[HN Gopher] Poste.io - Complete Mail Server
___________________________________________________________________
Poste.io - Complete Mail Server
Author : favourable
Score : 122 points
Date : 2023-02-22 19:57 UTC (3 hours ago)
(HTM) web link (poste.io)
(TXT) w3m dump (poste.io)
| sourcecodeplz wrote:
| If I want to send unlimited emails from my domain (not 500 max or
| 2000 per day) and I don't want to worry about hacks AND don't
| want to pay for overages, simple shared hosting is the (cheapest)
| way!?
| JadoJodo wrote:
| I _love_ playing around with (and sometimes actually) self-
| hosting stuff. But email is something that I will HAPPILY pay
| someone like FastMail or ProtonMail ~$5/mo to handle and save
| myself the hassle. It just works. I can add whatever
| subdomains/addresses/sending profiles/etc., and I don't ever have
| to think about data backups, blacklists, spam reputation, or any
| of the dozen other issues I've heard about since I became aware
| of how email hosting works in ~2006.
|
| Kudos to those of you in this thread who live the dream, though
| (really).
| sam_lowry_ wrote:
| Dovecot, Roundcube, ClamAV, Rspamd are all battle-tested and
| reasonable choices, but the choice of Haraka, a Node.js-based
| SMTP server, feels dubious.
|
| Why not exim or something similarly solid and well-understood?
| rnk wrote:
| They do have a nice list of features: SMTP + IMAP + POP3 +
| Antispam + Antivirus Web administration + Web email, ...on your
| server in ~5 minutes
|
| I was running helm (a hardware device plus mail with many of
| those features) but they couldn't get anywhere in the
| marketplace.
| dubcanada wrote:
| What is wrong with Haraka? It's like 10 years old.
| sam_lowry_ wrote:
| Node.js
| cvalka wrote:
| Postfix
| dsr_ wrote:
| I generally recommend replacing Roundcube with SnappyMail
| (https://snappymail.eu) -- not having to deal with a database
| by not maintaining much state is a win.
|
| I was expecting to see Postfix instead of Haraka. I wouldn't
| have been very surprised at exim.
| andix wrote:
| Does it sync contacts via CardDAV?
|
| I never understood what use Webmail is, if you can't access
| your contacts. Every email client I use, needs access to my
| contacts.
| stonogo wrote:
| What is solid about exim? Not only does it have more CVEs than
| any other mail transport agent (including _four_, all critical
| or high, _just last year_), they tend to respond by doing
| infamous things like releasing security patches on Christmas
| morning. I'm not the biggest fan of Haraka, but exim is easily
| the biggest security hassle you can ask for in an email server.
| zacharyvoase wrote:
| > All passwords are by default stored as salted SHA512 hash (5000
| rounds). Attackers will have hard time to crack your passwords.
|
| SHA512 isn't a good choice for this, because it's optimized for
| fast low-memory computation. Why not use bcrypt or argon2, which
| are industry-accepted best practices for password hashing?
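
The trade-off raised in the comment above, as an added Python example that is not part of the thread or Poste.io's code: a fast iterated SHA-512 record is verified and then upgraded to a memory-hard hash on the next successful login. It uses the standard library's scrypt as a memory-hard stand-in for the bcrypt/argon2 the commenter names; the record format, the cost parameters and the simplified iterated SHA-512 (not real sha512crypt) are assumptions.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters: each guess needs about 128 * N * r bytes.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def scrypt_memory_bytes(n=SCRYPT_N, r=SCRYPT_R):
    return 128 * n * r


def legacy_hash(password, salt, rounds=5000):
    """Stand-in for a fast scheme: salted, iterated SHA-512 (simplified)."""
    digest = salt + password.encode()
    for _ in range(rounds):
        digest = hashlib.sha512(salt + digest).digest()
    return f"sha512-iter${rounds}${salt.hex()}${digest.hex()}"


def _scrypt_record(password, salt, n, r, p):
    key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}:{r}:{p}${salt.hex()}${key.hex()}"


def scrypt_hash(password, salt=None):
    return _scrypt_record(password, salt or os.urandom(16),
                          SCRYPT_N, SCRYPT_R, SCRYPT_P)


def verify(password, stored):
    # Record layout (hypothetical): scheme$params$salt_hex$digest_hex
    scheme, params, salt_hex, _ = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "sha512-iter":
        candidate = legacy_hash(password, salt, int(params))
    elif scheme == "scrypt":
        n, r, p = (int(x) for x in params.split(":"))
        candidate = _scrypt_record(password, salt, n, r, p)
    else:
        return False
    return hmac.compare_digest(candidate, stored)  # constant-time compare


def login(password, stored):
    """Return (ok, record); a correct login on a legacy record is re-hashed."""
    if not verify(password, stored):
        return False, stored
    if not stored.startswith("scrypt$"):
        stored = scrypt_hash(password)
    return True, stored
```
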
| velcrovan wrote:
| First thought: oh, huh, a self-hosted CVE generator.
|
| In seriousness, installing Roundcube on my own server circa 2006
| was the cause of the first and only time I've had a server
| hacked. It's probably improved since then or it wouldn't still be
| around, but it put me off ever hosting my own email. The risks
| only get worse the further away you get from personal/hobby use.
| m348e912 wrote:
| >>First thought: oh, huh, a self-hosted CVE generator.
|
| Haha, same. I've run my own mail servers, got the tshirt, and
| don't want to have to do it again. Point your domain to one of
| a bazillion email services instead.
| foobarbecue wrote:
| Hm. Been running mailinabox since 2012 or so, no issues. I like
| the idea of consolidating executables a bit and simplifying the
| system, so I'll have a look at poste.io.
| fullstop wrote:
| I've used https://mailu.io. It works well, but your biggest
| problem is going to be getting over the spam filter hurdles of
| the email giants of the world. Even if everything is properly
| configured (including dkim / spf / whatever else they've added)
| your messages will get plopped in the spam folder.
| moremetadata wrote:
| >getting over the spam filter hurdles of the email giants of
| the world
|
| You mean global monopolies, for which there is no
| legislation. Ergo the US Govt is holding the rest of the world
| hostage via its tech companies.
| andix wrote:
| My experience is, that the "quality" of the mail server's IP
| really matters. The worst experience I got was with digital
| ocean. A lot of providers just don't accept email from their
| IP ranges. Some of them just completely block all DO IPs on
| router level, and refuse unblocking.
|
| For my current server I had to switch IPs a few times, until
| I got one that was not blocked by any of the major providers.
| Unblocking a once blacklisted IP seems to be practically
| impossible.
|
| And hotmail or outlook.com just mark a lot of email as spam.
| I see it now as a problem of the recipients. Office365 just
| accepts the same emails, it seems to be a strategy of the
| free mail providers, to give their non-paying customers a
| worse experience.
| fullstop wrote:
| We got a /24 at our data center and the reputation was,
| unfortunately, poor. I went through all of the public
| reputation lists and asked to be removed. It took about
| three months of incremental effort, but the reputation for
| the entire /24 is clean now.
|
| This is with a "real" mail server, and not mailu.io, but
| the idea is the same.
| andix wrote:
| I just went to my cloud provider of my choosing and
| started to add floating IPs. After a few tries I got a
| good one. I went through the unblocking process once, and
| I decided not to do it again. Especially Microsoft gave
| me a hard time, they started to request documents and
| then let me wait a few weeks until they replied: we don't
| unblock, and we don't tell you why.
| andix wrote:
| I've been hosting mail servers for over a decade now. They are all
| very low frequency, so probably not a lot of attackers find
| them. I try to enable as many automatic updates as possible,
| because I don't operate them professionally. Just every few
| months I check if all updates are installed, and if there is
| something wrong. So far I only had two hacked accounts
| (probably the users got phished or used compromised public PCs
| while logging in to webmail - the country of the attacker was
| the same where they were on holiday).
|
| So far no break-ins that I noticed. But it is for sure possible
| that somebody broke in without me noticing (and did nothing
| worth noticing).
| capableweb wrote:
| There are also basic forms of protection you should put in front
| of everything you make public, in order to reduce the attack
| surface. Firewall that blocks everything by default, strip all
| headers unless you veto them manually, aggressive rate-limiting
| you increase the limit only for specific IPs and so on.
|
| Putting up any type of software on an unprotected server even in
| 2006 is begging for trouble.
| velcrovan wrote:
| Define "unprotected". The particular server had a firewall
| and fail2ban along with other measures. But Roundcube is a
| webmail service, so you're leaving 443 open in any case. No
| amount of firewalls or rate limiting will help you if the
| thing you're running is a web service that turns out to have
| a SQL injection vulnerability in one of its endpoints.
|
| Email servers in particular are going to be under attack all
| day long just from normal email activity, and that's before
| you throw in any kind of web interface. It can be a big help
| to point your MX records at some other filtering service, but
| at that point why are you bothering hosting your own?
| oarsinsync wrote:
| I use http basic auth in front of every https internet
| exposed service.
|
| The services may have their own auth system on top of that,
| but htpasswd in front solves the vast majority of problems.
| Can't exploit an SQL injection vulnerability if you can't
| reach the endpoint in the first place.
|
| I'm less concerned about apache2 and nginx http basic auth
| vulnerabilities. They'll get fixed much quicker than random
| webapps.
|
| Anything else goes behind a VPN.
| sconi wrote:
| why not vpn for the https services?
| wankle wrote:
| I looked it over. If I were starting out today I might try it. I
| disagree with the usual horde of "ohh there be dragons in there"
| since I generally do not have blocking issues with
| deliverability.
|
| Gmail from my gmail to my personal email account the past couple
| of months can take anywhere from a minute to over an hour, that's
| been odd. Gmail from my gmail to one of my other gmail's or from
| Hotmail to my personal or from Yahoo to my personal are all fine.
|
| Delivering from my personal to my gmail has been fast and
| consistent. It's odd that from my own gmail to my own personal
| can sometimes be slow the past couple of months.
|
| Other than that though, I've found running my own server to be
| liberating to have the option. Probably doesn't mean anything any
| more but I feel good to be able to do it.
| that_courtney wrote:
| I feel like this solution is optimizing the wrong problem.
|
| The bulk of work with managing a mail server (these days) isn't
| software setup and admin. On the receiving side, it's all the
| work dealing with abuse and attacks. On the sending side -- and
| this is the tough one -- it's getting sites to accept your email.
| When I finally gave up managing my own mail server (about two
| years ago), I found that about every six months I was involved in
| some panic where some large mail provider (Microsoft and Google
| most frequently) decided they didn't want to accept email from my
| server. Solving these issues is neither easy nor quick.
|
| These days I'm very happy to pay somebody else to run email
| services using my provided domains.
| andix wrote:
| No, that kind of software optimizes a very important problem.
| It's quite cumbersome to set up all components of a mail server
| by yourself. At some point you start hosting a domain for a
| friend. Then the friend wants to create some mailboxes,
| forwardings and so on by themselves. So you just give them SSH
| and tell them to edit the postfix config? Having a web
| interface that does it all and doesn't break things is very
| important.
| richwater wrote:
| Who does this...?
| andix wrote:
| Giving out free email addresses to friends and family? Me.
|
| Hey, we are starting this charity and need email for 15
| people, what should we do? - order domain, create admin-
| account in the web interface, pass it on, done.
| anon291 wrote:
| simple-nixos-mailserver... One step deploy. Hasn't broken in
| years (it's never broken for me). Extremely stable. Can
| handle all your use cases. Declarative config, so no messy
| state.
| stonogo wrote:
| This problem is solvable without a web interface:
| https://manpages.ubuntu.com/manpages/bionic/man5/dot-
| qmail.5...
| andix wrote:
| How many people understand that man page, and how many
| people understand a web interface? I think it's a clear
| winner.
| c0l0 wrote:
| Having been a part-time postmaster for more than a decade by
| now, I fully agree, and would even go further: Ingress spam is
| pretty much a solved problem if you play your cards right.
| ChatGPT et al. might change that again - but the mechanisms you
| can deploy today are very effective against the current UBE
| landscape.
|
| The _real_ problem is reliably getting your 100% legit mail
| into your consenting recipients' inboxes.
| user3939382 wrote:
| > The _real_ problem is reliably getting your 100% legit mail
| into your consenting recipients' inboxes
|
| It's amazing that having someone in your address book isn't
| enough in many cases. Like, why?
| layer8 wrote:
| Because the from address can be forged, probably.
| rspoerri wrote:
| from can be forged, but spf is there so only valid
| servers can send mail (or at least non valid can be
| filtered).
| layer8 wrote:
| SPF can break with email forwarding (though DKIM usually
| shouldn't).
| c0l0 wrote:
| Not really a problem in the age of DKIM, _if_ you want to
| solve it.
| stevenjgarner wrote:
| Even with DKIM, all you need is the recipient of one
| email from one user on one domain (I have hundreds of
| domains) of your mail server to file a spam report, and
| WHAM you are blacklisted. So yes, it is a problem even
| with DKIM. If you have a solution, I would LOVE to hear
| about it.
| layer8 wrote:
| If you're blacklisted, the mail usually doesn't even
| reach the spam folder.
| mbreese wrote:
| I file this under "you can't have a technical solution to
| a social problem". We can do all we want to protect
| e-mail, but when it comes down to it, someone is going to
| figure out a way around it and ruin it for others.
|
| The current situation is that we have technical solutions
| for authenticating smtp sending domains. But there will
| always be someone who flags an email too quickly or just
| wants to spite you. And so we're back at square one.
| layer8 wrote:
| Yeah, it may be a combination of "not everybody uses
| DKIM" and "too few users actually use their address
| book".
| roywashere wrote:
| I hosted my own mail for some time and got into trouble with
| the school of my kids because they did not receive my reply to
| their mail.
|
| I self hosted because I preferred not to be part of the
| huge o365/Gmail/iCloud monocultures.
|
| Last year I moved my mail to an old fashioned shared webhosting
| account at Hetzner. Very happy with it!
| ascar wrote:
| > Last year I moved my mail to an old fashioned shared
| webhosting account at Hetzner. Very happy with it!
|
| How exactly is that solving the problem? If anyone does
| something remotely spammy from that ip, your mails are spam
| again too. And you probably got lucky that the ip you're
| sitting on was warm and trusted to begin with. You didn't
| really find a solution, the problem simply hasn't occurred
| yet for you or you are not aware of it yet.
|
| GP is right. Self hosting email sending (and by that I mean
| any solution where you control the mail server) doesn't work
| unless you accept that you will randomly end up in spam
| folders and sometimes not delivered at all.
| nik736 wrote:
| Any solution for CalDAV?
| arthurcolle wrote:
| If I was running a service that required parsing emails from
| external sources, could I easily write a script that could parse
| inbound emails and then do $SOMETHING with them easily? If so,
| where would that sit in Poste?
| _joel wrote:
| Done mail admin for 20+ years at unis/ISPs etc.. still use
| fastmail for my personal stuff now.
| rkagerer wrote:
| Was interested to learn more but the poor English in the first
| couple paragraphs of their page turned me away.
| pharos92 wrote:
| I really have zero complaints or reason to move off Mailcow
|
| https://mailcow.email/
| stofzuiger wrote:
| Does not run on anything other than x64. Otherwise it's
| perfect.
| andix wrote:
| If you want to host email on your raspberry at home, your
| main issue is usually that your IP will be in a known "dial-up"
| IP range, that is blocked by all major email providers.
| And most home internet providers block port 25 too. And you
| need a fixed IP, it's a nightmare if your mail server's ip
| ever changes.
| flangola7 wrote:
| Who is running a mail server on their phone?
| mcmcmc wrote:
| Probably no one, but plenty of people run services on SBCs
| Mazzen wrote:
| Equally happy! Would recommend!
| andix wrote:
| I evaluated it once, and ended up using https://mailcow.email
|
| I think the fact that it includes SoGO with Cal/CardDAV and
| active sync was the main reason, poste.io doesn't seem to provide
| a solution for contacts and calendars.
|
| I'm still very happy with mailcow. And they include all features
| in the free version.
| koen_hendriks wrote:
| [dead]
| stevenjgarner wrote:
| >> User database is stored in SQLite database - in file
|
| How much of the configuration can be data-driven from SQL
| sources? Just the users? What about multiple domains? Aliases?
| etc. Something like the MySQL interface with PostFix [1]
|
| [1] https://www.postfix-tutorial.com/
___________________________________________________________________
(page generated 2023-02-22 23:00 UTC)