opinions on home email services
Hi, I've noted that many of you host your own email and file servers, and I've wanted to do this for several years, but I've been avoiding taking this on myself. This is due to the time investment (to learn tech I don't necessarily want to learn) and the added weight of responsibility for security. Quite frankly, I'm getting lazy in my old age and I'm considering a packaged solution/service like The Helm. I guess my question is, are the tech barriers to setting up a home email server really as formidable as claimed in the below justification from The Helm's web site? If a lazy guy like me sets up an email server, but then doesn't get around to applying security updates for half a year, is he just asking to be hacked? For context, I am a local Charter customer with a standard internet-only subscription. From: https://blog.thehelm.com/post/how-helm-works-part-1-networking [quoted text] For an email server to send and receive email with other servers on the internet, they need port 25 to be open. Unfortunately, ISPs in the U.S. block port 25 by default, a practice started in the 90s when home computers were hacked and turned into open relays abused for spamming. Sometimes it’s possible to get this port unblocked, but it’s not uncommon for the ISP to ask for a significantly more expensive class of service in exchange. ISPs also typically assign dynamic IPs to residential internet connections. Large email service providers block residential dynamic IPs en masse also due to the issue raised above. While it’s possible to get a static IP address from your ISP, they will charge for it and potentially require a more expensive class of service. PTR records, or reverse DNS, is also a key requirement for trustworthiness when setting up an email server. Getting this type of record with a residential internet connection can be a significant challenge and may also incur additional costs. 
To summarize, port blocking, dynamic IPs and challenges in establishing a PTR record all interfere with easily running an email server at home. It can cost hundreds of dollars per year and consist of a significant investment of time with your ISP to get things set up just right. After thinking about this problem and experimenting for a while, we managed to find a better way. [end quoted text] Thanks, Mike
On 6/15/21 12:13 PM, Mike Peckar via WLUG wrote:
[quoted text] For an email server to send and receive email with other servers on the internet, they need port 25 to be open. Unfortunately, ISPs in the U.S. block port 25 by default [...] ISPs also typically assign dynamic IPs to residential internet connections. Large email service providers block residential dynamic IPs en masse also due to the issue raised above. [...]
Port 25 access is not blocked by Charter in central MA, anyway. Perhaps it is blocked elsewhere. My IP address has changed about 4 times in the past 7 years or so. When it changes a script of mine warns me, and I go edit my DNS to change the MX and SPF information there. This all takes perhaps 5 minutes. If you don't want to watch your home IP as carefully, you could run a backup MX server in some more IP-stable location, i.e., a VM off in Amazon EC2. Certain domains will flat-out refuse to accept email which originates from a RESIDENTIAL network block. The only one I've encountered though is Comcast. Email sent to addresses @comcast.net are refused, even when the email passes all the tests (SPF, DKIM, DMARC etc). Mail sent to GMAIL, YAHOO, various microsoft/azure addresses etc, all work. I presume that if you want your mail to be accepted from everywhere, you should get a business plan from your ISP. Depending on what you'd like to add on top of your mail service things can get more complicated, but email itself isn't too bad. Test out your setup before exposing it to the internet, and make sure it doesn't accept email for domains other than your own. If you run an open relay email server that's a very good way to get shut off. --MCV.
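Michael's IP-change script is not shown in the thread. As an added example (not his code, and not part of the original post), here is a Python check a home mail admin could run after a residential IP change: it compares the current public address with the mail host's A record and the domain's SPF record and reports which DNS records need editing. The addresses are constructed from RFC 5737 documentation ranges; fetching the live IP and TXT record is left to the caller.

```python
"""Report which DNS records of a home mail host are stale after the public IP
changes. Added example, not the list member's own script; sample values are
constructed from RFC 5737 documentation ranges."""
import ipaddress


def spf_authorises(spf_txt: str, ip: str, host_ip: str) -> bool:
    """Return True when the SPF record authorises `ip` as a sender.

    Handles the mechanisms a home setup typically uses: ip4:/ip6: (with an
    optional CIDR length) and the bare 'a' / 'mx' mechanisms, which are taken
    to resolve to `host_ip`, the address the mail host's A record will hold.
    include:, redirect= and macros are out of scope and treated as no match.
    """
    addr = ipaddress.ip_address(ip)
    for term in spf_txt.split()[1:]:          # skip the 'v=spf1' version tag
        mech = term.lstrip("+")               # '+' qualifier is the default
        if mech[0] in "-~?":                  # fail/softfail/neutral never authorise
            continue
        if mech.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return True
        elif mech in ("a", "mx") and ip == host_ip:
            return True
    return False


def stale_records(current_ip: str, mail_host_a: str, spf_txt: str) -> list:
    """List the DNS records that must be edited so mail from `current_ip`
    is still accepted: 'A' when the mail host's address record points at an
    old IP, 'SPF' when the TXT record would not authorise the new address
    even after the A record is corrected."""
    stale = []
    if mail_host_a != current_ip:
        stale.append("A")
    # Evaluate SPF as it will read once the A record is fixed, so a record
    # built on the 'a' or 'mx' mechanism does not need a separate edit.
    if not spf_authorises(spf_txt, current_ip, host_ip=current_ip):
        stale.append("SPF")
    return stale


if __name__ == "__main__":
    # Constructed scenario: the ISP moved the home connection from
    # 203.0.113.7 to 198.51.100.20; DNS still describes the old address.
    OLD, NEW = "203.0.113.7", "198.51.100.20"
    print(stale_records(NEW, OLD, "v=spf1 ip4:203.0.113.7 -all"))    # ['A', 'SPF']
    print(stale_records(NEW, OLD, "v=spf1 a -all"))                   # ['A']
    print(stale_records(OLD, OLD, "v=spf1 ip4:203.0.113.0/24 -all"))  # []
```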
"Michael" == Michael Voorhis via WLUG <wlug@lists.wlug.org> writes:
Michael> On 6/15/21 12:13 PM, Mike Peckar via WLUG wrote:
[quoted text] For an email server to send and receive email with other servers on the internet, they need port 25 to be open. Unfortunately, ISPs in the U.S. block port 25 by default [...] ISPs also typically assign dynamic IPs to residential internet connections. Large email service providers block residential dynamic IPs en masse also due to the issue raised above. [...]
Michael> Port 25 access is not blocked by Charter in central MA, anyway. Perhaps it is blocked elsewhere.
Michael> My IP address has changed about 4 times in the past 7 years or so. When it changes a script of mine warns me, and I go edit my DNS to change the MX and SPF information there. This all takes perhaps 5 minutes. If you don't want to watch your home IP as carefully, you could run a backup MX server in some more IP-stable location, i.e., a VM off in Amazon EC2.
Michael> Certain domains will flat-out refuse to accept email which originates from a RESIDENTIAL network block. The only one I've encountered though is Comcast. Email sent to addresses @comcast.net are refused, even when the email passes all the tests (SPF, DKIM, DMARC etc). Mail sent to GMAIL, YAHOO, various microsoft/azure addresses etc, all work. I presume that if you want your mail to be accepted from everywhere, you should get a business plan from your ISP.

I run my own domain on a Linode Droplet and it works well, except for when I get on a spam list for some reason. I used to run on a Digital Ocean Droplet, but charter.net would just refuse to accept my email, so I had to move. I've not got a company blocking my emails, which is frustrating since I'm such a small outgoing email system.

Michael> Depending on what you'd like to add on top of your mail service things can get more complicated, but email itself isn't too bad. Test out your setup before exposing it to the internet, and make sure it doesn't accept email for domains other than your own. If you run an open relay email server that's a very good way to get shut off.

In my experience, setting up postfix/dovecot on a system in the cloud isn't too hard, but both Mike and I are IT people at the $WORK job, so it's something we do anyway.
I haven't made the jump to doing DKIM yet, if only because it's painful to do so, and I'd probably have to spring for a larger node with more memory at Linode to handle that overhead. In general, it's not too bad, and could be made even simpler if there was an Ansible playbook to do all the setup for you. So I pay $7/mo for my Linode host, plus the $60/year for my DNS hosting elsewhere. So if Helm is $10/month for 10 addresses/mailboxes, then maybe it's not worth doing it yourself. But I also like the control and I like to learn new things. John
About 15 years ago, I found that I could send email directly between my OpenVMS home system and work computers. [I didn't have to set up anything. It just worked.] [Not a server per se (to, say, PCs with email clients); just using the built-in mail program to send and receive mail.] Then, it stopped working. It turns out that Verizon (for DSL, at least), started reporting/registering all of the DHCP IP addresses that they would assign to home users as SPAM sources, so they'd be blocked everywhere. You had to pay for business-class service (and get a static address) for them to let things through. Verizon also blocked port 80 inbound. [Easy to get around; I just started using a different port.] {Verizon was a nightmare in general. They collected the money that they pretended on the bills is a tax, even though it's a fee that Verizon keeps, purportedly for maintaining copper lines, and actually spent the money on cell phone infrastructure. [There were lawsuits against Verizon in several states for fraud; In California, at least, Verizon settled.] Places with nothing but copper had dreadful service. [I started running curl in a script to log all of the outages. And, I often managed to get no more than 32K baud. When it rained, the baud rate often dropped below 1K. I was paying for 1M - 3M.]} Then, some volunteers in my town arranged for the local municipal light department to run optical fiber cable through the town. We now have Spectrum, and, as far as I can tell, nothing is blocked. [And, the modem presents a real internet address to the house/Ethernet side. -I have a separate router, separate WiFi access point...] Haven't tried sending email directly in a while, though.
Mike Peckar via WLUG <wlug@lists.wlug.org> writes:
I've noted that many of you host your own email and file servers,
I run a mail server (Postfix) as well as web and name servers on a Pentium ATX bought used 2012-09-27 for $225. It has a Tandy monitor that I have had since forever, and connects to the internet via DSL.
I've wanted to do this for several years,
Why? What to do depends on what you want to get done.
but I've been avoiding taking this on myself. This is due to the time investment (to learn tech I don't necessarily want to learn)
I run Linux because I _do_ want to know how it all works and be able to control it myself, ... at least sometimes. Sometimes I wish it would just work.
Quite frankly, I'm getting lazy in my old age and I'm considering a packaged solution/service like The Helm.
Why not gmail?
If a lazy guy like me sets up an email server, but then doesn't get around to applying security updates for half a year, is he just asking to be hacked?
You don't want to run an open relay, but a packaged server from a Linux distribution will not do that. Don't do something really stupid to change it. I don't think the chance of the server getting hacked is great. The server doesn't do much but copy Ascii characters from an internet port to your mail file. No harm in that. The crackers will be trying to trick you, some other user on your machine, or some stupid software, to treat that text as an executable program and run it. Don't do that! One example of a potentially stupid program is a web browser that treats the email as HTML and obeys javascript, downloads URL-s, and does a lot of automagic to give you a "user experience". In short---worry about the user interface and the user more than the mail server.
I am a local Charter customer with a standard internet-only subscription.
What does that mean? Not bundled with cable TV and telephone? The old question: Are they stupid or lying? It's not an XOR question. Sometimes it's both, and sometimes the meaning of words has changed. At one time internet service meant you got an internet address and packets sent to that address came to you. Now, it's not so clear, but internet-only might mean you get what you need to run a web browser and not one bit more. They may actively try to prevent other internet traffic.
I guess my question is, are the tech barriers to setting up a home email server really as formidable as claimed in the below justification from The Helm's web site?
From: https://blog.thehelm.com/post/how-helm-works-part-1-networking
I looked at that. They are trying to sell a strange shaped box. There is almost no information about what's in the box, at least on that page.

Helm web page> Since announcing Helm three weeks ago

That's a bit scary, but the web page is 18 months old. Maybe by now you can find some product reviews from one who bought it a few months ago.

Helm web page> When you buy a Helm, a gateway (AWS EC2 instance) is spun up with an Elastic IP.

I didn't know what is an "Elastic IP", so I Googled that. It looks like a Rube Goldberg plan to get Amazon Web Service to give you a temporary IP address without conforming to the DHCP RFC. I saw ominous references to an _hourly_ charge if your IP address is not used in the way AWS expects. Does Helm help get AWS to work, or just provide another level of indirection and recursive finger pointing?

Helm> ISPs in the U.S. block port 25 by default,
Helm> ISPs also typically assign dynamic IPs
Helm> To summarize, port blocking, dynamic IPs and challenges in
Helm> establishing a PTR record all interfere with easily running an email

I don't know your ISP. I got my setup almost two decades ago from Speakeasy. Speakeasy was great. I could email a question Sunday night and have a reply from someone who understood the question and knew the answer by the time I woke up Monday. They set up reverse DNS, and ran a secondary name server for a one-time set up fee and negligible monthly charge. Speakeasy was sold to Best Buy, who sold to...Megapath... ...I forget...who sold it to GTT. With each sale the service got worse, until now it's a hassle to just pay the bill and get it credited to the right account. They provide no service. They ignore email, but insist that communication comes via "tickets" on their web interface. These are handled by some bot-man who is paid to push a button that generates an auto-reply that says: "That is not a problem. The ticket is closed." I can't imagine getting this set up with my current Idiot Service Provider.
Fortunately, they have (so far) not screwed up _all_ of the setup they bought. In particular I still have the same IP address and reverse DNS. I live in fear that some Idiot will "upgrade" my service by breaking something zey does not understand, and I will never get it back. Ask your ISP how to get an IP address with reverse DNS. If they do not understand the question, ignore it, or say $10,000/month, think of a new plan. -- Keith
participants (5)
- John Stoffel
- Keith Wright
- Larry Camilli
- Michael Voorhis
- Mike Peckar