jamon
Michael W Lucas 
I didn't plan on this, but it turns out that releasing my new book on running your own email server was SUPER TIMELY. #sysadmin
Colin Cogle 
@mwl Running port 25 behind a residential IP is an instant block. I have everything running like clockwork behind a mid-sized hosting provider, but I'm always looking to improve things.
a
Ryan Castellucci (they/them) 
@colin @a @mwl My experience using RBLs was that I needed to run DNS lookups on the same IP as the mail server which is annoying with socks.
If you have IPv6 at home, you can get a dual stack VPS and use proxy arp to relocate its ipv4 address to the other end of a SIT tunnel (ipv4 over ipv6) terminating on your actual server.
I used to have a web server set up this way.
slash@a @mwl @colin I've been looking at this solution. My email VPS (running for longer than I can recall) is still priced much higher than most.
So I'm thinking about just doing a 1:1 NAT on a (cheaper) VPS and letting my home machine handle all the real work.
In my case, it's to ensure all my _data_ stays on my machines, yet accessible from anywhere on the net. (My corp. blocks my webmail, but not Google or Kolab... I want to be a full peer, dammit!)
Cassandrich@a @mwl @colin You don't run the mail server on the VPS, just proxy thru its IP. The TLS is terminated on your premises, so as always, if certificate is validated correctly (this is what you need DANE for; otherwise TLS on mail is opportunistic), MITM is impossible even if the attacker fully controls the VPS.
@dalias @mwl @colin I doubt the impossible words can be used here. I guess people with more evil imagination than me can think of ways to do so. Just a data point https://notes.valdikss.org.ru/jabber.ru-mitm/
@a @mwl @colin Cryptographically impossible (assuming the cipher isn't broken which isn't a realistic threat).
Where compromises like the one you cited happen are by compromising one party in the cryptographic chain, not by breaking the crypto. With DANE the only parties who can potentially be compromised are your registrar, the TLD authority, and the DNS root.
@a @mwl @dalias Dang, I do use Linode.
On the bright side, yes, I have a Let’s Encrypt CA and DNSSEC/DANE, MTA-STS, CAA, and all the acronyms. I also edited the Postfix config files to require TLS for outbound connections to some servers that I know will never not support it, like Google, Microsoft, and a few others.
@colin @mwl @dalias I'm personally not super concerned about all that because: (a) sending emails means that someone will received and you still need to rely on their infra not to be breached (good luck with that) and (b) I use email mostly to receive messages and as an ID for a bunch of accounts mostly. If I want to share something more personal I would use other mechanism
Nux@a @mwl @colin Never noticed anything and you'll laugh, but my uplink at home is 5G.. so significantly higher latency than your usual broadband. However http and smtp are very forgiving of that.
Of course, you can only sustain so much upload, but if all you're hosting is some blogs and emails, then it's no problem at all. Even 5-10 Mbps is OK for me.
In fact I've just measured now on pingdom and my crappy 5G hosted static site beats the heck out of our $dayjob corporate wordpress one!
Of course, you can only sustain so much upload, but if all you're hosting is some blogs and emails, then it's no problem at all. Even 5-10 Mbps is OK for me.
In fact I've just measured now on pingdom and my crappy 5G hosted static site beats the heck out of our $dayjob corporate wordpress one!
MarjorieR@mwl The best thing about RYOMS is that it allows you to own the means of production.
I have need for privacy and autonomy that's likely edging towards pathological. RMOMS satisfies that need for at least my most frequent use case.
Now I just need my own Fedi instance, and maybe a caching web proxy with automation to keep my favorite sites updated. (Plus some junk sites to widen the bell curve for data brokers.)
⊥ᵒᵚ Cᵸᵎᶺᵋᶫ∸ᵒᵘ ☑️
Eleanor Saitta@mwl
It's very appropriate that the cover looks like the Linux mascot fighting a war in hell
(Yes yes I know but still)
Jyrgen N
Punished Bernadetta 
@mwl this cover 😭
Run Your Own Mail Server or All Quiet on the SMTP Front
Run Your Own Mail Server or All Quiet on the SMTP Front
Jaime Herazo@mwl
Don't see it mentioned on the book blurb and i gotta ask after seeing your other books: Is the book setup/instructions based on Linux or a BSD? Or is it OS agnostic?
Don't see it mentioned on the book blurb and i gotta ask after seeing your other books: Is the book setup/instructions based on Linux or a BSD? Or is it OS agnostic?
Seth Hanford 🐡@jherazob @mwl Largely software agnostic, and essentially OS agnostic (you could do this on any OSS stack without needing to seriously considering buying a different book).
It uses Postfix, Dovecot, rspamd and a few others, but the author takes painstaking care to explain WHAT needs to be done, then gives examples in HOW to do this in the given software, but also isn't afraid to say things like "You'll need to spend some time familiarizing yourself with rspamd to be successful -- here's how I do that. Go do that so you can do X, Y, or Z as appropriate for your situation."
You should have limited difficulty replicating this in comparable software, though it will be more straightforward of course if you make the same choices.
Phillip Vuchetich@mwl the marketing genius in your head somehow knew to plan a decade ahead with all those other tech books that are needed to set up and maintain a server and network... 
@mwl irrefutable proof that Seat of Your Pants'ing things CAN work out for the best.
🍻 alfajet 🇫🇷 🇬🇧@mwl
If you planned all these events to promote your book, you went a bit too far imo.
If you planned all these events to promote your book, you went a bit too far imo.
Plan? Me, plan? 
Steve D. Ballantyne@mwl I have longed for the days when people would wake up, smell the coffee, and realize that "the cloud" may not be the best idea, especially for your email, and especially with Microsoft - who has never, ever, practiced sensible security practices, ever.
ferricoxide@mwl
Been running my own mail server since late 1995 (so, coming up on three decades, now). Up until about 5 years ago, it was fairly straight-forward. Then started getting blocked by 900lb gorillas like Google and Microsoft because my MTA wasn't trustworthy (nevermind that I adopted SPF, DKIM, DMARC and other anti-spam measures while they were still beta or advisory-only features). Now I'm stuck having to relay everything through freaking SES (or equivalent) if I don't want bounce DSNs every time I or one of my family members tries to send messages to someone whose mailbox is hosted through O365 or gSuite.
Been running my own mail server since late 1995 (so, coming up on three decades, now). Up until about 5 years ago, it was fairly straight-forward. Then started getting blocked by 900lb gorillas like Google and Microsoft because my MTA wasn't trustworthy (nevermind that I adopted SPF, DKIM, DMARC and other anti-spam measures while they were still beta or advisory-only features). Now I'm stuck having to relay everything through freaking SES (or equivalent) if I don't want bounce DSNs every time I or one of my family members tries to send messages to someone whose mailbox is hosted through O365 or gSuite.
Django@mwl Pardon, but why should I put 15€/$ on your desk, when all informations for an one MX is free available on a WIKI?
alexx@mwl TIL BIMI="Brand Indicators for Message Identification" and my mail server is from 2018