posted by chromas on Monday September 02 2019, @09:45AM   Printer-friendly
from the needs-more-XML dept.

OpenBSD developer, Gilles Chehade, debunks multiple myths regarding deployment of e-mail services. While it is some work to deploy and operate a mail service, it is not as hard as the large corporations would like people to believe. Gilles derives his knowledge from having built and worked with both proprietary and free and open source mail systems. He covers why it is feasible to consider running one.

I work on an opensource SMTP server. I build both opensource and proprietary solutions related to mail. I will likely open a commercial mail service next year.

In this article, I will voluntarily use the term mail because it is vague enough to encompass protocols and software. This is not a very technical article and I don't want to dive into protocols, I want people who have never worked with mail to understand all of it.

I will also not explain how I achieve the tasks I describe as easy. I want this article to be about the "mail is hard" myth, disregarding what technical solution you use to implement it. I want people who read this to go read about Postfix, Notqmail, Exim and OpenSMTPD, and not go directly to OpenSMTPD because I provided examples.

I will write a follow-up article, this time focusing on how I do things with OpenSMTPD. If people write similar articles for other solutions, please forward them to me and I'll link some of them. It will be updated as time passes by to reflect changes in the ecosystem, come back and check again over time.

Finally, the name Big Mailer Corps represents the major e-mail providers. I'm not targeting a specific one, you can basically replace Big Mailer Corps anywhere in this text with the name of any provider that holds several hundred million recipient addresses. Keep in mind that some Big Mailer Corps allow hosting under your own domain name, so when I mention the e-mail address space, if you own a domain but it is hosted by a Big Mailer Corp, your domain and all e-mail addresses below your domain are part of their address space.

Earlier on SN:
Protocols, Not Platforms: A Technological Approach to Free Speech (2019)
Re-decentralizing the World-Wide Web (2019)
Usenet, Authentication, and Engineering - We Can Learn from the Past (2018)
A Decentralized Web Would Give Power Back to the People Online (2016)
Decentralized Sharing (2014)


This discussion has been archived. No new comments can be posted.
  • (Score: 3, Insightful) by Anonymous Coward on Monday September 02 2019, @11:23AM (13 children)

    by Anonymous Coward on Monday September 02 2019, @11:23AM (#888783)

    It's dealing with all the stuff in place to prevent spam (you have to get a bunch of stuff signed, and Microsoft's basically doesn't work at all but you still need it to talk to anything using their email server), then you have to get your isp to allow access to port 25 - forget doing it at home, and even most hosting companies are touchy about it - and then you have to provide clients that people want to use, because there's no free equivalent to Gmail.

  • (Score: 4, Insightful) by NateMich on Monday September 02 2019, @12:14PM (1 child)

    by NateMich (6662) on Monday September 02 2019, @12:14PM (#888793)

    The users are the hard part.

    • (Score: 2) by PartTimeZombie on Monday September 02 2019, @10:22PM

      by PartTimeZombie (4827) on Monday September 02 2019, @10:22PM (#889003)

      I modded you +1 Touche, but could just as easily have been Insightful, Informative, or Funny.

  • (Score: 5, Interesting) by Grishnakh on Monday September 02 2019, @02:38PM (8 children)

    by Grishnakh (2831) on Monday September 02 2019, @02:38PM (#888834)

    This is it right here.
    Even if you didn't have to worry about the roadblocks and could just set up your own SMTP server, actually using it for mail is a waste of time unless you redirect it all to your GMail account, because otherwise you'll just be spending all your time sifting through spam. Spam has almost completely ruined email.

    • (Score: 0) by Anonymous Coward on Monday September 02 2019, @05:02PM (2 children)

      by Anonymous Coward on Monday September 02 2019, @05:02PM (#888883)

      Spam has almost completely ruined email.

      It has completely ruined traditional email. There would still be hope with user definable addresses that can be dropped as soon as the spammers pick up on them, perhaps combined with a postage system where a token must be included in the message.

      Even if the postage were free, it could be useful to have human involvement before a sender is allowed to pass email: Answer these random math questions and include the string it sends back to you in your email.

      Both the user definable addresses and the postage system can permit mail to be rejected during the transaction.

      • (Score: 1, Informative) by Anonymous Coward on Tuesday September 03 2019, @02:05AM

        by Anonymous Coward on Tuesday September 03 2019, @02:05AM (#889070)

        Your post advocates a

        (X) technical ( ) legislative ( ) market-based ( ) vigilante

        approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

        ( ) Spammers can easily use it to harvest email addresses
        (X) Mailing lists and other legitimate email uses would be affected
        ( ) No one will be able to find the guy or collect the money
        ( ) It is defenseless against brute force attacks
        ( ) It will stop spam for two weeks and then we'll be stuck with it
        (X) Users of email will not put up with it
        ( ) Microsoft will not put up with it
        ( ) The police will not put up with it
        ( ) Requires too much cooperation from spammers
        (X) Requires immediate total cooperation from everybody at once
        ( ) Many email users cannot afford to lose business or alienate potential employers
        ( ) Spammers don't care about invalid addresses in their lists
        ( ) Anyone could anonymously destroy anyone else's career or business

        Specifically, your plan fails to account for

        ( ) Laws expressly prohibiting it
        (X) Lack of centrally controlling authority for email
        ( ) Open relays in foreign countries
        ( ) Ease of searching tiny alphanumeric address space of all email addresses
        ( ) Asshats
        ( ) Jurisdictional problems
        ( ) Unpopularity of weird new taxes
        ( ) Public reluctance to accept weird new forms of money
        (X) Huge existing software investment in SMTP
        ( ) Susceptibility of protocols other than SMTP to attack
        ( ) Willingness of users to install OS patches received by email
        ( ) Armies of worm riddled broadband-connected Windows boxes
        (X) Eternal arms race involved in all filtering approaches
        ( ) Extreme profitability of spam
        ( ) Joe jobs and/or identity theft
        ( ) Technically illiterate politicians
        ( ) Extreme stupidity on the part of people who do business with spammers
        ( ) Dishonesty on the part of spammers themselves
        ( ) Bandwidth costs that are unaffected by client filtering
        (X) Outlook

        and the following philosophical objections may also apply:

        (X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
        ( ) Any scheme based on opt-out is unacceptable
        ( ) SMTP headers should not be the subject of legislation
        ( ) Blacklists suck
        ( ) Whitelists suck
        ( ) We should be able to talk about Viagra without being censored
        ( ) Countermeasures should not involve wire fraud or credit card fraud
        ( ) Countermeasures should not involve sabotage of public networks
        (X) Countermeasures must work if phased in gradually
        (X) Sending email should be free
        (X) Why should we have to trust you and your servers?
        ( ) Incompatibility with open source or open source licenses
        ( ) Feel-good measures do nothing to solve the problem
        ( ) Temporary/one-time email addresses are cumbersome
        ( ) I don't want the government reading my email
        ( ) Killing them that way is not slow and painful enough

        Furthermore, this is what I think about you:

        (X) Sorry dude, but I don't think it would work.
        ( ) This is a stupid idea, and you're a stupid person for suggesting it.
        ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

      • (Score: 1, Informative) by Anonymous Coward on Tuesday September 03 2019, @02:37PM

        by Anonymous Coward on Tuesday September 03 2019, @02:37PM (#889193)

        Postage for email system using math has existed for a long time. It was called HashCash, basically a bitcoin-like proof-of-work system for email that predates bitcoin by several years.
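
Added example, not part of the comment above and not code from the Hashcash project: a minimal Python sketch of the proof-of-work postage idea, minting a version 1 stamp (`ver:bits:date:resource:ext:rand:counter`, SHA-1 with leading zero bits) and checking it on the receiving side. The function names, the hex counter, the in-memory `spent` set and the 28-day acceptance window are assumptions made for this illustration.

```python
import base64
import hashlib
import os
from datetime import date, datetime, timedelta


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a digest."""
    count = 0
    for byte in digest:
        if byte:
            return count + 8 - byte.bit_length()
        count += 8
    return count


def stamp_bits(stamp: str) -> int:
    """Work actually present in a stamp: leading zero bits of its SHA-1."""
    return leading_zero_bits(hashlib.sha1(stamp.encode("utf-8")).digest())


def mint(recipient: str, bits: int, day: date) -> str:
    """Sender side: search for a counter that gives `bits` leading zero bits."""
    rand = base64.b64encode(os.urandom(9)).decode("ascii")
    # version:bits:date:resource:ext:rand:counter (ext left empty here)
    prefix = f"1:{bits}:{day:%y%m%d}:{recipient}::{rand}:"
    counter = 0
    while stamp_bits(prefix + format(counter, "x")) < bits:
        counter += 1
    return prefix + format(counter, "x")


def verify(stamp, recipient, min_bits, today, spent, max_age_days=28):
    """Receiver side: one hash plus bookkeeping. Returns "ok" or a reason."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return "malformed"
    try:
        claimed = int(fields[1])
        issued = datetime.strptime(fields[2][:6], "%y%m%d").date()
    except ValueError:
        return "malformed"
    if fields[3].lower() != recipient.lower():
        return "wrong-recipient"      # stamp was paid for someone else
    if claimed < min_bits:
        return "too-cheap"            # below this server's postage price
    if abs(today - issued) > timedelta(days=max_age_days):
        return "expired"              # bounds how long `spent` must be kept
    if stamp_bits(stamp) < claimed:
        return "insufficient-work"    # header claims more than the hash shows
    if stamp in spent:
        return "already-spent"        # replay of a previously accepted stamp
    spent.add(stamp)
    return "ok"
```

Minting costs the sender about 2^bits hashes per recipient, while `verify` costs the receiver a single hash, which is the asymmetry the postage idea relies on.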

    • (Score: 2, Touché) by Anonymous Coward on Monday September 02 2019, @11:04PM (3 children)

      by Anonymous Coward on Monday September 02 2019, @11:04PM (#889014)

      because otherwise you'll just be spending all your time sifting through spam. Spam has almost completely ruined email.

      Nope. Run my own email, on my own server, on my home internet link. Have been doing so since circa 2000 (so about 19-20 years or so now). My main email address has been unchanged in all that time.

      I get, maybe, 1 spam getting past the filter every 6 months. Otherwise, Crm114 cleans all the rest up and I simply don't see any spam.

      And that one every 6 months, feed it back into crm114 so it can learn, and wait another six months.

      So, no, one will not spend all their time sifting through spam, provided one knows to use a good spam filter.

      • (Score: 1) by nekomata on Tuesday September 03 2019, @05:45PM (1 child)

        by nekomata (5432) on Tuesday September 03 2019, @05:45PM (#889240)

        I have been running OpenBSD with OpenSMTP for 5-ish years. My SPAM filtering is just greylisting and bgpd based black/whitelisting (http://bgp-spamd.net/). I get literally zero spam mails. Not kidding, I can't remember getting a single spam email since I set this up. Also the setup is generally pretty good, I don't have problems with getting into other ppls spam boxes etc.

        The whole setup takes a weekend, and then an openbsd update every 6 months which is the most painless, best documented system upgrade I have ever experienced. YMMV of course, but I have not found a personal email server to be a hassle at all.

        • (Score: 0) by Anonymous Coward on Wednesday September 04 2019, @04:25AM

          by Anonymous Coward on Wednesday September 04 2019, @04:25AM (#889375)

          One of my coworkers was half a beat from pulling the trigger on changing our mail server for a hosted solution, despite the fact that we run plenty of other servers. He happened upon an article about greylisting. He set it up, and it made a huge difference according to him. Apparently, just the act of delaying mail keeps most spammers from trying again. In addition, it also buys just enough time for other automated anti-spam systems to flag the sender as suspicious. In addition, most addresses where we need an email RIGHT NOW, send us email often enough that they don't get caught by the greylist.
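
Added example, not part of the comments above and not taken from any particular greylisting daemon: a small Python model of the decision described in this sub-thread, where a first delivery attempt gets a temporary SMTP failure, a patient retry is accepted, and regular correspondents stay whitelisted. The class name, the timing constants, the /24 grouping and the sample traffic are all constructed for illustration.

```python
import ipaddress

PASS_DELAY = 25 * 60       # seconds a new triplet must wait before a retry passes
GREY_EXPIRY = 4 * 3600     # a grey entry that is not retried in time is forgotten
WHITE_EXPIRY = 36 * 86400  # a whitelisted triplet lapses if unused this long


class Greylist:
    def __init__(self):
        self.grey = {}   # triplet -> time of first attempt
        self.white = {}  # triplet -> time of last accepted delivery

    @staticmethod
    def triplet(client_ip, mail_from, rcpt_to):
        # Key on the client's network so a retry from a sibling host in a
        # large sender's outbound pool still matches the first attempt.
        addr = ipaddress.ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        return (str(net.network_address), mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return (SMTP reply code, reason) for one RCPT TO at time `now`."""
        key = self.triplet(client_ip, mail_from, rcpt_to)
        last = self.white.get(key)
        if last is not None and now - last <= WHITE_EXPIRY:
            self.white[key] = now          # frequent senders never lapse
            return 250, "known sender"
        self.white.pop(key, None)          # drop a stale whitelist entry
        first = self.grey.get(key)
        if first is None or now - first > GREY_EXPIRY:
            self.grey[key] = now           # new (or forgotten) triplet
            return 451, "greylisted, try again later"
        if now - first < PASS_DELAY:
            return 451, "retry too soon"   # fire-and-forget senders stop here
        del self.grey[key]
        self.white[key] = now
        return 250, "retry accepted"


# Constructed sample traffic: (client IP, MAIL FROM, RCPT TO, seconds elapsed)
SAMPLE = [
    ("192.0.2.10", "news@shop.example", "me@home.example", 0),
    ("203.0.113.7", "x@bulk.example", "me@home.example", 5),
    ("192.0.2.10", "news@shop.example", "me@home.example", 60),
    ("192.0.2.11", "news@shop.example", "me@home.example", 1800),
    ("203.0.113.7", "x@bulk.example", "me@home.example", 21600),
    ("192.0.2.10", "news@shop.example", "me@home.example", 90000),
]


def replay(events):
    """Run events through a fresh greylist and return the reply codes."""
    greylist = Greylist()
    return [greylist.check(*event)[0] for event in events]
```

In the sample, the sender that retries after the delay is accepted and then passes immediately the next day, while the sender that only comes back after its grey entry expired starts over with another 451.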

      • (Score: 1) by DECbot on Tuesday September 03 2019, @06:57PM

        by DECbot (832) on Tuesday September 03 2019, @06:57PM (#889257) Journal

        I have Comcast run my spam filter for the mail server in my basement. I get zero spam, just updates from my FreeBSD server whining about 'update this' and 'new release that' and 'the raspberry pi detects that you're out of salt in your water softener tank'. Though I've noticed there are a lot of false positives with Comcast's filtering. Perhaps I should get around to asking them to stop blocking port 25 or set up my server and router for port 587, but then I'd have to do something about the spam.

        --
        cats~$ sudo chown -R us /home/base
    • (Score: 3, Interesting) by Hyperturtle on Tuesday September 03 2019, @02:45PM

      by Hyperturtle (2824) on Tuesday September 03 2019, @02:45PM (#889195)

      I am not sure how to best reply, but I am disappointed when I read that people are willing to let an advertiser block ads because it is too hard to set up something themselves.

      It isn't hard nor inconvenient; but there are obstacles that can stymie one's chances for success.

      Email addresses themselves don't just start receiving advertisements -- they have to be harvested or handed out. If you create an "amazon@mydomain.wtf" account on your email server hosting mydomain.wtf, and only use it for amazon, you will get only amazon and their marketplace seller info. If you get anything else, chances are someone there sold you out. I have numerous accounts and no I don't have them all linked on my phone. I check them when I need to. I have accounts that I've sent to and from the internet and other servers for years and years, and never have once received an unsolicited message. It can be done, but if that is too inconvenient, then it can't be done for people unwilling to take the steps necessary to keep things private.

      If you have an email address for just here -- for just ebay, for just facebook, for just this or that, you can significantly diminish the amount of spam, and identify where it comes from. If you use one address for everything, or just a few for everything else, they're going to get spammed and keep getting spammed because you're regularly using them for everything and/or everything else.

      And for the love of god, do not use html in email unless you have some sort of non-email related network edge filtering to block well-known 1x1 single pixel.gif server hosts. Once your carefully protected email address is used in webmail or an html rendering email client to pull down that "LOOK A LIVE EMAIL ADDRESS CHARGE!!!" pixel, there is no undo button. That is hard to track over the long term, so the best bet is to not enable HTML in your email client unless you have a good reason to for a specific message.

      These controls are not easy for someone like my mom to abide to, but I still don't steer her to google... even if it is easy to become a host for the internet's version of the cordyceps mushroom of email ecosystem content harvesting.

      That all stated, and I didn't really explain much...I can't get into ISP stuff or actual effort involved in setting up a server--the article covers much of that ground anyway. I fully agree that there are inconveniences, ISPs that get in the way, the matter of hosting such a server, setting it up. It's all a value proposition. What is it worth to a person to be in control? To accept that maintenance may need to be done from time to time? I am not the type to throw in the towel and let an advertising company manage the filtering of unwanted ads, but that is just me... I'd much rather get ads by mistake than by design. And it really hurts when a preventable situation takes place, usually by someone else sharing my contact info (on purpose or not). People don't read the EULAs, and really, harvesting your email is a business model, and google and the others that provide email services are enriched much much more when you let them read the emails as well to better target ads to you that will not be stopped by their advertising revenue supported unsolicited advertising filter.

      I also understand and appreciate and experience myself... that sometimes one doesn't have the time, nor the inclination, to do stuff like this. I'd never admonish anyone that doesn't have the time to put up with BS, but I also think that the BS comes in different sizes and grows over time depending on choices. I'd rather receive email due to my own operation mistakes than to get them by design from a company funded almost entirely by ad revenue, and further expect them to not read those emails to then present ads to you... outside of emails.

      Have you looked at the gmail past order tracking? Have you tried to delete stuff in it? One at a time. Some people I know have years and years of amazon orders and ebay orders and shipping info and google tracks it all, because their spam filters do that, too.

      To me, the inconvenience of not using gmail seems to spiritually or metaphysically outweigh the challenges of having to check a few different accounts I set up myself on a domain or two that I control, but I am weird like that I guess. I am lazy, don't get me wrong, but I'll put in as much effort as I can to ensure that I *can* be lazy.

      That said, gmail is a great solution for people that don't share my views, in whole or in part, and I don't hold it against them--like I said, not everyone cares, and sometimes, what they do care about is using that time otherwise spent on server stuff, and using it on family or life or work or anything more interesting. I can't argue with what makes a priority a priority, but I for one don't want some tech company finding out what my priorities are so that they and their valued third party business affiliates with separate privacy policies and security policies can better advertise to me about these priorities of mine that I didn't share with them to begin with.

      sorry if this was disjointed; I couldn't write it all at once and so this may not appear fluid or cohesive.. but I think the point is made. Also, Grishnakh, this isn't an attack in any way... please don't take it like one. My opinion is sort of strong but I am biased in that in both work and outside of work, I approach internet use the same way, but get paid/rewarded for it as well as a job choice. At least I have no affiliate links to send to you in email!

  • (Score: 0) by Anonymous Coward on Monday September 02 2019, @02:41PM

    by Anonymous Coward on Monday September 02 2019, @02:41PM (#888836)

    I don't need Gmail. I'm pretty sure I can totally screw up IMAP all by myself.

  • (Score: 5, Informative) by nobu_the_bard on Tuesday September 03 2019, @01:24PM

    by nobu_the_bard (6373) on Tuesday September 03 2019, @01:24PM (#889182)

    Yeah he doesn't address the hardest parts in my opinion.
    * Keeping your systems up to date. This is admittedly more of an issue with someone like me that has to run many mail systems besides doing many other things. Mail systems have a lot of moving parts. Changing out some parts (updating) sometimes causes problems in other parts, and merely running apt-get update or whatever does not necessarily update things like what ciphers you are using. You need to be reviewing what updates will do before you run them, anticipate what will break and handle those things, and then also handle what actually breaks when you try the update.
    * Dealing with mail systems that are not correctly configured. Tons of small scale mail systems are not configured correctly. Example: You can set up to block mails conditionally based on a domain's SPF record, but you will quickly find all kinds of places violate their own screwed up SPF records all of the time (banks, marketers, etc) and you will not be able to make everyone in the world learn to fix their own things, nor can you simply block out every goofball that has a mess of a mail system, so you need to learn how to compromise on this sort of thing. Then there's other examples of goofed up systems: people running ancient MTAs with only ciphers from the 90s, people sending mails with bizarre formatting, systems that send huge amounts of junk mail but trickles of critically important mail...

    I could go on, that's adequate for now.