💾 Archived View for diesenbacher.net › blog › entries › run-your-own-mailserver.gmi captured on 2024-06-16 at 12:08:43. Gemini links have been rewritten to link to archived content
On my journey to stop $BIG-CORPORATION[1] from having power over my own data, and to make the net decentralized again, I finally took another step forward and started running my own mail server again.
I am deeply convinced that decentralization and open standards (so that YOU can use whatever software you like on YOUR data) are a necessity for a free internet. Otherwise [Enshittification] will progress, and we are doomed to serve an oligarchy of corporations on the net...[2]
The last time I ran my own mail server was about 25 years ago. Things have changed in the meantime and got more complicated: DMARC (on top of SPF and DKIM), TLS certificates, etc. Email is a rather hostile environment; there is always the danger that your mail server ends up on a blocklist run by some rather obscure service. Even misbehaving servers in your IP neighborhood can affect whether other mail servers accept mail from you.
But I strongly object to the saying "email is so complicated, leave it to the experts like Google, Microsoft, ...". Digging into the documentation, getting familiar with current practices, and the actual setup and configuration of my email service took me only about half a day.
And the outcome - on the one hand a fine email setup under my own governance, on the other hand having learned a lot about how email works today - was certainly worth the investment of half a day!
Of course the first thing you need is a domain (and control over its DNS). Be aware that a newly registered domain is itself a penalty with many reputation services for the first week (sometimes up to a month), so be patient before relying on it for mail. Besides the forward records in your zone (A/AAAA for the host, MX, and the SPF, DKIM and DMARC TXT records), make sure the reverse DNS (PTR) of the server's IP address resolves to the hostname your server announces itself with; that record is set at the hosting provider, not in your zone, and a missing or mismatched PTR is a common reason for outright rejection. For DNS hosting I have been using [gandi] for about 20 years, with no complaints so far.
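The interplay of SPF, DKIM and DMARC is where much of the added complexity lives, and the SPF and DMARC TXT records are easy to get subtly wrong: an SPF record ending in "+all" authorizes the whole internet to send as your domain, and a DMARC policy of "p=none" only asks receivers for reports without rejecting anything. The following script is an added example, not part of the original post: it lints SPF and DMARC records offline, with constructed sample records (the names example.org and mail.example.org are placeholders) standing in for the real ones, and shows the weak settings beside the acceptable ones.

```shell
#!/bin/sh
# Added example (not from the original post): offline lint of the SPF and
# DMARC TXT records a mail domain publishes. The records below are constructed
# samples; in practice feed the functions the output of
#   dig +short TXT example.org         (SPF)
#   dig +short TXT _dmarc.example.org  (DMARC)

# Constructed sample records, weak beside acceptable.
SPF_WEAK='v=spf1 mx a +all'
SPF_SOFT='v=spf1 mx a ~all'
SPF_OK='v=spf1 mx a:mail.example.org -all'
DMARC_WEAK='v=DMARC1; p=none; rua=mailto:dmarc@example.org'
DMARC_OK='v=DMARC1; p=reject; rua=mailto:dmarc@example.org; adkim=s; aspf=s'

# spf_verdict RECORD: prints a verdict, returns 0 only for an acceptable record.
# SPF mechanisms are evaluated left to right and "all" matches every sender,
# so the qualifier on the final "all" decides what happens to hosts you did
# not list. A bare "all" is the same as "+all".
spf_verdict() {
	case "$1" in
		'v=spf1 '*|'v=spf1') ;;
		*) echo "not an SPF record"; return 1 ;;
	esac
	case " $1 " in
		*' +all '*|*' all '*) echo "permits any sender (+all)"; return 1 ;;
		*' ?all '*) echo "neutral (?all): no protection"; return 1 ;;
		*' ~all '*) echo "softfail (~all): spoofed mail is still delivered"; return 1 ;;
		*' -all '*) echo "ok: hard fail for unlisted senders"; return 0 ;;
		*) echo "no terminating all mechanism"; return 1 ;;
	esac
}

# dmarc_tag RECORD TAG: prints the value of TAG (e.g. p, rua) or nothing.
# DMARC tags are "name=value" pairs separated by semicolons.
dmarc_tag() {
	printf '%s\n' "$1" | tr ';' '\n' \
		| sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]]*\).*/\1/p" | head -n 1
}

# dmarc_verdict RECORD: returns 0 only if the policy actually rejects or
# quarantines mail that fails alignment; p=none is monitoring only.
dmarc_verdict() {
	case "$1" in
		'v=DMARC1'*) ;;
		*) echo "not a DMARC record"; return 1 ;;
	esac
	policy=$(dmarc_tag "$1" p)
	case "$policy" in
		reject)     echo "ok: p=reject"; return 0 ;;
		quarantine) echo "ok: p=quarantine"; return 0 ;;
		none)       echo "p=none: monitoring only, spoofed mail is delivered"; return 1 ;;
		'')         echo "missing p= tag"; return 1 ;;
		*)          echo "unknown policy: $policy"; return 1 ;;
	esac
}

for r in "$SPF_WEAK" "$SPF_SOFT" "$SPF_OK"; do
	printf '%-40s -> %s\n' "$r" "$(spf_verdict "$r")"
done
for r in "$DMARC_WEAK" "$DMARC_OK"; do
	printf '%-75s -> %s\n' "$r" "$(dmarc_verdict "$r")"
done
```

The DKIM side is not linted here because its correctness depends on the key material: the public key lives in a TXT record at selector._domainkey.example.org of the form "v=DKIM1; k=rsa; p=...", and an empty p= means the key has been revoked. Start with p=none in DMARC only while you read the aggregate reports, then move to quarantine or reject; a domain that stays at p=none gains nothing from DMARC.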
Second, you need a physical or virtual machine running your email server 24/7. When choosing a hosting partner, be aware that not every hosting service allows you to run your own mail server (many block outbound port 25 by default); they are probably afraid that you misconfigure it and pollute their IP neighborhood, as mentioned above.
I can highly recommend [OpenBSD Amsterdam] for a small to medium non-profit setup. You get a virtual OpenBSD[3] server for a fair price, and they donate part of your rent to the OpenBSD Foundation.
Next you have to decide what your setup will look like. You certainly need an [SMTP] server for receiving and sending email, and a strategy for accessing your received email, e.g. via [IMAP], [POP3], or more obscure methods such as simply copying your Maildir via rsync.
I chose:
Obtaining the necessary certificates from [let's encrypt] for the SMTP server I handle with acme-client and httpd (both part of the OpenBSD base system). Benefit: having set up httpd, it also serves my web page / this blog. Keep in mind that the certificate expires after 90 days, so renewal has to run unattended, and the daemons that loaded the certificate have to be reloaded afterwards or they will keep presenting the old one.
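As an added example (not the author's actual configuration), here is what that setup looks like in the base-system config files. The hostname mail.example.org, the file paths and the 02:00 cron slot are placeholders, and the smtpd.conf fragment assumes OpenSMTPD, which the post does not name explicitly.

```conf
# /etc/acme-client.conf (hypothetical hostname mail.example.org)
authority letsencrypt {
	api url "https://acme-v02.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}

domain mail.example.org {
	alternative names { example.org }
	domain key "/etc/ssl/private/mail.example.org.key"
	domain full chain certificate "/etc/ssl/mail.example.org.fullchain.pem"
	sign with letsencrypt
}

# /etc/httpd.conf: answer the HTTP-01 challenge on port 80 from /acme,
# send everything else to HTTPS
server "mail.example.org" {
	alias "example.org"
	listen on * port 80
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	location * {
		block return 302 "https://$HTTP_HOST$REQUEST_URI"
	}
}

# /etc/mail/smtpd.conf fragment (assumes OpenSMTPD): present the same
# certificate on port 25 (opportunistic TLS) and on submission (TLS required,
# authenticated)
pki mail.example.org cert "/etc/ssl/mail.example.org.fullchain.pem"
pki mail.example.org key  "/etc/ssl/private/mail.example.org.key"
listen on egress tls pki mail.example.org
listen on egress port submission tls-require pki mail.example.org auth

# root's crontab: try a renewal nightly; acme-client exits 0 only when the
# certificate actually changed (2 means nothing to do), so the reloads run
# only after a renewal.
0 2 * * * acme-client mail.example.org && rcctl reload httpd && rcctl restart smtpd
```

The first certificate is obtained by running acme-client -v mail.example.org once by hand after httpd is up. If you also run an IMAP daemon, point it at the same two files and add it to the reload chain, otherwise IMAP clients will start complaining about an expired certificate three months later.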
Regarding user management (adding users, etc.), I handle everything with the ordinary OpenBSD user management tools (useradd, etc.). If you want to prevent your users from logging in to the server, just give them /sbin/nologin as shell. On OpenBSD this blocks interactive logins (console, ssh) but does not break password authentication for IMAP or SMTP submission, because those daemons verify the password through bsd_auth rather than starting the user's login shell. For the typical family or small-organization setup that's IMHO sufficient.
For the specific configuration and setup I consulted the corresponding OpenBSD man pages (a fabulous read, as always) and the following blog posts:
https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/
https://blog.obtusenet.com/byoes-build-your-own-email-server/
https://www.tumfatig.net/2023/self-hosted-email-services-on-openbsd/
https://sr.ht/~guidocella/personal-email-server-guide/
Where I haven't found a proper solution is redundancy and backup. Normally you would add a second MX record with a lower priority (a higher preference number) as backup; senders use it when the MX with the highest priority is not reachable. But for that to actually make sense you need an additional server, probably on another machine or, even better, in another data center. A backup MX also has to apply the same recipient validation and spam filtering as the primary: a backup that accepts everything and forwards it later is a favorite target of spammers precisely because it bypasses the primary's checks, and it turns your primary into a source of bounces to forged senders.
On the other hand, if a sending mail server can't connect to the destination, it is required to queue the message and retry later, typically for several days before giving up. Currently I assume OpenBSD.amsterdam won't have more than 1-2 days of downtime per year, so for a privately run mail server it seems bearable to run with just this one instance. Of course you still have to do ordinary backups of data and config files for the worst case, where you have to fully re-establish the environment, e.g. after a disaster.
If you don't need special spam-fighting mechanisms, that's it. Doesn't sound that complicated, does it? I can fully recommend going down that path; as mentioned, I learned a lot, and it actually feels good to be in charge of my own email again, without advertising, AI, or whatever algorithm sniffing through my mail (at least on my side).
Footnotes
_________
[1] Yep, I am aware: actually working for a kind of $BIG-CORPORATION myself, this is a hypocritical statement.
[2] Please read [THE INTERNET CON: HOW TO SEIZE THE MEANS OF COMPUTATION].
[3] I am a big fan of [OpenBSD]. Secure, rock-stable and probably the best-documented unix-like operating system available. I switched nearly all my server-side projects to OpenBSD about 10 years ago and never regretted that choice.