|
|
Subscribe / Log in / New account

email self-hosting

email self-hosting

Posted Aug 2, 2025 15:37 UTC (Sat) by storner (subscriber, #119)
In reply to: email self-hosting by gerdesj
Parent article: The NNCPNET email network

Fully agree that it can be done, but it can be a steep learning curve to get all of the details right so the "big boys" will talk to you.

But there are several good guides available. I am fond of the workaround.org ISPmail guide.

As for IPv4/IPv6 problems, run it on a small virtual server at one of the hosting providers. Costs me a total of 9 € per month.

to post comments

email self-hosting

Posted Aug 3, 2025 14:34 UTC (Sun) by bferrell (subscriber, #624) [Link]

nice resource!
Thanks

email self-hosting

Posted Aug 29, 2025 7:04 UTC (Fri) by fest3er (guest, #60379) [Link] (5 responses)

I want to run my own email server at home. Alas, the *one* thing that prevents it from working 'universally' is rDNS. I configured dovecot and postfix and set up the dmarc, spf and domain key records. It worked except for the few servers out there (like yahoo) that rely on rDNS. Since my ISP are reluctant to set my statically-assigned IP's rDNS, I moved the email to a VPS ($60/yr). That provider was happy to set up the rDNS PTR record.

I have to deal with the dmarc email reports, but they just accumulate in their own folder. Otherwise, yahoo and ms silently forward emails for my accounts there to my email account on my own server. I have very few outgoing failures; pretty much all are due to non-existent mailboxes for spammers trying to create accounts on the forum I run. I get no spam, except for a few from the forum's 'contact us' page; maybe my domain hasn't been 'discovered' yet. I get more spam from google.

Setting up your own email server can be done. Alas, there are a *few* things that cannot be controlled.

[soapbox]
The real problem lies elsewhere. The worldwide internet long ago outgrew SMTP, DNS and Whois/RDAP, and it was skewed to favor 'big corporations' and disfavor small/individual users.
- BGP routes are far too easily corrupted by internet bandits
- idle and unassigned IP blocks should be marked as such so that we can block them.
- we should be able to determine who controls any block of addresses
- we should be able to determine who assigned/delegated any block of addresses
- we should be able to determine all addresses associated with an FQDN
- we should be able to determine all FQDNs associated with an address
- whois/rdap data should be consistent around the world
- accessing this information should not require a college degree
More can be added to this list.

If an internet bandit (1) sends me spam, (2) hammers my web server, (3) probes my firewall, (4) probes my SSH servers or web servers or any other service I have available, I want to block that bandit and all of his domains and addresses from accessing all of my systems. In other words, if someone assails me while I walk down the street, I don't want that person or her cronies anywhere near my home(s), vehicle(s), or any other people/homes/vehicles for which I provide 'security'. The current internet information systems do not provide the information *I* need to (1) prevent bandits from accessing my LANs and (2) prevent malware and maldata that may be present from escaping from my LANs onto the worldwide internet. Yes, we do have a social duty to block malware/maldata from entering *and* leaving our private internetworks of LANs. [End-to-end encryption prevents us from honoring that duty. But that is a topic for a different discussion; OE would be a fair solution.]

Will the change be painful? Yes. But that whole information system needs to be re-engineered.
[/soapbox]

email self-hosting

Posted Aug 29, 2025 9:18 UTC (Fri) by anselm (subscriber, #2796) [Link]

Since my ISP are reluctant to set my statically-assigned IP's rDNS, I moved the email to a VPS ($60/yr). That provider was happy to set up the rDNS PTR record.

Even with an rDNS entry this might not have worked if your static IP address is from a range marked in the appropriate e-mail blocklists as “assigned to end users of an ISP”. Mail providers often assume that e-mail submissions from such IP addresses are sent by malware running on the computers in question, and score them way down or just refuse them outright. VPSes are much more likely to function properly in that respect.

email self-hosting

Posted Aug 29, 2025 10:58 UTC (Fri) by pizza (subscriber, #46) [Link] (3 responses)

> If an internet bandit (1) sends me spam, (2) hammers my web server, (3) probes my firewall, (4) probes my SSH servers or web servers or any other service I have available, I want to block that bandit and all of his domains and addresses from accessing all of my systems.

All of that is predicated on said internet bandit being (a) "authorized" to use the addresses in question, and/or (b) identifiable.

For example, earlier this month one of my sites got hit by a distributed crawler that exceeded 1.5 million unique source IP addresses. How exactly am I supposed to identify the "responsible" party, much less block them?

email self-hosting

Posted Sep 11, 2025 17:19 UTC (Thu) by fest3er (guest, #60379) [Link] (2 responses)

1.5M? That's almost 6000 /24s. With more IP assignees 'publishing' their large assignments in /24s, it becomes a PITA identifying who controls an IP address for both blocking and allowing. Examples: (1) which netblocks do TenCent control (to be blocked)? (2) Which netblocks do Crunchyroll and Netflix use (to be allowed)? (3) Which netblocks do MS' supposedly benevolent scrapers and probers use (to be blocked)?

Let's not confuse 'authorized' or 'controlling' with 'using. Bandits steal and use things they aren't authorized to use or control. Detecting their presence to shut them out is part of the guarding/protection task. Determining and notifying those who are authorized to use and control those remote resources is a different part of the guarding/protection task. Presently, there is no reliable way to identify who controls any block of IP addresses, or even which netblock an IP address is part of. For example, who controls 150.136.168.242? Crunchyroll seems to use it (found via tcpdump), but nothing points back to CR or to CR's upstream. This is just part of the reason I said that DNS/Whois/RDAP are broken, have far outlived their usefulness, and need to have a replacement engineered.

If someone is breaking into (or out of) your home, you don't really care who he is; you want to stop him. Bandits are not authorized to enter my home; they have neither warrant nor probable cause. Just the same, bandits are not allowed to enter (or leave) my network regardless of whether or not they are 'authorized' to use the source IP.

So manual effort and time required. Often more than should be needed.

  • If your servers are generally intended for human consumption and many of the requests come from certain cloud providers, block that provider's netblocks and then allow individual IPs as needed. Human users rarely access web sites via cloud providers (AWS, Google, MS, Akamai, etc.)
  • Scrape your web error logs. Block any IP that has more than, say, three 'not found' errors in the past 10 days. Human users rarely generate 'not found' errors.
  • Scrape your web access logs. Block any IP that has only 1-3 accesses in the past 10 minutes. Human users generally access at least four things in a couple minutes when they visit a web site.
  • Scrape your Snort/Suricata alerts; block any IP that generates an alert (chose your rules carefully).
  • Scrape your firewall logs; with due consideration, block IPs that trigger DROPs and REJECTs.
  • Peruse your conntrack table. Block IPs that don't respond to SYN_SENT and SYN_RECV within, say, 5 seconds; and block IPs that keep conns ESTABLISHED 'too long' (letting the timer run down too far). Also use nf-exp-delete to erase those conntrack entries
  • Make use of the Spamhaus stolen netblocks, shadowwhisperer, firehol and other lists.
  • Make use of the IPs in the Univ. of Toulouse categorizations (ads, pron, warez, et alia). I block almost 10k of these IPs.
  • Add the domains in the Univ. of Toulouse categorizations (ads, pron, warez, et alia) to dnsmasq as local=/domain.to.block/. I currently block 1.3M domains outbound (grows dnsmasq's memory to 100MiB).
  • Use ipset entries with escalating timeouts. Some types of entries should be allowed a 15 seconds timeout to allow for human error (e.g., a mistyped URL). After that, bandits (and those deemed non-human) are blocked for five minutes; if they reappear, their corner time is escalated to 10/20/60 minutes, 1 day, 1 week, and 24 days (ipset/netfilter max).

My scripts employ brute force methods. It would be more elegant—and probably more accurate—to employ statistical analysis of the frequency of IPs and their netblocks appearing in error and access logs.

I currently block around 40k IPs and netblocks. I throttle those and another 20k IPs and netblocks down to 2400 baud using HTB. (Yes, those 40k are blocked, but Scheiße happens.)

email self-hosting

Posted Sep 11, 2025 18:27 UTC (Thu) by farnz (subscriber, #17727) [Link]

The thing that makes any "fix" to DNS/RDAP/Whois problematic is twofold:
  1. The existence of "residential network VPN" services; you pay the provider to give you access to people's home or mobile connections, and the more honest end pay people to host VPN endpoints (the less honest end use hacked routers etc). This means that the worst offenders for abuse will be using these services, and be impossible to distinguish from an "ordinary" residential user.
  2. The global shortage of IPv4 addresses combined with a lack of movement to IPv6, resulting in residential providers around the world sharing IPv4 addresses between multiple unrelated people. This, in turn, means that if you block abusive addresses, you also block desired customers who have had the bad luck to use a residential provider who's other customers take part in residential network VPN services. This can be fine - if you don't need to interact with anyone from the EU, blocking most EU residential ISPs from accessing your services is not a problem - but is an issue if you have customers you've blocked, too.

And, FWIW, DNS delegation tells me that ns1.p78.dns.oraclecloud.net. is authoritative for 150.136.168.242; given that it has no DNS entry, this is likely to be a shared Oracle Cloud IP, used by many Oracle Cloud customers, of whom Crunchyroll will be just one.

email self-hosting

Posted Sep 15, 2025 16:47 UTC (Mon) by paulj (subscriber, #341) [Link]

A lot of the large tech companies do not use their own assigned IP address space for scraping operations (least, far from exclusively). In addition to their own address space, on which they host their services, they will also have PA (Provider Assigned) address ranges from which they may do some (or all) of their scraping operations.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds