As someone in infosec, how do you handle your personal email?

I got tired of Gmail reading everything, so I built a self-hosted
alternative with:
- X25519 + AES-256-GCM encryption
- Postfix/Dovecot on a French VPS
- SPF/DKIM/DMARC + fail2ban
- An AI cockpit that classifies urgent vs noise

Curious what setups other infosec people use. ProtonMail?
Self-hosted? Something else?

#infosec #email #privacy #selfhosted #encryption
I'm using a standard email solution right now, and want to see if there is a good alternative?
@[email protected] @[email protected] I ran a #WildDuck server for a while. I had to use an SMTP relay to send because non-ISP source servers tend to score higher on spam filters even with DKIM, SPF and DMARC in place, so it became a game of diminishing returns.

When I got tired of that I just went to Proton like a normie.

@mrfoostang @relay
Ha, the deliverability game is real. I got almost lucky with a clean datacenter IP — no relay needed so far, but I know it can change overnight if the IP range gets flagged.

That's the thing with self-hosting email — technically it works great, but you're always one spam report away from trouble.

Proton is solid though. My only gripe is the lock-in — try exporting 10 years of emails from it.

Did WildDuck give you any specific headaches beyond deliverability?

@[email protected] @[email protected] @mrfoostang Agree about the IP reputation issue. These days it goes even farther than that, such as checking the ASN the IP comes from and if it’s not a residential IP it gets scored higher as spam (generally). The mailing list services are constantly fighting that battle because they have no choice but to use non-ISP senders.

For WildDuck, it was pretty easy to get running. The docs are good. The challenge was finding a client that can handle encrypted email. I ended up using Canary Mail, which is iOS; I am not sure if there's an Android version.

Canary Mail in the App Store says “AI email” now, so I’m not sure what horrible sins have been committed on it during the intervening time since I used it.

Basically, I had a proton mail setup at that point. Encrypted at rest with the key on my device rather than the server.

If it wasn’t for the deliverability issue I’d probably still be running it.

Godspeed!
Also, I used, at different times, both ForwardMX and ForwardEmail as my SMTP relay.
@bobbricoleur I use proton because AFAICT dovecot 2.4.3 still has TLS/LDAP issues. When that is resolved I'll probably return to self-hosting. What do you use for SPF, DMARC and DKIM?
@bobbricoleur proton mail
@noplasticshower I self-host with Dovecot 2.3 + Postfix on a VPS.
No issues with TLS so far — using Let's Encrypt with SNI for multiple domains.

SPF/DKIM/DMARC all set up with hard fail. Deliverability has been surprisingly good.

Honestly the hardest part was getting the PTR record right with the hosting provider. Once that matched, everything was ok.

What TLS issues are you seeing on 2.4? Curious before I upgrade.
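The checks this post relies on (SPF ending in a hard fail, DMARC with a real policy, and a PTR record that forward-confirms back to the sending IP) are easy to get subtly wrong. The following is an added example, not code from any poster or from Postfix/Dovecot: a small Go audit that reads constructed DNS answers instead of doing live lookups, classifies the terminal `all` mechanism of an SPF record, parses a DMARC record, and applies the forward-confirmed reverse DNS test most receiving MTAs score on. The domains, IPs and records are made up; `example.org`, `weak.example` and the `203.0.113.0/24` addresses are documentation ranges. It only reads the `all` qualifier and does not expand `mx`/`include` mechanisms.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed DNS answers standing in for real lookups (assumption: not real records).
var txtRecords = map[string]string{
	"example.org":         "v=spf1 mx ip4:203.0.113.10 -all",
	"_dmarc.example.org":  "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.org; adkim=s; aspf=s",
	"weak.example":        "v=spf1 include:_spf.google.com ~all",
	"_dmarc.weak.example": "v=DMARC1; p=none",
}

var ptrRecords = map[string]string{
	"203.0.113.10": "mail.example.org.",
	"203.0.113.11": "203-0-113-11.generic.vps.example.", // provider-generic rDNS, never forward-confirmed
}

var aRecords = map[string][]string{
	"mail.example.org": {"203.0.113.10"},
}

// SPFPolicy returns what an SPF record does with senders it does not list:
// "hardfail" (-all), "softfail" (~all), "neutral" (?all) or "pass" (+all, all, or no all term).
// Only the terminal qualifier is read; mx/include mechanisms are not expanded.
func SPFPolicy(record string) (string, error) {
	terms := strings.Fields(record)
	if len(terms) == 0 || !strings.EqualFold(terms[0], "v=spf1") {
		return "", errors.New("not an SPF record")
	}
	policy := "pass"
	for _, t := range terms[1:] {
		switch strings.ToLower(t) {
		case "-all":
			policy = "hardfail"
		case "~all":
			policy = "softfail"
		case "?all":
			policy = "neutral"
		case "+all", "all":
			policy = "pass"
		}
	}
	return policy, nil
}

// ParseDMARC splits a DMARC record into tag/value pairs and requires the mandatory v and p tags.
func ParseDMARC(record string) (map[string]string, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 {
			tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	if tags["v"] != "DMARC1" || tags["p"] == "" {
		return nil, errors.New("malformed DMARC record (needs v=DMARC1 and p=)")
	}
	return tags, nil
}

// FCrDNS is the forward-confirmed reverse DNS check: the IP's PTR name must itself
// resolve back to that IP. Returns the PTR name found and whether it confirmed.
func FCrDNS(ip string) (string, bool) {
	name := strings.TrimSuffix(ptrRecords[ip], ".")
	if name == "" {
		return "", false
	}
	for _, a := range aRecords[name] {
		if a == ip {
			return name, true
		}
	}
	return name, false
}

// Audit lists the problems a receiving MTA would score against a sending domain and IP.
func Audit(domain, ip string) ([]string, bool) {
	var issues []string
	spf, err := SPFPolicy(txtRecords[domain])
	if err != nil {
		issues = append(issues, "no SPF record")
	} else if spf != "hardfail" {
		issues = append(issues, "SPF ends in "+spf+", not -all")
	}
	dmarc, err := ParseDMARC(txtRecords["_dmarc."+domain])
	if err != nil {
		issues = append(issues, "no usable DMARC record")
	} else if dmarc["p"] == "none" {
		issues = append(issues, "DMARC p=none (monitor only)")
	}
	if name, ok := FCrDNS(ip); !ok {
		issues = append(issues, fmt.Sprintf("PTR %q for %s is not forward-confirmed", name, ip))
	}
	return issues, len(issues) == 0
}

func main() {
	for _, c := range [][2]string{{"example.org", "203.0.113.10"}, {"weak.example", "203.0.113.11"}} {
		issues, ok := Audit(c[0], c[1])
		fmt.Printf("%s from %s: ok=%v %v\n", c[0], c[1], ok, issues)
	}
}
```

Running it reports the first pair as clean and flags three findings for the second: a soft-fail SPF, a monitor-only DMARC policy, and a provider-generic PTR that does not resolve back to the IP, which is exactly the "PTR record" problem mentioned above. To use it against a real domain, replace the three maps with `net.LookupTXT`, `net.LookupAddr` and `net.LookupHost` calls.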
@bobbricoleur proton with my own domain. I love all the services that proton has. It works well from my GrapheneOS phone without Google Play. The calendar, SimpleLogin, and the email services are my daily go-tos. Minus Lumo+, which I signed up for and now have abandoned for multiple reasons.
@Prometheus Nice to know. Any other similar services you know?

@bobbricoleur Self-hosting is always preferred. It is a lot of work. Many mail services still pre-emptively block self-hosting for spam despite spammers not doing self-hosting. It is too easy to add self-hosting to blocklists and some people do this automatically and without cause. Once on it is difficult to get off. Most mail services do collect and retain mail messages. Tuta and Proton say they do not retain mail. Tuta and Proton encrypt mail at rest but they possess the keys. Proton may only allow enterprise accounts to use SMTP. Tuta seems to allow only IMAPS.

Ymmv.

Bonne chance.

@hotarubiko Thanks a lot for this view, very interesting. So basically Proton provides you the key that they also have on their server?

@bobbricoleur For the mail at rest? Proton will show you the key. It is in your settings, last time I checked. It is PGP. Strictly TLS is used to send/receive mail for IMAPS and SMTP.

You can download mail messages though they do not make it easy. The messages will be decrypted for download.

@hotarubiko Right, so the E2E is really between Proton users only. Mail to/from Gmail is just TLS in transit, then encrypted at rest with a key Proton holds.

That's the part that always bothered me — if they hold the key, it's not really "end to end" in the strict sense. It's "encrypted at rest with provider-managed keys."

True E2E would mean they can't read it even if subpoenaed. But then you lose search, spam filtering, all the server-side features...

It's a real trade-off. Have you found anything that solves both?

@bobbricoleur Each user has its own key which only encrypts mail at rest. I do not know if they made the effort to encrypt internal mail transfers. I do not know of any service that does so. I do not know if messages in queue are also encrypted. It would be reasonable to encrypt filesystems that the queues are on.

The only reasonable solution I find so far is encrypt messages before sending provided that correspondents agree and share keys.

Proton is in Switzerland and subject to Swiss privacy laws. It would be extremely difficult for foreign powers to get around them. Self-hosters in Switzerland probably are protected as well, but less so, if at all, in most other countries.

Switzerland, like almost every other country has tax treaties which allow tax and enforcement authorities to get information on financial transactions, such as those paying for mail services, almost on demand. That is pretty much all they can get without approval of a Swiss court. They may be unable to get messages from the servers or seize the servers but when the sender or recipient is known they can get their financial metadata. This metadata is how a Proton user sending criminally threatening emails recently was caught.
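The distinction drawn in this exchange (a provider-held key versus a key that never leaves the recipient's device) and the "X25519 + AES-256-GCM" item in the opening post both come down to the same construction: an ephemeral X25519 agreement against the recipient's long-term public key, with the shared secret feeding AES-256-GCM. The following is an added example written for this thread, not code from the original poster's cockpit or from Proton or WildDuck, using only the Go standard library (`crypto/ecdh`, Go 1.20 or newer). The blob layout (ephemeral public key, nonce, ciphertext with tag), the `mail-seal-v1` label and the plain SHA-256 key derivation are assumptions made here for brevity; production code would use HKDF. A server that stores only the blob and the public key cannot open it, which is the "keys on the device, not the server" property discussed above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	pubLen   = 32 // X25519 public key length
	nonceLen = 12 // standard AES-GCM nonce length
)

// deriveKey turns the X25519 shared secret into an AES-256 key. Hashing both public keys
// in binds the key to this exchange. Assumption: plain SHA-256 with a fixed label stands in
// for HKDF so the example stays within the standard library of older Go versions.
func deriveKey(shared, ephPub, recipPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("mail-seal-v1"))
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipPub)
	return h.Sum(nil)
}

// Seal encrypts plaintext to the recipient's long-term X25519 public key.
// Output layout: ephemeral public key || nonce || AES-256-GCM ciphertext+tag.
// aad (e.g. headers) is authenticated but sent in the clear. Only the holder of the
// matching private key can open the result; a server holding the blob cannot.
func Seal(recipPub *ecdh.PublicKey, plaintext, aad []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	key := deriveKey(shared, ephPub, recipPub.Bytes())
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen) // fresh random nonce per message; never reuse under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(ephPub, nonce...)
	return gcm.Seal(out, nonce, plaintext, aad), nil
}

// Open reverses Seal with the recipient's private key. Any change to the blob or the aad
// makes GCM tag verification fail, and then no plaintext is returned at all.
func Open(recipPriv *ecdh.PrivateKey, blob, aad []byte) ([]byte, error) {
	if len(blob) < pubLen+nonceLen {
		return nil, errors.New("blob too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:pubLen])
	if err != nil {
		return nil, err
	}
	shared, err := recipPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	key := deriveKey(shared, blob[:pubLen], recipPriv.PublicKey().Bytes())
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := blob[pubLen : pubLen+nonceLen]
	return gcm.Open(nil, nonce, blob[pubLen+nonceLen:], aad)
}

func main() {
	// Constructed sample: the recipient's long-term key lives on their device only.
	recip, _ := ecdh.X25519().GenerateKey(rand.Reader)
	body := []byte("constructed sample message body")
	hdr := []byte("From: alice@example.org") // authenticated, not hidden
	blob, _ := Seal(recip.PublicKey(), body, hdr)
	pt, err := Open(recip, blob, hdr)
	fmt.Printf("opened=%q err=%v\n", pt, err)
	_, err = Open(recip, blob, []byte("From: mallory@example.org"))
	fmt.Println("header tampering rejected:", err != nil)
}
```

The overhead per message is 32 + 12 + 16 bytes. Note what this buys and what it does not: the provider can still see the headers placed in `aad`, and the trade-off raised earlier still holds, since server-side search and spam filtering cannot read the body either.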

@bobbricoleur self hosted since 1997.
@pussreboots Since 1997 — that's before spam filters even existed. :)

What's kept you going all these years? At some point most people give up and go to a provider.
@bobbricoleur It works. And when it doesn't work, I know who broke it.
@bobbricoleur proton with lifetime proton pass/simple login for aliasing. I’ll probably selfhost email to test at some point but I don’t want my main email put on block lists.