[ale] Why Run your own email server?

Alex Carver agcarver+ale at acarver.net
Thu Sep 29 21:15:03 EDT 2016


Actually, I do have my own physical server in addition to sucking down
the free service emails and leaving those accounts blank.  It was a bit
of a pain at first (and I did get blacklisted once when the server was
rooted[1]) but it's gotten much easier since then.  My server is
personal so the only account on it is me.  I run it at home on my DSL
line and I take a glance at the logs every couple days looking for
probes.  When I find one, I drop the entire subnet (I use ipset to bring
in a totally different thread).  Spam is virtually non-existent now.
For anything I can't or won't block directly the ACLs take care of spam
detection (Spamhaus RBL, plus some generous rules for headers like no
spoofing my own domain, localhost, etc.)

I get one or two messages per month that manage to make it through the
filters and into the inbox.

I have SSL set up for transport.  If I send email from my phone, it
connects and sends through the server with a SASL authenticated
connection.  Any other inbound connection is requested to set up an
SSL encrypted connection first.  The vast majority of servers that send
me email will encrypt:

ale-bounces at ale.org H=mail.ale.org (www.ale.org) [209.195.3.75]
I=[10.0.0.6]:25 P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256
S=4048 id=20160929204555.6cc3df2e at mydesk.domain.cxm


I almost spend no time on it now other than making sure it stays patched
(fairly easy, daily script) and adding firewall entries.  The firewall
job becomes less time consuming as the block list grows.  Now I spend
maybe an average of 10-15 minutes per month keeping up with the physical
server.


[1] A relatively nasty zero-day in Exim showed up one day.  It was
patched fairly quickly but I was in the hospital for about a week so I
didn't see the announcement and had no access to the system even if I
did.  The zero-day was exploited which replaced the sshd binary with a
compromised one (along with other binaries).  However, because of the
massive firewall in front of it (with only port 25 open), the C&C server
could not reach the machine nor could the rootkit report out (the same
netblocks are also blocked outbound).  I discovered the rooting fairly
quickly after I returned from the hospital (ssh into the box from the
local network was not working properly).  The evidence was still on the
box because they were unable to log in (firewall) and do any further
work.  Recovered, patched, and blocked the offending netblock (different
from the C&C).

On 2016-09-29 10:21, George P. Burdell wrote:
> Anybody who has actually run their own mail servers for a while knows how much 
> of a tremendous chore it is just to keep your mail from being blacklisted.   
> Most major providers will, if one person acts up in your datacenter and you're 
> not at some enormous facility with a name brand, simply ban the entire netblock. 
>    They don't care about collateral damage.   I even get mail server admins who 
> block my Google Business email ... and that's a PAYING space, and ergo one of 
> the least polluted netblocks for spam on the entire internet.
> 
> Oh yea, you can still do your own mail server.  But why on Earth would you want 
> to?   How much money is your time worth?   How valuable are your emails?   How 
> much does it cost you if an important one doesn't make it?   And I say that as a 
> card carrying member of the EFF who has more than a passing distaste for the 
> surveillance state we have become.   The NSA didn't kill private email servers 
> ... spam did.
> 
> It also doesn't help that pretty much every stand alone mail client is varying 
> degrees of unsatisfactory (at least for my multi-account needs).   Opera Mail 
> was PERFECT.  And they killed it.
> 
> And we'll assume for the sake of argument that spam filtering isn't a problem 
> and there are tremendous mail clients available.    That doesn't fix that the 
> overwhelming majority of email traffic goes over in clear text, and the NSA will 
> almost certainly see and record it in transit with their strategy of putting 
> snooping stations just upstream (up-pipe?) from major people of interest like 
> Google.   If one day all email is traversing over SSL, Alex's idea will be the 
> simplest way to defend your privacy without signing up for the headache of 
> running your own mail server.
> 
> On Thu, Sep 29, 2016 at 12:01 PM, Alex Carver <agcarver+ale at acarver.net> wrote:
> 
>     On 2016-09-29 02:30, DJ-Pfulio wrote:
>     > Even client/lawyer communications aren't safe from DHS prying:
>     >
>     > http://www.homelandsecuritynewswire.com/dr20160927-feds-we-can-read-all-your-email-and-you-ll-never-know
> 
>     Yes, this is why I run my own server and download my free email services
>     (gmail, etc.) to my local hard drive on a regular basis (deleting the
>     server side copies after download).
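
Added example (not part of the original message): a short Python script that checks how many inbound deliveries were encrypted, by reading Exim main-log arrival lines of the kind quoted in the message and counting those that carry an X= cipher field.  The sample log lines, hosts and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in Exim main-log format; all hosts, queue ids and
# addresses are made up.  "<=" marks a message arrival, "=>" a delivery.
SAMPLE_LOG = """\
2016-09-29 20:46:01 1bpABC-0001Xy-7z <= list@example.org H=mail.example.org (www.example.org) [192.0.2.75] I=[10.0.0.6]:25 P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 S=4048 id=abc@example.org
2016-09-29 20:51:13 1bpABD-0001Y2-Qk <= news@example.net H=(mx.example.net) [198.51.100.9] I=[10.0.0.6]:25 P=esmtp S=9120 id=def@example.net
2016-09-29 21:02:40 1bpABE-0001Y9-3c <= me@example.com H=(phone) [203.0.113.20] I=[10.0.0.6]:587 P=esmtpsa X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 A=plain:me S=1200 id=ghi@example.com
2016-09-29 21:05:00 1bpABE-0001Y9-3c => me <me@example.com> R=localuser T=maildir
"""

# date, time, queue id, then "<=" and the envelope sender
ARRIVAL = re.compile(r"^\S+ \S+ \S+ <= (?P<sender>\S+) (?P<rest>.*)$")


def parse_arrival(line):
    """Return the fields of an arrival line, or None for any other line."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    rest = m.group("rest")
    host = re.search(r"H=.*?\[([^\]]+)\]", rest)   # remote IP in brackets
    proto = re.search(r"(?:^| )P=(\S+)", rest)     # esmtp, esmtps, esmtpsa...
    cipher = re.search(r"(?:^| )X=(\S+)", rest)    # logged only when TLS was used
    return {
        "sender": m.group("sender"),
        "host": host.group(1) if host else None,
        "proto": proto.group(1) if proto else None,
        "cipher": cipher.group(1) if cipher else None,
    }


def tls_summary(log_text):
    """Count network arrivals with and without TLS; list cleartext peers."""
    parsed = (parse_arrival(line) for line in log_text.splitlines())
    arrivals = [a for a in parsed if a and a["host"]]  # skip local submissions
    encrypted = [a for a in arrivals if a["cipher"]]
    return {
        "arrivals": len(arrivals),
        "encrypted": len(encrypted),
        "cleartext_hosts": sorted({a["host"] for a in arrivals if not a["cipher"]}),
        "versions": dict(Counter(a["cipher"].split(":")[0] for a in encrypted)),
    }


if __name__ == "__main__":
    print(tls_summary(SAMPLE_LOG))
```

The cleartext_hosts list shows which peers still deliver without TLS.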


