It’s just data

Recertified

My preference for email is to have a local, and essentially unlimited, archive.  To date, that has meant pop3 access supplemented by GMail for much of my access to mailing lists.  Backing up and migrating my entire archive from machine to machine is a simple matter of rsync, and I’ve hosted it on Windows, Ubuntu, and Mac OS/X machines alike.

Lately I’ve been moving around more between my netbook, laptop, and desktops, so having any single machine being designated as my mail portal at the moment often means that I often don’t have convenient access to my email.

I figured it was time to investigate running my own mail server.  In the past, this always seemed to involve a bewildering array of packages, many of which were alternatives to one another with no clear way for me to decide which to pick, and all of which could be assembled and recombined in a number of different ways.

With the latest Ubuntu, some of this has become simpler with the introduction of the dovecot-postfix package.  This selects and integrates two of the key components.

Installation was a snap.  I selected the option to configure my machine as Internet with smarthost: Mail is received directly using SMTP or by running a utility such as fetchmail. Outgoing mail is sent using a smarthost.

This meant that I only had to answer two questions.  System mail name? intertwingly.net.  SMTP relay host? smtp-server.nc.rr.com.

I then pointed Thunderbird at this server, and it didn’t like what it saw.  It seems that installation had generated a certificate with CN=ubuntu, which didn’t happen to match my host’s name, so it cried foul.

At this point, this made three self-signed certificates I was hosting: one for EJabberD, one for Apache, and now one shared by Dovecot and Postfix.  And all were causing me grief for one reason or another.

I hadn’t realized it, but my EJabberD certificate had expired.  The version of Pidgin that came with Ubuntu 9.04 was OK with that, but the version of Pidgin that comes with Ubuntu 9.10 complains every time I log on.

And Chrome flat out didn’t like my self-signed certificate at all.

This led me to http://forums.vpslink.com/9292-post3.html, which I have lightly adapted below:

As superuser, and in the /etc/ssl/private directory:

openssl genrsa -des3 -out $HOSTNAME.key 2048

Any password will do, as it will be removed in a minute.

openssl req -new -key ./$HOSTNAME.key -out $HOSTNAME.csr

Be sure to specify $HOSTNAME for the Common Name when asked.

mv $HOSTNAME.key $HOSTNAME.key.withpassword
openssl rsa -in $HOSTNAME.key.withpassword -out $HOSTNAME.key

Enter the password one last time.

openssl x509 -req -days 3650 -in $HOSTNAME.csr -signkey $HOSTNAME.key -out $HOSTNAME.crt
cat $HOSTNAME.key $HOSTNAME.crt > $HOSTNAME.pem
cp $HOSTNAME.key ../certs/$HOSTNAME.pem
chmod 0400 $HOSTNAME.*

Update the following files:

The formats for each are different, but identifying what to change is straightforward in each.  Each can use the same (private) certificate, though in the ejabberd case, copying the file to /etc/ejabberd and running chown ejabberd:ejabberd on it is in order.

Restart the servers:

/etc/init.d/apache2 restart
/etc/init.d/dovecot restart
/etc/init.d/postfix restart
/etc/init.d/ejabberd restart
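As an added example (not from the original post), here is a non-interactive version of the key and certificate steps above, plus a check for the two things that caused trouble here: a Common Name that does not match the host, and a certificate that has expired or is about to. It assumes the openssl command-line tool is installed and uses a constructed host name, mail.example.net, in a scratch directory rather than /etc/ssl.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the openssl CLI.

# make_selfsigned DIR NAME: write DIR/NAME.key and DIR/NAME.crt in one step,
# CN=NAME, valid 3650 days as in the post. -nodes leaves the key unencrypted,
# which replaces the "set a passphrase, then strip it" steps above.
make_selfsigned() {
    dir=$1; name=$2
    ( umask 077 && openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.crt" \
        >/dev/null 2>&1 )
}

# cert_cn FILE: print the Common Name from the certificate subject.
# RFC2253 formatting gives "subject=CN=host" on both old and new OpenSSL.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_cert FILE HOST DAYS: succeed only if the CN equals HOST (what
# Thunderbird objected to) and the certificate stays valid for at least
# DAYS more days (what bit the expired EJabberD certificate).
check_cert() {
    file=$1; host=$2; days=$3
    cn=$(cert_cn "$file")
    if [ "$cn" != "$host" ]; then
        echo "CN mismatch: certificate says '$cn', host is '$host'" >&2
        return 1
    fi
    # -checkend takes seconds and exits non-zero if expiry falls inside it
    if ! openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "certificate expires within $days days" >&2
        return 2
    fi
    return 0
}

# Demo on a constructed host name in a scratch directory, not /etc/ssl.
demo() {
    tmp=$(mktemp -d); n=mail.example.net
    make_selfsigned "$tmp" "$n"
    ok=0;  check_cert "$tmp/$n.crt" "$n" 30 || ok=$?
    bad=0; check_cert "$tmp/$n.crt" ubuntu 30 2>/dev/null || bad=$?
    rm -rf "$tmp"
    echo "matching host: $ok, CN=ubuntu on host $n: $bad"
}
demo
```

Point check_cert at each daemon's certificate file with the real host name to catch a stale or mismatched certificate before a client does.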

Thunderbird is now happy.  Pidgin and Firefox each asked me once if I wanted to accept the new certificate.  This took care of everybody except Chrome, which involved copying my public key (a.k.a. “pem” file) to the client machine(s) and following these instructions (note that the $HOSTNAME.pem assembled above also contains the private key; the $HOSTNAME.crt file alone is all a client needs to trust the server):

http://code.google.com/p/chromium/wiki/LinuxCertManagement

Two add-ons, each with one problem.

First, fetchmail, while it worked, complained:

fetchmail: connection to localhost:smtp [::1/25] failed: Connection refused.

The problem is that localhost is listed twice in /etc/hosts, and apparently fetchmail picked the IPv6 route by default, while the Postfix packaged with Ubuntu is only configured for IPv4.  Specifying --smtphost addressed this problem.

Squirrelmail seemed to basically just work out of the box until I copied and pasted large portions of my archive into the IMAP server, at which point it bailed with:

Fatal error: Allowed memory size of 16777216 bytes exhausted (tried to allocate 4097 bytes)

Once again, the Internet to the rescue:

http://squirrelmail.org/wiki/LowMemoryProblem

All in all, I still have the feeling that hosting an email server is a “some assembly required” proposition.


One word. Tuffmail. Is that one word?

Initial config of your mail server is the least of it. I bailed after years running a household qmail server. Does your ISP reverse dns? Probably not, and some organizations will reject mail from you if they can’t. That was the biggest hassle: over time more and more organizations started rejecting our mail because our unblessed IP was attempting to connect. Also, periodically check the blacklists. Your server will end up on one or another eventually. Next you have to become ever vigilant for the spammers using you as a relay. You can config that away but you’ll see tons of hits. Make sure you get this right or you’ll end up in blacklist hell. Finally, you get to do your own spam filtering. There’s a lot of it.  I forget about that, using gmail.

Did I mention Tuffmail?

Posted by hughw at

Why is reverse DNS relevant?  I’m currently sending email direct from Thunderbird to my ISP.  After this is deployed, I will still be sending email direct from Thunderbird.  The only change that touches my ISP is that I will be using fetchmail.

What am I missing?

Posted by Sam Ruby at

I agree with Hugh, I looked into running my own mail server on a rented virtual root box, but postfix and friends were too much black magic for me. And in particular the effort that goes into spam fighting, be it avoiding to be abused as a relay or filtering the incoming spam doesn’t seem to be worth the hassle. Also, both squirrelmail and roundcube (the latter being better) are not even close to GMail.

Google Apps solved the whole issue for me. I still download my complete mail occasionally for off-site backups, but I now have very decent IMAP enabled, properly spam filtered email service for my own domain, for free, with a nice web GUI.

I still run my own web server, but for certain things I think I’m just not very qualified, and other people can obviously do it much better than I can.

Posted by Martin Probst at

I do something very similar with one minor tweak: Incoming email goes through a Google Apps for Domains account first. This solves the Squirrelmail problem and the spam problem in one hit.

The hit being to your privacy of course.

Currently I’m not opening the IMAPD port to the net, instead relying on an SSH tunnel. It’s that part that scares me somewhat, and you need that for phone email access.

Posted by Joe Walker at

You’re not missing anything, as far as I can see Sam, Hugh is mistakenly assuming your email server will be delivering mail without a smarthost.

Posted by Jon at

My preferred key/cert generation method is easy-rsa, although significant effort savings over doing it manually only occur if you’re running a private CA. PKIX SSL certs are as cheap as $10/year so I have one of those as well from Namecheap, which makes access from random machines a lot less hassle.

[Hello, I’m new here again despite cookies. Are you matching on (my dynamic) IP address or something?]

Posted by James at

Catching up:

RoundCube looks to be a keeper.

I do some spam filtering on my host.  Thunderbird does a second pass.  As far as I can see PostFix adds an additional place where I can hook some filtering, but doesn’t remove anything.

Anybody who can get on my wireless network can send mail directly through my ISP, they need not go through the additional hassle of interfacing with my MTA.

I’m not predisposed to use Google Apps, or anything that is not self hosted.

I’m also not likely to open up my IMAP port to the internet.

openvpn looks very promising!  The thought of having full access to my LAN while traveling (even if only to a coffee shop) has me salivating.

My recognition of returning users is not currently based on cookies, but rather based on the IP address and what is in the URI field at the time you begin entering a comment, and based on people who have commented in the last 90 days.  http://trs80.ucc.asn.au/ is in my list of recent commenters.  Not sure what is going on here.

Posted by Sam Ruby at

@Jon is right, you’re not missing anything. I missed the smarthost bit.

Posted by hughw at

Postfix can also do SMTP time policy checking (RBLs/greylisting/policyd-weight), but since you’re using fetchmail and not receiving mail directly it wouldn’t do anything.

For random sysadmin questions I recommend Server Fault - e.g. What is the best webmail for a small Debian Linux server?. Although it doesn’t mention Horde DIMP (Ubuntu package dimp1) which is another AJAX webmail client.

Are you using TB2 or 3?

Hmm, I may have entered trs80.ucc.asn.au after starting the comment previously, but definitely did it before typing this time but the warning still appeared.

Posted by James at

Currently TB2.  Once I migrate, I should be able to experiment a lot more.

I checked my logs.  What you have in your form is http://trs80.ucc.asn.au.  Once it comes back from your openid server, it gets transformed into http://trs80.ucc.asn.au/.  It is the latter that is considered known in my database.

Posted by Sam Ruby at

Update: made a change to compare URIs independent of trailing slashes.

Posted by Sam Ruby at

Sam Ruby has a useful post about setting up a personal mail server and getting all the SSL certificates right (which I am all too familiar with, given all the “example.org” certs that seem to come with Fedora). Unfortunately, some of the comments...

Excerpt from Hack the Planet in Exile at

Sam, I can’t believe you didn’t use Apache James!

James is great for this stuff, aggregating, archiving and and re-distributing mail from many services, both push (SMTP) and pull (pop/imap) protocols.

In fact james is the basis for at least two commercial products aimed at that use-case.

:-)

Posted by danny at

danny: You’ll probably have to fix issue JAMES-589 Build Debian and Ubuntu packages of james before I or Sam would install it. Similarly for Hupa, although a free GWT-based webmail is tempting.

Posted by James at

James Holderness Andrewartha is right about Apache James.  I’m a developer and will gladly build things that I want to experiment with, but here I want something I can install and forget about, with security upgrades being pushed out automatically.

Posted by Sam Ruby at

Umm, I’m not James Holderness ...

Posted by James at

I’m not James Holderness

My apologies.  Fixed.

Posted by Sam Ruby at

As someone who does email for a living, there’s a good reason email is complex (including the Turing complete Sendmail.cf macro language).

People have different requirements, and most MTAs support those. Given the plethora of techniques which have evolved against incoming abusive behaviour like spam and the need to not be abusive to others, there are a lot of knobs to twiddle.

The system configuration here isn’t complex, and it’s not unusual either. There are three major components in a mail system:
The SMTP server
The POP3/IMAP server
The user database.

In Sam Ruby’s case, the user database is the system password file, which every major Unix MTA supports out of the box.

SMTP servers are more or less fungible for the volume of mail this system will handle, use the one you like. They all support mbox and maildir (which will be your most important considerations for this case). Your biggest problem is going to be the configuration syntax.

POP3/IMAP servers are slightly less fungible, since they have to understand the on-disk format of the mail store. Courier supports only maildir, uw-imap is restricted to mbox, Dovecot supports both formats. They will all work out of the box for this setup.

Take your pick out of the combinations. There’s a lot of them, but unless you are doing extremely advanced stuff, you can use almost anything and get away with it.

(Also, for the IPv6 issue, sudo postconf -e 'inet_protocols = ipv4,ipv6' && sudo postfix reload should work and remove the need for the --smtphost).

Posted by Devdas Bhagat at

Continuing my explorations that started last year at this time.  My goal is to continue to self host my mail archive, while adding concurrent access and offline replication on a number of machines. Following are the components I have... [more]

Trackback from Sam Ruby

at

Verizon Droid2 Global

OK, so I made the plunge and purchased my first ever “smart” phone.  Things I noticed in the first day  As my wife and I previously had VZ Navigator on our phones, and saw that this was preinstalled... [more]

Trackback from Sam Ruby

at

Converting the key to pkcs12 format:

openssl pkcs12 -export -in $HOSTNAME.crt -inkey $HOSTNAME.key -out $HOSTNAME.p12 -certfile $HOSTNAME.crt

Posted by Sam Ruby at
