15 points (85% like it)
18 up votes 3 down votes

[–]execrator 10 points11 points ago*

Postfix. Dovecot for IMAP. Spamassassin to set junk headers + 'Trust Spamassassin' on the client end. This is a common setup and there should be tutorials all over the place. I recommend something like http://www.mxtoolbox.com/diagnostic.aspx to check you haven't accidentally set up an open relay.

I run my own mail server and have no problems whatsoever. I understand that the real headaches come with supporting other users. If you're doing it just for yourself, go nuts.

Edit: to increase the chances your mail is delivered, look into these guys:

[–]privateemailanywhere[S] 1 point2 points ago

Postfix is the server part? Dovecot for allowing mail to be downloaded/accessed over IMAP?

I guess Postfix would be using POP3 to send the mail? Is it easy enough to set up SSL?

Is there a way to access my mail over a "webmail" interface?

Thanks for the info dude :) I'm really starting to consider going through with this. It would be for myself and maybe one or two other users. Nothing major. :)

[–]execrator 2 points3 points ago

Postfix is the 'server', aye (quotation marks because it's technically several different things - see http://en.wikipedia.org/wiki/E-mail_agent_(infrastructure) ). In this setup, Dovecot just does IMAP. The two can cover a variety of overlapping roles. If you wanted to use Sieve (configurable server-side filters like 'move mail from sender X to folder Y') I believe you need Dovecot also being the mail delivery agent.

SSL should "just work" if you're happy with self-signed certificates. Perhaps some minor config required to disable non-SSL. If you want something signed by a certificate authority it should also be straightforward as long as you have the certificate files in the right format. From memory I needed a separate intermediate certificate file whereas other programs might expect that intermediate data to be part of the certificate. Certainly a Google-solvable problem, anyway.

I looked into using Roundcube for webmail. It accesses your mail via IMAP so it won't conflict with using regular clients on your phone/desktop/etc, however it required me to turn off a certain PHP security setting before it would work. Perhaps it's totally harmless to do so, but I've just stuck with local clients.

[–]nodiscc 1 point2 points ago*

Upvoted for Roundcube. Installing and running it on a Debian system was painless for me.

[–]metamatic 0 points1 point ago

Don't forget to configure Postfix and Dovecot for Maildir+ storage format, rather than mbox. Especially if you're going to be using OS X Mail.

[–]honcas 8 points9 points ago

Are all of your contacts also doing this? Most people I e-mail use Gmail or Yahoo, so my conversations are pretty much not private anyway.

[–]privateemailanywhere[S] 2 points3 points ago

Email I care about is mainly between family or the SO, so setting up the server would allow me to set up users for these people. It's a chance to look into the technical bits of email as well.

I would never attempt this for anything other than a personal project. :) Thanks dude.

[–][deleted] ago

[deleted]

[–]privateemailanywhere[S] 1 point2 points ago

Lol! Point taken :|

[–]MarkTraceur 2 points3 points ago

So....

I've had some bad experience with hosting-my-own. Admittedly, because I've done it on a home network with a "dynamic" IP. I use quotation marks, by the way, because it rarely, if ever, changes.

Probably you'll be better off using your ISP's email, or potentially get a personal website and use their email hosting.

Best case scenario would be to have a static IP, but I'm not sure that's a cost-effective solution....

[–]privateemailanywhere[S] 0 points1 point ago

I have access to a VPS with a static IP; I don't have much mail so that shouldn't be an issue. My concerns are more with dealing with spam, hacking attempts, using SSL to log in and download mail, etc. How much work is it to set up, and is maintaining it a difficult task?

Any pearls of wisdom? Anything you wish you'd have known in advance?

And finally, which email server do I use? I've got basic experience with setting up a send-only exim4 server. Postfix or Dovecot seem to be highly spoken of. Any suggestions?

[–]PEPCK 0 points1 point ago

If you're concerned about security, qmail is probably what you want.

[–]privateemailanywhere[S] 0 points1 point ago

Why do you suggest qmail over any other setup?

When people talk about security and email is it just prevent people from accessing and sending mail from my server? Are there any other issues relating to email hosting?

[–]DrGirlfriend 1 point2 points ago

If you go Qmail, you will absolutely need this site.

[–]privateemailanywhere[S] 0 points1 point ago

Thanks dude! :)

[–]PEPCK 0 points1 point ago

Security and email consists of several goals: preventing access to private data, preventing malicious attacks through a vulnerability in the MTA, spam defense, and ensuring received/sent email is authenticated and is not tampered with. qmail was designed with security as the first priority, not as an addon, but I think the creator of qmail would be more informative.

[–]privateemailanywhere[S] 0 points1 point ago

Thanks for the link. If I use qmail I would still need Dovecot for the IMAP part?

If I use SMTP over POP3 would I need to ensure my ISP allows outgoing traffic on port 25? Is there a big difference between the two?

I never realised how separate the sending and accessing of mail is. I guess a lot of these bits overlap. Would qmail alone suffice?

[–]PEPCK 0 points1 point ago

I really don't know- email stuff is not exactly my area of expertise :(

[–]privateemailanywhere[S] 0 points1 point ago

Not a problem dude, you've been a great help!

[–]execrator 0 points1 point ago

Mail is always sent with SMTP. POP3 and IMAP are two alternative ways of accessing mail. You're probably aware, but in case not, accessing mail with POP means the mail is removed from the server. This is only awesome if you read mail from exactly one place. Otherwise, you want IMAP. In either case you'll need port 25 unblocked to SMTP mail to the outside world.

[–]privateemailanywhere[S] 0 points1 point ago

Thanks for clearing that up :) Makes loads more sense now!

[–]MarkTraceur 0 points1 point ago

The problem I had was the dynamic IP, so I have nothing to say past that. exim4 seemed OK to me, since all of my frustration was caused by a principle of SMTP that I didn't know in advance. I'd imagine you could use SSH and your favourite mail client on the server to send and receive mail, eliminating SSL problems, but I don't know past that.

Here's a tutorial I was going to use: http://flurdy.com/docs/postfix/index.html

[–]lxskllr 2 points3 points ago

I've been thinking of going with these guys...

http://lavabit.com/features.html

Their paid services offer encryption on their servers, and the rates are reasonable.

[–]malpingu 1 point2 points ago

I don't see anything about domain mapping so I presume that one must use a @lavabit.com email address. Also, they seem to support pop3 only, not imap.

[–]audaxxx 1 point2 points ago

They support imap, I don't know why they don't list it.

[–]malpingu 0 points1 point ago

I was mistaken about the IMAP support. It is mentioned in the text on the page describing personal accounts. I don't know why it's not listed with other features.

[–]privateemailanywhere[S] 0 points1 point ago

Domain Mapping is a big requirement for me :D Thanks for pointing this out :D

[–]malpingu 0 points1 point ago

I was mistaken. It is available for 'corporate' accounts; indeed, that's probably the distinction.

[–]icebraining 0 points1 point ago*

I don't see anything about domain mapping so I presume that one must use a @lavabit.com email address.

They have this:

Catchall Address

For those of you who choose our services for your personal or corporate domain names, the Lavabit e-mail server supports catchall addresses. This feature allows us to redirect all of the e-mail for a domain that isn’t addressed to a valid user into a specific catchall account.

So they must support domain mapping.

EDIT: it's probably only for "corporate email" plans, though.

[–]privateemailanywhere[S] 0 points1 point ago

Thanks for the reply dude, I like the service they seem to offer but it's just lacking a few touches. It's a shame too, looks like a nice system.

[–]malpingu 0 points1 point ago

What requirements are not met? (BTW, I was mistaken about the lack of domain mapping and IMAP support.)

[–]privateemailanywhere[S] 0 points1 point ago

I've signed up and have been looking into it. The only downside I have is that it appears to be US based. The webmail is lacking but it'll give me a chance to try out a new email client or ten. :)

[–]malpingu 0 points1 point ago

Ah, that is a significant downside. ;-(

I was a huge Kmail fan for the longest time until it (and the rest of KDE) just got too bloated for me. I rather like Claws on Xfce, although it is available for a wide range of platforms.

[–]malpingu 0 points1 point ago

Yes, you're right! Looking again I see this for the corporate accounts:

Have your own domain but want someone else to handle your e-mail? Whether you’re a company of one or 1,000 ...

Also, the description for personal accounts states that IMAP is supported.

[–]jimicus 1 point2 points ago

Their paid services offer encryption on their servers, and the rates are reasonable.

That doesn't even make any sense. In order for you to download the email over SSL, they'd have to decrypt the email first then re-encrypt it with the negotiated keys. Which means that even if they do encrypt the email on their own servers, they have the means to decrypt it immediately to hand without requiring your co-operation.

EDIT: Okay, I've just checked. Looks like they wrote their own custom server code which decrypts the email on the fly when you enter your password. This reduces the risk of "some bad guy gets their hands on their hard disks" but doesn't really help much as far as, say, law enforcement is concerned. They'll just get subpoena'd to keep a copy of your unencrypted key the next time you login.

[–]wadcann 0 points1 point ago

This is why one (a) doesn't use webmail, (b) uses pgp/gpg, and (c) doesn't put any crucial data in subject lines.

[–]privateemailanywhere[S] 0 points1 point ago

lavabit looks great but it appears to be an American company. After everything I think I'd like to avoid the Ol' US of A like the plague.

The service itself seems 90% compatible with what I'm wanting but I think I'd rather host my own for security, reliability and being in complete control. Plus I love a challenge :D

[–]lxskllr 1 point2 points ago

Yea, I hear ya. I'm trying to de-Google my life, and I don't currently have the infrastructure to host my own mail. I figure the encryption will negate server location. I may lose my mail, but it'll be useless to anyone else also :-D

[–]privateemailanywhere[S] 1 point2 points ago

de-Google is the perfect way to put it!!! :P

[–]jollybobbyroger 2 points3 points ago

I've been looking into paying for an alternative to Gmail. So far I've found:

* Hushmail
* FriPost

Fripost seems like a good choice as they are a democratic organization who emphasize privacy and a free Internet.

[–]sadf 2 points3 points ago

Hushmail used to be really popular because they claimed that they were unable to decrypt their users' mail, therefore they could not provide plaintext emails to government subpoenas. Then, one day, they were subpoenaed and ponied over the unencrypted contents of several people's inboxes.

So much for that idea.

[–]privateemailanywhere[S] 0 points1 point ago

Damn!!!!!! Thanks for the info though :)

[–]privateemailanywhere[S] 0 points1 point ago

Thanks dude!!! FriPost has a thing about wanting Swedish members. I'll try to apply and see what happens anyway but it does look good.

I'm looking for a provider who will allow me to use my own domain name too. FriPost seems to allow it :)

[–]sethbrown 2 points3 points ago

SME Server (http://wiki.contribs.org)

True story. My brother, a Windows only guy at this point, calls me one day and says he needs an email server ASAP and what can he download to get it to work NOW.

I point him at the site and say 'call me back when you have it downloaded. I'll walk you through'.

He never calls back.

Six months later, he calls back to say he's installing it at a customer site and how does he get it to send email to the net again, coz he forgot.

I tell him, 'what are you talking about?' He explains he never called back becoz it was so simple to install, he didn't need to. It's been working fine for the last six months, he hasn't needed to touch it at all, so he's forgotten how he set up the email in the first place.

I sigh, tell him the menu option he's missed, which says 'Allow access from the internet' and he's good.

No previous Linux experience, but since then he's running Mint, Ubuntu, XBMC, some usenet thing. His biggest problem now is continually running out of disk space coz his wife's soap opera and his kids' favourite shows eat up the available space. Windows? He runs that in a VirtualBox VM now for his day job.

One download, 15 minute install = running email server that doesn't need to be touched for six months. By a Windows guy.

I know there are guys who just love to tweak stuff, but 20 years on, it gets old. When you finally understand it all, what you'll end up with, is SME Server.

Simple, easy, rock solid. Do yourself a favour.

[–]mrchilly0 1 point2 points ago

I've been running my own email server for a few years now...my IP changes twice a year, and it only takes 5 minutes to log in to change it on the hosting site. You can, however, set up a free account on dyndns.com that has a program that automates this. When your IP changes, the program will send the host your new IP and it will change your records.

[–]privateemailanywhere[S] 0 points1 point ago

Thanks dude! Where does the static IP come into it? Is it for the MX records or does the email server need to know what its external IP is?

Also dude, any tips or advice? :)

[–]malpingu 1 point2 points ago

Both. A sender needs your MX record and your SMTP needs to know its own address (whether specified as a DNS A record, host file entry or an explicit IPv4 or IPv6 address). A static IP address is just easier to configure and maintain for DNS records than a dynamic address. Moreover, a static IP address may be less likely to end up on a relay blocking list owing to the mischief of someone sharing your ISP's dynamic address range.

[–]mrchilly0 0 points1 point ago

You don't have to have a static IP. The internet just needs to know where to go to find your mail server. So as long as you update your MX record when your IP changes, you're fine. It literally takes 5 min and is updated on the internet in less than 10-15 min.

[–][deleted] ago

[deleted]

[–]privateemailanywhere[S] 0 points1 point ago

PGP as far as I am aware would require all my other contacts to use PGP to actually encrypt the email. Not too difficult as it's for personal email only, but it's something I decided would be a "backup" to look into. Is my understanding correct?

[–]execrator 0 points1 point ago

Your mail client won't send encrypted mail to any contacts it doesn't have public keys for. Setting up PGP doesn't require your contacts to do the same, but you can't use it otherwise.

You can however digitally sign any email you send. This proves the mail wasn't tampered with along the way, and I believe it doesn't require any setup for your recipients.

[–]privateemailanywhere[S] 0 points1 point ago

I'll have to look into it in more depth then. Thanks dude. :)

How does the digital signing work and what is its "technical" name?

[–]execrator 0 points1 point ago

I'm not sure how the digital signing works to tell the truth. Functionally the signature appears as an attachment to the email. Clients that know about digital signatures will hide the attachment and instead indicate that it was signed. Unfortunately gmail does not do this.

If I had to guess I'd say the attachment contained your public key and a derivative of the email encrypted with your private key.

If you have Thunderbird, try Options -> Digitally Sign This Message when composing. It should complain about not having a key and hopefully set one up for you.

Note that you can encrypt/sign email with S/MIME or PGP/MIME and they're mutually exclusive. PGP/MIME is what you'll use if you install OpenPGP. I believe this has better infrastructure for sharing keys, e.g. keyservers, whereas if you use S/MIME you'll have to manually email your key to your contacts. That's mostly speculation; I'd look into it further if you wanted to set it up.

[–]malpingu 1 point2 points ago

Yes, that's a fairly accurate description. To elaborate ...

The digital signature is essentially a hash digest of the message which has been encrypted with the sender's private key and attached to the message. During signature validation, the recipient client uses the sender's public key to decrypt the digital signature, thereby unwrapping the hash value (or message authentication code), which is then compared with a value computed using the received message; if the two values match, then the message is authentic. The S/MIME and PGP/MIME specifications detail the format for the messages and related cryptographic parameters.

In order to send or receive a S/MIME or PGP/MIME message, one needs a digital certificate.

The X.509 specification describes the Public Key Infrastructure for managing keys and digital certificates. In a conventional PKI, a digital certificate identifying the holder of the private key associated with the public key contained therein is typically issued by a Certification Authority (CA) and is digitally signed thereby. Certificates for end-users are available from CAs, generally for a fee. A relying party, in order to trust a digital certificate, needs to verify the issuer's signature, for which the Root CA public key is required and available in a self-signed Root CA certificate from the issuing CA. This is a hierarchical trust management structure which may have various policies governing the issuance of certificates, such as cryptographic parameters, identity information, identity verification criteria and process, validity period, revocation, etc.

PGP operates under a Web of Trust model based more on a mesh network; there is no central certifying authority. Certificates are simply containers for public keys bearing the signatures of parties who attest that the public key therein has been verifiably associated with the identified private key holder. For a relying party, trust may appear in the eye of the beholder but this system is perhaps more robust than the classical hierarchical CA model.
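
The sign-then-verify model malpingu describes above (hash the message, sign the digest with the sender's private key, check it with the public key), and the tamper-evidence execrator mentioned earlier, shown with Go's standard library. This is an added example, not code from the thread: it uses RSA PKCS#1 v1.5 over SHA-256 on a constructed message and leaves out the OpenPGP or S/MIME packaging a real mail client wraps around the signature.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signMessage hashes the message body with SHA-256 and signs the digest with
// the sender's private key (RSA PKCS#1 v1.5). This is the "hash encrypted with
// the private key" step from the thread; PGP/MIME would wrap the result in an
// OpenPGP packet, which is omitted here.
func signMessage(priv *rsa.PrivateKey, body []byte) ([]byte, error) {
	digest := sha256.Sum256(body)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyMessage recomputes the digest over the received body and checks it
// against the signature with the sender's public key. Any change to the body,
// or a signature made with a different key, makes this return false.
func verifyMessage(pub *rsa.PublicKey, body, sig []byte) bool {
	digest := sha256.Sum256(body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// demo runs the exchange on a constructed message and reports whether the
// untouched copy verified and whether an edited copy was rejected.
func demo() (genuineOK, tamperedRejected bool, err error) {
	// Constructed sender key; a real setup would load a stored key pair.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	body := []byte("Subject: dinner\r\n\r\nMeet at 7pm.\r\n") // constructed mail body
	sig, err := signMessage(priv, body)
	if err != nil {
		return false, false, err
	}
	genuineOK = verifyMessage(&priv.PublicKey, body, sig)

	// Someone in transit changes one character; the signature no longer matches.
	tampered := []byte("Subject: dinner\r\n\r\nMeet at 8pm.\r\n")
	tamperedRejected = !verifyMessage(&priv.PublicKey, tampered, sig)
	return genuineOK, tamperedRejected, nil
}

func main() {
	ok, rejected, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verified: %v, tampered rejected: %v\n", ok, rejected)
}
```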

[–]privateemailanywhere[S] 0 points1 point ago

Pfft! Did a great job for someone who doesn't know :P Thanks! I'll definitely look into this even if it's just to know about it :D

[–]jimicus 0 points1 point ago

If I had to guess I'd say the attachment contained your public key and a derivative of the email encrypted with your private key.

IIRC that's exactly what it is.

[–]mthode 1 point2 points ago

I host my own and use gmail as a backup at the moment (mail gets delivered to me then I deliver it to gmail).

[–]skreak 1 point2 points ago

I've hosted my own mail before and to be honest, I hated it. Had a 'server' in my basement on a static IP on a DSL connection. Slackware linux (this was back in the day) using qmail and spamassassin and it was such a pain in the ass. The hardest thing by far is not filtering spam, but getting people to trust your server as a sender. Eventually I gave up and just told it to relay mail through my isp's on the way out, but I would still occasionally get black listed and people were always having my legit mail show up in their spam folder. Total pain in the ass and I don't recommend it.

If you're worried about mail being safe and secure, use GPG to encrypt your messages.

[–]privateemailanywhere[S] 0 points1 point ago

Thanks for the reply dude, you've given me another great point to think about. This is all just for personal mail so I'm not too bothered about it all, plus it would be a great learning experience.

Scary to think how much goes into ensuring the server is fully functional :|

[–]skreak 0 points1 point ago

http://www.mxtoolbox.com/SuperTool.aspx?action=smtp%3agoogle.com

Make sure your DNS is perfect. PTR records, aname, cnames, MX, etc. If they don't hold up perfectly, your mail will get spam foldered.
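
An added example (not from the thread) of the DNS consistency checks malpingu and skreak describe: the domain's MX pointing at the sending server, and the server's IP having a PTR record that resolves back to it (forward-confirmed reverse DNS). It is written in Go; the Lookups type and the example.org / 192.0.2.x records are constructed stand-ins so the check runs offline.

```go
package main

import (
	"fmt"
	"strings"
)

// Lookups abstracts the resolver so the check runs offline over constructed
// records; a real deployment would use net.LookupMX, LookupHost and LookupAddr.
type Lookups struct {
	MX   func(domain string) []string // mail exchanger hostnames for a domain
	Host func(name string) []string   // A/AAAA addresses for a hostname
	PTR  func(ip string) []string     // reverse (PTR) names for an address
}

// anyResolvesTo reports whether any of the names has an address record equal
// to ip. Trailing dots, as DNS returns them, are tolerated.
func anyResolvesTo(l Lookups, names []string, ip string) bool {
	for _, n := range names {
		for _, a := range l.Host(strings.TrimSuffix(n, ".")) {
			if a == ip {
				return true
			}
		}
	}
	return false
}

// checkMailHost applies the checks receiving servers commonly make on the host
// that connects to them: the sender domain publishes an MX, an MX name resolves
// to the connecting IP, the IP has a PTR, and that PTR name resolves back to the
// same IP (forward-confirmed reverse DNS). It returns the failures found.
func checkMailHost(l Lookups, domain, ip string) []string {
	var findings []string
	mxs := l.MX(domain)
	switch {
	case len(mxs) == 0:
		findings = append(findings, "no MX record for "+domain)
	case !anyResolvesTo(l, mxs, ip):
		findings = append(findings, "no MX host of "+domain+" resolves to "+ip)
	}
	ptrs := l.PTR(ip)
	switch {
	case len(ptrs) == 0:
		findings = append(findings, "no PTR record for "+ip)
	case !anyResolvesTo(l, ptrs, ip):
		findings = append(findings, "PTR name for "+ip+" does not resolve back to it")
	}
	return findings
}

// Constructed records (not real hosts): a correctly set up server on 192.0.2.10
// and a home connection on 192.0.2.55 that only has a generic ISP PTR name.
var (
	mxTab   = map[string][]string{"example.org": {"mail.example.org."}}
	hostTab = map[string][]string{"mail.example.org": {"192.0.2.10"}, "dsl-pool-55.isp.example": {"192.0.2.55"}}
	ptrTab  = map[string][]string{"192.0.2.10": {"mail.example.org."}, "192.0.2.55": {"dsl-pool-55.isp.example."}}
)

// stubLookups serves the constructed records above.
func stubLookups() Lookups {
	return Lookups{
		MX:   func(d string) []string { return mxTab[d] },
		Host: func(n string) []string { return hostTab[n] },
		PTR:  func(ip string) []string { return ptrTab[ip] },
	}
}

func main() {
	for _, ip := range []string{"192.0.2.10", "192.0.2.55", "198.51.100.7"} {
		fmt.Printf("%s: %v\n", ip, checkMailHost(stubLookups(), "example.org", ip))
	}
}
```

The home address passes the reverse check but fails the MX check, which is the "your mail lands in spam" situation from the thread; an address with no PTR fails both.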

[–]elusive_one 0 points1 point ago

LOL, that brought back so many terrible memories with qmail and spamassassin.

[–]n0suchth1ng 1 point2 points ago

I ran my own mail server for years on a Linode, but got sick of the constant battle against spam. I finally switched over to the mail service Tuffmail. $24/year for one mailbox, unlimited aliases and domains. Works for me, and I've been very happy with their reliability and spam prevention.

[–]phillymjs 1 point2 points ago

Thanks for this, I just checked them out and like what I see. The support is pretty great, too. I emailed asking if they had any kind of bulk import of addresses because I have a lot of aliases, and they offered to whip up a script to import them for me if I sent them a list.

[–]privateemailanywhere[S] 1 point2 points ago

Thanks dude. I'm more concerned about the privacy. Is it US owned and hosted? Is my mail and info safe?

I'll check it out in detail :)

[–]gustavopr 1 point2 points ago

I run my mail server on a linode machine with postfix + dovecot + dspam and have 0 problems with it. The only catch: hotmail accounts don't receive mail from my mail server, but I don't know anyone with a hotmail account anymore.

When I have some free time, I will try this: Automatically Encrypting all Incoming E-mail.

[–]privateemailanywhere[S] -1 points0 points ago

Thanks dude, you had no issues with spam? Do you have a secret? Hotmail wouldn't be much of an issue for me either :D Did you ever find out why though?

Thanks for the link too, I've not stopped reading about email in days lol. Following through the imaginary configs in my head because I don't have time to spin up a VM and test anything out.

I'm all for hosting it on a VPS too but just not Linode, I want to avoid US whenever possible :) I'm in the process of setting up a development box so I suppose there's no extra hosting costs. Cheers :)

[–]gustavopr 0 points1 point ago

Yep, I have a problem with it being in the US too and I'm considering moving it to another country. I've been using this setup for ~8 months and haven't received a single spam (my spam filter is there, lying untrained). I just give my e-mail to people I trust, and I think spammers haven't discovered my unusual domain yet. Luck, I guess.

And it seems hotmail does not think my server is trustful, but I didn't try to discover why and what I could do to solve it since it's not a problem for me...

[–]privateemailanywhere[S] -1 points0 points ago

I'm pretty much in the same boat. I'd like to do it as a project nonetheless but signed up to lavabit.com for a trial. The only downside is it's US based and even with all the encryption and decent terms and privacy policy they'll give up data if requested by the Government. I contacted them to ask what kind of data and if they are able to decrypt my mail but have received no response.

Thanks for the reply dude. :)

[–]malpingu 0 points1 point ago

I've been hosting my own email domains for many years on a Debian GNU/Linux platform with a static IP address using postfix with various add-ons and related packages:

  • postfix - smtp(s)
  • maildrop - filtering & maildir delivery
  • dovecot - imap(s)
  • clamsmtp - anti-virus
  • spamassassin - Bayesian anti-spam
  • dkim-filter - DKIM anti-spoofing
  • postfix-policyd-spf-python - SPF anti-spoofing
  • gross - grey-listing & relay blocking

(I also have a convoluted setup whereby I also relay most of my email through gmail accounts for added spam protection, plus the benefit of webmail.)

Postfix can get kinda complex. The documentation at postfix.org is excellent, albeit a bit overwhelming at times. Yet, you should also be able to find some good tutorials and recipes for getting started - just be careful to avoid the high-end configurations intended for enterprises. (It's been too long since I've looked at any to offer recommendations.)

I'd start simple with postfix + maildrop + dovecot + spamassassin, then fine-tune and add other capabilities as you get more comfortable with it.

Ironically, I'm considering migrating to a hosted service, although I haven't started looking seriously yet.

[–]insanemal 0 points1 point ago

I run Citadel. I'm happy. I use most of the features: mail, calendar and contacts... not so much the other groupware bits, but you get that.

[–]syntax_erorr -1 points0 points ago

Email itself is insecure. I'm pretty sure messages are transmitted unencrypted. So anyone in between or anyone sniffing on your local network could read them.

I'm pretty sure if you're paranoid about it, the standard I see most people using is PGP / GPG to encrypt the body of the email.