the sign up process (/happyface), dmarc, spf and dkim now ubiquitous to the point of "you're gonna get spam filter points without them"
  • 2022: Switch to fibre, get given a static ipv6/64 along with the ipv4, /ambivalentface - ipv6 firewall/DNS and local DHCP chores, but get to have a "FRIEND" table whitelisting mates with static ipv6 subnets - was supposed to be for tech support/lols, but mostly replaced ktorrent... Email unaffected after "chores" completed
*We FGO users are, more often than not, "the corner case" right here on this forum - How useful would a Country:ISP "stars out of 10" rating thread be to you?
szatox
Advocate
Posts: 3858
Joined: Tue Aug 27, 2013 12:35 pm

Post by szatox » Tue Jan 27, 2026 11:00 pm

b11n wrote: Can you even hear yourself, my dude? Do you really want to come up against this with one domain after another?
How many domains do you need?
Gmail is THE service normies use. This is the only player big enough to get away with making demands.
Business emails have never caused any issues for me. Neither have the other, smaller providers relatively common in my area, those that still have users from 20 years ago, before gmail became a thing.
Not be able to send pictures? Is this no big deal for you?
It is not any deal at all because I no longer talk to anyone on hotmail. The server appeared to be learning, so it should become much more lenient towards me over time (and messages exchanged).
Stand it up on yet another VPS every time you wind up on yet another RBL because half the users in your IP block are playing the same game of whack-a-mole because they're the ones that got your first VPS on the RBL to begin with?

What was your thought process when you found your first VPS was RBL'd? That this was just a freak accident that would never happen again?
Do stand corrected: It hasn't happened. It's been almost a decade, I think I'm good.
Banning IP ranges from data centers makes absolutely no sense. If you want to do that, just use a whitelist instead, forget about interoperability, and stop calling it an email.
Make Pipewire a system service
b11n
Guru
Posts: 303
Joined: Wed Mar 26, 2003 8:15 am
Location: New Zealand

Post by b11n » Wed Jan 28, 2026 3:48 am

szatox wrote:How many domains do you need?
Gmail is THE service normies use. This is the only player big enough to get away with making demands.
All of them in theory, and in the long term. I'd add at least O365 and Amazon to the list of big players. I don't have the luxury of knowing ahead of time what MTAs my outbound emails will end up at, any more than I can name the highways I'm going to drive on in the next 10 years.

If it's working for you, that's great. I'm really not out to stop your fun, I just won't take your anecdote over things I know are actually happening at email providers, and things people I know who manage enterprise email servers say they come up against, and why the prevailing wisdom for some time now has been to just use a well-known gateway to send email, because the headaches of getting everything working well enough for the general case really only work at scale.
szatox wrote:Regular maintenance does NOT take much effort either, basically just regular updates I would be doing anyway.
Spoken like a true sysadmin. Just install updates bro, it's pretty basic. Next day, install 'em again. Up-arrow, enter, repeat. I don't even know why they're paying me six figures for this, it's pretty basic.

0day RCE in the MTA? Just install updates bro. It's gone now. It's easy, you just connect to your machine to the internet, forward ports to it, and install the updates bro. It's basically just that bro trust me bro.
Is there gas in the caaaaar?
Yes, there's gas in the caaaar
szatox
Advocate
Posts: 3858
Joined: Tue Aug 27, 2013 12:35 pm

Post by szatox » Wed Jan 28, 2026 12:50 pm

I'd add at least O365 and Amazon to the list of big players.
O365 is micro$soft, isn't it? Just like hotmail.
That leaves Amazon. I didn't even know Amazon offers email accounts. I'm not too surprised that they would, but I never heard of it before.
I just won't take your anecdote over things I know are actually happening at email providers, and things people I know who manage enterprise email servers say they come up against, and why the prevailing wisdom for some time now has been to just use a well-known gateway to send email,
Ooooh, so we've finally got to the root of the problem.
I know those people too. All I can say is: if you're getting paid to send actual spam, then yes, you do need to give a fair cut to someone who knows which way the bribes go.
Spoken like a true sysadmin. 0day RCE in the MTA? Just install updates bro. It's gone now. It's easy, you just connect to your machine to the interne
You got me here, I've done enough sysadmining to pick up farming, so I guess I am.
Do you know just how dumb your irony mode complaints sound when posted to FGO specifically?
Why won't you tell us about Gentoo not having an installer next? How are you OK with going through 30 pages of installation manual every time you fat finger a dd?

Can you point out some problems you had to ACTUALLY face and not just be afraid of MAYBE ENCOUNTERING one day?
In your first post you said it was boring. Sounds like pretty smooth sailing to me.
Make Pipewire a system service
pietinger
Administrator
Posts: 6621
Joined: Tue Oct 17, 2006 5:11 pm
Location: Bavaria

Post by pietinger » Wed Jan 28, 2026 1:16 pm

The thread creator had asked specific questions that were answered by several experts. A warning can also be helpful. A single warning should suffice, as what each individual chooses to do is their own decision. However, as a moderator, I am following this thread with increasing attention. I really don't like reading the following:
Can you even hear yourself, my dude?
Just install updates bro ... It's basically just that bro trust me bro.
I wouldn't want - and wouldn't allow - anyone to address me as ‘dude’ ... Sarcasm is a very dangerous step towards making statements that become personal.
https://wiki.gentoo.org/wiki/User:Pietinger --> https://wiki.gentoo.org/wiki/User:Pieti ... _at_Gentoo
eccerr0r
Watchman
Posts: 10239
Joined: Thu Jul 01, 2004 6:51 pm
Location: almost Mile High in the USA

Post by eccerr0r » Wed Jan 28, 2026 7:41 pm

I run my own email stack using regular user accounts (no virtual mail) on my home machine. I think my first Gentoo box was my first SMTP server, did not need much of a machine, was an AthlonXP 2100+ IIRC. It was a lifelong dream to be able to do this, got it done, but it's slowly being eroded away from me. Trying to hang on...

I do not have backup MX. Simply don't have the resources to host another site somewhere else to do it. Relying on SMTP failsafes.

The main problem is ISP connectivity. Still stuck with really slow network connectivity because it gave me the DNS records I needed to be able to do this. There simply are no others and it's expensive for what they give me.

I do no spam protection. People simply don't get my email address if I have a suspicion they are a spam source. It's been doing okay for me, my spam input is fairly low compared to my gmail, yahoo, etc., etc. accounts which gets loaded with spam.

The most recent security challenge I've had is that there have been people probing my mail server for weak passwords. If you think sshd bruteforce was bad, there were a few people going through dictionaries on my SMTP server. I do have login on my SMTP server so I can relay remotely through dovecot so outright disabling that isn't an option. Probably need to figure out how to get sendmail to disconnect after a few bad login attempts and then let some other mechanism silence the port to the attacker.
Intel Core i7 2700K/Radeon Firepro W2100/24GB DDR3/800GB SSD
What am I supposed watching?
Ralphred
l33t
Posts: 822
Joined: Tue Dec 31, 2013 11:52 am

Post by Ralphred » Thu Jan 29, 2026 3:28 am

eccerr0r wrote:Probably need to figure out how to get sendmail to disconnect after a few bad login attempts and then let some other mechanism to silence the port to the attacker.
IME fail2ban does a good job at this, "X" wrong login attempts and your server "disappears" as far as the offending IP is concerned.
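What Ralphred describes is fail2ban's basic rule (maxretry failures within findtime, then a firewall drop). As an added example, not eccerr0r's or Ralphred's code, here it is implemented over constructed log lines that approximate Dovecot's login-failure messages (the relay path eccerr0r's SMTP auth goes through), so it runs offline; addresses are RFC 5737 placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog lines approximating Dovecot's imap-login failure/success
# messages; they are not real logs. 198.51.100.23 is the dictionary attacker.
SAMPLE_LOG = """\
Jan 29 03:10:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<admin>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.25, TLS
Jan 29 03:10:07 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<root>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.25, TLS
Jan 29 03:10:40 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.25, TLS
Jan 29 03:11:02 mx dovecot: imap-login: Disconnected (auth failed, 2 attempts in 5 secs): user=<test>, method=PLAIN, rip=198.51.100.23, lip=203.0.113.25, TLS
Jan 29 03:30:15 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.25, TLS
"""

# Only the "auth failed" disconnects count; a legitimate user's single typo on
# 192.0.2.10 must not trip the rule.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: \S+-login: "
    r"Disconnected \(auth failed, (?P<n>\d+) attempts? in \d+ secs\):.*?rip=(?P<ip>[0-9a-fA-F.:]+)"
)

def parse_failures(log_text, year=2026):
    """Yield (timestamp, client_ip, attempt_count) for each auth-failure line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], int(m["n"])

def find_offenders(log_text, maxretry=5, findtime_s=600):
    """fail2ban-style rule: an IP is banned once its failed attempts within a
    sliding findtime window reach maxretry. Returns {ip: time_of_ban}."""
    window = defaultdict(deque)          # ip -> deque of (timestamp, attempts)
    banned = {}
    for ts, ip, n in parse_failures(log_text):
        q = window[ip]
        q.append((ts, n))
        while q and (ts - q[0][0]).total_seconds() > findtime_s:
            q.popleft()                  # drop failures older than the window
        if ip not in banned and sum(c for _, c in q) >= maxretry:
            banned[ip] = ts
    return banned

def ban_rules(banned):
    """Render the drops a ban action would apply, in iptables syntax as used on
    the thread, covering the SMTP/submission/IMAPS ports the attacker probes."""
    return [f"iptables -I INPUT -s {ip} -p tcp -m multiport --dports 25,465,587,993 -j DROP"
            for ip in sorted(banned)]

if __name__ == "__main__":
    for rule in ban_rules(find_offenders(SAMPLE_LOG)):
        print(rule)
```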
© 2001–2026 Gentoo Foundation, Inc.

Powered by phpBB® Forum Software © phpBB Limited

Privacy Policy

 

 

magic