This blog post is a guide explaining how to set up a full-featured email server on OpenBSD 7.5. It was commissioned by a customer of my consultancy who wanted it to be published on my blog.
Setting up a modern email stack that does not appear as a spam platform to the world can be a daunting task; the guide will cover what you need for a secure, functional and low-maintenance email system.
↫ Solène Rapenne
If you ever wanted to set up and run your own email server, this is a great way to do it. Solène, an OpenBSD developer, will help you through setting up IMAP, POP, and Webmail, an SMTP server with server-to-server encryption and hidden personal information, every possible measure to make sure your server is regarded as legitimate, and all the usual firewall and anti-spam stuff you are definitely going to need.
Taking back email from Google – or even Proton, which is now doing both machine learning and Bitcoin, of all things – is probably one of the most daunting tasks for anyone willing to cut ties with as much of big tech as possible. Not only is there the technical barrier, there’s also the fact that the major email providers, like Gmail or whatever Microsoft offers these days, are trying their darndest to make self-hosting email as cumbersome as possible by trying to label everything you send as spam or downright malicious.
It’s definitely not an easy task, but at least with guides like this there’s some set of easy steps to follow to get there.
I’ve been successfully running my own email server (with full delivery success) with mailcow in Docker in a Linux VM on FreeBSD (yes, I am slowly migrating everything to FreeBSD).
The hardest, and key, part of the setup, was to get my providers to set up reverse DNS accordingly. But, where I live, I pay only ~5 EUR for a private IPv4 IP. I have two providers, each at ~30 EUR each, both offer me fixed V4 and reverse DNS, so the setup is pretty robust.
The rest is just a matter of being careful with DMARC, DKIM, etc., picking a DNS provider that offers good service and support (I’ve been a happy customer of no-ip for 20 years), and making sure everything is set up right before trying to send your first email, to avoid having your IP blacklisted.
I didn’t cut out Gmail because my girlfriend likes our YouTube Premium account, but 90% of my correspondence now goes to my private server, and I have migrated most of my accounts to my private server as well. A friend of mine runs an eshop and another his entire startup out of my server as well, and downtime is insignificant.
At this point it feels like SMTP and HTTP are truly the only widely used open protocols left that have not been abandoned or replaced by proprietary methods from the large monopoly-sized companies (such as XMPP being abandoned for proprietary chat protocols, or FTP for proprietary file sync protocols). So I would always encourage users on the more technical side to help keep the Internet decentralized by running your own HTTP or SMTP server. For less technical users, when it comes to email servers you can use packaged setups such as Mail-in-a-Box (https://mailinabox.email/). For users who are not technical or don’t want to go through the hassle, support a non-monopoly email service provider that values open protocols; one example is Imageway: https://www.imageway.com/open-standard-protocols
It feels like even at this point companies like Google are manipulating HTTP at the browser level with their monopoly control of the Chrome web browser, and Google/Microsoft with their SMTP controls in place making it harder and harder for small email servers to not be categorized as spam on their systems. This is why having real alternative browsers (such as Firefox and Safari), open protocol service providers, and the ability to run your own servers at home will be important to keep what we have left of the Internet open and decentralized.
lancealot,
I agree. I feel very strongly that federated protocols are critical to an open internet, and yet corporations are killing them in favor of proprietary technology that they have exclusive control over. It saddens me.
This is good advice. Even if you cannot/don’t want to self host, at least help support the little guys instead of the monopolies.
I have to agree with you, but my confidence in keeping the internet open long term may not be as high as yours.
We are an old and dying breed of people. 🙁
For less technical users: I would just recommend a hosting provider.
But own your own domain, etc. so you can take it and go somewhere else.
Your data will just sit in some datacenter of a smaller player, not Google, Microsoft, etc., on a paid service instead of some free service where they take your data.
Thom Holwerda,
If you have any interest in doing it there are many of us who can help you set things up. You probably cannot host at home because both your ISP as well as other email providers may block you. Maybe your ISP is less restrictive? You can test to see if port 25 is open for you. Outbound needs to be open for sending emails and inbound to be open for receiving them.
You could rent a cheap VM with a dedicated IP and run email from there. Unfortunately you may find some of these blacklisted as well due to other spammers on the service.
You’ll find that when it works, it works great and is hassle-free for years. When it breaks it’s typically a problem with spam filters, either your own or another company’s. If the delivery issue is on your end, great, you can take care of it and move on. As an example, one client was having issues with emails related to government contracts. The government email server lacked reverse DNS entries, which is a major red flag and we were blocking it.
https://mailivery.io/blog/what-is-a-reverse-dns-record-and-why-is-it-crucial-for-email-deliverability
For whatever reason this government entity would not fix their server so I whitelisted them and it solved the problem for my client. But when customers ring you up to fix delivery issues that aren’t caused on your side, things can suddenly get a lot more stressful. You may find that you are not a high enough priority for the other party to give a damn (ahem…google).
For these reasons I wouldn’t suggest self hosting primary emails for amateurs. But if you want to try it as an educational challenge, then I know you could do it. You’d have to decide if it’s worthwhile.
Exactly. Not feasible for any SME, sorry. The risk/reward ratio is way off here, even for OS/Linux enthusiasts like us.
Andreas Reichel,
Well, I don’t want to discourage people who do want to try, but I think people will need the right temperament to fully commit long term. 95% is easygoing and carefree, but the remaining 5% can make you want to give up. YMMV.
I hate that our industry has consolidated around so few tech giants, but I understand why people do it. It’s easier and less stressful to outsource responsibilities to someone else and the big brands are the most familiar choice.
I agree with not liking the fact that so much consolidation is happening with just so few monopolies. In many instances they use their monopolist hold in one area (such as Google in search) to dominate other areas (such as Google with the Chrome browser). They cross-market in one dominant product to become dominant in another, continuing to expand their level of monopolist activities unchecked. That is one reason why they become the familiar choices, along with their massive marketing budgets. Some businesses might go with these tech giants since nobody gets fired when a company that size is at fault, since they are the de facto standard and it affects everyone at that point, so it’s just considered part of the deal since we are all in the same boat (just like what will happen with CrowdStrike).
It becomes very stressful with a big brand when you try to use their support, which is non-existent or severely lacking for most. That is one big reason to consider one of the non-giants: you are more likely to get a much higher level of support. I don’t know how many times I have had people with Microsoft or Google issues and I tell them to contact their support, and their usual stressful response is that their support is basically unusable or gave them answers that really didn’t resolve their issues. Once again they assume all MSPs are like this since they usually stick to only the tech giants. The sad thing is people don’t even make an effort to support a smaller MSP; they just go with the big tech companies and figure whatever happens is part of the deal.
Greetings!
I am so much in favor of being independent and self hosting as possible. We don’t use any Reddit, Google Office/Cloud, Youtube, LinkedIn and stuff and we get many very “surprised” reactions from clients.
That said: in today’s reality self-hosting email servers is not feasible. This war has been lost: even on rather large and established providers, emails get silently swallowed on the client’s side, and when you try to get whitelisted, they tell you to move to Microsoft or Google.
It’s a nightmare we simply can’t afford since e-mail is mission critical to us.
>>> This war has been lost
Agree. I tried to run my own e-mail server in mid-2000, with OpenBSD 3.6 back then. Got spam-related false blocks all the time.
>”Proton, which is now doing both machine learning and Bitcoin, of all things”
Actually, Proton Wallet sounds pretty freaking amazing. I hope (and expect) they expand to include Ethereum and Monero.
Yeah, without Monero it is pointless.
I’ve been running my email server for almost 10 years now. Once set up it just works. The only unexpected problem I’ve encountered is that VPS providers occasionally go out of business or change their business model, usually to managed services etc. This is a problem because moving an SMTP server to different IPs is quite annoying, not least because some recipients (Microsoft) require us to request permission to send them emails (nothing to do with blacklists, they just feel special enough).
I’ve also been thinking about hosting SMTP on my own hardware, but since residential network operators are even less stable I gave up on it for now. Does anyone know how to proxy traffic between a VPS (SMTP) and a local machine (storage + IMAP)?
ndrw,
Yes! Tons of ways you can do this 🙂
If you have a static IP, you can use iptables to redirect the packets to your home IP on an unblocked port.
If all your ports are blocked, you can use a VPN to create a virtual network that you control.
One of my favorite tools, OpenSSH, can do it too! It’s a jack of all trades and can do so many things that people aren’t aware of. It can even be used to create a full VPN. Anyway, that’s off topic. You can try this…
That should be all you need to get it to work. You can use socat to test the connection from your home computer:
“If you ever wanted to set up and run your own email server,” … Have fun but don’t rely on it. It’s hard, as everyone else here has put it. Even domain experts hate it. No one likes administering it, even for a small group of people or themselves. It’s nice that it’s an established open protocol. It’s also ancient, and various newer protocols have been heaped upon it that require some level of dark arts, sophistication, and the mercy of the large email providers to work correctly. For a small period of time.
1000% agree with this. It is not the actual software that will give you headaches, it is all the stuff on top, like making sure to get and keep SPF/DKIM correct, having reverse DNS, and most fun of all, building up enough trust to get your emails delivered reliably. Then if you are ever unlucky enough to get on one of the anti-spam blacklists, which can easily happen even if you or your server does nothing wrong other than being part of the wrong IP group, you discover what a lawless hell those faceless anti-spam services are. Then when you finally figure out how to get off the list, the fun begins as some mail servers are good at picking up new records but not that good at removing old ones, so you will have random bounces, or worse, email being silently dropped, for months.
So yeah, most people really should not run their own SMTP service. Mailbox hosting, sure, but send through an external service.
That’s not at all true. I haven’t encountered any problems with my server since it was installed. Yes, there are quite a few moving parts, and different tutorials aim at different deployment scenarios and combinations of tools. But once you find what you want it is far easier than e.g. deploying Nextcloud (which, BTW, is an unmaintainable PoS).
Make sure you’ve got a clean IP from a reputable provider and control your DNS. Then install a base Postfix+Dovecot, without any user databases. You will need an SSL certificate (Let’s Encrypt is fine) to communicate with most SMTP servers. I also use a sieve filter to sort mail from multiple aliases, but that’s a bonus. At the end you will have to kindly ask Microsoft to accept your emails. This all takes a few hours of work.
Large servers, spam filters, webmail UI would take more effort but I didn’t find them needed for a small installation.
ndrw,
I don’t think we can objectively cover this topic in absolutes. What Bill Shooter of Bul said has truth for many, but it also shouldn’t be taken as an absolute. The truth is murky. 🙂
Poor wording, sorry. My point is, it is easy to moderately hard to install (and that’s only because of all the available options; stick to a basic setup and it is quite easy) and it is very easy to maintain, unlike some modern services with their constant changes to dependencies, database schemas or plain incompatibilities between versions.
Other than Microsoft, no one has asked me to request permission to send them email. Provided the IP of the server is not blacklisted, normal technical means (SPF, DKIM) suffice and these are well documented. There are still thousands of smaller servers, usually maintained by companies (believe it or not, not everyone wants all their mail to go through Google or Microsoft), so the concept of individual SMTP servers is not going away.
ndrw,
I do agree with your points. The email infrastructure and configuration, while a bit cumbersome to set up, isn’t a deal breaker for someone who’s technically savvy. But IMHO that’s not the biggest problem, it’s the non-delivery of innocent emails that are casualties of the war on spam. False positives and false negatives are realities. Sometimes things work for many months at a time, but when a customer calls in because they’re experiencing a problem, it becomes a whole process, especially if you weren’t planning to spend your day working on email delivery issues. I have plenty of real world examples I can share, but I feel I’m already a broken record 🙂
If anyone wants to do it, I support them and more power to them I say. Just understand that sometimes there are pain points.
I guess most such non-delivery issues are caused by not enabling SPF, DKIM or DMARC. These are all trivial to set up and by now they are seen as a requirement for sending emails.
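The records this exchange keeps coming back to (SPF, DMARC, and the reverse DNS that got the government server blocked upstream) can be sanity-checked before the first message is sent. This is an added example, not code from the blog post or from anyone in this thread; the records and the tiny fake resolver are constructed sample data so it runs offline, and the real resolver would be swapped in for `FAKE_PTR`/`FAKE_A`.

```python
import re
from typing import Callable, Dict, List, Optional

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[-+~?]?(include|a|mx|ptr|exists|redirect)(:|=|/|$)", re.I)


def check_spf(record: str) -> List[str]:
    """Return the problems found in an SPF TXT record (empty list means it looks fine)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    mechs = terms[1:]
    problems = []
    lookups = sum(1 for t in mechs if LOOKUP_TERM.match(t))
    if lookups > 10:
        problems.append(f"{lookups} lookup mechanisms, RFC 7208 allows at most 10")
    if any(t.lower() in ("+all", "all") for t in mechs):
        problems.append("'+all' authorises every host on the Internet to send as you")
    if not mechs or not mechs[-1].lower().endswith("all"):
        problems.append("record should end with -all (or ~all while testing)")
    return problems


def check_dmarc(record: str) -> List[str]:
    """Return the problems found in a DMARC TXT record."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["record must start with v=DMARC1"]
    problems = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    elif policy == "none":
        problems.append("p=none only monitors; receivers will not act on failures")
    if "rua" not in tags:
        problems.append("no rua= address, so you get no aggregate reports")
    return problems


def check_fcrdns(ip: str, ptr: Callable[[str], Optional[str]],
                 forward: Callable[[str], List[str]]) -> List[str]:
    """Forward-confirmed reverse DNS: IP -> PTR name -> A/AAAA must contain the IP."""
    name = ptr(ip)
    if not name:
        return [f"{ip} has no PTR record; many receivers reject on that alone"]
    if ip not in forward(name):
        return [f"PTR {name} does not resolve back to {ip}"]
    return []


# Constructed zone data standing in for real DNS answers (hypothetical host and IP).
FAKE_PTR: Dict[str, str] = {"192.0.2.10": "mail.example.com"}
FAKE_A: Dict[str, List[str]] = {"mail.example.com": ["192.0.2.10"]}


def run_checks(ip: str, spf: str, dmarc: str) -> Dict[str, List[str]]:
    return {"spf": check_spf(spf), "dmarc": check_dmarc(dmarc),
            "fcrdns": check_fcrdns(ip, FAKE_PTR.get, lambda n: FAKE_A.get(n, []))}
```

An empty list for all three keys is the state to reach before sending; DKIM is deliberately left out because verifying it needs the signing key, not just a DNS record.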
ndrw
Well, yeah, I know those things can cause delivery failures, but it is wrong to assume that a fully configured server can never experience delivery problems. Do spammers use properly configured email servers? It’s a rhetorical question, they absolutely do. The point being that although SPF/DKIM/DMARC/rDNS/etc. are important, the fact of the matter is these things are NOT sufficient to guarantee delivery, especially if you are a small provider. You also have to get through other spam blocking technology and those are never 100% accurate. If your neighbors are blacklisted, the chances of you getting blocked increase as well.
And though it’s easy to blame other admins for aggressive blocking, I have to admit that I am guilty of it too. When I see malicious traffic coming from Russia or India, sometimes I give in and block the whole network because I can’t spend all day watching them hop from one IP to the next. These things suck, but it is what it is.
I’ve outsourced some of this to real time blacklists, which helps a lot but they too have false positives as well as false negatives.
I ran an OpenBSD mail server with a similar, if more primitive, spam-filtering setup for years. I ended up switching to ProtonMail not because any of the protocols were hard to configure, the system was hard to maintain (it really wasn’t!) or even that spam was getting through. It was just all the grief I got from other people’s mail servers that looked poorly at “some guy running an smtpd” compared to “a mail providing company.” If email-provider whitelisting were punishable by flogging the owners of a company, I’d love to take another shot at this.