Hosting your own mail server for security

Posted on Sun 25 September 2016 in Security

Here are some tips from a security-focused system administrator.

If you're an experienced sysadmin ready to embrace Murphy's law:

Go ahead, you already know what to do and what to expect. Good luck!

If you're the average user and don't know much about servers:

Why host your own mail server:

  • The government won't be able to ask Google for your emails, even if Google probably wouldn't give them anything without a search warrant. By the way, please search for facts and precedents before trusting some leaked PowerPoint and shouting shit you don't understand and can't prove on Twitter. It would be SO great.

  • Evil corps won't be able to use your very precious data to build sentient AIs and control the world. Or just quickly parse your emails and display them nicely. Who knows.
    Not unlike what spam filters have been doing for years while everybody was happy, but hey, if you don't see it you don't get scared, I guess.

Why not host your own mail server:

  • You're not a security expert nor a very good sysadmin.

    • The government will easily pwn your server.
    • Russian kids will easily pwn your server.
    • Half the world will use your badly configured postfix to relay spam.
    • Your TLS will be bad or you will just forget it. Someone will probably steal your password on a public wifi someday.
    • Your server's TLS will be bad or you will just forget about it too. The NSA will still see all your emails.
    • You won't discover any of those for a year because you have no security team watching your server at all times and monitoring is so hard you will give up.
  • Of course you will have no 2-Factor Authentication. That's quite rare (nonexistent) with self-hosted mail servers, even though it's one of the most effective ways to protect anything these days.

  • The previous owner of that IP address had the same brilliant idea and ended up relaying spam without knowing it. If you want to reply to that one person using Outlook, you will have to ask Microsoft to remove you from their blacklist. It may take hours just to find the right page, weeks until it's processed and you may have to try a few times.

    • Hosting this at home? You're already blacklisted by most of the world. Maybe using another server to send mail is a good compromise.
  • Your hardware will eventually fail.

    • Since you only have a cheap dedicated server, it will take between 24h and 48h to fix.
    • If you have a VPS from a competent provider you're lucky, it will only take a few minutes at most.
  • You want full disk encryption? You'd better, considering that providers reuse disks without bothering to properly erase them. Everyone knows that's stupid but it still happens.

    • That also means entering the key every time your server boots. It may happen at a bad time. A keyfile is probably good enough, and it's less data to overwrite.
  • That server costs money, so you may want to install a web server, a WordPress and a seedbox on it too.

    • One of them has a security issue and will get your server hacked. But you have a job, you can't spend your time patching things!
    • DMCA. Don't mess with HBO. Your VPS provider will shut down your server while you're on vacation without your laptop. (I don't worry about the NSA nearly as much as about the TSA. These fuckers are plain wrong and dangerous.)
      • It's the third time and they killed your server and closed your account with no refund? Well, fuck. Enjoy your vacation.
  • One of these issues will get your server badly broken or compromised. Then what?

    • All your emails are potentially leaked and used against you. They were also all encrypted end-to-end, right?
    • Your latest backup will be 6 months old because that shell script was broken by an upgrade and Murphy's law.
      • You should have backups on another server. Append-only. Encrypted. And you should have a backup of the encryption key somewhere else.
    • Following the same law, a very important email is about to arrive right now, and the sender's mail server is also badly configured and will stop retrying after a few hours.
    • At this point you've not just lost access to your emails, you're losing incoming emails until it's fixed.

These are not made up; I've seen most of them myself on servers I manage or on other people's.

If you really have special requirements:

Then you should find experts to set it up for you or with you and teach you how it works. This is not a simple task that a quick guide will walk you through.
And make sure this is really your case: I know a lot of people like to include themselves here, but they really have no idea how unimportant they are or how simple their problems can actually be.

My point

Often people come to me asking how to set up a mail server to get away from big companies and governments, because someone told them self-hosting is easy and cool. Short answer: don't, it's not. Just use Gmail or another good and serious provider, and PGP or other end-to-end encryption for anything sensitive.

The current situation of self-hosted email is bad. Tools are often incomplete, broken, lacking documentation, and very unsafe when used even in a slightly imperfect way. Most are made to be part of larger systems and not ready for use. Maintaining a server is a huge and continuous amount of work that requires knowledge, experience and time to be done correctly.

I'm not saying no one should host a mail server, but you shouldn't think it will be anything close to easy or reliable. The same is true for everything else you can host, but email is often more sensitive.
If you don't have much time or knowledge about servers, it will hurt you.