[HN Gopher] After self-hosting my email for twenty-three years I... ___________________________________________________________________ After self-hosting my email for twenty-three years I have thrown in the towel Author : carlesfe Score : 841 points Date : 2022-09-04 17:28 UTC (5 hours ago) (HTM) web link (cfenollosa.com) (TXT) w3m dump (cfenollosa.com) | AndrewUnmuted wrote: | This was a great read. Thanks for posting it here! | | I found this line to be especially intriguing: | | > Hellbanning everybody except for other big email providers is | lazy and conveniently dishonest. It uses spam as a scapegoat to | nerf deliverability and stifle competition. | | The big tech firms criticized in this article are guilty of these | sorts of transgressions in other arenas, as well. It's always | been my contention that the "hellbanning" of user-generated | content by big media and big tech alike comes from the same | motivations. YouTube and CBS alike want to make niche content | difficult to consume in order to stifle any competition that | might get vaulted up as a result of that niche audience finding | the new distribution endpoints. This comes with the added bonus | of reducing cost of goods sold, by reducing the firehose of new | content to process. Or, as the article puts it: | | > Unfortunately, the computing power required to filter millions | of emails per minute is huge. That's why the email industry has | chosen a shortcut to reduce that cost. The shortcut is to avoid | processing some email altogether. Selected email does not either | get bounced nor go to spam. That would need processing, which | costs money. | | I would be very curious to learn if there are any proposed | explanation as to why this phenomenon is so commonly spread | throughout the big tech space. Do we get the same kind of | behavior out of other enormous multi-national firms like oil | producers, ocean freight companies, defense contractors, and | chemical suppliers? | jeffbee wrote: | Is there actually a "big tech" email provider that accepts a | message with a 2xx SMTP code and then deletes it? The only one I | personally know of never does that. That one also does not use | anything like an IP address blacklist. This article doesn't name | names, it just waves its hands and throws around some innuendo. | But as far as my own personal experience goes, this author has no | idea what they are talking about. | sillystuff wrote: | > Is there actually a "big tech" email provider that accepts a | message with a 2xx SMTP code and then deletes it? | | Agreed, that is really broken behavior. Once you accept mail | for delivery, it should be treated as a contract to deliver | that mail. Rejects during SMTP conversation are fine as they | notify the sender and do not generate backscatter. | | I have heard complaints that Microsoft's hosted mail offerings | accept then silently delete mail. It is somewhat believable, as | MS Exchange server would respond 2xx for any message to any | (including non-existent) destination address and later spam the | possibly spoofed sender with bounce messages. Maybe MS has | broken behavior like this in their hosted offerings too? And, | rather than fix their software, they silently delete mail since | they have finally learned that backscatter is a bad thing? | | And, MS o365 allows 'delete' as an option for the centralized | spam rules maintained by the admin. These mails are accepted | 2xx then silently deleted. | | MS does other questionable things on their 'free' hosted | offerings to mitigate their abysmal spam filtering. I have a | couple burner @outlook.com addresses, and they no longer | receive any mail reliably from any sender. MS provides the user | a place to whitelist senders and domains, but after wasting a | bunch of time whitelisting domains, mail still is marked spam. | "Junk" is effectively the inbox on those accounts. | | Disclaimer: experience is dated, from a past job, running | Postfix MTAs for a large organization and dealing with / | mitigating MS issues, but never directly involved with any MS | stuff. | Avamander wrote: | Microsoft and maybe sometimes very rarely Google does it. | | > But as far as my own personal experience goes, this author | has no idea what they are talking about. | | He's not very informed about being on the receiving end. | singularity2001 wrote: | Despite my friends repeatedly marking my email as "not spam" | google keeps classifying them as spam. Still hoping that one day | European anti trust laws will fix that. | eduction wrote: | The Helm email server -- funded by future YC CEO Garry Tan's VC | firm, but I bought one before he returned - is a really great | compromise between privacy and convenience. | | The IP block is managed by the Helm co., they tunnel connections | and sell you the (tiny, silent) server and software. Each Helm | server generates its own TLS cert, so the tunneling does not | violate your privacy (unless it was delivered without TLS, in | which case your privacy already vanished upstream). | | The only delivery issues I hit are sometimes with | Outlook/Microsoft managed domains. It's been at least a year | since I had that issue. When I first bought one someone on gmail | had to move a message of mine out of spam, but it's been fine | since. Last I checked their infra is hosted on AWS but apparently | they have some screening technique for getting clean IPs. | schappim wrote: | Looks like the op decided to go w/ iCloud for the cfenollosa.com | domain[1]. | | [1] https://files.littlebird.com.au/Shared- | Image-2022-09-05-07-2... | 2Gkashmiri wrote: | how many of posters here have used mailinabox ? or something | similar? how was your experience? | | i am almost 2 years into it now and beyond the first months | hiccups, it just works | no_time wrote: | MIAB user here. I pay ~$4 for a small VPS hosted here in | Hungary. The company did a pretty good job of keeping it's IP | range clean apparently. I only had to request whitelisting from | 2 spamlists. One being Outlook's. I filled out their form and | my mail was delivering a few days later. | | I wonder how the ubuntu 22.04 upgrade is progressing though. | The EOL of 18.04 is getting pretty close. | derekzhouzhen wrote: | I am still doing it, on a cheap VPS no less. Yes, it is hard, and | yes, some large email vendors drop my emails for no reason. | However, if everyone throws in the towel, they (the monopolies) | won. | sgt wrote: | Very interesting, I've self hosted my e-mail since 1999, which | incidentally is 23 years ago. My current server is at Hetzner in | Germany. | z3t4 wrote: | do you have your own asn? The entire Hetzner network has been | banned by Microsoft, so you can't send to Hotmail addresses | prmoustache wrote: | Is that really a problem? | sgt wrote: | Not at all, just a /29 | nor-and-or-not wrote: | Do you have a source for this? Because I don't think it's | true. | williamtrask wrote: | It's time for the US mail service to digitise and fulfill its | constitutional obligation to provide a private, secure mail | service for all American citizens. | rootusrootus wrote: | Of course it all started with spam. But the response was just as | destructive. I worked for a small ISP (25K email customers) back | in the mid-2000s, and it was so hard to keep email flowing. All | it took was one random customer somewhere on our DSL who had a | misconfigured open relay, and spamhaus would blacklist us. They | wouldn't respond when we'd try to get the block lifted. We tried | and tried to work with them to streamline the process, nobody | wanted spam to go through our servers, but they weren't really | interested in any cooperation. They were perfectly happy to stop | all legitimate email if it stopped a single spam. | | I don't work there any more, but I'd be surprised if that little | ISP hosts their own email servers nowadays. It's so expensive to | deal with such issues, it's just not worth it. | awinter-py wrote: | Hard to untangle the incentive for collusion + need to police | legit bad behavior. | | This _could_ be a few large providers saying 'we control most | email traffic, let's control _all_ email traffic '. Or it could | be serious players saying 'spam hurts our users, let's stop | criminals using a blanket rule'. | | More likely it's a schelling point where large players are rent- | seeking (crowding out some competition), but only to the extent | they can preserve the illusion this is about policing spam. | | Suspect we'll start asking platforms to offer something like due | process in the law -- administrative checks that increase the | cost to administer a system, and reduce the quality to end users, | but increase transparency and make it harder for the platform to | engage in corruption. | the_third_wave wrote: | Oddly enough I do not have these problems after self-hosting for | close to 27 years now (i.e. from before spam became a problem). I | hardly ever get any spam and my messages seem to arrive where | they need to be even when that destination lies in Microsoft- or | Google-land. I have the usual assortment of DKIM/SPF configured | for my domain, I send mail through a smart host operated by my | IAP (at no extra charge) but for the rest I do not do anything | special. Am I the exception to the rule, am I just lucky that my | IAP's smart host has not been blacklisted by the likes of | Microsoft and Google or is the perception of self-hosting mail to | be fraught with problems erroneous? I suspect the latter to be | true, self-hosting is neither difficult nor bound to fail just as | long as a) you have some good spam filters (easy), b) your MTA is | set up with the correct SPF and DKIM records (also easy) and c) | you send outgoing mail through a smart host (easy to configure | once you've found one). | damir wrote: | I would just like to point out, you _don't_ actually own your | domain... | warent wrote: | For those interested, I made a post related to this topic a few | months ago: https://news.ycombinator.com/item?id=31180379 | johnklos wrote: | You start with the premise that you can't host your own email, | which is problematic. I don't know why the people who fail at | self-hosting email are so adamant about telling others that | nobody should self-host, but it seems more like a squeaky wheel | problem than a real one. | | In every scenario, deliverability problems can be solved by | smarthosting through a reputable email provider. Period. | | You get all the benefits of your own filtering, your own logs | showing every delivery attempt, you get to store your data on | your own systems, access it however you prefer, et cetera - all | the reasons to self-host are there except for delivery logs, | and those can be arranged through your smarthost provider. | | Simple, huh? So why are so many people emphatically telling us | to NOT self-host email? | Dylan16807 wrote: | If you're sending through someone else then you're not self | hosting! | johnklos wrote: | Actually, yes, you are still self-hosting: | | You're in control of all deliveries to you, so you can grep | through your logs and see any and every delivery attempt, | which you can't do with, say, Gmail. | | You can store your data however you like, with as many (or | as few) security considerations as you please. Want full | disk and OS encryption with a Yubikey that has to be | physically present when you boot the system? Sure! Want to | encase it in a cube of concrete? Install your server at the | top of a tree? Why not? Want to store all of your email | encrypted in memory? Go for it! | | You can back it up as you like, you can make sure nobody | else sees or indexes it, you can access it via command | line, webmail, IMAP, POP, whatever. You can more (less) | your spool file directly. You can overwrite the disk where | the mail was stored when you delete it. It's up to you. | | Smarthosting does mean you have less control at delivery | time, though. For instance, I can choose to refuse to | deliver email to domains that don't negotiate TLS. | Smarthosting doesn't easily allow this (or at least I don't | know of any way to do this). | | But every other part will still be 100% in your control. | leohonexus wrote: | > In every scenario, deliverability problems can be solved by | smarthosting through a reputable email provider. Period. | | Could you provide an example of such a smarthost email | provider that has the benefits you mentioned? | | Not challenging you, just genuinely curious. | johnklos wrote: | Sure! I would never recommend, for instance, Dreamhost, but | I set up a company's smarthosting with Dreamhost because | the company was already using them. Dreamhost in general, | though, is quite spammy. | | Linode and Panix come to mind. | | Really, though, many hosting companies won't necessarily | list "smart hosting" / "smarthosting" as a service. If they | offer a cheap VPS and offer outgoing SMTP, you can set up | smarthosting through a VPS. | | One can even smarthost through Outlook / Gmail, if you | really want. | pseudalopex wrote: | Deliverability problems sending from VPS providers like | Linode are common. The article mentioned using a VPS. | aimor wrote: | Funny thing happened to me today: Gmail sent its own Google Fi | customer support email to spam. Haha, wish I noticed that before | spending my morning going in circles with chat support. | tannhaeuser wrote: | gmail also puts mails from mailing lists into spam, despite | repeated "not spam" tagging. Wondering whether mail getting | flagged as spam is even a problem anymore as people get used to | erratic results, at which point we can get rid of spam | filtering, or what's left of it, altogether when on balance it | does more harm than good, such as preventing SMTP self-hosting. | Fuzzeh wrote: | And yet I continue to get "Walmart Confirmation Receipt" or | "Verizon Confirmation Receipt" all coming from addresses like | "verizon_info_nlAT2Q7uf0d@zfgfdyyqsckxbvwg.linenight.com" | which means google are't even trying for some. | sbuk wrote: | If you continually mark those emails as read without | opening them, then gmail will learn that they are junk _for | your account_. | hammyhavoc wrote: | I see this same behaviour. It's infuriating. At this point, | I'd almost rather be able to disable all their spam filtering | and simply run an App Script, or email client with its own | rules that then syncs changes back to the server. | indigodaddy wrote: | bashblog! | [deleted] | kazinator wrote: | > _So, starting today, the MX records of my personal domain no | longer point to the IP of my personal server. They now point to | one of the Big Email Providers._ | | A MX records don't have to point to an IP; it can point to a host | name. | | My MX record is a dynamic DNS host name. | | > _Big email servers permanently blacklist whole IP blocks and | delete their emails without processing or without notice. Some of | those blacklists are public, some are none._ | | OK, but if you're having trouble sending, that's no reason to do | anything with your MX record, which is for receive only. Just | route outbound SMTP through someone forwarding service. | | I've run my mail domain for twelve years. In that time, I've not | sent SMTP directly to anyone; always through the SMTP forwarding | host run by my ISP. | | Well, you know, the mail is going through that ISP anyway! If I | could directly connect to port 25 of various hosts around the | net, I would still be routing through that ISP's hardware. So the | fact that mail is routed at a higher semantic level through their | SMTP server, rather than just at the IP level, just almost just a | footnote. | dn3500 wrote: | Unless you're doing something special, there is a big | difference between sending your mail to the recipient's smtp | server and relaying it through you ISP's smtp server. The | difference is that if you send it direct the ISP can't read it, | because it's encrypted. If you relay it, the ISP can read your | mail, and even tamper with it, unless the message itself has | been encrypted with something like pgp. | SoftTalker wrote: | Your ISP can log and analyze all SMTP traffic if they want | to, whether it's being processed by their mail relays or not. | jeffbee wrote: | According to Hoyle, MX records _must_ point to a domain name. | The _cannot_ contain addresses or point to aliases. Some | mailers can tolerate IP address literals in MX records, but | that is not universal and _will_ cause problems. | machidarabbit wrote: | optimalsolver wrote: | I love the idea of self-hosting my email, but there's no way I'm | going through all that work if getting my mail delivered will be | a toss-up. Complete motivation-killer. | greatjack613 wrote: | I have had the exact opposite experience, I used mail in a box | and set it up on digital ocean on a 5$ droplet. | | Have not had any spam or blacklisting issues and it was super | easy to setup. | cm2187 wrote: | I am somewhere in the middle. Have been running my personal | mail server for 15y, it mostly works but my emails do get often | flagged as spam by the major providers (but not deleted). | Though those very same providers are themselves a major source | of the spam I receive. Do as I say, not as I do. | | The nice thing if you control your domain is to be able to | create unique email aliases, which is a way to cut spam to | zero. A company starts spamming or leaks your email address, | just delete the alias. | john_minsk wrote: | Wanted to get my own email specifically for this. Is it | possible on one of the serviced emails? | [deleted] | secabeen wrote: | Part of the problem is silent deliverability issues. You can | send to someone @gmail.com that you've never messaged before | and it won't get rejected. It will probably end up in their | Junk folder. You don't know it, they don't know it, and unless | they check, which many people don't, it will be as if you never | sent it. | whyoh wrote: | >You can send to someone @gmail.com that you've never | messaged before and it won't get rejected. It will probably | end up in their Junk folder. | | That happens even if you send from @gmail to @gmail. Well, it | happened to me not long ago. | | But I've mostly been using lesser known email providers and I | haven't noticed any problems. | devy wrote: | OP Carlos Fenollosa mentioned this: | | > Over time I realized that residential IP blocks were banned on | most servers. > You just cannot create another first-class node | of this network. > Email is now an oligopoly, a service gatekept | by a few big companies which does not follow the principles of | net neutrality. | | It's unfortunately true. However, the reason that how we end up | like this is more nuanced than just the big players trying to | power grab (perhaps) but rather because of the rise of | spam/scams/phishing/malware. All big players like Google (Gmail), | Microsoft(Outlook/Live.com/Hotmail), Yahoo!, Apple (iCloud) are | suffering from those threats, wasted bandwidth and compute on | spam detection heuristic AI. | | There are industry consortiums like Spamhause and commercial | entities like Barracuda to maintain blacklist/whitelist to | restrict access of major MTA network interconnect to fight off | spams/malwares/phishing/malware delivery from botnets and | individuals. And it helps, at the mean time, it consolidated the | control of who can send outbound emails. | | We are seeing this trend repeatedly in other communication | channels like phone calls (due to robocalls, VoIP numbers are | being blacklisted by all major players' services) or Text | messaging (due to spam texts, major U.S. wireless carriers band | together established Campaign Registry to control who can mass | send outbound text messages. This is also known as 10DLC | registration). | | I think the vulnerabilities of previous communication protocols | (email, VoIP, SMS/MMS) lie in the fact those protocols are | designed with security in mind. Modern community protocols like | Push Notification has been designed with security in mind, which | make it less susceptible to abuse and spamming. That's probably | the way go forward. | eruci wrote: | I threw in the towel a few years ago, after 15 years running my | own server on top of dan bernstein's qmail. | amelius wrote: | Why can't we have an open source mail hosting solution that self- | updates? | jasode wrote: | You've actually asked that question before and the answer is | still the same: you can't embed "trusted sender status" into | source code for a mailserver or a software package. The | invisible rules for rejecting email is an _emergent external | property that exists outside of the software package_ : | https://news.ycombinator.com/item?id=20853157 | | E.g. Software that "auto-updates" cannot solve the problem of | how different participants change their criteria on which ip | blocks are "bad". | amelius wrote: | Good catch :) | | But I'm not completely convinced. Sender reputation is made | up of at least two parts: the software (rules) used to send | the emails, _AND_ the actual emails sent, frequency of emails | and number of unique recipients. | | If you're a spammer you can still use the same software as | everyone else, but your reputation will be bad because of the | number of bad emails you sent. | | In other words, if everyone used the same software to send | emails, then anti-spam systems will have to use other metrics | to blacklist people. | jasode wrote: | _> In other words, if everyone used the same software to | send emails, then anti-spam systems will have to use other | metrics to blacklist people._ | | Right, and the _" other metrics"_ is what spam heuristics | already use now. | | In other words, you replied to this author's problem with | "self-updating software" but software cannot solve his | outgoing email getting rejected/spamholed. It's those | "other metrics" that made him give up running his | mailserver from home. | johnklos wrote: | This is sad, but it's a gross and inaccurate oversimplification. | Let's look at the summary of "What are we left with?": | | > You cannot set up a home email server. | | This is true enough to not care about edge cases. | | > You cannot set it up on a VPS. | | This is definitely _not_ true. | | > You cannot set it up on your own datacenter. | | This is absolutely, unambiguously untrue. | | I get that there are many people out there who don't want to | administer an email server, or who administer one (or more) and | are tired of trying to train users to DTRT and care about | security. The truth is that if you have lots of users, it's | likely that one will get compromised, and their account will be | used to send spam. | | Is it the end of the world? Heck, no, unless you let it go on for | days. "It's not if, it's when. Say goodbye to your email. Game | over. No recourse." That's just plain not the case at all, | unless, again, you don't have monitors in place. | | A super simple example: a script which counts the number of email | sent by any given user in a certain timeframe is really not | complicated. I've used something like this and it has caught a | mail loop which wouldn't end because the entity causing the | looping was rewriting so much that typical anti-loop checks | failed. | | So a user gets compromised. If this is a real concern (say, for | instance, you have a lot of Windows users), your script should | send an alert to you when this user's account has sent several | hundred messages over the past hour. You disable the user's | account, you clean the mail queue, and you deal with the fallout. | Sure, that may mean watching your logs for a few days for | rejections and visiting other networks' delisting pages, but it | happens. | | So there's the largest problem with running your own email server | handled. Boom. Done. If you've hosted email for years yet can't / | won't do this little bit of work, then that's you. The rest of us | understand this. | | What about deliverability in general? Isn't that the largest | problem, you ask? No. No, it isn't at all. You can even run an | email server on your home Internet connection, if your ISP allows | incoming connections, the same way you can handle any other | general deliverability issue: smarthosting. | | If you want to claim that there are NO ISPs out there that can | reliably send email outside of Yahoo / Outlook / Google / Amazon, | then you might say smarthosting isn't a solution. However, you'd | be flatly wrong, so wrong you shouldn't be hosting email. | | If your home network can't send email (it almost certainly | can't), and your VPS can't send email (it'd probably have | issues), and your datacenter can't send email (you're clearly | doing something wrong, but let's pretend), then you can smarthost | through an email provider that has a good reputation. Period. | | Anyone who wants to argue that hosting your own server can't be | done today because of deliverability ignores this super obvious | solution, which negates this entire article. | | Let's move past that and look at the suggestions this article | makes: | | Should we throw in the towel, proverbially speaking? Certainly | not. I disagree with this emphatically. | | "This doesn't only affect contrarian nerds." No, it doesn't, but | discouraging others isn't the solution. Your lack of solutions | isn't a good reason for others to throw in the towel. But why are | so many "contrarian nerds" so quick to tell others to NOT do | something? Do you tell people to not paint or draw, because it's | too hard for you? Or to carve, or write fiction, because you're | not good at those things? | | "You can no longer set up postfix to manage transactional emails | for your business. The emails just go to spam or disappear." | Nope. You're accepting that as normal and equal. It isn't. This | is the same basic idea as "I can't afford to not run Windows, | because everyone else runs Windows" - it's a fundamental | misunderstanding on your part that leads you to assume you're the | victim, and you're powerless. If your email is being silently | dropped, then you need to tell the recipients that they need to | 1) complain to their provider, and / or 2) find real, | deterministic email services. I've told many people that I'm not | responsible for overzealous spam filtering, and I provide proof | that the email was delivered. It's on them after that. "But I | can't afford to do that!" Then smarthost. This isn't difficult. | | "One strike and you're out. For the rest of your life." Nope. | Demonstrably, nope, unless you're letting spam flow from your | servers for days at a time. | | Your recommendations: | | "Let's keep antispam measures." Sure, but consider the fact that | they're part of the problem. Spam filtering shouldn't be | arbitrary - for instance, I do ZERO content filtering, unless or | until I can prove to myself that there are no false positives. | Email with "storage.googleapis.com" URLs? 100% spam. Email from | random addresses / networks with Gmail Reply-To? Absolutely 100% | spam. Email from servers with a HELO / EHLO name that doesn't | exist? Rejected. But keywords? No. That's stupid. I've seen, for | instance, too many abuse email addresses that don't accept spam | complaints because of content-based, rather than behavior-based, | spam filtering. The problem with Gmail is that they do too much | content based filtering, with no rules and no logs that we can | see. | | "Change blacklisting protocols so they are not permanent and use | an exponential cooldown penalty." Fair. | | "Blacklists should not include whole IP blocks." I disagree. If | your network neighbors are shitty, then you should 1) ask for | your IPs to be SWIP'd to you, 2) find a better company that | punishes spammers / scammers, and/or 3) smarthost. | | "Stop blackholing." Yep. But, "No need to bounce every email" - | 100% disagree. If you're sending so many messages that you're | overwhelmed by returns, then you're doing something horribly | wrong. Every email needs a bounce. This is how email works. | | "There should be a recourse for legitimate servers." 100% agree. | I think someone who has the time and resources should take all | the large providers to court to compel them to have methods for | correcting interoperability. If Google, for instance, wants to be | like a utility, then they should be forced to act like one and | they should have real ways to interoperate. As it is right now, | it it not possible to reach an actual human at Google about | anything via email. Every single message goes nowhere. They | shouldn't be allowed to operate like that, or if they want to be | arbitrary, they should lose the right to be called RFC compliant | email and the use of Gmail accounts shouldn't be usable for | anything public. That's another whole battle, though - why should | a company get to call themselves an email provider when they | don't provide reliable, repeatable service? Sigh. | | "Email discrimination is not only unethical; it's a risk for the | industry." Agreed. I think there's already legislation proposed, | if not already passed, making certain types of communication | unblockable. It's shitty legislation, but it's a first step at a | precedent we all need - we need to be able to dictate to large | corporations the parameters of what they can do and can't do if | they want to be considered email. | [deleted] | tedivm wrote: | I started hosting my own email in 2004 before finally giving up | and migrating my email to Fastmail last year. | | Besides the problems mentioned in this post the real problem I | had was dealing with spam. The open source community around spam | has really degraded over time, to the point where most solutions | are extremely high maintenance and require regular tweaking. | Methods that used to work, like greylisting, cause problems when | dealing with GMail because google doesn't play nicely with it. | The big spam blacklists have also gotten a bit less trustworthy | over the years. | coggs wrote: | After 30 years running my own MTA I also gave up and moved to | fastmail. | noAnswer wrote: | I started self hosting in 2017. (With a fresh domain. I'm the | only user.) My sever closes the incoming connection if it | doesn't has a rDNS or the HELO doesn't match the rDNS. Apart | from that I have no anti spam measures! Friends and family have | my firstname.lastname@domain address. Websites and companies | get a <random>@domain address. So far I have only reserved 3 | spam mails. Two times they got the address from a public | mailing list I participated. One time it was from a webshop | that sold or leaked my address. | azinman2 wrote: | I've noticed since switching to Fastmail from gmail my spam | filtering is very problematic. I always end up with legit | emails in spam, and I just can change if I want even more legit | in spam or more spam in inbox, which still gets through. | | I think it's both a tough problem, as well as something that | only becomes easier when you have both talent and scale to have | a wide perspective. | beprogrammed wrote: | Know what will kill self-hosted email? Giving up and hosting your | email with the big guys, the less self hosted email servers there | are the less the big guys feel any requirement to support it | kmeisthax wrote: | >In many countries politicians are forced to deploy their own | email servers for security and confidentiality reasons. We only | need one politician's emails not delivered due to poorly | implemented or arbitrary hellbans and this will be a hot button | issue. | | "I just the other day got... an Internet was sent by my staff at | 10 o'clock in the morning on Friday. I got it yesterday!", as Ted | Stevens would say. | | Unfortunately the man said this as part of a massive, uninformed | speech[0] about why big tech[1] needs _less_ regulation. | | [0] https://en.wikipedia.org/wiki/Series_of_tubes | | [1] Comcast inclusive | Avamander wrote: | > Unfortunately the man said this as part of a massive, | uninformed speech about why big tech needs less regulation. | | Sometimes they'll regulate themselves to avoid the exact | problem you've cited. | | https://www.fec.gov/files/legal/aos/2022-14/202214R_1.pdf | sk55 wrote: | We need new protocols. Blockchain protocols can somewhat solve | the spam problem by charging to send. Receiving addresses can | also whitelist or charge to receive. | fay59 wrote: | How does one verify that their server has never ever sent spam, | for instance through a security breach? | m3nu wrote: | Have around 100 users on my self-hosted mailserver. Works alright | for the most part. Once or twice a year, there are connection | issues to small companies with weird settings. I just route those | over an external ESP. | | Then there is also mxroute.com, which is an indie email provider. | He seems to do fine too. Didn't use them yet. | | So I think having at least some sending volume is key to running | an indie server. You can't do it just for a few mailboxes/users. | | I still wouldn't recommend to learn or start with email in 2022. | There are better uses of your time. | hammyhavoc wrote: | _He_? Is it a one-man-band? If so, that 's a scary single point | of failure for something as critical as your email. | m3nu wrote: | Nah, he should have some staff. I just know the founder | ("Jar") from forum posts. | rospaya wrote: | RBLs and other blacklists have been annoying for decades, even | more so when they were maintained by annoyed individuals rather | than corporations like today. You had to beg a single person to | remove you off a list that an ISP somewhere used without thinking | twice about it. | dsr_ wrote: | I can't send mail to mit.edu addresses. It gets rejected with a | message that says I should talk to Microsoft. | | I frequently end up in GMail's spam folders. No idea why. | | I see no more than one piece of 'spam' a week; everything else is | caught by a combination of a 15 minute greylist, the zen spamhaus | BL, and SpamAssassin evaluating things. There are a bunch of | spammers who send from accounts with valid SPF and DKIM, by the | way. | | Spam is a reasonably solved problem, but SPF and DKIM aren't much | help. | | (I get lots and lots of business spam, where the sender clearly | believes that they have a right to try to sell me crap. The | difference is that if I respond to business spam, someone will | answer, trying to sell me crap.) | massaman_yams wrote: | I might be reading into this a little, but you seem to be | arguing that "Spam is a reasonably solved problem at my scale, | therefore spam is a reasonably solved problem at global scale", | and those are very different things. One of the key differences | is: a small domain like yours is multiple orders of magnitude | less attractive of a target, vs. Gmail, and as a result Gmail's | filters are subject to constant, high-volume adversarial | attacks, and you are not. | | SPF and DKIM are pretty explicit in their RFCs that passing | authentication isn't a sign the mail is legitimate. The | presence of passing auth in a message does change how filters | should handle it, but for most larger-scale production | filtering systems (not spamassassin) that mostly ends up as | "change the weight of certain reputation identifiers in the | spam filtering inputs", more or less. | rsyring wrote: | SPF/DKIM are not intended to prevent people from sending spam. | | They are intended to let a domain owner tell other email | providers what servers have the right to send email from that | domain (and sign email). | | I can send email all day from joboffers@google.com. But most | email providers will check SPF and see that my VPS IP is not | authorized by google.com to send email, and it will go to spam. | | Those standards wouldn't keep me from registering example.com, | setting up SPF correctly, and then spamming. There are other | techniques to filter out that kind of behavior. | Symbiote wrote: | > I can send email all day from joboffers@google.com. But | most email providers will check SPF and see that my VPS IP is | not authorized by google.com to send email, and it will go to | spam. | | Actually, it will be discarded completely. | | Google's DMARC policy is for mail from unrecognized origins | to be rejected: host -t txt _dmarc.google.com | _dmarc.google.com descriptive text "v=DMARC1; p=reject; | rua=mailto:mailauth-reports@google.com" | | p=quarantine would send it to spam. | jacobsenscott wrote: | It was a huge mistake for email receivers to take on the cost of | filtering spam. Of course given the evolution of the internet and | email it is easy to see how that mistake happened. Nobody had a | crystal ball. But the only solution here is to raise the cost of | sending email to the point where spam is no longer profitable. | | It seems like one solution is to bcrypt hash (or some similarly | expensive algorithm) the email and include the hash in a header. | Of course you need to hash per receiver or a spammer can just | hash it once and spam away. | | The receiving client hashes the email and compares the result | with the value in the header and discards emails that don't | match. | | You'll never get industry buy in though - the FAANG companies | don't want to pay that cost for their semi-legitimate email. They | prefer to keep that cost externalized. | | I believe there have been attempts at something like this, but it | clearly never went anywhere. | kortex wrote: | That is a clever idea but I think it'll still fail so long as | email (SMTP) is a fire-and-forget architecture. As long as you | have that asymmetry, your SNR is going to suck. | | If it were a back-and-forth protocol, more like TCP, then you | have way more options for congestion control, error reporting, | load balancing, and the like. The server can choose to accept | the incoming request, ask for more verification, or interrogate | the client in various ways. This could be something just like | DKIM / DMARC / SPF, or even something more exotic, like making | the client do proof-of-work with difficulty tied to how | suspicious that client is to the server, and also the delivery | scope/scale. Or forcing the client to wait for ACK for valid | delivery while slow-walking it. | | This gets around some of the issues in cousin comments, with | respect to punishing botnets and rewarding lawful players. | Established, high-trust players pay no cost. Suspicious players | can still get through, albeit with a tax (that should be | trivial for low-volume personal MX, but expensive for high- | volume spam). Furthermore, it's adaptable. | Avamander wrote: | > If it were a back-and-forth protocol, more like TCP, then | you have way more options for congestion control, error | reporting, load balancing, and the like. The server can | choose to accept the incoming request, ask for more | verification, or interrogate the client in various ways. | | That's basically what graylisting aims to achieve. | kortex wrote: | Yeah, this is essentially a form of greylisting. The | difference is (as I understand it, this is fairly outside | my domain), with the current setup, MTAs can accept an | email, and it ends up getting blackhole'd or spam-folder'd | anyways. My hypothetical scheme would put more onus on the | first "boundary node" to report on errors/compliance. | Basically the MTA tells the client what hoops to jump | through, and the client gets some indication what will | happen once those conditions are met. | | That could be an exchange like: "Sign this nonce, and your | message will be vetted", or "this is very suss, you have to | do X difficulty hashes to have any chance of delivery, and | regardless it'll be flagged as potential spam". Or perhaps | just a guarantee on how an action would affects the | message's "spam score". | | This could be used alongside nested packets/envelopes and | various headers/trust levels in a network of trust to give | a message some overall trust level. | kevincox wrote: | The problem to adding a cost to email is that it affects | everyone. The amount of CPU power you need to waste to make | most spam not viable is so much that it isn't worth it. | Groxx wrote: | It definitely does not - you can allow different work loads | for different senders. Mailing lists you actually want can be | dropped to zero for instance. | | Most spam comes from new address pairs, not existing ones. | Requiring high cost to get past a first-contact filter, then | near zero forever after, is completely reasonable and would | practically eliminate unsolicited spam. | kevincox wrote: | But now the sender needs to know the receivers policy and | if they remember that there has been contact before. Or I | guess you change SMTP but we still allow unencrypted | connections so good luck with that. | Groxx wrote: | For newsletter style stuff, nah. The "confirm your | registration" email can "pay" to get past the wall, and | then you're done - approved pair established, future | letters can probably be zero cost and everyone receives | the same one. | | I wholly admit that this is arguing theoretical setups | and that's always problematic, but _of course_ patterns | would be established pretty quickly. There are loads of | simple tactics that would still make spam dramatically | harder, and legitimate use nearly unaffected. The current | reputation system has clear, _massive_ gaps that really | don 't need to exist. | SoftTalker wrote: | Most spam is sent by hijacked machines and botnets is it not? | They don't care about wasting CPU power; they aren't paying | for it. | klibertp wrote: | This indeed looks like a good direction. A decade ago Freenet | (not sure if it still exists?) had a problem with spam on its | equivalent of USENET. It was pretty bad, until they changed the | protocol so that it's the sending node that keeps the message, | which is then pulled (or not) by the recipients. It made a lot | of sense to me: I'm the one sending you the message, I want you | to see it, while you don't even know whether you want to get | that message. So it's me that should pay for storage and | propagation of the message in terms of bandwidth and disk | space. Not sure how it turned out in the end, but the approach | seems right to me. It's like phone calls: it's the caller that | pays the cost, not the one receiving the call. | klabb3 wrote: | Wow that's ingenious - and obvious when you think about it. I | guess evolving the email standard is a much bigger obstacle | though, no matter how clever the proposal. | flomo wrote: | An attempt was made. | | https://en.wikipedia.org/wiki/Internet_Mail_2000 | pas wrote: | it's ridiculously easy to create a template that is stored | and when the remote client pulls the message only a few | variables has to be substituted. it's how spam is generated | after all :) | barrkel wrote: | Something different: a hash which is expensive to calculate but | cheap to verify. E.g. calculating a string of bytes to append | to a hash stream on order to produce a hash with a certain | number of leading zeros; you provide the hash and the bytes, | and it's trivial to verify. | amelius wrote: | Not good from an energy-wasting perspective. | zootboy wrote: | There were proposals for this sort of thing a while back, but | they never caught on: | | https://en.wikipedia.org/wiki/Hashcash | quickthrower2 wrote: | Like cryptocurrency this will be a moving target. You would | need a difficulty setting - but where as cryptocurrency only | has to track one thing "total hash rate" this would need to | track two things "minimum supported hardware for legit | sender" and "hardware threshold for attacker to be successful | with a mining rig they can afford, based on the income from | the spam". | | Each email provider might come up with different difficulty | levels based on what they thing this is. So some handshaking | might be required. And less computer literate people would be | stressed why their email is taking 6 minutes to send. I think | it would be hard to implement. | heckelson wrote: | yeah, I believe it is called "HashCash" and works similarly to | "proof of work" in cryptocurrencies | seabrookmx wrote: | HashCash is actually referenced as part of the inspiration | for Bitcoin by Satoshi themself. It's the birthplace of proof | of work. | xtracto wrote: | Right, I can't believe people are re-discovering HashCash. It | was a brilliant idea way ahead of its time. Sadly it was not | adopted for email. | drchiu wrote: | A big problem with the way the big companies fight spam is that | sometimes it is a bit too aggressive. Happened a couple of times | where legitimate government-agency emails had trouble getting | through. | | Personally, I prefer defining my own spam list rather having an | algo decide what pops into my inbox. | thewebcount wrote: | Totally naive questions: | | Could we come up with a new protocol (possibly based on | SMTP/IMAP/whatever), that would only guarantee to get your email | to its recipient if you included some sort of token generated by | the recipient and given to you? Something where you could | text/message/whatever a unique token to a friend/business/etc. | and then they can send you email? And if you email someone, your | outgoing email includes the token necessary for them to reply? | The contents (including who it's being sent to) would be | encrypted by default rather than being plain text that anyone in | between sender and recipient (or at least sender and recipient | servers) could read. Is something like that possible? | | Obviously at first nobody would have it implemented, so you'd | have to get developers interested in writing server and client | software, and convince people and companies to use it instead of | or in addition to regular email. But I wonder how many people | would be interested in such a system and whether it would be | workable? | david927 wrote: | Seems like we need to write a law (draft a bill). | reuven wrote: | Yeah, I ran my own e-mail server from 1995 until about 10 years | ago. It used to be fairly simple, but between incoming spam and | attacks, the various standards that were developed, and my e-mail | not getting through... this became a problem that was worth | paying someone a few dollars a month to solve for me. | | I still use my own domain, but I'll let actual delivery and | security experts deal with the day-to-day running of things, | while I run my business (which definitely isn't that). | | It was a bit sad to give up, but the time and frustration it | saved have been more than worthwhile. | jitbit wrote: | > You can no longer set up postfix to manage transactional emails | for your business | | Well, actually you can. But it's _tough_ : | https://news.ycombinator.com/item?id=20553028 | teddyh wrote: | E-mail is complicated, sure. But I've had it up to here with | people who give up running their own server and then go on to | vastly exaggerate how infeasible it is, in order to placate their | own conscience. It's not that they've gotten tired of doing it, | oh no; (they say,) it's entirely the fault of Google, Microsoft, | etc. who've made it literally _impossible_ to run your own e-mail | server. Except it's not _impossible_ - lots of us do it, still. | And now there's one fewer of us, so the rest of us have to work | that much harder when the next monopolizing standard comes along | (BIMI, anyone?). Sure, you don't _owe_ us anything, but thanks | for nothing when making these public rants; you are _scaring | away_ people who might still be inclined to help! | Avamander wrote: | How is BIMI "monopolizing"? It's a trivial DNS record. | teddyh wrote: | https://news.ycombinator.com/item?id=28196403 | Avamander wrote: | There's the catch - VMCs are not a mandatory part of BIMI. | Though if you want to establish _trust_ , someone has to be | willing to put their name on the line and verify everything | required. If you have a better approach in mind, I'm sure a | lot of people would love to know. | teddyh wrote: | Trust (by way of VMC) is the _whole point_ of BIMI; it's | what's in all the marketing copy: The fact that nobody | else can send mail with your logo. If you merely wanted | to send e-mail with your icon on it, that already | existed: the X-Face header has been around for decades. | Avamander wrote: | Absolutely not, BIMI is a way to provide brand identity | for recognition/marketing purposes. Trust or security is | not the standard's goal. Being able to trust the logo is | an optional extra. | | Also nobody really uses X-Face, it's irrelevant. | teddyh wrote: | You're talking nonsense. What is the improvement of BIMI | (without VMC) over X-Face? The only things I can think of | are: | | 1. BIMI logos are in color. | | oh yeah, and: | | 2. BIMI logos are inherently a tracking pixel so the | sender can see when readers read the mail. | Avamander wrote: | You are free to read the BIMI standard's section 2.1 | containing its high-level goals. | | The next section also literally says "This document does | not cover the different verification and reputation | mechanisms available, but BIMI relies upon them to be in | deployed in order to control abuse." It's not a standard | meant for establishing trust, it does not mandate | requiring a VMC. | teddyh wrote: | Just like with e-mail, it doesn't matter what's in the | standard, what matters is what the big providers actually | do. If Google (Gmail), Microsoft, etc. will simply show | any BIMI logo without VMC verification (which will never | happen), then I will concede that BIMI is not a | monopolizing standard. It'll just be a tracking pixel. | Avamander wrote: | Showing any BIMI logo is an absolutely unreasonable thing | to demand from a large-scale BIMI implementation. It does | not make it "monopolizing", I don't think you even know | what the word means. | teddyh wrote: | So VMC _isn't_ optional? | Avamander wrote: | Is it that difficult to grasp that there's a "depends" | option between "optional" and "not optional"? | | Nobody really forces you to use HTTPS either, it's not a | "monopolizing" standard if someone doesn't trust you | without. | | And again, if you have a way of establishing just as much | trust without such a labour-intensive/expensive | verification process, please do share. | teddyh wrote: | When the big providers all require VMC to show BIMI, then | VMC is not optional, no matter what the spec says. | Claiming it is optional is then disingenuous. | | As I said in the linked post, logo verification is not a | problem which can be solved. Identical trademarks can | _legitimately_ be issued in different fields, and both | still be valid. Let's say you are a brick manufacturer, | and have paid an arm and a leg to a VMC certificate | authority (previously a HTTPS EV certificate authority) | for your logo, a nice iconic square logo. Then someone | else can simply come along, register a flower shop in | another country, use a different VMC issuer and get an | _identical logo_ issued to them. They can now send e-mail | invoices to your customers with your logo on it, | legitimately obtained, and the BIMI system will have | trained your customers to trust your logo. | | Any fix for this you try to implement will make the | system even less usable for its stated purpose, or more | suited to only large players and unusable in practice for | smaller operators. | Avamander wrote: | > When the big providers all require VMC to show BIMI, | then VMC is not optional, no matter what the spec says. | Claiming it is optional is then disingenuous. | | What do you mean "no matter what the spec says", it _is_ | the spec we 're talking about. It is what you argued | against several times. | | If you had started with saying "big providers' | implementations of BIMI", then it wouldn't be wrong to | say it's required but it's still not "monopolizing". | Requiring you to prove your claims using a third | unrelated party is simply not that. | | > As I said in the linked post, logo verification is not | a problem which can be solved. [...] and the BIMI system | will have trained your customers to trust your logo. | | There are caveats to each system. It does not mean the | problem is not solvable to a large extent. | | Secondly, it's pretty clear who to jail for the attack | described. I'd say it's even a positive side of the | system if that's the type of attacks we'd get. | | > Any fix for this you try to implement will make the | system even less usable for its stated purpose, or more | suited to only large players and unusable in practice for | smaller operators. | | That's simply not true. The price of a VMC is really not | that high for any business that doesn't only employ one | man and his dog. | teddyh wrote: | > _If you had started with saying "big providers' | implementations of BIMI", then it wouldn't be wrong_ | | That's just splitting hairs. | arriu wrote: | I'm genuinely interested. Where would you recommend a newcomer | starts? | IronWolve wrote: | Not seeing anyone talking about email lists, now you need to buy | a mailchimp type service, but many mailchimp type companies ban | political customers if your not on their team. | | Setup a private listserv or mailman use to be easy, but now you | need to have a smtp provider in front, or you will quickly get | blacklisted. Even then, get too big, and you will trigger some | email email providers. | toun wrote: | The topic often comes up. Can't say I share the experience. My | servers have never been put on a blacklist in the 7 years they've | been running, and one of them operates from my residential DSL | connection. Standard postfix+dovecot stack on an Archlinux VPS, I | log in once a year to update the packages and make sure there is | enough disk space left. | tacon wrote: | Essentially all residential IPs are blacklisted for email | servers, at least on port 25. Many ISPs blackhole any traffic | on port 25 to residential IPs. Do you have port 25 working on | your residential connection? | no_time wrote: | Just did a test with my own mailserver hosted on a small-ish | local vps. | | Outlook: OK (had to bother with this one when I started out) | Google: OK iCloud: OK | | I have a pristine track record and not a single byte of outgoing | spam so I cannot attest how easy is it to get back into the game | after an incident. I do agree with the larger point being made | here. It is clear some kind of anti racketeering legislation | would be the only fix. Sadly, currently there is zero will from | both the EU and the US to fix any of these blatant anti | competitive issue on the internet. | tacon wrote: | My experience is that Outlook will accept email from a new IP | ... for awhile. But rather quickly they block it. I think they | watch for a commercial amount of traffic, enough to get a | reputation from various services. Not enough traffic for a | reputation? Very suspicious, adios... How else would legit | commercial email senders bring up a new server? | | From the MailOp commercial mailers mailing list, it seems | Outlook will eventually unblock you, but you have to keep | appealing, etc., for multiple rounds. | seomint wrote: | Completely agree this is anticompetitive and worthly of | examination under the light of antitrust laws. Of course the | defense that will be offered and one which is partially true will | be one of providing safety from spam, phishing, and other evils | prevalent in the email system today. Maybe texting is the new | email after all... | jwie wrote: | The range IP bans hit home. Been hit by this more than a few | times. You don't have to be sending spam, but if someone in the | range did, ever, you will be blacklisted all the same, and | treated like a spammer. | | The people who run these blacklists are unreasonable. I can | understand why, they tend to interact with the bowels of the | internet and the heuristic is effective. Usually people who need | to talk to them are doing something naughty, so why bother taking | a chance? | | Guilty until proven innocent would be an improvement. | ironmagma wrote: | Alright blockchain nerds, now is your time to shine. An actual | problem that can be attacked through distributed consensus. | dane-pgp wrote: | If you insist. I put my suggestion as a reply to another | comment in this discussion, specifically here: | | https://news.ycombinator.com/item?id=32717921 | type_Ben_struct wrote: | I relate to this. I also stopped hosting my own mail server for | this exact reason. | | However I do think it's a case of damned if you do damned if you | don't. As a consumer of big tech email I become equally | frustrated when spam makes it past the filter and I expect them | to do more. | | If it's easy for the average person to setup a mail sever with | high reputation then it's easy for spammers to do the same. I | can't think of a great way to manage this at scale for the | average person using a $5 a month Digital Ocean VPS sending < 10 | emails a month. | | One thing I have noticed is that there's still a load of large | organisations failing to implement basic deliverability best | practices like SPF records. These organisations have themselves | to blame. | lolinder wrote: | The paradox here is the same one patio11 discussed in "The | optimal amount of fraud is non-zero", on the front page | yesterday [0]. The more non-tech people have an email address, | the more we have to prevent fraudulent email, and the harder it | becomes to run your own email address. | | The original email users were much more savvy and needed less | protecting against fraud. Now my grandma has an email, and if | we're not careful she ends up on the phone with "Microsoft | customer support" giving them full access to her computer. Spam | filters aren't just a question of irritation anymore, people's | life savings are at risk. | | [0] https://news.ycombinator.com/item?id=32701913 | gpapilion wrote: | I actually would rephrase it as there weren't enough users | with money to make using email a worthwhile scam medium. | | Email is low trust and almost any user is susceptible to | being scammed, because there aren't good trust markers in | emails, and companies use it in ways that make it | indistinguishable from spam. | lolinder wrote: | I think both are true. The kinds of scams my grandparents | (and even parents) fall for are trivially recognizable as | scams to me. It takes more work to defraud someone who | knows more about the way thing are supposed to work. | | But yes, it's definitely still possible for anyone to fall | for more sophisticated scams, and there being more money to | be had is a huge part of it. Either way the effect is the | same: more protection is necessary than was before. | mikece wrote: | " This concept may sound familiar to you. It's called a racket." | | Wouldn't RICO statutes apply then? | manquer wrote: | The author is confusing not being independent one person setup | friendly to an oligopoly. | | There are plenty of ISPs that offer email services , plenty of | small businesses, government orgs, universities host on their | own, most have no problems . | | Email is still very much small business friendly, it is no | longer easy for indie one person setups anymore. | | Many industries are not one person shop friendly , that is just | nature of the industry, doesn't make it a racket | iamgopal wrote: | We need kubernetes level of distributed messaging system to beat | email. What's most popular next option? | hammyhavoc wrote: | Matrix protocol. Can be bridged with existing platforms and | protocols, including Facebook Messenger, WhatsApp, and email. | 60m+ publicly addressable users, not including EU military, | gov, healthcare, emergency services et al. | tomxor wrote: | > There should be a recourse for legitimate servers | | ... one of the "big three" being google, this will never happen, | there is no recourse in anything, even when you pay them for it. | betwixthewires wrote: | I know a lot of older guys will disagree with me here, the guys | that use mailing lists to work on FOSS projects, many of whom I | respect very much, but I think email sucks. I only use it for the | same reason I have a phone number: because some people need me to | have one in order to contact me. | | I don't like email. I think the problems with it are shortcomings | of the protocol. I'd rather not use it. But I do, as a last | resort contact method. | | For me, people that use email are like people that primarily | communicate over SMS. If I need to talk to you and that's all | you'll use, I can. But if there's another way to talk to you I'd | rather use that. Xmpp, matrix, signal, shit even telegram and | discord if I have to, are preferable to SMS or email. But | otherwise, yeah I have some email addresses and a phone number if | you insist on doing things that way. | taf2 wrote: | I like a lot of what's being discussed here. One thing to | consider is a similar problem I am facing is people trying to | hack into a login page. We see thousands of requests per minute | from different IPs... many from VPS, some from obviously hacked | TVs/devices. We could implement an exponential back off on | abusive IPs but detection requires observation of action that | action could result in a compromised account... so another idea | is we simply block large ranges of know bad IPs from | blacklists... I think this is similar to the email sending | issue... it's not fair and I think a solution could be some kind | of "block chain" - make it expensive to login... make it | expensive to send an email... but I'm not sure and for email it's | way harder because you need agreement from the oligopoly of email | providers... not sure what the solution is | secabeen wrote: | The general rule of thumb for my home server is that messages to | people I've contacted before, or to addressees that were in a | thread that I'm also part of get delivered reliably. Messages to | new people I've never emailed before often go to spam. I've | learned to accept this. | tambourine_man wrote: | The biggest challenge is in the sending. | | If, for whatever reason, Gmail doesn't like your setup, even if | it's 100% according to specs, it's effectively broken. And | there's no one to resort to, often no previous relevant search | result, because the errors are vague when not silent (you don't | get to know the email was hard rejected, i.e. has not even | reached the recipient's Spam box). | | Your only hope is for your complain to go viral on HN or | Twitter and some Googler takes pitty on you. | daitangio wrote: | I am still hosting my emails via docker mailserver[1] I got some | trouble with outlook.com bans, but Linode helped me to switch to | a "good" ip address and it is working fine for now. | | I will try ti resist as much as possible, because email is your | primary identity "link" on the Internet, and you deserves to own | it if you want. | | [1]: https://gioorgi.com/2020/mail-server-on-docker/ | Kim_Bruning wrote: | It should be possible for everyone to participate in internet | systems equally as peers. | | Somehow it seems like the Overton window has shifted such that | people find it acceptable that ordinary individuals can no longer | take part in the email infrastructure as equal peers. | tsimionescu wrote: | Spammers are also equal peers, and are a huge problem. The | concept of every computer being an equal peer is in fact part | of the problem with email. | ttul wrote: | My company exists to solve this problem at scale for the web | hosting industry. It's too bad that self-hosting isn't viable | because of IP reputation problems, but it's a reality that is | unlikely to change any time soon. | | I'd say if you want to continue self-hosting, just let go of the | delivery part. Use a service like SendGrid; it probably won't | cost you anything and it's easy to set up. | TekMol wrote: | It would be possible to solve the spam problem once and for all | with a crypto currency: if (Sender is | whitelisted by receiver): All emails arrive in the inbox | else: Sender has to send $1 for their email to arrive in | the inbox The $1 will be returned if the receiver | replies | neilk wrote: | e-postage, knows-SMTP-4, knows-SMTP-5 -> | https://www.rhyolite.com/anti-spam/you-might-be.html | | We have cryptographic identity in SMTP already. In fact, almost | all our protocols and formats for signing and identity were | first adapted from email standards. This has already failed. | | "You might be an anti-spam kook" does need to be updated to | also include cryptocurrency solutions. You're neglecting the | transaction costs associated with cryptocurrency, which might | be punitive both for senders and for those attempting to | collect the spam bounty. Of course the big email providers | could aggregate settlements... but now we're back to having big | email providers. | fortran77 wrote: | > "You might be an anti-spam kook" does need to be updated to | also include cryptocurrency solutions | | I was scanning this thread to see if someone would post that | old copypasta email solution checklist form again. | | Here's one version: https://craphound.com/spamsolutions.txt | akmittal wrote: | I will stop replying to my mail for sure | dinosaurdynasty wrote: | I think ideally replies would have a token to bypass it | (since replies are expected) | eli wrote: | This was a bad idea when it was first proposed 30 years ago | rekrsiv wrote: | Why are we still using email? | | No, I'm serious, why? | userbinator wrote: | One of the few means of online communication that isn't a | proprietary walled garden? | rekrsiv wrote: | So in the few other means of online communication that aren't | proprietary walled gardens, what else we got? | dane-pgp wrote: | IRC, XMPP, and Matrix (in increasing order of support for | E2E crypto). | | I'm not sure how well those protocols (as implemented, in | practice) support clients that go offline for long periods | of time. | sys_64738 wrote: | 1999 was a pretty late adopter to the self-hosting email cause | since it was pretty apparent since 1997 that free email was going | to win out. As Gmail filters get smarter then it becomes an | altogether more fruitless cause. Email hosting at the individual | level died out for most due to this and the pointless rivers of | spam you had to deal with. If you've only now come to the | realization that you can't make it then you've been wasting a lot | of your life. | tamsaraas wrote: | Sad, but true... | aeharding wrote: | I have self-hosted my personal email account for years without | issues. At some point early on I started relying on AWS for | sending emails, but that can be easily switched out or removed at | any time (and its free for my small volumes of sent emails). | renewiltord wrote: | Honestly wish there were a mode where you pay me $x to send me | email and I can sort by spend. | hammyhavoc wrote: | The name evades me, but this was a thing a few years back. | IIRC, it was the equivalent of what a stamp for an envelope | would cost, and the recipient got a chunk, as did the service | provider. Will try and find the name for you, but AFAIK, it's | no longer doing business. | the_third_wave wrote: | Would that be Hashcash you're thinking of? | | http://www.hashcash.org/ | hammyhavoc wrote: | Alas not! Much more recent, had a very polished of-its-era | SaaS style website. IIRC, you might have even been given a | specific email address for it, which then forwarded to your | chosen personal address. | andai wrote: | >You cannot set it up on your own datacenter. | | There are still new email providers appearing every few years | right? What special incantations are they performing to be | allowed in the club? Do they buy large IP ranges? Do they pay | protection money to Google et al? | structural wrote: | They buy their own IP range, establish their own AS, and pay | for peering/bandwidth as an independent network and not as a | single user/customer on someone else's network. | | This is fairly straightforward to do, but requires more | commitment than renting some CPU time and bandwidth on someone | else's machine. | Morizero wrote: | Totally agree with the tone & premise, but | | > At some point your IP range is bound to be banned, either by | one asshole IP neighbor sending spam, *one of your users being | pwned*, | | feels like a hint that | | > My current email server IP has been managed by me and used | exclusively for personal email with zero spam, zero, for the last | ten years. | | Might not be entirely accurate. | rkagerer wrote: | _Nowadays, if you want to build services on top of email, you | have to pay an email sending API which has been blessed by others | in the industry ... | | This concept may sound familiar to you. It's called a racket._ | jasode wrote: | The sweet spot for having control over your email while | simultaneously minimizing unforseen headaches is to simply own | your domain name and point the MX record to whatever hosting | provider you want instead of self-hosting a server at home. | | Same philosophy for exposing a your personal blog of html files | or content like mp4 videos. The sweet spot is to focus on buying | a domain name you control. Then let Amazon S3, or Cloudflare, | Hezner etc, host your html or mp4 files. | | I quit self-hosting email at home over 15 years ago. It's just | not something I want to babysit anymore because I have other | things to focus on. As long as I control the MX record on my own | domain, that's really all that's necessary. | mechanical_bear wrote: | It isn't about what's convenient for you. It's an individual | cost benefit analysis. Your needs are different than mine. | mordae wrote: | You are totally missing the simple fact that the number of | blessed email providers to choose from is slowly going down. | I've seen ISPs with thousands of clients to give up and move | the mailboxes to large players simply because their clients' | email was ending up in the spam so often that running the | support has gotten too expensive. | | It's definitely an anticompetitive practice. | api wrote: | It's just because of spam. All open systems that do not | impose a cost to participate are destroyed by spam. | bbarnett wrote: | Spam has been a thing forever. Literally forever. Yet | people have been dealing with spam far better than the big | boys, and doing so for decades. | | Want to talk about anti-competitive? Gmail will accept | mails, provide a 250 SMTP response, then drop the email | internally. | | That's not right. At all. You can reject the email easily | during SMTP exchange, and people have been doing that | literally for 20+ years. | | No valid excuse here. None. Zero. | | And if your 250 OK accept then drop the message, _and_ | provide no way to notify, or discuss, or find out why, you | make it impossible for a remote admin to fix the problem. | | This is 100% on purpose. Yahoo, outlook/hotmail, gmail, | collude to resolve issues like this, while blocking all | others to resolve issues their own purposefully broken | policies cause. | | If you see Alphabet with a policy, or action, you can be | 100% sure it is aligned to increase market dominance. | antod wrote: | Agreed. It's the increasing difficulty in getting things | delivered to the big providers making it harder rather | than spam. | | At this rate, eventually we'll have a handful of mail | senders (Mailchimp, Sendgrid), and a handful of mail | receivers (Google, MS). | ratata wrote: | True. But they are not calling for a completely open | system. I like this proposal from the author. | | > Change blacklisting protocols so they are not permanent | and use an exponential cooldown penalty. After spam is | detected from an IP, it should be banned for, say, ten | minutes. Then, a day. A week. A month, and so on. This | discourages spammers from reusing IPs after the ban is | lifted and will allow the IP pool to be cleaned over time | by legitimate owners. | | > There should be a recourse for legitimate servers. I'm | not asking for a blank check. I don't mind doing some | paperwork or paying a fee to prove I'm legit. Spammers will | not do that, and if they do, they will get blacklisted | anyways after sending more spam. | | But Big Tech will not do that because they will gain more | from eliminating the competition. | tinus_hn wrote: | Spam has been been fought for decades, you can rest | assured any obvious solution has been tried and either | doesn't have the desired effect or is impossible to | implement. | cowtools wrote: | I think we ought to move email (or some future | incarnation of email, like matrix) to a completely | whitelist (opt-in to receive messages) basis. | KoftaBob wrote: | That's essentially how www.hey.com works! I thought it | would be tedious at first, but I don't mind it, and it's | done a great job of making it so I only see what I want | to see in my inbox. | pas wrote: | signup confirm emails are like that. | | similarly, any "hello pls add me to your allow-list" | emails could be made auto-disappear to the "will be | deleted in 30 days" folder in ~10-15 minutes, so even if | you get a 100 spam messages per day you only see the last | of those, you can easily pick what you are looking for, | and don't worry about the rest, they'll just disappear. | | (and you still have 30 days to look for messages that | might be interesting/important/etc.) | | ... | | the real missing piece is the feedback mechanism. DMARC | is meh. of course large senders have implemented FBL, but | they are not available for mere mortals. | | https://en.wikipedia.org/wiki/Feedback_loop_(email) | cowtools wrote: | signup confirm emails are not what i'm describing, | because you need to establish and filter the initial | offer that they send you via email itself, which is still | prone to phishing. | | What I'm describing is a situation where users themselves | have to proactively subscribe to a connection using some | sort of out-of-band mechanism. For example, if a website | wanted to send you emails, they could produce some sort | of "connection ticket" that you can give to your email | client in order to subscribe to them. | pas wrote: | I know, but anything out of band won't really work, | because that can be phished even more, plus as described | above, there's no real need for it either (IMHO). | franga2000 wrote: | This makes sense for service emails and is similar to how | push notification services like Pushbullet work, but | can't work for humans. You need to be able to give your | email to someone IRL so they can send you a message. | Mutual approval would be possible in the "we just met and | want to exchange emails" situation, but that too breaks | when you legitimately want to give anyone the chance to | message you. | michaelmrose wrote: | This is useless because users are stupid, people sending | the mail are stupid, people getting the mail are stupid, | UI people creating interfaces are so stupid society could | be improved by putting them in a box and mailing them all | to some wasteland and hoping they form their own society | there or starve. | | This would result in half the planet being frustrated all | the time and the other half never getting their mail. | | If your goal is to secretly destroy email this is the | way. | Javantea_ wrote: | You ignore the fact that there are perverse incentives | among the participants. It's possible to implement, and | I'm doing it myself. If I had more time to spend on it, | we could end spam. Instead I am fine as is: most of the | spammers have given up. | dane-pgp wrote: | > I don't mind doing some paperwork or paying a fee to | prove I'm legit. | | Then how about this: The big email companies all declare | one day that any newly registered domain (with an MX | record) needs to post a bond for good behaviour in escrow | somewhere. If any of them find the domain being used to | send spam, they can slash the bond (sending it to some | charity or something). | | This has the advantage that it doesn't affect any | existing senders (so there's no one to complain about | it), and it makes transparent the cartel-like power that | these companies have over email. Perhaps, to democratise | the process a bit, the ITU could organise a ballot (one | vote per country) to elect 5 companies/non-profits who | would have this bond-slashing power. | | Unfortunately to implement something like this, they'd | also probably have to demand that DKIM signing become | mandatory (so there are cryptographic proofs of any | evidence of spamming), and this sort of global consensus | / money processing scheme would probably end up being | built using a blockchain, whether that was a good idea or | not. | hug wrote: | I can just imagine the headline. "Ask HN: Google sent my | mail bond to charity for no reason and has torpedoed my | small business, and I can't get in touch with anyone to | make it right" | dane-pgp wrote: | I can imagine headlines like that too, but the idea of | electing 5 (or some other odd number of) entities is that | they would be able to share among themselves the | cryptographically signed evidence of the spam they | detected, and then the bond slashing would require a | majority vote. | | So instead, the headline should be something like "Ask | HN: Google, Amazon, and the Shanghai Cooperation | Organisation forced me to send $100 of Ether to UNICEF | and I couldn't send any new emails until I sent another | $100 payment to my domain registrar. How do I take them | to the World Court to force them to reimburse me?". | That's not a great situation, but it's slightly better | than the status quo. | IgorPartola wrote: | Is there any actually money to be made in hosting email | for people? I genuinely don't know but my suspicion is | that GMail, Yahoo, Outlook, et al are loss leaders for | their owner companies. I suspect people at those | companies would be quite happy if the protocol got | unfucked enough that it small players could participate | without negatively impacting the network. | 0x445442 wrote: | I gladly pay for Fastmail and I assume they're not | running a charity. Also, I think hey.com is charging $100 | per year. | GekkePrutser wrote: | O365 web costs me 5 bucks per month and I only use it for | a few emails a week so I doubt it's a loss leader. | | If I'd actually use all of it a lot, sure but I don't. | [deleted] | dhosek wrote: | Indeed. I host my domains with dreamhost and it turns out | that outgoing mail from their servers will get marked as spam | by Google. The exact same mail sent through a gmail address | (whether under gmail.com or a custom domain) will be | delivered no problem (although after the sudden closing of | legacy free email, I found that emails that I had been | sending via gmail with my own domain that had been getting | blocked by spam filters were being delivered when they came | from a gmail.com address). | grepfru_it wrote: | The problem is your outbound mail server does not have a | good reputation. You also probably do not have a large | enough swath of IP space to prevent bad neighbors from | becoming your problem. Lots of tricks to getting your email | sent reliably to most mail servers. What got me out of | hosting mail was trying to send an email to a potential | lead I met at a local meetup. His email was hosted at some | very small and relatively unknown university, but my email | was flat out rejected. Something about that moment just | clicked that it's not worth my time to chase down the | admins and resolve the problem. I'll just start shunting my | email through O365. I still selfhost everything else I can, | but I offload mail management to a provider | aidenn0 wrote: | I'm guessing dreamhost has a decent chunk of IP space... | cameldrv wrote: | It's more than that. I'm on a mailing list for a social | organization that I've belonged to for 20 years, and has | been hosted at the same place for all of that time. I | have marked hundreds of the messages not spam, and still | Google sends about 80% of them to spam. | | Google does not care even if you have regular | correspondence with an address -- if the server isn't big | enough, it's going to spam. The user's wishes or ideas | about what is or isn't spam are irrelevant. | killjoywashere wrote: | > It's definitely an anticompetitive practice. | | Or maybe it's an overly competitive protocol? Like playing | Monopoly. Even a neophyte can end sweeping the game despite | not understanding any of the underlying mechanics that drive | the game's outcome. Those remaining mail providers are also | fighting back the insanity. They 'just' won. | | Don't hate the player, hate the game. | prox wrote: | I wonder if we can't build a far simpler postoffice app on | http (self hosted domain space) and have a whitelisted | encrypted exchange. | fuzzzerd wrote: | Of course we can, but good luck getting people to use it. | They'll keep using what everyone else uses. | chrismeller wrote: | Substitute "HTTP" with "SMTP" and you already have that | today... SMTP in plain text isn't generally used anymore, | it's always transported over TLS. Of course you can run | whitelist-only, but how is that ever going to work? | | SMTP is text based and we'll defined, so I would also | argue that the transport being "simpler" is nonsense. | prox wrote: | Whitelist is easier. If I added an mail of a friend in | this system, we can communicate. Everything else goes | blackhole. | | Nothing is easy about email! Having worked for years just | to get reliable in and outboxes is definitely not | trivial. Also SMTP is a system out of your control if you | want anything verified and actually delivered. | chrismeller wrote: | Of course whitelist is easier, but how valuable would | your email be if you only allowed your friends to email | you? Goodbye order confirmations, subscription reminders, | recruiter emails, notifications... | tomohawk wrote: | A normal company could engage in these practices, but it is | settled law that a monopolist may not. A monopolist may not | use their monopoly in one are to supress activities in | another area. | | You can't put these big tech monopolists into the same | bucket as normal companies. They have way too much power, | and even when they do not intend to smash things, they end | up smashing things. | rnd0 wrote: | >It's definitely an anticompetitive practice. | | yeah, but in this climate what are you gonna do? It's not | like there's any kinda recourse for monopolistic behavior | that has any teeth to it. | srkaplan wrote: | I just randomly looked at 8 different emails in my inbox. All | of them were from different email providers (except google | which was there twice). There's hundreds or thousands of | email providers you can chose from. | | iphmx 1 google 2 kornet 1 linkedin 1 secureserver 1 amazonses | 1 self hosted university email 1 | redeeman wrote: | > It's just not something I want to babysit anymore because I | have other things to focus on | | Dont know about you, but I have setup my mailserver years ago, | and outside of regular OS updates, havent had to touch it. | Joeboy wrote: | For me, the issue wasn't that I had to fix it _frequently_ , | but that when I did it was urgent, stressful and disruptive. | Eventually the VDS I was renting had a fatal HD crash and I | gave up. | miketery wrote: | Where is it hosted? Isn't the primary issue being blocked by | the major providers due to spam filters? | abdullahkhalids wrote: | I have used Mailinabox on a Hetzner server for about an | year. My email delivers to all the major providers. | However, small providers will occasionally block my email. | So I continue to use my Gmail address for now. | | With small amounts of evidence, I think if my contacts on | those providers email me first, and I reply to those | emails, then my domain is not blocked. | redeeman wrote: | server4you. | | there is one blocklist im aware of that simply | categorically blocks all their IPs, but thankfully none of | the "big tech" players use it, so its really of no | consequence to me | theturtletalks wrote: | How do you make sure your emails don't end up in spam? | redeeman wrote: | i just have spf+dkim, nothing fancy | megous wrote: | That's a recipient's problem. | lisper wrote: | > point the MX record to whatever hosting provider you want | | You can even have a hybrid solution where incoming mail goes | directly to your self-hosted server and (some) outgoing mail is | relayed through a third party. | mmsnberbar66 wrote: | What would be the advantage? | Snild wrote: | Benefiting from the large provider's reputation in regards | to spam blocklists etc. | lisper wrote: | There are many benefits to running your own server. The | three biggies for me are: | | 1. Control. A third party can change anything about the | service any time they want, and if you don't like the | change they made you're screwed. | | 2. Expectation of privacy. Because I am not contracting | with a third party, the government cannot argue that I have | waived my right to privacy. (As a practical matter of | course this matters not at all. If the government -- or | anyone with the right technical skill and access -- wants | to read your email they will. But if push ever comes to | shove in a court of law it could matter.) | | 3. Spam filtering. I think the whole industry is doing it | wrong. The Right Way to filter spam is to use your | _outgoing_ mail as ground truth for what is not spam. I | have a custom spam filter that I wrote based on this idea | and it works like a charm. No Bayesian analysis needed. I | don 't even look at content _at all_. Just the headers are | enough to achieve >99% accuracy. | tsimionescu wrote: | > The Right Way to filter spam is to use your outgoing | mail as ground truth for what is not spam | | Could you elaborate? Does this mean that email from | people/domains you haven't corresponded with before is | spam? | lisper wrote: | Anything that comes in from an address I have never seen | before is handled specially. But it's not hard to filter | out the obvious spam. Just a handful of heuristics on the | from and subject lines (e.g. if the sender's name | contains common English words it's probably spam) takes | care of >90% of the cold calls. The rest I just look | through manually once a day or so. | | I was planning to institute a system where my contact | page included a special keyword to include in the subject | line to get past the spam filter, but that has turned out | not to be necessary so I haven't implemented that yet. | | The only remaining case is things like confirmation | emails for new accounts, but those just get lumped in | with the other cold calls. They are super-easy to spot | because I'm almost always expecting them, so they are | always at the top of the list. | WretchedEarl wrote: | > simply own your domain name and point the MX record to | whatever hosting provider you want | | That's not necessarily a sure cure, depending on the hosting | provider. RoadRunner (Spectrum / Charter) in the US and Shaw in | Canada won't deliver emails from my domain hosted at Runbox.com | (or sent directly from the runbox.com domain.) Spectrum's | bounce message references an error code that translates to | "Spectrum limits the number of concurrent connections from a | sender, as well as the total number of connections allowed. | Limits vary based on the reputation of the IP address. Reduce | your number of connections and try again later." | eikenberry wrote: | There is also a happy medium. Host your own MX servers but use | someone else's SMTP servers. You have complete control over the | incoming mail but dodge the filters by using the established | business for sending mail. | 1vuio0pswjnm7 wrote: | This should be made a standard practice. | | Third party email providers, the so-called "established | businesses", get a free pass as sending SMTP servers that are | accepted by almost all receiving STMP servers. Everyone just | assumes everything coming from those SMTPs is legit. | Establishing this "legitimacy" and getting the "free pass" is | difficult and some have suggested, the third parties may | employ anticompetive tactics. | | However, IMHO the receiving SMTPs is a different issue. Why | do we let these third parties receive and store our email. | (Why do our homes have their own mailboxes. Why not use a | "P.O. Boxes" instead.) Eventually we could move away from | letting third parties control the receipt of our mail. | Neither "POP3" nor "webmail" was part of the original concept | of email. | | Today, it is easier than ever to set up overlay networks | where we can assign our own IP addresses and run our own SMTP | servers that can communicate directly with other SMTP servers | on the overlay network. These networks are not open to the | world, they may only be open to people we know. Much of our | mail is between people who know each other, e.g., friends, | family, colleagues. Or businesses that we contact first. We | can separate different social and business networks on | different overlay networks. | | Anyway, the sending and receiving of mail can be separated. | We do not need to let a third party control both. | Animats wrote: | > Host your own MX servers but use someone else's SMTP | servers. | | Yes. My outgoing email goes out via Sonic's SMTP server, with | the SPF records to allow it to have a source address of my | own domain. Incoming email goes to my own domains and gets | forwarded. | | This seems to be trouble-free. The domain is on a cheap | shared hosting account. I'm not running a server. I own the | domain, and not though the hosting company, so I can switch | to another provider if necessary. In 27 years, I've had to do | that twice, because the hosting provider went out of | business. | | This is easy to do, and I don't have to deal with Google. I | don't even get much spam. All the spammers seem to be | targeting the big services now. | | I just looked at my spam folder. I'm regularly being offered | dental supplies, large hydraulic sheet metal bending presses, | and ammonium sulfate fertilizer. It seems that having your | own domain now means you get mostly business-to-business | spam. I subscribe to Machine Design, which gets me some heavy | industrial marketing, but I have no idea why I get dental | supply ads. The fertilizer spams, from China, look like a | scam - there's a fertilizer shortage, so that's a spam which | might get replies. | xanaxagoras wrote: | I do this too with a different provider whose whole | business is relaying for self hosters. I have had exactly 0 | problems since I started a couple of years ago. Its kind of | perfect. | pixl97 wrote: | It can very much depend on your domain. In the early 2000s | I ran a domain for a firm and the domain had 'UT' in it. | Well spammers thought it was related to university of Texas | at some point and we went from around 10 messages a day to | over quarter of a million. The immediate issue I has was | poor back scatter protection so I had to configure that in | a few days. That stopped 99.99% of the spam, but still | caused massive issues with the mailboxes that did exist | getting hundreds of messages per day even though we were | blocking tens of thousands of mails per valid email | addresses. | | Spammers are miserable, I don't fault anyone for giving up. | Fuzzeh wrote: | SPF and DKIM no longer have any real value. Just look at SA | and the values it assigns by default to mail with those | headers. Couple that will the fact that spam now has valid | SPF and DKIM - just makes them pointless. | sbuk wrote: | DKIM and SPF, along with DMARC are more about | authentication - they let you know that the message has | come from where it says it does. This makes spoofing | harder, not necessarily spam. Greylisting deals with most | of the "spray and prey" spammers, though it does have | it's own issues. | joecool1029 wrote: | >I just looked at my spam folder. I'm regularly being | offered dental supplies, large hydraulic sheet metal | bending presses, and ammonium sulfate fertilizer. It seems | that having your own domain now means you get mostly | business-to-business spam. I subscribe to Machine Design, | which gets me some heavy industrial marketing, but I have | no idea why I get dental supply ads. The fertilizer spams, | from China, look like a scam - there's a fertilizer | shortage, so that's a spam which might get replies. | | I used to have a 'Shirley' email all the time from China | about elevator parts. It was such a niche kind of spam that | I eventually replied and requested pictures of a bunch of | parts. They sent them! | thaumasiotes wrote: | > I used to have a 'Shirley' email all the time from | China about elevator parts. It was such a niche kind of | spam that I eventually replied and requested pictures of | a bunch of parts. They sent them! | | https://web.archive.org/web/20030412191437/http://www.pen | ny-... | dhosek wrote: | I remember in grad school, one of my classmates being | upset about getting a porn spam email in Chinese and | saying, "but don't they know that I'm a _girl_?" I | pointed out to her that I got the same emails (but had no | idea what they were saying) and explaining to her that | they send them to everybody. | chx wrote: | Whose SMTP service you'd recommend? | eikenberry wrote: | I use zoho.com, $12 a year and I haven't had any issues | with blacklists. | butterknife wrote: | Sendgrid works well for small volumes | conradev wrote: | You can also use an MX backup service which will accept mail | when your server is offline (and it will resend it when the | server comes online) | | You can also even keep Gmail as your MX server! Just move | messages off of it as soon as they arrive. It's just a | mailbox, after all | RunningDroid wrote: | > You can also even keep Gmail as your MX server! Just move | messages off of it as soon as they arrive. It's just a | mailbox, after all | | Do you have more information about this? | | I've been looking to do something similar so that I can | have my mail sorted into folders without setting up the | same rules on multiple clients. (Gmail's sorting doesn't | seem to support some of the sorting I'm currently doing in | Thunderbird) | iam-TJ wrote: | I've been hosting and operating my own MTA MX with | Postfix since 2005. I have Postfix set to use "MailDir" | format storage (one file per email) and then use Procmail | filters to direct emails into per-sender or per-topic | specific folders when they arrive on the server - nothing | needed to be done in the email client. Dovecot provides | the IMAP4 client interface. Thunderbird connects via | IMAP4. | | Each domain has its own user home directory so for each | there is a /home/${domain_name}/Maildir/ directory as the | base for storing emails, and each IMAP4 folder has an | associated directory. Snippet: $ ls -1da | Maildir/.Technology.FOSS.Projects.Linux* | Maildir/.Technology.FOSS.Projects.Linux | Maildir/.Technology.FOSS.Projects.LinuxContainers | Maildir/.Technology.FOSS.Projects.Linux.drbd | Maildir/.Technology.FOSS.Projects.Linux.kernel | Maildir/.Technology.FOSS.Projects.Linux.linaro.dev | Maildir/.Technology.FOSS.Projects.Linux.linux-i2c | Maildir/.Technology.FOSS.Projects.Linux.linux-input | Maildir/.Technology.FOSS.Projects.Linux.linux-pci | Maildir/.Technology.FOSS.Projects.Linux.linux-usb | | Here's an extended snippet example from $HOME/.procmailrc | that directs deliveries into the correct directory (IMAP4 | folder): :0H * ^List-id: .*linux- | usb\.vger\.kernel\.org | $HOME/Maildir/.Technology.FOSS.Projects.Linux.linux-usb/ | :0H * ^List-id: .*linux-wireless\.vger\.kernel\.org | $HOME/Maildir/.Technology.FOSS.Projects.Linux.linux- | wireless/ :0H * ^List-id: | .*yaffs\.lists\.aleph1\.co\.uk | $HOME/Maildir/.Technology.FOSS.Projects.Linux.yaffs/ | :0H * ^List-id: .*util-linux\.vger\.kernel\.org | $HOME/Maildir/.Technology.FOSS.Projects.Linux.util-linux/ | ### LinuxContainers :0H * ^List-id: .*lxc- | devel\.lists\.linuxcontainers\.org | $HOME/Maildir/.Technology.FOSS.Projects.LinuxContainers/ | ### Linaro :0H * ^List-id:.*linaro- | dev\.lists\.linaro\.org | $HOME/Maildir/.Technology.FOSS.Projects.Linux.linaro.dev/ | :0H * ^List-id:.*linaro-kernel\.lists\.linaro\.org | $HOME/Maildir/.Technology.FOSS.Projects.Linux.linaro.kern | el/ | [deleted] | intelVISA wrote: | Yep SMTP relay is the only sane choice nowadays sadly. | Sending your own mail is a losing battle against the email | blacklist cartel. | LinuxBender wrote: | Adding to the happy medium is to teach your friends and | family to use Thunderbird so they can easily GPG encrypt [1] | their emails keeping the nosey email providers off the email | body. Also teach them to use the IMAPS (TLS) endpoint for | their mail provider, usually port 993. There are probably | simpler how-to's with pictures, I just do not have any of | them handy. | | [1] - https://support.mozilla.org/en-US/kb/openpgp- | thunderbird-how... | sneak wrote: | Most of my friends and family don't own computers, only | phones and sometimes tablets. | m12k wrote: | I'm sorry to say, that's nowhere near a medium stance or | ask. | LinuxBender wrote: | It could be we have different circles of acquaintances. I | have managed to get non technical friends to GPG encrypt | their emails. I also talked 2 lawyers into using this and | the two lawyers are not only non technical but have | nearly zero patience. | oynqr wrote: | I guess a lawyer might know a thing or two about | confidential messages. | orev wrote: | I think you'd be very surprised at how much lawyers don't | know or care about any of that. They store stuff in the | cloud without ever having heard of the Third Party | Doctrine (which allows the US government warrantless | access to those documents). | JumpCrisscross wrote: | > _store stuff in the cloud without ever having heard of | the Third Party Doctrine (which allows the US government | warrantless access to those documents)_ | | Or because they know the third-party doctrine doesn't | apply to attorney work product and privileged materials. | pixl97 wrote: | After doing work for lawyers for years, they really are | the worst when it comes to understanding computers. | [deleted] | squarefoot wrote: | Not all of them. I keep seeing lawyers sending photos of | sensitive documents using their cellphone and Whatsapp | (before encryption), and most of them don't even care | about all those documents still residing on their | cellphone, at the mercy of whoever steals it since all | the security they have in place is that swipe thing that | anyone with good eyes spots in 2 seconds straight. | LinuxBender wrote: | They do. Most of them use proprietary https web | interfaces that usually have "secure email" or "secure | messaging" in the description but they are just fancy web | portals. I despise those systems. The content is not | encrypted at rest and can be leaked. With OpenGPG the | emails are only decrypted on the recipients end points | and can be deleted by request. | marvel_boy wrote: | Apple supports encryption on Mail: | | https://support.apple.com/en-gb/guide/mail/mlhlp1180/mac | [deleted] | deltree7 wrote: | ok, this is the text book definition of "out of touch" | briandear wrote: | Apple mail support GPG easily. No need to use Thunderbird. | Avamander wrote: | Can you please provide a few references to that claim? | zikduruqe wrote: | They might be talking about S/MIME. | | I use https://github.com/Free-GPGMail/Free-GPGMail which | is a plugin for GNUPG, without the "support" plan. | sbuk wrote: | https://gpgtools.org | | GPG Mail is a paid for add-on, but it works and it works | well. | usefulcat wrote: | Yeah, I've been doing exactly this for over 20 years. The only | problem I can recall is related to the fact that the hosting | provider uses a single SSL cert for the machine that hosts my | domain (and many others, presumably), so of course the cert | doesn't match my domain name. It's pretty easy to work around, | and I only have to deal with it every few years when they do a | hardware upgrade, which sometimes means moving my domain to a | different machine. | pretext-1 wrote: | Certs for MX servers are supposed to have the MX as subject | or SAN, not your email domain. It's important when the sender | enforces encryption with a valid cert (e.g. MTA-STS, or | config in the mail server, or many hosted solutions like | Google Workspace also support enforcing this for selected or | all domains). | | Example: | | example.com. MX aspmx.l.google.com. | | Cert should have aspmx.l.google.com as subject or SAN. | kro wrote: | The MX servers cert in my experience does not need to include | your email domain name . | usefulcat wrote: | I believe you're correct. I should clarify that the SSL | cert problems I have are only related to my client | connecting to the server to send or receive messages. | skywal_l wrote: | I am ashamed to admit that I have no idea how email works. Is | there a dumb down explanation of what are the moving parts and | how you can achieve that sweet spot? | nvahalik wrote: | You send your email through a client. That client then sends | (transfers / SMTPs) that email through an MTA either bundled | with it or provided by your mail server. | | The MTA parses the message, figures out who it needs to go to | (To, CC, BCC headers), figures out what servers receives mail | for those recipients, and then transfers (SMTPs) it to the | server. | | What OP is referring to is that the MTA essentially does a | DNS lookup for the recipients domain for a record of type MX | (Mail eXchanger). | | If you own the domain you have complete control over where | that mail goes: you own the MX record. | jeffbee wrote: | There is no such thing as a BCC header. That's the entire | point of the BCC. | | What you've described might be correct in some cases but is | not universal. The mainstream way that messages are sent is | your "email client" or MUA speaks the ESTMP protocol to a | mail transfer or submission agent (MTA or MSA). The client | directly specifies the envelope recipients, which are not, | generally speaking, parsed out of the formatted message. | That is why it is possible for me to send a message to | myself but the message is subsequently delivered to | hundreds of unnamed recipients. | megous wrote: | > The MTA parses the message... | | That may happen, but not for the purpose you stated. MTA | just uses addresses you told it to use in the SMTP dialog. | It doesn't use addresses from the message. In fact the | addresses in the message may be totally different. | delecti wrote: | Typically, if you sign up for an email account, you get an | email address like skywal@gmail.com or skywal@yahoo.com. | Alternatively, if you own/host skywal.com, you can have an | email address like skywal@skywal.com served from a computer | in your home. | | The "sweet spot" is combining the two, where you own | skywal.com, and have your email send/receive through Google | or whoever. Then, if Google decides to ban you, you just | register skywal.com with another company who provides that | same service, and you keep your same email address. | | That's the broad strokes anyway. | patmorgan23 wrote: | Email is complicated but the jist is there are relays and | mailbox/mail-exchanger servers (and email clients). And a | million different anti-spam measures that make making sure | people actually get you email difficult. | | When you send an email you mail client contacts you mail- | exchanger (MX) and drops the mail in your outbox. Then the MX | will look up the MX record for the domains in the TO field | and attempt to send the email to it using SMTP. | | The first thing receiving server ussally does and look up the | IP of the sending server and see if it's on a spam black | list. If it is it will probably just drop the connection. | Then it will look up the SPF record for the domain in the | FROM address and see if the sending server is allowed to send | that mail. | | Larger email services will have an internal 'reputation' | scoring system that will use data from reported spam to | figure out what IP's and domains are sending spam emails and | filter them out. They'll also look at if it's a residential | IP, in an IP pool for a major cloud provider etc. Each | provider has a different system and it can be really | difficult to get a provider to trust your IP or whitelist | your IP so you can make sure that your mail actually gets to | who you're trying to send it to. | | Relays are pretty simple they'll take email from one place | and send it to the recipient. The mail exchanger usually has | a built-in relay. A lot of people will use a third party | relay service so they don't have to worry about managing the | reputation of the IP of their sending mail server. They'll | just add an SPF record for the relays service to their | domain. And then configure their mail exchanger to send all | outbound mail to the relay and then the relay will do the MX | lookup. | | A lot of mail services will also have their MX records | pointed at relays. These inbound relays will often have a lot | of those anti-spam services bolted onto them and they can | also be used for load balancing to make sure that the service | is always able to accept mail even if it doesn't make it in | the mailbox immediately. | zahllos wrote: | I can type out an explanation relatively easily. | | Let's imagine I'm sending from user@zahllos.example to | user@skywall.example. I'm doing it from say Thunderbird or | Outlook, and you're using the same. | | I need to send, and to do this I typically use an SMTP | server. This is something configured, probably on | zahllos.example, maybe with the domain smtp.zahllos.example. | My mail client contacts this and 'logs in' with my details, | then transmits the email message I want to send to this | server. The server says 'right fine' and closes the | connection. | | At this point, the message is in a mail queue ready to go. | The SMTP server then does a DNS request for the MX record of | skywall.example. Let's say this is 'mail.skywall.example'. My | server, smtp.zahllos.example, then connects to | `mail.skywall.example', also speaking SMTP, and says "hey, I | have this message to deliver". | | It is at this point that mail.skywall.example can decide to | do some things. It might check SPF, so it will query the SPF | record of zahllos.example to find the list of servers that | may send email for that domain. In this example, let's assume | smtp.zahllos.example is in the list. Great. | | It may then also check the mail headers for a signature, | called a dkim signature. My server signed the message before | sending; mail.skywall.example can query | <uid>._domainkey.zahllos.example and find a public key (or | not) and check that this signature matches (or not). Again, | let's assume it matches. | | It might also check something like TXT _dmarc.zahllos.example | to see what my DMARC policies are. If I have something like v | =DMARC1;p=reject;sp=reject;pct=100;ri=86400;fo=1;aspf=s;adkim | =s;rua=mailto:postmaster@zahllos.example;ruf=mailto:postmaste | r@zahllos.example;" this tells you I'd like you to outright | reject anything not matching policy, that I expect everything | to match SPF and have DNS signatures, and you can send | reports if you support that to postmaster@zahllos.example. | Your server can then enforce these checks as it likes. | | One of the first things that will happen is that my server | will announce itself via an EHLO statement. An obvious check | to do is to check that the sending IP actually matches | smtp.zahllos.example. by querying 'reverse ptr' records. | | Your receiving server will also likely hand the message over | to various spam-checking tools for analysis, such as against | DNS blocklists and so on. Larger providers likely have much | more sophisticated infrastructure here. Ultimately, you're | going to do one of a few things: 1) deliver to inbox or apply | user-specified rules and deliver to a folder; 2) deliver to | junk (which is typically just another folder, but treated | specially by clients), 3) reject, and tell | smtp.zahllos.example you don't want the email. | | Once the email passes through the smtp dameon, assuming | either 1 or 2, it then gets stored somehow and in some way. | I'm being a little bit vague here, because 'it depends', but | in the simplest scenario, the smtp daemon will write the | message to an mbox or maildir-style format. More complex | setups definitely exist, indeed, there can be multiple layers | of servers doing analysis on separate machines, but for | simplicity, mail.skywall.example is one VM that makes its | decisions and the result ends up in /var/mail/user@domain/ or | some such. | | A key aspect of this step that makes email very nice is that | if smtp.zahllos.example cannot, for some reason, reach your | server now it will queue the message and try again at set | intervals. You can reasonably safely turn off | mail.skywall.example for a couple of hours. | | Another aspect is that you can have multiple MX records where | you are prepared to accept email, with priorities. So if you | can't accept at one address because the server is down for | maintenance, another will accept. | | So, now you've technically got an email, but you don't know | it. So you open thunderoutlook, and you connect to an IMAP | server imap.skywall.example - in our example let us assume | this is really the same thing as mail.skywall.example. The | server checks you are really you with your credentials. At | the backend, this is just another daemon that knows to read | /var/mail/... and find new messages; it finds one, downloads | its headers and displays it on your screen. | | Since we're in a slightly more modern world now, in the case | your client was already open you might have an "idle" | connection with the server at all times, in which case it can | push the message down to you. | | In the case of webmail, it is really all the same thing, | except you point your browser at a webpage, and that webpage | communicates with the servers instead of your client | communicating directly. Open source webmail might even use | IMAP underneath; things like Zimbra use their own java mail | agent, while Google is entirely custom. | | That might seem complicated, but in the end it isn't: between | two domains at the 'edge', in the end, there's an SMTP | conversation. One sending server tells a receiving server it | has mail for delivery, and it finds that server by asking DNS | where it is. The receiving server may do a bunch of checks | against DNS also before making a decision on what to do with | the email. | skywal_l wrote: | So in the example of the parent, he's got a domain name | registered somewhere (mydomain.com) and he set, in its MX | records, the gmail server. But how does gmail make the | connection between that address and your gmail address | then? | zahllos wrote: | So normally in the cases like this, you also have to tell | Google about this, and you typically do this by using one | of their paid-for products like workspaces or apps for | business or whatever they call it. So let's say that you | decide to host skywall@skywall.example with Google. You | pay them for workspaces and you likely tell them "I would | like to use this domain I already have, with email". They | then tell you "OK, add our servers as your MX record in | your DNS, or transfer the whole domain to us and we'll do | it for you". In this case we're doing the 'changing the | MX records' part. | | Now when a sending server asks "where should I deliver | skywall.example email" by querying MX skywall.example it | gets google's servers and starts an smtp conversation | with them, saying "I'd like to deliver a message for | skywall@skywall.example". At this point, Google knows it | can accept that, so they say yes, and then continue doing | whatever they do to check for spam beyond that, including | queries for spf and friends. | | The reason the parent suggests this is that if at any | point you decide to move off Google, you can pay someone | else, e.g. fastmail, for their services, and modify your | MX record. 24-48 hours later, DNS around the world | catches up and everyone will get fastmail as a response | when they ask for your MX record. Any new email goes | there instead of Google, and thus you aren't 'tied' to | the provider: you just have to move all your old email | over. Whereas Google cannot let you move a user@gmail.com | address, because they can only change the MX records for | the whole of gmail. | | DNS is the source of truth here. Whatever your MX records | are is where other servers will try to contact to send | email. The MX record is typically just another DNS | address that will be queried for AAAA/A (i.e. what is the | IP), and that doesn't need to be on the same domain at | all. | | Here's an example of what it looks like: | delv MX ycombinator.com @9.9.9.9 ; unsigned | answer ycombinator.com. 295 IN MX | 20 alt2.aspmx.l.google.com. ycombinator.com. | 295 IN MX 10 aspmx.l.google.com. | ycombinator.com. 295 IN MX 20 | alt1.aspmx.l.google.com. ycombinator.com. | 295 IN MX 30 aspmx4.googlemail.com. | | This is me using DELV to ask "where should I send email | for ycombinator.com?" and I have four responses. Column 5 | tells me the priority. Lower numbers are higher priority. | Unsurprisingly, this is Google. But let's see where they | host their DNS, shall we? delv NS | ycombinator.com @9.9.9.9 ycombinator.com. | 159148 IN NS ns-225.awsdns-28.com. | ycombinator.com. 159148 IN NS | ns-1914.awsdns-47.co.uk. ycombinator.com. | 159148 IN NS ns-1411.awsdns-48.org. | ycombinator.com. 159148 IN NS | ns-556.awsdns-05.net. | | So AWS. So they have separate DNS to Email, and could | change those MX records to host their email anywhere | else, without needing to change or move ycombinator.com's | DNS from AWS. | | I'll cover off the SMTP outgoing as well while I'm at it. | You _can_ also not run your own outgoing smtp server but | use someone else's. The key here is that if you use SPF | and DKIM, you should put their IPs into SPF and their | keys into DKIM, as that is what the receiving server will | use. So smtp.zahllos.example could be replaced by | sendgrid, provided in my DNS I say so. This may work | better, as sendgrid may have a better reputation than the | server I chose. | nullc wrote: | > The sweet spot for having | | no forth amendment protection for your email because its stored | by a third party. | MichaelVangard wrote: | Most emails are still going through servers owned by | Microsoft or Google, so what does self-hosting email | accomplish in reality? Some government entity likely has | warrant-less access to most of your emails regardless. I like | email as a way to communicate, but speaking pragmatically, | it's just not a secure means of communication in 2022. | ilovecaching wrote: | This is what I do. The downside is that a lot of email | providers make it really difficult to set up 3rd party clients | outside of their own clients. I've struggled to get mutt to | work with a lot of email providers because they use their own | auth mechanisms. | colordrops wrote: | I'm pretty happy using protonmail bridge with local clients. | It does take some effort to setup though. | WheelsAtLarge wrote: | "The sweet spot for having control over your email while | simultaneously minimizing unforseen headaches is to simply own | your domain name" | | You would think. The issue no one seems to think about is that | you need to make sure to pay for the domain for the duration of | your life(at least). Otherwise, as soon as you lose your domain | you lose ownership of your email. Any one that has control of | the domain has control of your e-mail. | | This dawned on me after a place I worked at reactivated the | email I used for work when I worked there. It has my name but I | have 0 control over it. Lucky for me I never used the email for | things other than work so it's not a big deal. It is still | bothersome that they can do that and I have no say so on its | use. | lisper wrote: | > The issue no one seems to think about is that you need to | make sure to pay for the domain for the duration of your life | | But that's true for any delivery endpoint in any medium, | including physical mail and phone numbers. | | It's pretty easy to set up auto-pay for domain names so that | all you really need to do is keep the billing info up to | date. After that it all runs on autopilot. | Aeolun wrote: | Unless your registry messes up and forgets to renew your | domain. It's happened to me before (don't use them anymore | though). | vereis wrote: | You can always use a different email address to manage the | domain if that's the issue? | tsimionescu wrote: | I would imagine the issue is someone else buying the | domain, and subsequently receiving any email meant for you | (such as a password reset request). | matheweis wrote: | > The issue no one seems to think about is that you need to | make sure to pay for the domain for the duration of your life | | Is there a registrar that will allow you to do this? Most of | the ones I've looked at have an upper limit of around 15 | years or so | WheelsAtLarge wrote: | You don't have to do it all in one shot but you should make | sure it gets paid so you don't lose access. | [deleted] | DrudgeCorporate wrote: | While this is true I don't see it as a huge deal. Treat it | like any other annual bill (e.g Insurance, property taxes) | and you will be fine. | colordrops wrote: | I agree with this assessment, and it's what I do. There is | still the single point of failure of losing your domain due to | a hostile registrar or mismanagement e.g. allowing registration | to lapse. | | Ideally there would be some a decentralized permanent domain | registry keyed on certs (I know these exist but have not been | adopted), or at least a fallback domain you could configure | somehow in case you lost control of your main domain. | [deleted] | npteljes wrote: | I agree with the pains, but the options are not juts Big Tech or | self-hosting. There's a myriad of not-big-tech email providers | out there, for example there's Posteo, who use open source | software and green energy. They are going strong for 13 years now | with 400+k accounts. | | https://en.wikipedia.org/wiki/Posteo | jrm4 wrote: | This isn't actually that hard to fix, it's just that for whatever | reason, we seem to frequently have this blindspot that we don't | seem to have in other industries. | | Namely that "do it yourself at home" and "massive oligopolist" | aren't the only two options. It's like saying "You can only have | hamburgers two ways, cook them yourself or McDonalds." | | I do the third and it's been great. I let my paid webhost handle | it. (hostdime if you're interested, but I'm sure others do it | well also) | colinsane wrote: | > like saying "You can only have hamburgers two ways, cook them | yourself or McDonalds." | | and your comment seems to be saying it's OK if we lose the | ability to cook hamburgers at home, because there are other | (more ethical) restaurants that aren't McDonalds. am i | misunderstanding? | jrm4 wrote: | No. To beat up the metaphor, I'm saying if we support the | restaurants that aren't McDonalds and that are more "mom and | pop" (and get others on board) then we can beat McDonalds or | at least live in harmony with them. | Avamander wrote: | The metaphor is kinda good. It's okay for people to refuse | your home-cooked burgers because they don't trust them to be | safe. There are actual small food vendors that comply with | sanitation rules and you can have them provide catering | services, professionally. And that is okay. | nathias wrote: | we shold come up with a more universal approach to tackle spam | fnordpiglet wrote: | What the author doesn't mention is he uses his email to discuss | his penis enlargement company with his friend, a Nigerian prince. | jacooper wrote: | I know the pain and the annoyances of hosting Email. | | But still, I won't switch to big providers, I use Proton Mail | personally, and Postale.io for many projects. | | There is also mailbox.org and many others, you have a choice to | not use the big providers, it totally possible. | tony-allan wrote: | "Newsletters from my alumni organization go to spam. Medical | appointments from my doctor who has a self-hosted server with a | patient intranet go to spam. Important withdrawal alerts from my | bank go to spam. Purchase receipts from e-commerces go to spam. | Email notifications to users of my company's SaaS go to spam." | | Are you talking here about incoming emails? I expected that these | would be reliably delivered to you and that the problem is only | with emails you send to the large providers? | rkagerer wrote: | For those who are still self-hosting, what tools & services do | you use and find useful? | electric_mayhem wrote: | The fix here is use a commercial provider for outbound smtp but | continue to self-host inbound. | | Not ideal, but it works. | gingerlime wrote: | what do you use for outbound SMTP? do you need to | add/authenticate each domain or from address with it? (I host | several domains and mailboxes) | johnklos wrote: | Actually, smarthosting is precisely ideal for deliverability | problems, particularly with IP reputation that can't be fixed. | jokethrowaway wrote: | Sending emails with dkim + sfp and I never had big problems with | reachability and a postfix server on Digital Ocean. | | I haven't done it since last year though. Has something gone | terribly wrong? | | I remember debugging issues with email sent via aws ses to | Hotmail addresses at $dailyJob but I can't think of a single | Microsoft product that works well (windows, teams, azure, now | even GitHub is starting to work every other day) so it doesn't | surprise me. | armchairhacker wrote: | I support the author but let me tell you a counterargument I | don't think he devotes enough to: | | Spam is a real issue. | | The amount of spam emails which get sent are absurd and likely | _orders of magnitude more than non-spam_. And spammers do a lot | to mimic real emails, including just hacking legitimate addresses | and adding them to botnets. | | Even on gmail, I still get spam sent to my inbox. Fortunately | very rarely, but it still happens. | | And even if it isn't bad today, spam has the potential to be much | worse in the future with transformer networks and hostile state | actors. | | And even if it really isn't that bad and never will be, the big | companies and those arguing against self-hosting will claim it | is. They don't want to allow a relative few self-hosted email | servers in exchange for much more difficult and less effective | spam detection. Forget Gmail and Outlook, why not just use | Fastmail or Protonmail? | | If you want a legitimate argument for self-hosted emails you | _need_ to address the spam. It may be as simple as registering | your official email with some organization sponsored by open- | source, and all the big companies can trust that one | organization. Then the org has to deal with spam registrations | but maybe there won't be much and it will work out. idk much | about self-hosting so this org might already exist. | | But this article doesn't mention that org, in fact doesn't say | much at all about spam besides "keep existing spam-prevention | because it already works". But you should at least explain why. | Because spam is a legitimate argument for big-co forming an | oligarchy that's not just "so they can make more money", and it's | the main argument that big-co uses. | pas wrote: | email spam is not a real issue. big uncooperative gigacorps | fucking it up for everyone is. | | responsibility for spam (and other kinds of abuse) can be | delegated via simple reputation scoring for netblocks, sender | authentication and a proper feedback mechanism along the chain. | | when the user clicks "spam" gmail already uses that to train | their fancy AI and _if_ you are not a small nobody, then they | already alert you that ooops you sent something spammy via a | feedback loop [1]. (see also how Mailchimp proudly claims they | work with big integration partners like gmail ... | https://mailchimp.com/help/how-mailchimp-prevents-and-handle... | ) | | whitelist clearinghouses exist [2] but they are not terribly | useful, because there's most of the signal to use for | reputation is hidden :/ | | [1] https://en.wikipedia.org/wiki/Feedback_loop_(email) [2] | https://www.dnswl.org/ | armchairhacker wrote: | > responsibility for spam (and other kinds of abuse) can be | delegated via simple reputation scoring for netblocks, sender | authentication and a proper feedback mechanism along the | chain. | | Are there any real-world examples of this? I know other | decentralized networks like Tor and BitTorrent have some sort | of reputation and feedback system. What type of "spam" do | they deal with and how well do they deal with it? Are there | any systems more similar to mail with mechanisms to prevent | spam? | | Spam is a serious issue, not just in email, not just in | decentralized systems - it's one of the main issues in | technology today. If there's a solution, even a proof-of- | concept in a smaller system would be great | Avamander wrote: | Very well-put. | | > And even if it isn't bad today, spam has the potential to be | much worse in the future with transformer networks and hostile | state actors. | | > Even on gmail, I still get spam sent to my inbox. Fortunately | very rarely, but it still happens. | | It is as good as it is _exactly_ because of the requirements | author finds tedious. | | > It may be as simple as registering your official email with | some organization sponsored by open-source, and all the big | companies can trust that one organization. Then the org has to | deal with spam registrations but maybe there won't be much and | it will work out. idk much about self-hosting so this org might | already exist. | | They do exist but there are a bunch of problems with that. | People have varying definitions of spam, getting paid to | whitelist someone creates a perverse incentive or not getting | paid will quickly overwhelm the organisation. | | Things could be better if we could enforce sender | authentication (SPF/DKIM). It would assign a direct cost to | getting your domain blacklisted. But if nobody is taking away | rest of the spammer's domains (or keeps selling them new ones), | they'll continue. | KennyBlanken wrote: | Spam is an issue, but it's not the one that impacts me the | most. I rarely get true 'spam' in my inbox. | | What impacts me the most is a never-ending problem with Gmail | classifying messages as spam that were actually important to | me. Time sensitive announcements of meetings or events, for | example. Many are coming from senders I've been receiving email | from for years. | | Gmail is convinced that almost every technical-related email | mailing list I'm on is a spam source, despite my _constantly_ | going into my spam folder and telling it dozens of messages | from those mailing lists are not actually spam. | | Meanwhile, what I do get is a barrage of promotional emails - | what I consider very much to be spam - from corporations that | at some point have had my email address and now email me | multiple times a week. Those sail right past the spam filter | into my "promotions" folder and accumulate... | xeno42 wrote: | I've been hosting my email on my own server since the 90s, but | got tired of dealing with keeping up with spam filters. Updated | the MX to deliver inbound to mailroute.net and have them do the | filtering before forwarding to my server and that's been working | great for years. Not free, but not expensive and still gives me | 99% of the control i want with very good spam filtering too. | | Outbound mail is relayed via mailroute too, which solves the | tainted IP delivery problem. | bob1029 wrote: | Proper, artisanal self-hosting of email can still be viable | depending on your expectations and tolerance levels for random | issues. | | These days, I operate with the medium-temperature bowl of | porridge: AWS WorkMail with custom domains & users. My use case | is basically "Replace gmail for personal email". I don't have a | lot of patience for running an actual email server, so this is | about as custom as I can get. | | Running a custom email domain can have other practical | implications, such as having to carefully re-iterate spelling | when mentioning your email address over the phone to a customer | support agent. With a gmail or hotmail account, virtually | everyone can type that hostname in without thinking about it. | This concern is moderated by being able to select a username with | fewer than 5 characters, rather than your full legal name | appended with your date of birth. | pif wrote: | Part of the problem is that the wrong people are complaining. | | Using Google as an example, the author has no right to push | anything to a gmail inbox. Google has no contract with the author | to accept mail from him. | | What Google is doing, it's failing _its_ customers, the people | who signed on gmail to have an address where other people could | send data to. | | And now those people are not receiving everything they could, but | it's only up to them to decide whether this is actually a problem | and whether it's serious enough to contact gmail support. | | I do understand the point and the spirit of the author, but he is | actually conflating the freedom of speech with the right to be | listened to. | peter_retief wrote: | I tried to host a home email server a few times and it was a pain | to say the least. Finally I created a droplet on Digital Ocean | and used Mail in a Box https://mailinabox.email/ with a glue | record to act as a name server. So far so good | rkwasny wrote: | After 19+ years of hosting my own email - It's worth it! | | Imagine someone revokes your access or deletes all your emails | because of an error, at the scale of gmail or outlook.com it just | happens. | | For spam there is one solution: | | - implement greylisting. It just solves the problem. | Fuzzeh wrote: | ..or imagine if google just shuts down your account. Gives you | no reason and suddenly stuff on your phone, your email and all | those related services stop. | | The issue with greylisting happens when you receive a lot of | email from Google or Outlook servers. Different one each time, | unless you're whitelisting them all - which defeats the | purpose. | lxchase wrote: | Reminds me of this fun story: | | A person at a company mistakenly created an email list segment | (or lack thereof) resulting in an email to the entire email list | of hundred of thousands of emails. This combined with inexistent | (we were a naive startup without an email specialist role) list | hygiene practices meant we were blacklisted by Gmail after some | time. | | Took a year to get a hold of someone on Gmail's spam team. We | found out were on 4+ Gmail blocklists, some of which were ML- | based. We couldn't do anything to remove ourselves after we fixed | the issues. A $1-2 million revenue channel dried up because we | couldn't get out of the Gmail blackhole (short of rebranding | completely, rewriting content, and using a different ESP). Fun | times. | zzo38computer wrote: | I run my own email server for receiving, but use the ISP's server | for sending (and setting up Exim on Ubuntu provides such an | option at installation time). I have no problem. | yonrg wrote: | I'll keep going with my private server (on a vps). I just moved | it to another hoster, meaning new IP block. This caused blocking | issues: Some but not all gmail address delivered to the spam | folder. Another big mail provider asked me to set up a web page | with contact info on the same domain I use for mail. And another | self hosted mail server from a public service agency had me on | block list. | | This caused me some headaches and I was thinking this could be | the end and I have to use one of the big players. But I did not | give up, invested time and it works now again! | f1recat wrote: | Same here, I've been hosting my email since 2007 and gave up in | the beginning of this year, mostly due to constant delivery | issues with microsoft infrastructure, which can be mitigated for | a couple of months before coming back again | cerol wrote: | Totally unrelated. But this guy has an amazing OS-from-scratch | tutorial [0]. | | [0] https://github.com/cfenollosa/os-tutorial | almog wrote: | > The industry should fix email interoperability before | politicians do. We will all win. | | Not sure if by "politicians" he means legislators, but given very | few players that control today's email deliverability, while | doing very little to provide observability (=feeback loop) to the | users who needs it most (that is users who cannot afford to build | an expensive pipeline that optimize deliverability), given all | that, I think regulation around distributed protocols | observability/fairness is not unlike AI explainability | regulation, only I expect that with mail it shouldn't be as hard | to implement. | Ferret7446 wrote: | Maybe the approach is all wrong? Maybe we should be educating | users to scan their spam folder regularly because spam filters | will never be perfect. Then it will not be as big an issue if | self-hosted email gets marked as spam, and the users of providers | like Gmail can complain and push for filter improvements. | martin_a wrote: | I've been self-hosting my mail for 17 or 18 years now, by | purchasing just some managed webhosting package from somebody who | cares about their services not being used for shady stuff (any | reputable managed hosting provider) and I think I've never "lost" | an outgoing mail for personal use. | | I don't understand what the author thinks it's so hard here and | why he's painting it so black and white. There's lots of more to | "my own e-mail" than choosing between some old notebook running | and collecting dust in your garage and using GMail. | | Some people just want to find a hair in the soup. | AlbertCory wrote: | I managed 3+Mail at 3Com 35 years ago, and in fact, it gets its | own subplot in The Big Bucks (https://www.albertcory.io/the-big- | bucks), back when email was brand-new (well, for most people). | | However, nowadays I'm bored with stuff like this. PITA. So I | totally sympathize with the author. | gwnywg wrote: | I host my mail for around 12 years so only half as long as the | author of the article, I faced the same problem- that my emails | land in spam for some people. In most cases it's those people who | care to receive my email and I always tell them it's their | provider who is at wrong and that they should switch. We have | some laugh together, exchange some jokes and continue with our | lives. I'm one of not many who love postfix and dovecot enough to | use it to self host, but I'm fine with that, I won't throw towel | and will continue to run my email, hopefully I'll be lucky enough | to run it for next 12 years :) Peace everyone :) | capdeck wrote: | My fear is that something similar will slowly happen to | everything "compute". How long before my bank's website won't let | me login if I don't use a computer with secure boot and a browser | installed from an app store? McDonalds app on Android won't run | on a de-googled or rooted device... At this point one may argue | that there will always be computers that you can compile and | install your own Linux. Yes, that is true. But just like I am not | likely to have un-googled andorid for some apps and googled one | for others, the same way it won't be practical to have one | computer for some apps and the other one for others. And the one | that will win will be the one that lets you login into your bank | account, for simple and practical reasons. | throwawaygram wrote: | It's ironic, 23 years for me too and my towel is not thrown in at | all. | cush wrote: | Big email companies were never threatened by self-host. Spammers | ruined it, not big email companies. Spam is an incredibly | difficult problem to solve. | yonixw wrote: | > ... [They use] spam as a scapegoat to nerf deliverability and | stifle competition. | | Disagree. It was a way too open protocol to begin with. From a | time of innocence best suited for places with inherit trust like | inside a business. And it's not just spam. Phishing is also a | huge issue. | | As much as I want to sympathise, Email for the big WWW is | unsalvageable IMO. Too many bad actors are out there. | | > [Solution:...] * There should be a recourse for legitimate | servers | | This is the same Big tech story. They want to cut cost, you want | a human touch. You can see similar stories here in HN every week. | Which is why I think it will never happen. | SQueeeeeL wrote: | > This is the same Big tech story. They want to cut cost, you | want a human touch. You can see a similar story here in HN | every week. | | Dang, sounds like our monopolized tech dystopia is probably | inevitable. If only there was some state level mechanism to | help balance the interests of industries maximizing profits and | those of users who need a robust system which doesn't harm | them. | yonixw wrote: | A previous thread (5m old) here showed it is not that cut and | dry, a good read: | https://news.ycombinator.com/item?id=30788681 | SQueeeeeL wrote: | There is a really great bit from Robert Reich (labor admin | from the Clinton years) about how if you're business would | collapse if you need to pay people more than minimum wage, | you shouldn't be in business. | | If your business suddenly fails as soon as you need to... | _support_ your customers, then you probably shouldn 't be | in business and only exist as a fluke in the current | economic model. | bArray wrote: | I know of some small servers that get a lot of spam and hacking | attempts, and their most effective tool against abuse is an IPv4 | block ban. Increasingly this became more and more difficult, and | I assume email servers are at the same point. Thanks to VPNs, | people appear to be able to spawn insane numbers of random IPs. | | One solution this decentralized server system came up with is the | concept of accounts that have some barrier to entry to create | (which involves a delay and proving identity). This account has a | private key and it uses this to access the servers through any | IP. Abuse on this account and any connected accounts of course | leads to the key being temporarily revoked. Lots of positive | interactions with well established accounts increases your | credibility. Lots of reports decreases you credibility. | | If you have been sending credible emails with multiple hosts for | 10 years, even if you did get flagged, you would be given the | benefit of the doubt. Hell, it should be easy to email the host | and give them the headers and the reason why the email was | flagged. | | About the email space now being owned by big tech, it could | simply be time for a boycott until they improve their practices. | There is far too much centralization on the web now, and we all | contribute to it every time we use an external service rather | than host our own. | Avamander wrote: | > One solution this decentralized server system came up with is | the concept of accounts that have some barrier to entry to | create (which involves a delay and proving identity). This | account has a private key and it uses this to access the | servers through any IP. Abuse on this account and any connected | accounts of course leads to the key being temporarily revoked. | Lots of positive interactions with well established accounts | increases your credibility. Lots of reports decreases you | credibility. | | That's essentially DKIM being fed into your average domain | reputation system. | jbreckmckye wrote: | Is email itself broken? What could replace it, that isn't a | "platform" like WhatsApp? | sylware wrote: | Wrote my smtp server 5 years ago. Still running. | | BTW, did you know the smtp protocol works without DNS? | | You just need to puth the ipv4 between brackets | @[xxx.xxx.xxx.xxx] and for ipv6 @[ipv6:...]. | | spam? simplicity and freedom has a price (personnaly, I have have | very, very little spam since I am self-hosted), and don't think | corpos won't try to force you to use their servers one way or | another... Whose coding the virus? It is sane to presume it is | the seller of anti-virus software... | alyandon wrote: | I'd like to consider migrating from my self-hosted solution but | it seems like all major email providers want $ per month per | user|mailbox. Are there any providers out there that charge a | reasonable fixed amount for say 50 mailboxes? | Daegalus wrote: | I gave up self-hosting ages ago. For a while I even used the old | Google for Families grandfathred in setup. That also went the way | of the dodo a few years ago for me. | | I signed up for ImprovMX, setup my domains there, and just route | my emails to whatever service I want. I use a random gmail | account that I use for my login and Google services, but the | email itself is never exposed anywhere, I only give out the | custom domain one. | | ImproveMX handles routing for my whole family. My mom uses | Outlook, and it routes there for her. If google, microsoft, or | whatever give me trouble or ban me, I just quickly switch the | email and nothing lost. | | If you pay for their service, since they have a super generous | free tier, you also get SMTP servers to use as outbound, which | lets me send emails through them and not have the `on behalf of` | email thing. Also they do all the work to make sure their IPs | aren't blocked and in good standing with MS, Google, etc. | gist wrote: | There is even a much larger problem here other than not being | able to self-host your own email. The issue is that large | providers and large companies have no accountability. No way to | ever have a conversation with an actual person (email or by | phone) to resolve a simple problem or mistake in an algorithm or | automated process (or even a manual process if that's what it | is). Canned replies not reply to follow up question not a care in | the world or a conscience. And the fact that the service is free | (to someone) does not mean a company should be able to so easily | do what they want and cause aggravation to others. | | And it happens even with paid services at large companies. | | That is not 'just business' and has never been the way business | operated pre-internet except in a few super rare (and perhaps | rare monopoly) situations. | zh3 wrote: | Hosting an email server on a consumer IP does seem to a losing | proposition, | | Hosting an email server on a cheap (reputable) cloud server and | doing the basics (PTR records, SPF etc) still works well. | jacobsenscott wrote: | How do you know? SMTP wasn't designed for reliable delivery. | You don't know if your emails are being received, and even i | they are, you don't know if they'll be received tomorrow. | johannes1234321 wrote: | You can know from getting responses and sending test mails to | different mailboxes. | | Doesn't give full certainty, but can be well enough. (If all | my recipients respond I don't care about the ones I don't | send to anyways) | 3434111 wrote: | johnklos wrote: | If you're not getting bounces, then the receiving email | servers are not RFC-compliant. | | If you're really that worried about it, smarthost. | zh3 wrote: | Statistically. I communicate with a lot of people via email, | and if I don't get an expected response to something of | consequence I follow up - it's far more common the recipient | simply missed it/didn't get around to it than it is to get "I | never got it/I found it in my spam folder". | gingerlime wrote: | Sending email out is a royal pain. Trying to deal with a | Microsoft ban on my IP even though it's sparkling clean for | several years. DKIM, DMARC, SPF etc all ser up, reverse dns, you | name it. Looks like Linode is being blocked as a whole pretty | much? | | Hate the level of centralization, particularly since there's | still a shit ton of spam still around. Sorry for the rant. | | https://docs.microsoft.com/en-us/answers/questions/674558/55... | tsukikage wrote: | I've been running a private mailserver for myself and a couple | of friends since 2002. I hit a similar issue with Microsoft | last year. | | I route outgoing mail to hotmail.com, live.com, outlook.com and | msn.com domains via email-smtp.us-east-2.amazonaws.com. I | started doing this when I noticed a large portion of e-commerce | email I was receiving originated from amazon vms and they | clearly had no deliverability issues. | | The ability to do this is a paid-for service, and needs to be | configured appropriately. I was expecting to have to pay for a | VM when I set out to do this. However, it turns out you do not | need that - you can just configure the SMTP forwarding without | needing to purchase any other products, and the cost for this | is a few cents per 10k emails, which I can see would be | significant for commercial services and/or spammers, but for a | private mail server essentially means I will never have to pay. | Amazon go to great pains to maintain deliverability for those | servers, so you don't have to. | | I don't really see a problem with adding one extra SMTP hop to | outgoing emails tbh, but as no-one other than Microsoft has (to | date) a permanent IP block ban with no recourse whatsoever | policy, while I've had transient issues with most other big | providers at one time or another, those four Microsoft domains | remain the only destination I have to route this way. | gingerlime wrote: | office 365 hosts a bunch of domains though. My bounce was to | a .berlin domain hosted there. Yes, I could route all smtp | via a ESP and pay for it, but that's centralization. | tsukikage wrote: | Interesting - whatever permaban it is that my IP block got | didn't affect office 365 hosted services (verified with | several different domains at the time) - just literally the | domains I mention. Guess I've lucked out so far. | zahllos wrote: | Wouldn't surprise me if Linode were entirely blocked. Also | anything in M247 Ltd's ASN. They host a lot of VPN endpoints, | including Mullvad's. | | Step 1, I'd move off Linode. Find a local DC or business you | can support by hosting a VPS or dedi box with them. LowEndBox | might be an interesting place to search but avoid anything too | famous. | | Step 2, join this https://sendersupport.olc.protection.outlook. | com/pm/services.... They don't actually email me when they | block my IP, but at least when I contact them I can argue I'm | already in their program and they didn't actually notify me of | any sending issues. I've got myself unblocked relatively | quickly this way. | SoftTalker wrote: | IMO, _any_ low-cost VPS provider is going to have a poor | reputation. I 've even had trouble running websites on some | of them, as some "endpoint security" products have their IP | addresses blacklisted, causing users to get alarming warnings | if they try to visit sites hosted there. | | You'll run into the same issues with the "free/trial" tiers | of bulk email services like Mailgun. | | I agree with OP, you pretty much have to at least send your | outgoing email via an established, widely-accepted SMTP | service provider, or in some other way pay a lot for a | "clean" reputation. | zahllos wrote: | I'd still say it depends. I've used memset (www.memset.com) | in the UK in the past without issue. They have low end VPS | offerings, but they're not as well known as say Linode. | | It isn't so easy to categorise such a service by pure ASN, | as they also offer dedicated and colocation services, so | you might be blocking a licensed 'on prem' exchange box for | a local UK council. | throwawaygram wrote: | I had that issue with them once in the past, I found a form on | their site, filled it out and they had it fixed in a week or | so. No issues since then. | teddyh wrote: | > _Trying to deal with a Microsoft ban on my IP_ | | https://sendersupport.olc.protection.outlook.com/snds/index.... | gingerlime wrote: | Thanks I'll check it out. The bounce link was to an office | 365 spam delist portal. My request was auromatically rejected | and my only option was to escalate it to support (one click | luckily). I'm yet to hear back, but from the stories on the | link I shared, I doubt it will do anything. | lamontcg wrote: | I have my personal e-mail on linode for probably 15 years or so | and haven't had any issues with e-mail delivery (knock on | wood). Had the same two static IPs there for years, and have | always had things locked down so I couldn't be used as a relay | for spammers. | gingerlime wrote: | mine is maybe 10 years? I don't recall. No issues so far, but | started seeing those Microsoft blocks when I moved my | brother's domain over to my server. I hardly send email out, | so it could be unrelated to his domain, just that he sends | much more email out. | DarkmSparks wrote: | I pretty much stopped using email altogether once I realised this | is what was happening. Maybe 10 years ago now. | | Email was really useful if you wanted to send a message or | notification to multiple people at the same time, but that got | abused so much literally everyone disabled it, at which point | email was no longer useful. | | People can still send me emails (e.g. for plane tickets), but the | chances of me replying to one are nearly zero. Now I send maybe 4 | or 5 emails a year and only to people who wont use literally | anything else. | zahllos wrote: | I'm on 12 years of self hosting email and counting. Once every so | often, I do end up being blocked, usually by Outlook and once by | Yahoo. I'm in their 'sender program' and they still don't | actually bother to contact postmaster@, but a few emails is | usually enough to unblock the block within 24h. | | Agree with a sibling comment that many major providers fail to | operate the SPF/DKIM/DMARC tools they insist you do. | | Each to their own, but ultimately if we don't hold on to the | freedom to operate our own mailservers, it will be taken away | through inaction. This means doing some things right: DMARC, | DKIM, SPF of course, server maintenance, good password policies | and of course IP reputation. The best way I can recommend for IP | reputation is to use a dedicated provider or VPS provider that | disallows things like VPN endpoints, where it is less likely | they'll assign an address with a poor reputation. A good provider | might also ask you what you intend to host, and you might be able | to discuss IP addresses with them. | bornfreddy wrote: | Agree completely. | | To those that still persist, there is a page I found recently | that helps you make sure that your outgoing mail is configured | correctly: https://appmaildev.com/en/dkim. They generate an | e-mail address, you send a mail to them, they do the check and | display results (not affiliated, just a happy user). | Avamander wrote: | EU's MECSA is nice as well https://mecsa.jrc.ec.europa.eu/en/ | flyinghamster wrote: | I've also been self-hosting email for years, and the only | deliverability problem I've ever had has been with AT&T. If I | try to send something to an AT&T customer, I get an automated | "your message has been eaten" notice, and following its | directions accomplishes precisely nothing. At this point, I can | only guess they're hellbanning the IP block in which my VPS | resides, because it does not show up on any public DNSBLs. | | Google? No problem. Comcast? No problem. Charter? No problem. | AT&T? Problem. | DanAtC wrote: | At least you get notified. Microsoft/Outlook on the other | hand silently drops emails leaving you and the recipient in | the dark. | pas wrote: | that seems new, or maybe a different beast from the MS zoo | of madness. | | gmail on the other hand does what others said, report smtp | 250 and silently discard some emails. (mostly those that | lack DKIM) | yomkippur wrote: | was just gonna ask how you would handle DKIM and SPF stuff. | Hetzner? Digitalocean? | zahllos wrote: | I use a small datacentre in my country, actually not far from | where I live. DKIM/SPF are independent of the provider. The | easiest way to understand is to consider how receiving works. | If I'm getting an email from hnemail.example, the first thing | I do is consider the IP address. Oh, 257.257.257.1? Ok. So I | then ask DNS "what is the SPF record for hnemail.example?" | and it returns v=spf1 mx -all | | This tells me only to accept emails from 'MX' entries for | that domain. So I query 'MX' against the DNS server and I get | a list of A records, which I can get IPs from. If the IP is | in the list, spf passes. Otherwise it fails, mark as spam. | | For DKIM, when the email was sent it was signed with a key by | the sending server. It is identified by a UUID in the | incoming email. So the receiving server again queries DNS for | TXT <UUID>._domainkey.hnemail.example and receives the public | key as a response. Signature verification passes? Accept | email. It fails? Mark as spam. | | This doesn't have a lot to do with IP reputation. This is | different. If you are a very large email provider, you might | develop custom spam filters. IPs are allocated to 'autonomous | systems' i.e. who actually uses them and hands them out to | users, and depending on the business you might make some | decisions about reputation. For example, if the IP address is | part of a consumer ISP block that is handed out to users of | broadband, chances are high that if they're sending email, it | is probably a Windows PC compromised by malware. | | Similarly, you might decide some ASNs are better than others. | Some hosters are more liberal in what they will accept, such | as VPN endpoints, tor nodes and such and as a consequence of | this more spam comes from these ranges. | | Rightly or wrongly, larger email providers try to add these | extra filters to the process to protect their users from | spam. This obviously sucks if you are genuinely trying to run | an email server on your symmetric home fibre connection with | a dedicated IP, but that's the world we live in. | | I can't make any general statement on which providers might | be best, and some people will have no issue whereas others | will find themselves unable to send anything. I don't work | for Outlook/Microsoft or Google and never have, so I don't | know exactly what rules they use, and in all likeliness they | shift constantly depending on spammer patterns. I can only | say I've found running from a small DC to work pretty well. | PinguTS wrote: | I completly agree with you. While Hetzner is my actual neighbor | as their headquarters is right in the neighboring town, I still | use a server at very small scale provider. I have no problem | with my email server. I receive some spam here and there, | mostly from Russia. But I immediatly block the according IP | addresses for some time. | | For years I avoided to use any external service to decide | whether its Spam or not. But about 2 years ago I started to | rely on some of the external Blocklists. | | Till today I have no problem sending Email. Even as I don't use | DKIM or DMARC. | exabrial wrote: | How do people that work for Google on HN continue to work there | without their conscience bothering them? These are terrible | monopoly abuses and you're contributing. | znpy wrote: | In fairness, things like postfix usually ship with very poor (not | to say "moronic") defaults. | | Like, postfix won't even try to connect to tls-enabled smtp for | outgoing email by default, and you have to explicitly point it at | the certificate bundle it's supposed to consider valid. | | And you have to tell explicitly to reject incoming plaintext | connections from the public internet. | | And quite a bit more... Like, why doesn't postfix have its own | freaking spf/dkim implementation BUILT IN? | Avamander wrote: | There are so many mesolithic defaults in email software. So | many things have to be constantly reinvented. I really wish it | weren't like that. | | Things like Maddy (https://maddy.email/) aim to simplify all | this. Really great potential, but they're still work in | progress. | baskethead wrote: | Nah. I'm glad that people like the OP are squeezed out of sending | their own email. I have no problem with an email oligopoly at | this point. | | For every "good" email server owner, there's probably a million | bad ones. And the problem of spam is a big one. If you want to | send your own email, get used to telling people to check their | spam lists and/or add your email account. | recroad wrote: | Couldn't agree more. I had to leave Zoho even though I didn't | want to. Google just blocked emails to my Gmail customers and | left me with no choice. | | Write about it here https://bitbytebit.substack.com/p/customer- | hacquisition | rabite wrote: | > Blacklists should not include whole IP blocks. I am not | responsible for what my IP neighbor is doing with their server. | | This is obviously laughably naive and creates infinite sources of | spam. | | Before doing a proposal on a core Internet technology you should | be required to be on the other side for a while. Do anti-spam at | a large retail e-mail service provider for a year and then you | can understand the problem space. | | You might not be responsible for what your neighbor is doing with | their server, but the ESP is responsible for filtering it. The | idea that they need to treat each and every comcast IP with equal | weight is nuts. IP reputation is the single most valuable tool in | the industry; the largest statistical predictor of whether or not | an email is abusive. | kuon wrote: | I just moved from fastmail to self hosted and it works with no | email blocked so far. Had that setup for 6 months. The most | important point being sure to have a static IP with reverse DNS. | jwildeboer wrote: | My little e-mail Server on an OVH VPS is happily sending and | receiving e-Mails to/from the big ones without problems for my | 20+ domains. Just a basic postfix/dovecot setup with letsencrypt | certificates and SPF/DKIM/DMARC working the way it should. I | described everything in a short blog series at | https://jan.wildeboer.net/2022/08/Email-0-The-Journey-2022/ in | case you are interested. | jwr wrote: | I've been hosting my mail for 20+ years now, with minor issues. I | guess I've been lucky. | | Reading the comments here makes me incredibly sad. Every answer | that tells me to use a provider misses the point. The Internet | was created so that there could be many independent nodes, not so | that everybody has to rely on one of several blessed providers. I | should be able to run my own E-mail. | | The real problem is lack of incentives. The big corps do not care | about e-mail. It doesn't make money and isn't easily | controllable. You can't turn it into a walled garden and lock | users in. So, it gets minimal attention, and only defensive | measures are developed. | | Either we solve the spam problem, or things will get worse. The | big tech corps won't solve it for us. | neop1x wrote: | I have also been self-hosting email for 15 years and only had | couple of problems at the beginning, mainly until my IP got | enough reputation. I have been hosting it on a bare metal | Supermicro server in a proper datacenter, though. It has | reverse-DNS, SPF, DKIM, TLS, MTA-STS and even DANE with DNSSEC | (on a self-hosted BIND but that's another story). It is | implemented using Exim, Dovecot, SpamAssasin, DNSBL and | Roundcube with OpenLDAP auth. I can recommend this awesome | hand-on guide provided by Netherlands Domain Registration | Foundation as a basis of a nice configuration | https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-... | | I had some troubles with IMAP search. I set up CLucene, it was | easy and enough for me (no need for Java Lucene). It just took | me a long time to figure out why it wouldn't search a domain | part of email addresses. It just required to set up the | tokenizations in such a way to split words also on @ character, | i.e. don't consider a full email address as a word. :P I also | had some troubles with OpenLDAP until I finally decided to read | the docs and examples there properly. Since then I have been | using this setup happily and it appears I will continue to do | so! I also share the LDAP with NextCloud btw. | rootusrootus wrote: | The problem is that collectively we love 'free' (at the point | of sale) so much that we'll gladly allow gmail to just walk in | and own almost the entirety of the email infrastructure. Then | later we realize this gives them the ability to unilaterally | make the rules, and we complain. But it's too late. | Barrin92 wrote: | >the Internet was created so that there could be many | independent nodes, not so that everybody has to rely on one of | several blessed providers. | | any community that grows large enough needs some mechanism to | manage trust, this is a universal issue. The early internet was | more permissive and less differentiated simply because it was | smaller. | | The big corps do an alright job at managing spam given the | sheer size of the problem, and more importantly you don't just | need to solve spam, you need to do so _economically_ , because | for your system to stay distributed the nodes need to do the | job competitively. | | Given that there's intrinsic benefits to managing these things | at scale that's not really realistic, in large systems you're | always going to have division of labor and stratification for | that reason. | pas wrote: | spam is solved between the big players, they already use | various feedback mechanisms ... it's just not enabled for | small fish. | | https://en.wikipedia.org/wiki/Feedback_loop_(email) | | gmail silently drops emails (while reports smtp 250 accepted) | - they could just as easily report that it's blackholed. | spammers already do get through their fancy AI filters. | | microsoft proactively blocks half of the world, rejects the | incoming mail, and sends the sysadmin on a wild goose chase | to get the IP/domain/whatever allowed. then you diligently | register, and wait. and then no signal from them, and the | problem still persists. | | so big corps, small shops, everyone and their dog flocks to | the good old microsoft/google duopoly. | | and at this point if someone asks what to use for email | knowing ... well, it's hard to not recommend folks to just | use google workspace and have some kind of backup ready for | when G bans their whole account just because. | jms703 wrote: | Email is broken. Fix that first so that hosting it isn't such a | terrible chore. | noncoml wrote: | Forget about self hosting. Even a custom domain is a pain | sometimes. | | According to a lot of web apps, my email is not valid and can't | use it. | | Also I have been told by a customer support person that my email | is not right as it has to end with gmail.com | johnklos wrote: | The fact that it's too hard for you doesn't mean it's too hard | for everyone else. | [deleted] | unixhero wrote: | I am self hosting. It works and I have no problems. | | I use https://cloudron.io for orchestration, security - to run it | on a VPS. Everything just works. | ryan-c wrote: | I've been self-hosting since 2004. I currently route via a VPS. | The only issues I have seem to be with | outlook.com/hotmail.com/etc - free Microsoft accounts. That goes | to junk, though replies seem to work fine. Paid Outlook365 seems | fine. | | Even after speaking with Microsoft's email admin team on the | phone a couple times, I still have issues. It's kind of | infuriating. | | I have properly configured SPF+DKIM (selector rotated | daily)+DMARC, and I've gotten set up with dnswl.org. | okasaki wrote: | All that "security" just to fight spam. IIRC it was estimated | that globally spammers make $300M per year from their spam. It | doesn't seem like much. Somebody joked that it would be better if | we just paid them that much to do nothing. | iamgopal wrote: | For Poor country 300 million is a huge sum of money. | pkulak wrote: | Kinda makes the point even more valid. | warent wrote: | I think they mean 300 mil isn't a lot in the scope of an | entire market. The entire spam market isn't centralized in | one poor country | b0afc375b5 wrote: | I wonder what the underlying problem is. | | Gabe Newell once said that "Piracy is not a pricing issue. It's | a service issue". I believe this has been proven by | netflix/spotify as well. | | Is spam just a symptom of a much deeper problem? If so what is | it? Or is it naive to think of spam this way? | PragmaticPulp wrote: | > I wonder what the underlying problem is. | | The underlying problem is that a sufficiently motivated | spammer can target tens or hundreds of millions of people | with their spam without too much effort. | | As a result, every possible scam and spam with even the | slightest possibility of converting 0.00001% of recipients | can now be a viable spam campaign. | | The underlying problem is that it's so easy to scale spam to | a lot of targets. | bornfreddy wrote: | Yup. Just requesting the sender to solve some riddle (and | waste their energy in process) would turn the tables | completely because the cost of sending would be non-zero. | Unfortunately it would also mean that we would be | sacrificing our planet again. But maybe the difficulty of | the challenge could adapt according to some trust score? | structural wrote: | Spam is just the opposite, it is actually a pricing issue and | not a service issue. | | As long as the expected value per message of spam sent is | positive, someone in the world will send as many messages as | they are able to. You either fix this by raising their costs | so that spam no longer has a positive expected value, remove | their ability to send an unlimited number of messages, or | both. | | This is not exclusive to the e-mail system, robocalls are | still a major annoyance, and the global telephone system is | much more regulated. Mobile phones now automatically filter | calls, even! It's wild. | robertlagrant wrote: | I think the deeper problem is sending an email (or a billion | emails) triggers someone else's servers to do most of the | work. Email is beautifully cooperative computing, but that | means it can easily be taken advantage of. | andruby wrote: | I think it is different. With Piracy people want something | (product/service/media). The quote from Gabe is about the | fact that they are willing to pay for it, if it is convenient | and affordable. | | Nobody wants spam or the things promoted in the spam. The | companies want attention from the users. I think the better | version is targeted ads on Facebook, etc. Maybe that's the | closest analogy to Gabe's quote. | luckylion wrote: | > Nobody wants spam or the things promoted in the spam. | | Lots of people want Viagra without having to see a doctor. | There definitely is a market for it, and now there are | companies that do provide it, I wonder if this will cause | spam to shift to other products. | johannes1234321 wrote: | Many also wants to be heir to a Nigerian prince worth a | few million ... | luckylion wrote: | That's true! I had considered those to be scams rather | than "normal" spam. When I look at what my filter | catches, it broadly falls into three categories: scams, | viagra/dating/sex-related products, and every day | products ("buy this great ladder for your garage"). Too | bad you usually can't analyze how many clicks and sales | they generate. | katbyte wrote: | I think you can exclude Netflix from that list. Streaming | services have fractured into a dozen different ones so piracy | has come back. | | Still applies to games/music and probably audio books. | dogleash wrote: | Steam and Netflix made it possible for people to play/watch | media more easily than going to the pirate bay. | | What are spammers trying to accomplish, that a better product | would prevent them from using email (that isn't just them | shitting up the other service the way they shit up email)? | pcai wrote: | > Somebody joked that it would be better if we just paid them | that much to do nothing. | | I know this is in jest, but in economics there's this concept | called "induced demand" that comes to mind. | | "Public extortion" would be an interesting challenge, as it | would be difficult to solve the problem of "Hey why don't you | also pay ME to do nothing too?" | EGreg wrote: | Here's an idea | | Make a new protocol for this decade, that isn't email. | | HTTP is supported nearly everywhere SMTP is. Just build something | over that, and this time around make sure to avoid SPAM bullshit. | | People shouldn't be able to just message you based on your | address. They receive a capability to email you. People can be | empowered to give out your capabilities. If a particular such | branch leads to spam, you simply cut off that branch and boom, no | new user can reach you with that capability anymore. Hashes of | Public keys can identify users. | tayiorrobinson wrote: | I did training provided by a large email security firm, and one | thing the presenter said was along the lines of "this spam filter | defaults to block the senders domain & IP, you can set an | expiration on that block butI don't see a reason why you would". | One misconfigured server sending out a single email and I assume | by extension someone impersonating your domain could get you | perma-blocked from sending emails to that company, and I assume | it'd reduce your trust rating for other orgs using that provider. | psyfi wrote: | I hosted my mailman stack on VPS for some time, it worked well | | I stopped self-hosting because it's too much hassle, but it was | any difficult to maintain, (by difficult I mean complex) | | It didn't worth the time I spent though, so I quit, but I would | do it again if I need to | | If I had to maintain a server at home and my ISP blocks it, I | would get a VPS and host proxies on the VPS and use VPN tunnel to | keep the mails stored locally | | But I don't have any reason to do that currently, as well as most | people | ShowalkKama wrote: | >I implemented all the acronyms, secured antispam measures, | verified my domain, made sure my server is neither breached nor | used to relay actual spam, added new servers with supposedly | clean IPs from reputable providers, tried all the silver bullets | recommended by Hacker News, used kafkaesque request forms to | prove legitimity, contacted the admins of some blacklists. | | I cloned a repo, edited two lines in a yaml file, ran docker- | compose, logged into a web ui, added my domain, added a couple of | dns records (MX, spf, dkim, dmarc) and everything worked (yes, I | can deliver emails to gmail and outlook). | | I honestly have no idea why so many people say that self hosting | emails is hard. | [deleted] | nine_k wrote: | IP addresses and whole address blocks may have a bad karma: if | somebody ever sent spam from them, they may be marked as | untrusted in various databases, and unblocking them is pretty | hard. The filters prefer to err on the side of mis-marking a | few legitimate self-hosted emails, instead of passing a spam | salvo. | | Decentralized trust is still hard. | spijdar wrote: | You can deliver email to gmail and outlook until you ... can't. | Whether the IP block your mail server is on gets blacklisted, | some heuristic shifts against you (domain name becomes "bad" | and shifts a point score over a threshold for being spam), or | some other external factor happens, your perfectly configured | mail server will suddenly and possibly with no warning or sign | that it's failed, fail. | | For even personal mail this is pretty annoying, but if you're | relying on mail for business reasons, this is completely | unacceptable. You need to be able to assume that mail you send | reaches your clients/customers. The chance of your private mail | server getting banned might be low, but it's not low enough, | and over time that chance only increases (especially if you're | hosting from a server on big shared IP blocks with naughty | tenets like on most major cloud providers). | frostwarrior wrote: | Maybe it's a joke, but a problem I see in every "open source | self hosted alternative" is that people tend to underestimate | how much work is to self-host everything. | | It's either paid hosting like AWS, some intermediate docker- | compose solution or your own personal server machine. In every | case someone has to do the gritty work. It's either a paid | service, a volunteering open-source contributor, or you. | palata wrote: | I guess try to use it as your main e-mail for a few years and | you may see... ___________________________________________________________________ (page generated 2022-09-04 23:00 UTC)