[HN Gopher] Poste.io - Complete Mail Server
___________________________________________________________________
Poste.io - Complete Mail Server

Author : favourable
Score  : 122 points
Date   : 2023-02-22 19:57 UTC (3 hours ago)

(HTM) web link (poste.io)
(TXT) w3m dump (poste.io)

sourcecodeplz wrote:
| If I want to send unlimited emails from my domain (not 500 max or
| 2000 per day) and I don't want to worry about hacks AND don't
| want to pay for overages, simple shared hosting is the (cheapest)
| way!?

JadoJodo wrote:
| I _love_ playing around with (and sometimes actually)
| self-hosting stuff. But email is something that I will HAPPILY pay
| someone like FastMail or ProtonMail ~$5/mo to handle and avoid
| myself the hassle. It just works. I can add whatever
| subdomains/addresses/sending profiles/etc., and I don't ever have
| to think about data backups, blacklists, spam reputation, or any
| of the dozen other issues I've heard about since I became aware
| of how email hosting works in ~2006.
|
| Kudos to those of you in this thread who live the dream, though
| (really).

sam_lowry_ wrote:
| Dovecot, Roundcube, ClamAV, Rspamd are all battle-tested and
| reasonable choices, but the choice of Haraka, a Node.js-based
| SMTP server, feels dubious.
|
| Why not exim or something similarly solid and well-understood?

rnk wrote:
| They do have a nice list of features: SMTP + IMAP + POP3 +
| Antispam + Antivirus Web administration + Web email, ...on your
| server in ~5 minutes
|
| I was running helm (a hardware device plus mail with many of
| those features) but they couldn't get anywhere in the
| marketplace.

dubcanada wrote:
| What is wrong with Haraka? It's like 10 years old.

sam_lowry_ wrote:
| Node.js

cvalka wrote:
| Postfix

dsr_ wrote:
| I generally recommend replacing Roundcube with SnappyMail
| (https://snappymail.eu) -- not having to deal with a database
| by not maintaining much state is a win.
|
| I was expecting to see Postfix instead of Haraka.
| I wouldn't have been very surprised at exim.

andix wrote:
| Does it sync contacts via CardDAV?
|
| I never understood what use Webmail is, if you can't access
| your contacts. Every email client I use, needs access to my
| contacts.

stonogo wrote:
| What is solid about exim? Not only does it have more CVEs than
| any other mail transport agent (including _four_, all critical
| or high, _just last year_), they tend to respond by doing
| infamous things like releasing security patches on Christmas
| morning. I'm not the biggest fan of Haraka, but exim is easily
| the biggest security hassle you can ask for in an email server.

zacharyvoase wrote:
| > All passwords are by default stored as salted SHA512 hash (5000
| > rounds). Attackers will have hard time to crack your passwords.
|
| SHA512 isn't a good choice for this, because it's optimized for
| fast low-memory computation. Why not use bcrypt or argon2, which
| are industry-accepted best practices for password hashing?

velcrovan wrote:
| First thought: oh, huh, a self-hosted CVE generator.
|
| In seriousness, installing Roundcube on my own server circa 2006
| was the cause of the first and only time I've had a server
| hacked. It's probably improved since then or it wouldn't still be
| around, but it put me off ever hosting my own email. The risks
| only get worse the further away you get from personal/hobby use.

m348e912 wrote:
| >> First thought: oh, huh, a self-hosted CVE generator.
|
| Haha, same. I've run my own mail servers, got the tshirt, and
| don't want to have to do it again. Point your domain to one of
| a bazillion email services instead.

foobarbecue wrote:
| Hm. Been running mailinabox since 2012 or so, no issues. I like
| the idea of consolidating executables a bit and simplifying the
| system, so I'll have a look at poste.io.

fullstop wrote:
| I've used https://mailu.io.
| It works well, but your biggest
| problem is going to be getting over the spam filter hurdles of
| the email giants of the world. Even if everything is properly
| configured (including dkim / spf / whatever else they've added)
| your messages will get plopped in the spam folder.

moremetadata wrote:
| > getting over the spam filter hurdles of the email giants of
| > the world
|
| You mean global monopolies, for which there is no legislation.
| Ergo the US Govt is holding the rest of the world
| hostage via its tech companies.

andix wrote:
| My experience is that the "quality" of the mail server's IP
| really matters. The worst experience I got was with digital
| ocean. A lot of providers just don't accept email from their
| IP ranges. Some of them just completely block all DO IPs on
| router level, and refuse unblocking.
|
| For my current server I had to switch IPs a few times, until
| I got one that was not blocked by any of the major providers.
| Unblocking a once blacklisted IP seems to be practically
| impossible.
|
| And hotmail or outlook.com just mark a lot of email as spam.
| I see it now as a problem of the recipients. Office365 just
| accepts the same emails, it seems to be a strategy of the
| free mail providers, to give their non-paying customers a
| worse experience.

fullstop wrote:
| We got a /24 at our data center and the reputation was,
| unfortunately, poor. I went through all of the public
| reputation lists and asked to be removed. It took about
| three months of incremental effort, but the reputation for
| the entire /24 is clean now.
|
| This is with a "real" mail server, and not mailu.io, but
| the idea is the same.

andix wrote:
| I just went to my cloud provider of my choosing and
| started to add floating IPs. After a few tries I got a
| good one. I went through the unblocking process once, and
| I decided not to do it again.
| Especially Microsoft gave
| me a hard time, they started to request documents and
| then let me wait a few weeks until they replied: we don't
| unblock, and we don't tell you why.

andix wrote:
| I'm hosting mail servers for over a decade now. They are all
| very low frequency, so probably not a lot of attackers find
| them. I try to enable as many automatic updates as possible,
| because I don't operate them professionally. Just every few
| months I check if all updates are installed, and if there is
| something wrong. So far I only had two hacked accounts
| (probably the users got phished or used compromised public PCs
| while logging in to webmail - the country of the attacker was
| the same where they were on holiday).
|
| So far no break-ins that I noticed. But it is for sure possible
| that somebody broke in without me noticing (and did nothing
| worth noticing).

capableweb wrote:
| There are also basic forms of protection you should put in front
| of everything you make public, in order to reduce the attack
| surface. Firewall that blocks everything by default, strip all
| headers unless you veto them manually, aggressive rate-limiting
| you increase the limit only for specific IPs and so on.
|
| Putting up any type of software on an unprotected server even in
| 2006 is begging for trouble.

velcrovan wrote:
| Define "unprotected". The particular server had a firewall
| and fail2ban along with other measures. But Roundcube is a
| webmail service, so you're leaving 443 open in any case. No
| amount of firewalls or rate limiting will help you if the
| thing you're running is a web service that turns out to have
| a SQL injection vulnerability in one of its endpoints.
|
| Email servers in particular are going to be under attack all
| day long just from normal email activity, and that's before
| you throw in any kind of web interface.
| It can be a big help
| to point your MX records at some other filtering service, but
| at that point why are you bothering hosting your own?

oarsinsync wrote:
| I use http basic auth in front of every https internet
| exposed service.
|
| The services may have their own auth system on top of that,
| but htpasswd in front solves the vast majority of problems.
| Can't exploit an SQL injection vulnerability if you can't
| reach the endpoint in the first place.
|
| I'm less concerned about apache2 and nginx http basic auth
| vulnerabilities. They'll get fixed much quicker than random
| webapps.
|
| Anything else goes behind a VPN.

sconi wrote:
| why not vpn for the https services?

wankle wrote:
| I looked it over. If I were starting out today I might try it. I
| disagree with the usual horde of "ohh there be dragons in there"
| since I generally do not have blocking issues with
| deliverability.
|
| Gmail from my gmail to my personal email account the past couple
| of months can take anywhere from a minute to over an hour, that's
| been odd. Gmail from my gmail to one of my other gmail's or from
| Hotmail to my personal or from Yahoo to my personal are all fine.
|
| Delivering from my personal to my gmail has been fast and
| consistent. It's odd that from my own gmail to my own personal
| can sometimes be slow the past couple of months.
|
| Other than that though, I've found running my own server to be
| liberating to have the option. Probably doesn't mean anything any
| more but I feel good to be able to do it.

that_courtney wrote:
| I feel like this solution is optimizing the wrong problem.
|
| The bulk of work with managing a mail server (these days) isn't
| software setup and admin. On the receiving side, it's all the
| work dealing with abuse and attacks. On the sending side -- and
| this is the tough one -- it's getting sites to accept your email.
|
| When I finally gave up managing my own mail server (about two
| years ago), I found that about every six months I was involved in
| some panic where some large mail provider (Microsoft and Google
| most frequently) decided they didn't want to accept email from my
| server. Solving these issues is neither easy nor quick.
|
| These days I'm very happy to pay somebody else to run email
| services using my provided domains.

andix wrote:
| No, that kind of software optimizes a very important problem.
| It's quite cumbersome to set up all components of a mail server
| by yourself. At some point you start hosting a domain for a
| friend. Then the friend wants to create some mailboxes,
| forwardings and so on by themselves. So you just give them SSH
| and tell them to edit the postfix config? Having a web
| interface that does it all and doesn't break things is very
| important.

richwater wrote:
| Who does this...?

andix wrote:
| Giving out free email addresses to friends and family? Me.
|
| Hey, we are starting this charity and need email for 15
| people, what should we do? - order domain, create
| admin-account in the web interface, pass it on, done.

anon291 wrote:
| simple-nixos-mailserver... One step deploy. Hasn't broken in
| years (it's never broken for me). Extremely stable. Can
| handle all your use cases. Declarative config, so no messy
| state.

stonogo wrote:
| This problem is solvable without a web interface:
| https://manpages.ubuntu.com/manpages/bionic/man5/dot-qmail.5...

andix wrote:
| How many people understand that man page, and how many
| people understand a web interface? I think it's a clear
| winner.

c0l0 wrote:
| Having been a part-time postmaster for more than a decade by
| now, I fully agree, and would even go further: Ingress spam is
| pretty much a solved problem if you play your cards right.
| ChatGPT et al.
| might change that again - but the mechanisms you
| can deploy today are very effective against the current UBE
| landscape.
|
| The _real_ problem is reliably getting your 100% legit mail
| into your consenting recipients' inboxes.

user3939382 wrote:
| > The _real_ problem is reliably getting your 100% legit mail
| > into your consenting recipients' inboxes
|
| It's amazing that having someone in your address book isn't
| enough in many cases. Like, why?

layer8 wrote:
| Because the from address can be forged, probably.

rspoerri wrote:
| from can be forged, but spf is there so only valid
| servers can send mail (or at least non valid can be
| filtered).

layer8 wrote:
| SPF can break with email forwarding (though DKIM usually
| shouldn't).

c0l0 wrote:
| Not really a problem in the age of DKIM, _if_ you want to
| solve it.

stevenjgarner wrote:
| Even with DKIM, all you need is the recipient of one
| email from one user on one domain (I have hundreds of
| domains) of your mail server to file a spam report, and
| WHAM you are blacklisted. So yes, it is a problem even
| with DKIM. If you have a solution, I would LOVE to hear
| about it.

layer8 wrote:
| If you're blacklisted, the mail usually doesn't even
| reach the spam folder.

mbreese wrote:
| I file this under "you can't have a technical solution to
| a social problem". We can do all we want to protect
| e-mail, but when it comes down to it, someone is going to
| figure out a way around it and ruin it for others.
|
| The current situation is that we have technical solutions
| for authenticating smtp sending domains. But there will
| always be someone who flags an email too quickly or just
| wants to spite you. And so we're back at square one.

layer8 wrote:
| Yeah, it may be a combination of "not everybody uses
| DKIM" and "too few users actually use their address
| book".
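The SPF-versus-forwarding point in the exchange above, shown as an added example (not code from the thread or from poste.io): a minimal SPF evaluator run against constructed SPF records, where the same message passes when the sender's own MTA or an included relay connects, and fails once a third-party forwarder re-sends it from its own IP. DKIM, which signs headers and body rather than the connecting IP, survives that hop unchanged and is not modelled here. The domains and addresses are sample data.

```python
import ipaddress

# Constructed sample SPF records standing in for DNS TXT lookups (not real domains).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:203.0.113.10 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Minimal SPF evaluator supporting ip4, include and all (RFC 7208 subset).

    The only input that matters is the IP of the host *connecting* to the
    receiver, which is why a forwarder's IP breaks the check."""
    if depth > 10:  # RFC 7208 caps include recursion
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qualifier]
        elif term.startswith("include:"):
            if check_spf(term[8:], client_ip, depth + 1) == "pass":
                return QUALIFIER[qualifier]
        elif term == "all":
            return QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def delivery_scenarios(sender_domain="example.org"):
    """Same message, three delivery paths; only the connecting IP differs."""
    return {
        "direct": check_spf(sender_domain, "203.0.113.10"),     # the domain's own MTA
        "via_relay": check_spf(sender_domain, "198.51.100.7"),  # relay covered by include:
        "forwarded": check_spf(sender_domain, "192.0.2.50"),    # third-party forwarder
    }


if __name__ == "__main__":
    for path, result in delivery_scenarios().items():
        print(f"{path:10s} -> {result}")
```

Forwarders that rewrite the envelope sender to their own domain (SRS) avoid this failure, which is why a receiver that only trusts SPF treats plain forwarding as forgery.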
roywashere wrote:
| I hosted my own mail for some time and got into trouble with
| the school of my kids because they did not receive my reply to
| their mail.
|
| I self hosted because I wanted to prefer not to be part of the
| huge o365/Gmail/iCloud monocultures.
|
| Last year I moved my mail to an old fashioned shared webhosting
| account at Hetzner. Very happy with it!

ascar wrote:
| > Last year I moved my mail to an old fashioned shared
| > webhosting account at Hetzner. Very happy with it!
|
| How exactly is that solving the problem? If anyone does
| something remotely spammy from that ip, your mails are spam
| again too. And you probably got lucky that the ip you're
| sitting on was warm and trusted to begin with. You didn't
| really find a solution, the problem simply hasn't occurred
| yet for you or you are not aware of it yet.
|
| GP is right. Self hosting email sending (and by that I mean
| any solution where you control the mail server) doesn't work
| unless you accept that you will randomly end up in spam
| folders and sometimes not delivered at all.

nik736 wrote:
| Any solution for CalDAV?

arthurcolle wrote:
| If I was running a service that required parsing emails from
| external sources, could I easily write a script that could parse
| inbound emails and then do $SOMETHING with them easily? If so,
| where would that sit in Poste?

_joel wrote:
| Done mail admin for 20+ years at unis/ISPs etc.. still use
| fastmail for my personal stuff now.

rkagerer wrote:
| Was interested to learn more but the poor English in the first
| couple paragraphs of their page turned me away.

pharos92 wrote:
| I really have zero complaints or reason to move off Mailcow
|
| https://mailcow.email/

stofzuiger wrote:
| Does not run on anything other than x64. Otherwise it's
| perfect.
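Returning to zacharyvoase's point earlier in the thread about "salted SHA512 hash (5000 rounds)": an added example (not poste.io's code or storage format) of how an operator can move an existing user database to a memory-hard hash without forcing password resets. The `$sha512-iter$` format and `legacy_sha512` are a constructed, simplified stand-in for iterated salted SHA-512 (not glibc's exact sha512-crypt); the replacement uses scrypt from the standard library because argon2 and bcrypt need third-party packages. Each user is rehashed at their next successful login, the only moment the plaintext is available.

```python
import base64
import hashlib
import hmac
import os

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # memory-hard: ~16 MiB per guess


def _b64(raw):
    return base64.b64encode(raw).decode()  # base64 never contains "$", safe as a field


def legacy_sha512(password, salt, rounds=5000):
    """Constructed stand-in for 'salted SHA512, 5000 rounds': iterating a fast
    hash costs microseconds and no memory per guess, so GPUs parallelise it well."""
    digest = salt + password.encode()
    for _ in range(rounds):
        digest = hashlib.sha512(digest).digest()
    return digest


def make_legacy(password, salt=None):
    salt = salt or os.urandom(16)
    return f"$sha512-iter$5000${_b64(salt)}${_b64(legacy_sha512(password, salt))}"


def make_scrypt(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, maxmem=2 ** 26)
    return f"$scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify(stored, password):
    """Constant-time comparison for either stored format; unknown schemes never verify."""
    fields = stored.split("$")
    scheme = fields[1] if len(fields) > 1 else ""
    if scheme == "sha512-iter":
        rounds, salt, expected = int(fields[2]), base64.b64decode(fields[3]), base64.b64decode(fields[4])
        return hmac.compare_digest(legacy_sha512(password, salt, rounds), expected)
    if scheme == "scrypt":
        n, r, p = int(fields[2]), int(fields[3]), int(fields[4])
        salt, expected = base64.b64decode(fields[5]), base64.b64decode(fields[6])
        actual = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, maxmem=2 ** 26)
        return hmac.compare_digest(actual, expected)
    return False


def login_and_upgrade(stored, password):
    """Check a login; on success with a legacy hash, return the scrypt hash to write back."""
    if not verify(stored, password):
        return False, stored
    if stored.startswith("$scrypt$"):
        return True, stored
    return True, make_scrypt(password)
```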
andix wrote:
| If you want to host email on your raspberry at home, your
| main issue is usually that your IP will be in a known "dial-up"
| IP range, that is blocked by all major email providers.
| And most home internet providers block port 25 too. And you
| need a fixed IP, it's a nightmare if your mail server's ip
| ever changes.

flangola7 wrote:
| Who is running a mail server on their phone?

mcmcmc wrote:
| Probably no one, but plenty of people run services on SBCs

Mazzen wrote:
| Equally happy! Would recommend!

andix wrote:
| I evaluated it once, and ended up using https://mailcow.email
|
| I think the fact that it includes SoGO with Cal/CardDAV and
| active sync was the main reason, poste.io doesn't seem to provide
| a solution for contacts and calendars.
|
| I'm still very happy with mailcow. And they include all features
| in the free version.

koen_hendriks wrote:
| [dead]

stevenjgarner wrote:
| >> User database is stored in SQLite database - in file
|
| How much of the configuration can be data-driven from SQL
| sources? Just the users? What about multiple domains? Aliases?
| etc. Something like the MySQL interface with PostFix [1]
|
| [1] https://www.postfix-tutorial.com/
___________________________________________________________________
(page generated 2023-02-22 23:00 UTC)