So Iāve been running self-hosted email using Mailu for a couple of months (after migrating out of Google Workspace). Today it turned that although my server seems to be capable of sending and receiving emails, it also seems to be used by spammers. Iāve stumbled upon this accidentally by looking through logs. This seems to have been going on for all this time (first āunknownā access happened just a couple of hours after Iāve set everything up).
While browsing the logs there were just so many crazy things happening - the incoming connections were coming through some kind of proxy built-in to Mailu, so I couldnāt even figure out what was their source IP. I have no idea why they could send emails without authorization - the server was not a relay. Every spammy email also got maximum spam score - which is great - but not very useful since SMTP agent ignored it and proceeded to send it out. Debugging was difficult because every service was running in a different container and they were all hooked up in a way that involved (in addition to the already mentioned proxy) bridges, virtual ethernet interfaces and a jungle of iptables-based NAT that was actually nft under the hood. Nothing in this architecture was actually documented anywhere, no network diagrams or anything - everything has to be inferred from netfilter rulesets. For some reason ādocker composeā left some configuration mess during the ādownā step and I couldnāt ādocker compose upā afterwards. This means that every change in configuration required a full OS reboot to be applied. Finally, the server kept retrying to send the spammy emails for hours so even after (hypothetically) fixing all the configuration issues, it would still be impossible to tell whether they really were fixed because the spammy emails that were submitted before the fix already got into the retry loop.
I have worked on obfuscation technologies and Iām honestly impressed by the state of email servers. I have temporarily moved back to Google Workspace but Iām still on the lookout for alternatives.
Do you know of any email server that could be described as simple? Ideally a single binary with sane defaults, similarly to what dnsmasq is for DNS+DHCP?
I agree that a static IP address is an absolute requirement for a mail server to send messages these days. You also need a host of checks in place like SPF, DKIM, and DMARC, along with a strong set of blocklists and spam filters. My own setup includes dual ISP connections from two different providers, and even with all that in place, Microsoft has always been a thorn. They will block me for no apparent reason, their own tools donāt even show any detected spam activity, and sometimes they donāt even block the same IP address (or provider) that my emails were sent from. Every other spam service on the planet behaves in a rational way, but of course Microsoft has made a point of locking in so many businesses to their own spam-ridden service that you simply canāt run a mail server any more without being able to talk to them.
Overall, yeah it can be a pain to run your own mail server. I canāt imagine trying to use a pre-built mail server and expect it to run, thereās so much that you have to configure to each specific setup. Itās not like a web server where you load up a docker container and it just works.
Wellā¦ ok? Iāve only been running mine since around 2001, I guess I should give up?
Iāve had similar experiences trying to send mail to Microsoft-hosted email addresses. My current āsolutionā is to send all outgoing mail directly from my VPS-hosted Mailu serverā¦ EXCEPT for Microsoft-destined mail. For those messages, they get transparently relayed from Postfix to a third-party email sending service that Microsoft apparently trusts.
The upshot is I can still use my own Postfix daemon for all mail sent to sane (non-Microsoft) providers.
Iāve never heard of anybody relaying just the Microsoft e-mails, but thatās a really funny spiteful solution.
Lately Iāve been able to send to outlook just fine (maybe itās just dumb luck, who knows). I think I had troubles initially because theyāre really picky about rDNS matching the MX exactly. I also signed up for SNDS just in case, but I donāt know if they factor that inā¦
ProtonMail. 100%.
I set up custom DNS and catchall so yourcompanyname@saltycowboy.org is really how I filter spam.
Please note, saltycowboy.org isnāt really my domain.
unless you realllllly enjoy self hosting your email, IMO itās just not worth it anymore with the state of things. I use Fastmail and could not be happier.
I use fastmail, and I enjoy it a lot. Their masked email is very nice as well, and integrates with bitwarden. So quite convenient to use my personal domain for stuff where my identity matters, and use masked @fastmail addresses for more disposable stuff.
The only thing that ticks me a tiny bit is that their mobile app doesnāt have offline mode; but you can use imap client or w/e, so itās not too much of an issue.
Also hear good things about protonmail; I would consider it if I didnāt already use/trust fastmail.
im an old school email admin. i gave up on my personal exchange box for protonmail years agoā¦ multiple domains, lots of dns nonsense on my part. zero problems.
i highly recommend them.
