#email #self_hosted

I was about to write an article on the surreal experience of hosting your own mail server in 2022, but this guy has already written all the things that I wanted to write.

I find it surreal that email is one of the oldest protocols on the Internet, one of the most openly documented, and yet a very small group of actors (with Google and Microsoft on the front line) have managed to make it impossible to self-host. I've also bounced through a lot of the holes mentioned by the author of the article, and I've also got the same impression: everything in the world of email services is designed to only benefit a small subset of actors and discard emails from anybody else. Spam checks are very robust and effective nowadays, but why bother to run them when you can just blacklist the whole IP subnet of a VPS provider with no explanation, and make sure that your friends in your illegal cartel do the same?

My current solution is to use ProtonMail with my own domains linked to it, run the bridge on my VPS, tunnel the IMAP and SMTP ports over SSH on my VPN, and use that as my private mail server. But it's a workaround, and I'm not entirely happy with it. I wish I could just run my Postfix server to manage my domains and send emails like it's 2005. Unfortunately, that's not possible: if you want to use email today either you pay someone for the service, or you accept that your private communications are stored on Google's or Microsoft's servers. Even if you have the skills to run your own server, you no longer have that choice. And it's time for @FRA to break this mafia.

cfenollosa.com/blog/after-self

As everyone is pointing out, this is not a technological issue - this is a problem with megalomaniac corporations like Goggle and Microsoft.

Blockchains suppose to help transition from email to other, better type of messaging, but I know only a few solutions and I do not fully understand how they work (yet). In the meanwhile I have good success with hosting my BIND stack, using the YunoHost default email configuration, and taking care of DNSSEC myself. My domains still get blocked or marked as spam, but for those domains I use Skiff or other "corporate" provider.

@FourOh-LLC @FRA @blacklight
this defeatism is exactly what the big players want.

i self host mail for > 10 years and have few problems. then, i don't write many mails to people on google or microsoft addresses. i don't even have setup complicated shenanigans like DNSSEC.

if nobody uses gmail etc. there is no problem with mail. that's the beauty with federation. if people have to expect that they have to deal with other providers than the big few, things will work. i think we need to route around them, not give in.

also, don't scream for more government regulation, enable others to break free of the shackles of those corporations. host mail servers for others, etc.

maybe i'm just lucky that in germany many people use the email provided by their ISP or even pay for a mail service. i haven't seriously dealt with a gmail address for a long time.

@bonifartius @FourOh-LLC @FRA using a Google or MS address just to email people with a Google or MS address doesn't sound like a good trade-off. Most of the people in my "real life" circle use a Gmail address (even though Microsoft is probably the main offender in my experience when it comes to blocking), so my private email would only be used to write to the few people in my "privacy-aware" circle. I used to encrypt all my emails with PGP until a few years ago when sending them to Gmail addresses, but nowadays even finding somebody who knows what PGP is (let alone having a keypair and configuring mobile clients to use it) is quite rare.

And it's not only a problem with email addresses that end with gmail.com or outlook.com: many businesses and public entities nowadays use mail services powered by Google or Microsoft, even if the domain is different, and those would apply the same restrictions to incoming emails.

And then there's a problem with email addresses associated to services. I run a Mastodon instance, a Gitea server, a Matrix homeserver and an SSO service - all things that offer user registration and things like confirmation and notification emails. When I used to run my Postfix server for the platypush.tech domains, most of the registration emails sent to Google or Microsoft addresses would bounce back, basically preventing those users from registering to my services - and, even if I hate Google and Microsoft, I don't want to create such barriers for users.

I'm calling for public intervention because that's IMHO the only way to solve this problem. We can't expect the industry to self-regulate: they have created their own little cartel, and they are happy to ban whole subnets instead of performing granular spam checks, especially when the nice side effect of this behaviour is that they manage to keep any competitors out. And we can't expect people like us to move the needle either: even if we build the perfect solution, we're a tiny minority in a world of billions of Google and Microsoft addresses. And, even if the alternative solution gets enough traction (like Tutanota did, at least on a small scale), Microsoft will just do what it did a couple of days ago - blacklist the domain, or prevent users from using that email address to register to Microsoft services.

We need public intervention because big fines imposed on these giants are the only way to get them to change - the language of profit is the only one they understand. The solution is also straightforward: you can't ban a whole IP subnet just because a spam email came from one of its servers, you are compelled to run granular checks on individual emails instead of applying draconian measures, and the rules to get emails from a new mail server accepted should be transparent, not the current kafkaesque bureaucratic nightmare that we have today.

Follow

@blacklight
> [...] and, even if I hate Google and Microsoft, I don't want to create such barriers for users.

that's the wrong line of thought imo. it just normalizes that it's ok to use these things which are the equivalent to shitting in the streets ignoring everyone who says that that's not ok. gmail etc. are big spammers themselves. just because everyone you know is shitting in the streets doesn't make it ok.

it's appeasing to people who don't care about these things. that's completely fine choice for them, but _they_ should face the consequences, not people who host things. this hand-holding and accepting bullshit has been slowly fucking up everything in IT. from linux on the desktop which brought so many bad things to linux it's a disaster, to the weird thing browsers are now, to "mail is now centralized because google is so comfy". it's beyond me why i should cater to those who don't fucking care.

i don't see that any governmental action would help because of things like this:

> More than a year after being asked by the European Union to standardize their Office 2003 XML formats, Microsoft submitted 2,000 pages of documentation for a new file format to the Ecma International consortium for it to be made into an open standard.

that's exactly what would happen to mail - or has happened already, only that google and ms don't have really good complicated standards to show and can't say "we did what you wanted us to" as nobody has asked. all the spam protection standards that got pushed and are "required" now are bullshit: DKIM, DMARC, SPF (which is the sanest one of the bunch). that's what happens if committees get involved, only that the plain google and ms solutions would be much more worse. they would lament about their business and how unfair it would be to drop these practices that politicians would ask them to specify how others should behave.

also those rules you proposed would equally be applied to everyone else. you know what happens next? ms and google start to send spam from single random addresses with plausible deniability because "it was a spammer!!1" and "we deleted the account!11". have fun complying to that self made sword of damocles of fearing a lawsuit or whatever the bureaucrats think of.

i want the government and regulation as far away from the net as possible. everyone hosting things is living in a legal twilight already.

@FourOh-LLC @FRA

Β· Β· 1 Β· 0 Β· 0

@bonifartius @FourOh-LLC @FRA my point is that I want my services to be as inclusive as possible, because if entry barriers are lower then more people are likely to jump to more privacy-aware alternatives. Many people taking some small steps in the right direction usually have more impact than a smaller group taking bigger steps in the same direction.

If somebody registers to my Mastodon/Pixelfed instance or my Matrix server with a Gmail address, I still want them to be able to participate. Because they may like what they find here and stay, and, even if they use a shitty mail provider, at least we've got a user who spends less time on Facebook, Twitter or Instagram, or has one more use-case for using a private messaging app. If instead we require higher entry barriers (like having to use another email address, or another browser, or not being able to consume some content), then we're likely to lose momentum and only attract people that are already privacy-aware and ready to accept these trade-offs.

About committees - I agree with you on how dysfunctional they are today because of big tech derailing all the discussions to bring water to their mill. But they are the only tool we have, together with legislation, to change things. If regulation doesn't work because it's too slow, then we need to think of how to improve it, not dismiss it. If committees and open standards don't work because big tech throws too much weight at the table, then we need to think of how to enlarge the table so their weight gets diluted, not dismiss the process of open standards.

@blacklight
i understand your intentions but i think it doesn't work. free software "replacements" for closed services will never be able to compete with those, but they shouldn't try to in the first place. they bring so many other features to the table which the closed counterparts never will be able to have, but some of these features outright frighten people. like that there is no higher instance to appeal to. it's learned helplessness and most people like it this way.

i don't see that catering to those who aren't caring will help any more than it has helped in the last decade: we got ubuntu etc. only for them to include things like amazon search. we had a good firefox, only to get it dumbed down and features nobody in the userbase asked for (like aquiring pocket) being added. meanwhile never publishing a non shitty sync server to self-host. redhat added so many bespoke parts for "desktop linux" shit, that almost every distribution is now the same as it is so hard to fight the systemd bullshit layer.

i really don't know why this watering down and compromising is so popular. the strength of free software is precisely that it isn't like the closed source parts and often completely different.

regarding committees, the "write an RFC and publish it" method has served well for decades now. the net is very good at self organizing, many now follow the lure of "doing things the way big tech does", but i think this will be the source of much pain in the future.

@FourOh-LLC @FRA

@bonifartius @FourOh-LLC @FRA Ubuntu and Firefox are only products. They got funded by someone, they built something, then that somebody came back and said "looks pretty cool, but now how do you make money out of it?". This has happened countless times and it will keep happening. I personally don't care of what Ubuntu or Mozilla specifically do, as long as I have other distros to pick and an open Linux kernel underneath that I can customize and package however I like. Or as long as I have an open-source Chromium/Firefox codebase that I can fork to remove the stuff that I don't like.

I also don't believe in compromise built around mere *inclusion*. I believe in *extension* - the same bitter pill that big tech made us swallow for 40 years. We don't just include some of their things through paid partnerships. We force them to open up their APIs and protocols, and when they don't do that we scrape, reverse, mock and hack the shit out of them, until our containers contain all of their stuff, plus ours. We force the level playing field whatever the means, we force them to fight the competition around openness, not closeness, and that is a battle that we know much better than them how to win.

We should never forget that they don't *own* users, nor any form of content. They only own the container - the infrastructure that holds and processes a bunch of files and database records. We should pick our battle against the container, not against the content.

Sign in to participate in the conversation
Qoto Mastodon

QOTO: Question Others to Teach Ourselves
An inclusive, Academic Freedom, instance
All cultures welcome.
Hate speech and harassment strictly forbidden.