Experiences from hosting your own email server

After too much time spent configuring my email server I decided to close it down.

I started out with my email server around 2 years ago and while it has been working fine most of the time – it does end up stealing a lot your precious time and attention. Sometimes for more than what you want it to.

To know why email can be troublesome you need to know a bit of history:

The predecessor to email was invented in the early 60s and email was we know it today was not invented until 1972. That makes it at least 44 years old. When setting up the services you sure notice that the technology is old.

To make up for this old piece of technology (and email is not going away some time soon) you have a lot of non-standard extensions such as email blacklists (RBL or Real-time Blacklist), DMARC (Domain-based Message Authentication, Reporting & Conformance) and SPF (Sender Policy Framework).

All of which are not very easy to set up.

You also have to ask yourself these questions before rolling your own email service:

  • Which MTA (Mail Transfer Agent) will I use?
  • What protocols do I need to support when fetching email (IMAP, POP3 or by any other means)?
  • Which software provides implementations for these protocols?
  • How are the messages stored on the server and how can I back them up?
  • How am I going to block any unauthorized usage of sending emails (i.e. not abused by spammers)?
  • How do I get notified when an issue arises such as bouncing or rejected emails?

Point is that there are lots of things to consider.

Although you may quickly be able to set up something which can receive or send emails – it will most likely need a lot of tinkering to get it working just the way you want it. A common mistake is to allow postfix to act as an open relay which allows anyone to send emails without authorization. Port scanners will swiftly pick up that you are hosting an email server. It will not take long before a spammer shows up on your doorstep.

Here is an (somewhat outdated but still valid) schema of the the email client/server architecture (from http://homepages.uel.ac.uk/u0315352/introduction2.htm).

The pros of hosting your own email

  • Privacy
  • You learn something

The cons of hosting your own email

  • Steep learning curve
  • Time consuming
  • Requires security monitoring
  • Critical emails may not be received or sent (and you may not know about it until the damage is done).

Commercial email providers

Instead of hosting your own email I compared a few of the commercial alternatives. Neither of which are very expensive.

The price tag is most likely justified in comparison to the countless hours you spend on administration and monitoring of your own email service.

Runbox

Runbox is an email and web server provider located in Norway. They claim to be a privacy oriented email provider.

While that may be true a lot of their privacy policy is related to the web service regarding the use of cookies, tracking and ads. In terms of privacy and security I feel they could do more. Encrypted mail storage and Two Factor Authentication would be great (they are currently looking into the latter).

I did run into an issue while using a trial account. After importing some of my old emails the mailbox quickly got full and any incoming emails bounced off. This behaviour caused some issues and is seemingly undocumented – or very well hidden from sight.

Pros

  • No ads (and no systematic scanning of email text)
  • Cheap
  • Their datacenter runs on renewable energy.
  • Their company values (on ethics, privacy and environment)

Cons

  • Poor web interface
  • Unclear documentation regarding trial account and data usage.

Neutral

  • They claim to not be required to do any logging. However they do log basic information for administration purposes. Email delivery logs are stored for 1 week.
  • Norway (where Runbox is hosted) is currently considering a law which would open up tapping into email and phone communications – in a similar fashion to what Sweden currently is doing.
    Source: http://www.aftenposten.no/norge/Myndighetenes-nye-overvakingsmetoder-197770b.html (in Norwegian)
  • As Runbox provides a virus scanner your email content is scanned in a limited (and likely unobtrusive) way.

Protonmail

Protonmail is a fully encrypted email service located in Switzerland. Initially they were funded through the crowdfunding site IndieGogo but is now offering paid subscriptions.

They call one of their features Swiss Privacy although Switzerland in contrast recently approved a new surveillance law. Seeing as the email content is stored encrypted it may still open up the possibility of interception of email content while it still is in transit.

While they with no doubt are strong on both privacy and security their security model is not compatible with IMAP, POP3 nor SMTP and as such can not be used with traditional email clients.

Pros

  • Encrypted mail storage (and is only decrypted client side)
  • Free and open source!
  • No ads (and no systematic scanning of emails)

Cons

  • No IMAP/SMTP support
  • Limited HTML formatting tools when writing emails.

Neutral

  • While traditionally Switzerland (where Protonmail is hosted) has been a stronghold on privacy they recently voted in favour of mass surveillance. The new law which was approved just recently (in September 2016) and explicitly opens up for tapping into email and phone communications.
  • The mobile applications (only tested iOS) are good enough but nothing out of the extraordinary.

Gmail

The popular email service from Google has a market share of about 70% according to MailChimp (among web service providers) and cannot be neglected. The usability and user experience from the service itself is great.

Google is however well known for creating a profile of its users and to automatically scan your (and others) email content in order to serve you advertisements. At the same time Gmail is also taking up the battle with state sponsored surveillance. It definitely is a mixed bag.

Pros

  • Beautiful mobile applications (iOS and Android)
  • Free (unless hosted with Google Apps and a custom domain)
  • Offers Two Factor Authentication
  • Warns you of suspected state sponsored surveillance.

Cons

Further reading