1

Hi team, all this post is about personal use,

Since few months, or even years, having all my mails on google servers is bothering me. So I am seriously thinking about creating a standalone mail server here in my home. The aim is not either to create huge security braches in my private network and my personal datas. So I imagined a solution like this:

Buying a RaspberryPi, installing proxmox on it, making a virtual debian server (so i can install a small kali vm besides for personal purposes). I would host a mail server with apache on the debian VM, with a certbot to create a selfmade certificate for a domain i would buy. Then I think I have to open some ports on my ISP router, and maybe do NAT/PAT. I might have to open some firewall ports (567 or smth). Then I would take a NAS to backup my mail every 3 or 4 days or every day i’m still not sure.

Considering this I have some questions:

Does the general plan looks good?

Would a standalone mail server work correctly on 2Gb of RAM?

Do you have some recommandations for mailserver packages?

Is it mandatory in a security approach to force connection on the mail server via VPN? Like with an OpenVPN server? Even if this would increase performance needs.

Thanks

31 Spice ups
2

Unfortunately, Google has made running email yourself very hard. Without being on the authorized list as a valid SMTP server, most of your emails will always go to spam or never get delivered at all. What you could do is use an SMTP service in order to send emails. Receiving email is always doable, it is sending that is hard. You will 100% have to have SPF/DKIM/DMARC configured to not be flagged and even then if you get one blacklist it’s a cascading event that gets your server blacklisted real quick.

6 Spice ups
3

Hosting your own email used to be super simple. Little small application to listen for smtp and pop3 requests. Forward some ports on the router. MX record in your DNS. Start sending and receiving email!

But now - wow it has become quite complex. I still self host my company’s email and my personal email but if I was starting out fresh today I’m not sure I’d want to self host.

Unless you plan to use an smtp relay service for outgoing mail you’re going to need a static ip address at home. Dynamic won’t work. And you’ll probably want two in case your main one gets blacklisted. SPF is certainly important. DKIM/DMARC are good to have. The mail server will need a valid certificate for both smtp and pop3 use. And your ISP will need to allow traffic on port 25 which might require a business account.

i have no suggestions on mail server options for linux. But I’ve used both Mail Enable and hmailserver on Windows. There are pros and cons to each. But i think mail enable is the superior offering particularly since their free version has a lot of good features.

Good luck! Have no doubt that it is/will be a fun project to work on.

2 Spice ups
4

You would likely need several things to run an email server

  • dedicated Internet address
  • MX records (Internet DNS)
  • security system (firewall and/or other systems to protect the internal network)

I would rather look at how to backup your Gmail & options to migrate to another platform if required rather than create your email server.

1 Spice up
5

@adrianyong4136 ​ the aim is to get my data at home to get 0 risks on some personal and sensitive informations, moving to another platform would clearly just move the problem, not solve it.

Having a static IP was something I already identified as a potential problem. I clearly need to get informations on is it even possible to have one with my ISP.

I have to read about SMTP relays im not sure how it works. For the SPF/DKIM/DMARC points, we did in my company but I will try it myself at home. I will tell you.

6

Having the data as a backup is more in case Google closes down or suddenly stop offering Gmail ? Or that if emails or files were corrupted or accidentally deleted ?

But as for security, I would never think that homes or even mid sized businesses could have more security than the major cloud providers (AWS, Azure or Google) as they are really much larger than they seem (Gmail, hotmail, O365, youtube etc). There are other business offerings in these clouds like VDI, cloud computing (AI, machine learning, web servers, databases with redundancies in multi-zone and/or multi-nations).

Some people say “Seems all spicers wear tin foil hats”… but some of us wear a modified Magento Helmet that have a layer of Vibranium, Beskar and Valyrian steel.

5 Spice ups
7

Backuping to avoir eventually service stop or offer stop is a thing. Keeping datas at home because we don’t want an IT company to use our datas in a shady way, considering they usually take fines on the way they treat user datas etc… This is a real point, dont you think so? I mean if you are fine giving your whole life to GAFFAM its good for you, but for my personal datas I dont like this way of thinking.

In a professional context, I clearly know the big cloud companies are usually the best solutions, considering they almost never have services down and all. No problem on that. But for my personal life, its always preferrable to have everything on my hands. Even if its hard, if its doable, Im starting to prefer homemade on-prem solution. This doesn’t mean I think im better than big IT cloud companies. Just my compromission-value is smaller than GAFFAM ones. And I definitely think I have sufficient skills to provide my local network a solid protection.

8

If security is the concern, I would use a hosted email service but use encrypted email from your client. That way the email on the provider server is encrypted.

This requires all senders/recipients to be able to use the encryption.

Using an independent email hosting company is very different to gmail. Gmail actively scans your email to advertise etc. simple email providers do not.

1 Spice up
9

@matt7863 What you mean by hosted mail service is hiring a small server somewhere like digitalocean, or creating an email in a smaller mail provider?

I know I can force encrypted mails when sending one, but can I force encryption in server receive recipient from my client? (e.g. if I use thunderbird?)

10

One option would be to get a VM and static ip addresses from somewhere like linode. Then encrypt your VM so that it’s not accessible to anyone in a powered off state. That might require a bit more work on your part if it were to accidentally reboot and get stuck at an encryption password prompt but you wouldn’t have to worry about any restrictions your ISP might have.

11

I thought about something like this but it sounds definitely unmanageable

12

I would look for a privacy focused mail hosting company. There are plenty of other email providers, and hosting your own email at home is pretty much not possible (at least on an American ISP). AT&T, Spectrum, and Xfinity/Comcast all explicitly forbid web servers, email servers, and other types of hosted content on residential accounts. If you do somehow have the ability to host your own email with your ISP, then you are now facing all the problems that the first reply mentioned. Basically, no one will be able to receive and/or read the email you send.

Fastmail, OnMail, Apple mail are all feasible alternatives to Gmail. There may be some that cater to your country, language, or continent that I’m not aware of. I would at least look for a paid email service provider before spending any money setting up my own system/server.

13

I clearly heard all you guys mentionned, I think, firstly I will try buying a small server on OVHCloud, buy a domain and try to setup SPF/DMARK/DKIM, then see if it works. This would remove all problems due to ISP which even in France is such a pain. Then I might archive mails from the webserver and get then at home with a mechanism or something. So the server would handle the less sensitive data possible. But Im defenitely will give it a try

14

you might have already decided to go this route but i’d start with a test domain. then start with the very very basics of emailing - a server with a mail application and an mx record. then expand out from there - certificate, spf, etc etc. once you have all of that working you can then start the process of moving your main domain over.
something else to think about is spam filtering. on my personal server i use the home version of sophos utm 9. it has a really good spam filter on it.

15

I still havn’t begin anything. Yes I will of course use a test domain. And thx for the anti-spam advice! But, it might be tricky to place an UTM in front of my mail server if I host it on a VPS or a hosted server. I don’t really know I never tried this

16

all depends on how the VPS allows you do setup networking. i have mine running in hyper-v on a server with two nic. 1 nic goes into my modem and is the WAN on sophos, and the other nic goes into my switch and is the “LAN” for both the sophos and the mail server. both the sophos and mail server are VMs on the same host.

i remember my first mail server about 20 years ago. some little mail server application running on my windows xp machine. i didn’t even use a pubic domain. but man it was such a great feeling when i sent the first email to my real email address through outlook express and it came through.

i also remember the first time i found out what an open relay is. Oops! LOL

17

It is quite technically doable to set up and run a mail server on your home network behind your ISP.

It is against their terms of service and they won’t listen to you if they outright block your outbound SMTP ports.

Do you want to? Up to you.

Can you? Yes, technically.

Should you? Probably not for e-mail that matters that it gets through and is seen.

As the discussion already has said, there is a lot of details in different DNS records that you will learn. All the big guys require that you have these records.

The public IP address that you are sending from has a reputation and history. Your provider is very likely also outright publishing it to the Internet to contribute to the systemic methods old and new to stomp down spam.

Raising a virtual machine on some cloud server, setting up SMTP (eg. procmail or sendmail) and putting in the right DKIM, DMARC and such records may all meet the requirements, but the infrastructure of cloud services is also going to be noticing and fighting back to suppress your mail. It is also against the terms of service.

So, if this is what you want to deal with all this, have fun.

If you’re trying to run a business and getting your mail into mailboxes matters then go to a reputable vendor who is in the business of providing the service you don’t want to pay for a make the investment with them to get it done properly.

Oh and do understand there is a significant difference between using a service designed to provide mailboxes for humans sending e-mail but you are setting up a program and sending out volumes of marketing e-mail. You’re fighting their infrastructure heuristics and it is also against their AUP which you agreed to when you signed up. Use a vendor who offers services for such things. The is know as bulk e-mail.

1 Spice up
18

Perhaps you’re looking at the solution to your problem in the wrong way. You say no to google, (love to hear it!) But want to host your own email server. For privacy? Safety of your data? I looked into the same thing years ago, and decided not to host an email server, the reasons are all listed in the comments above. I’m no expert, I don’t trust myself to find the holes I may have created.

Maybe instead going down the road of creating a lot of work for yourself, pay someone? I would consider some ‘secure’ email provider, and look into how to secure your other data thats not in email.

https://cybernews.com/secure-email-providers/

2 Spice ups
19

One item that hasn’t been mentioned yet is the PTR entry. You’ll have to get with the provider of your public ip address to have that set. Most mail servers will reject email from a server without a valid PTR.

2 Spice ups
20

I like Mailtraq. It won’t execute server based instructions and is a small target, so hackers don’t spend time trying to breach it.

I’d also suggest a front-end firewall; only open ports and narrowly as possible. Maybe consider PFSense; I’m running it inside a VM on my home system, works pretty well as far as I can tell.

Finally; consider a third party spam filter for inbound/outbound email. It bypasses the certificate requirement and you can configure your firewall to only allow your email server to connect to your third party spam filter; so much higher security.