Wow... having just gone through a 20+ hour byzantine nightmare of setting up postfix & dovecot (that's on top of an already deep understanding of SMTP, DKIM, SPF, DMARC, SASL, etc.) and now struggling through an even more kafkaesque nightmare of rspamd (with its 3 different programming languages needed to understand its 92+ configuration files, which you can't modify by the way, you have to add your own "override" and "merge" config files on top of that mess) for the simple purpose of getting it to DKIM-sign my stupid outgoing messages the way all the big mail systems want... I wish I had seen mox earlier!
Not sure of its quality, but battling with postfix & dovecot's 20+ years of legacy cruft, I felt compelled many times to just throw them aside and build something like this on first principles - a simple single-binary mail server with modern protocol support, sans all the archaic UNIX-account timesharing-era sendmail bullshit that still lives on in the mainstays.
Going to have a look at this one, despite now having moderately deep postfix & dovecot knowledge.
That's not my experience - I have used postfix and dovecot for years and they are rare examples of high quality software to me. I don't see any cruft. They are flexible, which makes learning and configuration harder compared to opinionated software where most decisions are made for you by a developer and you have no choice but to accept them. I myself sometimes see flexibility as a disadvantage but IMHO they strike a good balance. Postfix is often criticized by Exim users for not being flexible/configurable enough. And they don't force you to use unix accounts, it's just one of the options.
Having said that, I would agree that using a mail server which combines all in one package is easier than the unix way with multiple specialized parts combined. For a novice it could be a challenge to stitch (configure) multiple parts together, especially if you don't know how to test each part separately and blindly follow some how-to.
Where you can find plenty of legacy cruft is mail standards, and implementing them correctly is not an easy task; that's why I trust Postfix and am wary of anything new until it is battle tested on a large number of servers.
You may have just forgotten the pain of the learning curve? Admittedly postfix & dovecot are way more sane than rspamd. But their whole default config (and something like 50% of the options and documentation) are oriented around UNIX system accounts for each of your mail users, which seems insane and 80s-era to me (let's go dial up to the mainframe at 300 baud and see if we have any mail). It takes dozens of pages of documentation to orient yourself away from all that, understand Postfix's "address classes", that you generally want "virtual mailboxes", etc. No support for DKIM, except through sendmail-invented "milters", of which Postfix heartily recommends you to OpenDKIM, a project which hasn't been touched in 10+ years, doesn't support EC signing, is not packaged on most distros, is documented on an outdated non-https site with sparse even more out-of-date plaintext documentation, referring you to a defunct FTP site to download the code, etc. And milter requires setting up a UNIX or inet socket and tedious configuration, etc. etc.
Poor support for SASL, at least for mail users looking to god forbid send an email and relay it to the internet, and password-protect against random spammers doing the same, referring you instead to Dovecot SASL - also legacy cruft (partly the SASL protocol designers' fault), SASL has numerous "mechanisms" but nearly everybody uses just the PLAIN mechanism, ensuring a TLS channel is established first, which is about 10 lines of code to implement.
> No support for DKIM, except through sendmail-invented "milters", of which Postfix heartily recommends you to OpenDKIM, a project which hasn't been touched in 10+ years, doesn't support EC signing, is not packaged on most distros, is documented on an outdated non-https site with sparse even more out-of-date plaintext documentation, referring you to a defunct FTP site to download the code, etc. And milter requires setting up a UNIX or inet socket and tedious configuration, etc. etc.
OpenDKIM has been working fine for me for the last 10+ years. It's also in the default repos of my distro.
> Poor support for SASL, at least for mail users looking to god forbid send an email and relay it to the internet, and password-protect against random spammers doing the same, referring you instead to Dovecot SASL - also legacy cruft (partly the SASL protocol designers' fault), SASL has numerous "mechanisms" but nearly everybody uses just the PLAIN mechanism, ensuring a TLS channel is established first, which is about 10 lines of code to implement.
SASL works fine for me with Postfix and Dovecot, including sending restricted to authenticated users. Also CRAM-MD5 was recommended over PLAIN everywhere even back when I set this up.
Took me weeks to perfect our own setup based on Postfix, Dovecot, Roundcube with some patches, rspamd with attachment-type whitelisting and a bazillion other features, clamav with extra patterns, plus the many tweaks and enhancements you need to dig out from obscure places.
Like fts-flatcurve, an archive plugin for dovecot that can find stuff in 30 years worth of mails in a second, over IMAP in Roundcube. Or rspamd settings to blacklist not a single IP but an entire ASN of misbehaving colo clients. IMAP with namespaces is also a true pain to configure. Or setting bzip2 compression for an auto-expunged journal for spam, and archive without expunge. Painful.
If you made it this far, you will find that your IP address is tainted. So choosing a hoster that keeps his backyard clean from spammers is necessary, otherwise you will suffer by association. Did I mention SPF records in DNS?
So I consider our server a piece of art. 30 years in operating systems certainly helped.
Using this now, and love it. For easy mail reception and sending, mail-in-a-box does it all for you (if you don't mind opinionated, but stable) and Stalwart does it all for you and is highly configurable, including an oauth2 server and more. Keen to try Mox, but I think it went viral and their website accidentally got ddos'ed.
I've been using mail-in-a-box for 5 years and I couldn't be happier. For me, stability is the #1 concern for an email server, and mail-in-a-box is really set it and forget it. I also like that it includes CalDAV and CardDAV, so it served as a complete substitute to Google Mail+Contacts+Calendar.
OpenDKIM works fine, and is easy to configure. My first time config was like 30 mins following the guide here: https://wiki.debian.org/opendkim
And postfix is exceptionally well documented software. One of the best. It's easy to script config modifications thanks to `postconf` and do all kinds of interesting stuff with milters or policy servers, etc.
A single SOGo worker can acquire ~350 MiB RAM before it gets purged. The more ActiveSync connections you plan to use, the more RAM you will need. A default configuration spawns 20 workers.
*RAM usage examples*
A company with 15 phones (EAS enabled) and about 50 concurrent IMAP connections should plan 16 GiB RAM.
6 GiB RAM + 1 GiB swap are fine for most private installations while 8 GiB RAM are recommended for ~5 to 10 users.
Mox:
I checked with htop, and my Mox process currently takes <100 MB.
Btw, I ended up disabling webmail. I don't think the users really need it. Nothing will compare to the Gmail experience anyway, so might as well just encourage people to use proper mail clients like Mail.app or Mail on iOS.
Seconding for mailu. I've had a mailu server running for at least a couple of years that requires very little on-going maintenance, but I don't use it daily or for anything personally mission critical.
When I do need it, however, it's there, humming away happily.
And in the case of Microsoft: often the invoices and expired credit card notifications from Microsoft itself are considered spam in O365... Had some inconveniences because of this.
But hey, at least it has a Copilot bar thoughtfully filling that useless vertical space on my screen!
I did that a few years ago too. Then decided to just use OpenSMTPD instead of Postfix, keep Dovecot for IMAP and rspamd for signing DKIM. I followed the guide at https://prefetch.eu/blog/2020/email-server/ and got it running relatively smoothly. However, Microsoft (and sometimes Google) kept blocking emails coming from my server's IP, so I just decided to stop messing around and pay migadu 19€ a year for dealing with that stuff for me.
This isn't a project unique in its genre. There are also others like Mailu[0] that, although different in the implementation (Docker containers abstracting away the hard parts of deploying "traditional" components), share the spirit of having a self-contained project that is easy to deploy. Are there some specific reasons why you didn't go the Mailu (or some similar project) way?
I'm asking because, every now and then, I have the itch of deploying my own mail server to be used for my side projects (nothing commercial), so if you have an opinion on those projects I would be curious to hear it.
I gave up and started self-hosting Mailcow. It’s worth paying the support fee to free yourself to do other more productive things. Let them manage the complexities.
I have no idea how/why it is hated. For me it is one of the best open source server packages. For instance if you have a specific problem you will find some configuration directives on the Internet and they will actually work.
OpenSMTPd seems easier superficially but it's not particularly well-documented. I don't remember the details but I remember struggling with setting it up because certain config flags were not documented and I had to guess their exact meaning from the few blog posts out there that discuss OpenSMTPd. (It also didn't help that there were slight changes in the config format at some point in the past.)
I’ve been using it for a decade without issue. Only problems I’ve ever had self-hosting were related to being randomly junk-black-holed by the big three independently of each other for 1~30 days for seemingly no reason, but no software is going to fix that.
User experience with it, and opinions on it, seem to vary. I, for one, rather like both postfix and dovecot: both are well-documented, maintained, lightweight, reliable, yet configurable and feature-rich software, with few dependencies and good track records.
I've hosted my mailserver myself for years now.
I recently (a number of months ago) have started using Mox for my mail server (after using stalwart, manual postfix/dovecot, a couple others). It's a perfect solution for a small personal mailserver.
It's among the simplest (/least complicated) mail servers I've used, and I have to waste basically zero time on it. Running backup & update every couple months takes <5 min.
However, I noticed: when I showcase it to some people, some of them mistake the very simple minimalist web interface for being ‘outdated’ or similar - it appears that to be "modern", things are required to be extremely bloated, and even technical people look down on fast (seriously: try it) clutter-less design.
An overstated problem IMO. Even just Thunderbird's client-side filtering works well enough to mostly ignore it and just occasionally go sweep through the spam folder to see if anything was caught inadvertently. If you run your own server you can also set up whatever spam filter you want, but personally I care more about real people being able to contact me than I care about never seeing any spam (subjects only, pretty easy to tell what is worth opening from subject + sender).
> 2. Being considered spam by major mail services (where most of one’s recipients will usually reside)?
Which may or may not be a problem for a personal mail server. Personally I have never had any problem with Gmail (YMMV) which at this point covers pretty much everyone I know who doesn't run their own server. Microsoft doesn't like my server due to others on the same block but so far I have decided that's not my problem.
personally - gmail is extremely plagued by spam. sure it goes into the spam mailbox most of the time, but enough non-spam email goes there too so you still have to check it. the current plague for me is "your package is awaiting delivery" spam - almost daily.
for being considered spam - i've had like 3 irl things set up on my old self-hosted mail, and these 3 arrived, even though while testing shortly after making the setup i did end up in spam. i don't know if companies have a whitelist of "if a user has this email on his account, don't send to spam" or something, but it hasn't been an issue.
i don't usually email too many individuals, in my social circles email is not for that and has pretty much died long ago.
Due to the decent success i've had, i've spent some time today setting up mox to potentially replace my other solution - it is a bit of a process, many dns entries to make, and DNSSEC in my country seems to only update once a day so i'll see if i can enable it tomorrow, but so far it's working (but as usual, the first test email lands in spam.) i assume delivery will improve as soon as the domain is a bit older - i imagine most big mail services block email from a domain created the same day the mail is sent.
Besides actual spam spam, Gmail also gets more random similar-named people giving your address to service providers if you have something like initial + lastname or similar. There are too many "legit" companies that don't implement e-mail verification and just repeatedly send to whatever was provided.
> I’m honestly curious, what’s the point of a personal mail server nowadays?
There's a large number of cool things possible, my favorite is having a catch-all domain (or multiple). Most of the time when you buy mail hosting from your domain registrar for example, you pay by mailbox. Same goes for the majority of mail hosters in general.
With a catch-all domain, you can email <anything>@example.org, and I will get it. I don't have to first generate some addy.io or simplelogin.io or Firefox Relay alias; I can simply enter <company name>@example.org or <service>@example.org when registering on a website, hell I do that even on physical (paper) forms.
Later on, I can decide to add an alias with special configuration, e.g.: email arrives at <tax department>@example.org? → Route to "High importance" mailbox; I receive a Newsletter from a company I never heard of → <company name>@example.org sold my email address (and they can't strip the marker off, which they easily could with the +suffix).
> Isn’t it the case that today they have two huge disadvantages:
> 1. Being plagued by spam,
I do not remember having received a single spam email in the last months. In fact, I just looked up the stats: My personal (non-business, non-work) inbox in Thunderbird reaches back to about 2024-03-14, with about 2500 elements.
My spam folder currently contains 0 elements.
And I don't even have any advanced spam filtering or reputation blacklists or anything similar setup.
> 2. Being considered spam by major mail services (where most of one’s recipients will usually reside)?
I actually tried this out some months ago with an "email placement tester": I can comfortably reach Gmail & Google Workspace, Hotmail/Office 365/Exchange, and a few others that were tested that I forgot about.
I do not remember mails of mine not reaching their intended receiver very often - while this might happen once a year (that you send an email and one second after get a "your message could not be delivered" response), I actually hear about this more often from peers using the largest email provider in the DACH region (GMX), so apparently I rank better? It's usually a misconfiguration from the receiver setting up some scam DNS blocklist (e.g. UCEPROTECT). Wouldn't call this a problem of the mail server though, and as I said, even some rather large (commercial) providers have the same issue.
Generally speaking, if you do things right, email will go well for you - this "doing things right" has simply for a long time been quite hard (when postfix/dovecot was prevalent, where you need n-number of different third-party software packages, e.g. OpenDMARC). Nowadays, with the modern mail servers available, like Mox (or Stalwart, or Maddy), doing "things right" is very simple: Choose a hoster/ISP with good IP reputation (e.g. check with https://multirbl.valli.org/ if they are on any blocklists), set up your (modern) mailserver, and you're golden.
And this will come with a nice number of advantages:
- you have your own domain, so you're portable
- you control and are able to customize your email infrastructure (how many mailboxes do I want for my use cases, how would I like different aliases to be mapped to them, catch-all/wildcard, applying scripts on these mailboxes, etc)
- privacy/security: Your email (which I consider deeply core to the modern internet infrastructure and one's digital identity (due to controlling the login to basically all websites)) lives on your infrastructure, and no-one but you can access them
- selfhosting is fun, and one gains lots of knowledge about inner workings of the internet with it
> I receive a Newsletter from a company I never heard of → <company name>@example.org sold my email address (and they can't strip the marker off, which they easily could with the +suffix).
This isn't reliable as true catch-all addresses (i.e. any local part works) are easily detected, at which point spammers can just use whatever. I also don't find this too useful because usually you either can't afford to stop doing business with the company (in which case you get to be angry but can't take any real action) or you could have just used a temporary address in the first place.
Catch-all domains are supported by GMail[1], and some registrars (example, namecheap [2]) will also forward all emails. Namecheap gives you 100 pre-defined mailboxes that can forward to different outgoing boxes, in addition to a catch-all.
> However, I noticed: when I showcase it to some people, some of them mistake the very simple minimalist web interface for being ‘outdated’ or similar - it appears that to be "modern", things are required to be extremely bloated, and even technical people look down on fast (seriously: try it) clutter-less design.
The design is ugly. It could easily be made much more beautiful while adding zero clutter.
So happy to see that. Hopefully more people will run their own E-mail instead of being slaves to the large adtech "free" e-mail providers. We need more balance on the Internet.
You can't run your own e-mail, or not entirely. It's practically impossible to send SMTP from your own IP address. For sending SMTP, you need to go through a smarthost that has reputation.
If your ISP provides you with an e-mail setup that you can use with a conventional mail client where you enter IMAP4 and SMTP credentials, chances are you can use that for SMTP sending. I.e. from the perspective of sending mail, your ISP can't tell that you're a server; it thinks it's just Outlook or Thunderbird connecting to it.
Receiving mail is no problem; your ISP just must not be blocking port 25.
It's handy to give yourself mobile access. When I send mail from my phone, it connects to port 537 of my own mail server which provides authenticated SMTP over TLS. It forwards to the aforementioned ISP. (I can't connect directly to my home ISP's SMTP server from my phone because the phone is on a mobile network unrelated to that ISP; the ISP's SMTP forwarding servers are firewalled so only the subscriber addresses can talk to them.)
It is a common misconception that it is impossible to run your own email server nowadays. The claim is that the handful big email providers will simply block your email. However, you can run your own email server just fine, and your email will be accepted, provided you are doing it right.
If your email is rejected, it is often because your IP address has a bad email sending reputation. Email servers often use IP blocklists to reject email networks with a bad email sending reputation. These blocklists often work at the level of whole network ranges. So if you try to run an email server from a hosting provider with a bad reputation (which happens if they don't monitor their network or don't act on abuse/spam reports), your IP too will have a bad reputation and other mail servers (both large and small) may reject messages coming from you. During the quickstart, mox checks if your IPs are on a few often-used blocklists. It's typically not a good idea to host an email server on the cheapest or largest cloud providers: They often don't spend the resources necessary for a good reputation, or they simply block all outgoing SMTP traffic. It's better to look for a technically-focused local provider. They too may initially block outgoing SMTP connections on new machines to prevent spam from their networks. But they will either automatically open up outgoing SMTP traffic after a cool down period (e.g. 24 hours), or after you've contacted their support.
After you get past the IP blocklist checks, email servers use many more signals to determine if your email message could be spam and should be rejected. Mox helps you set up a system that doesn't trigger most of the technical signals (e.g. with SPF/DKIM/DMARC). But there are more signals, for example: Sending to a mail server or address for the first time. Sending from a newly registered domain (especially if you're sending automated messages, and if you send more messages after previous messages were rejected), domains that existed for a few weeks to a month are treated more friendly. Sending messages with content that resembles known spam messages.
Should your email be rejected, you will typically get an error message during the SMTP transaction that explains why. In the case of big email providers the error message often has instructions on how to prove to them you are a legitimate sender.
When it is blacklisted, the user/owner of the IP must go to each "anti spam" provider that blacklisted the IP. I.e. spamhaus, they have a page[1] to check if an IP is blacklisted as well as asking to remove the IP from blacklist.
I drop SMTP connections from servers that simply do not have matching forward and reverse DNS. This rule eliminates like 90% of spam. It's a good rule and I won't make any exceptions. There's no way to contact me. Your bounce message tells you what you have to do: get your DNS ducks in a row.
... and that's nearly impossible if you're on a residential connection and hence have no control over your reverse DNS... And who wants their mail server to self-identify as d203-0-113-5.res.fubar.isp.net?
That's assuming your residential ISP even bothers to assign a generic PTR record to your IP.
What finally forced me to switch to a 3rd party for SMTP (outgoing) was a blocklist (UCEPROTECT I think) that required you to pay to be removed and my mother-in-law's email provider (AT&T) used it. My wife couldn't email her mom which was a no-go.
> the user/owner of the IP must go to each "anti spam" provider that blacklisted the IP.
Even that doesn't work all the time. hotmail is currently bouncing emails from me[0] even though Microsoft's own sender reputation thing[1] says my IP is in good standing.
Yep, this did not work. I tried for several years. The only thing that worked was manually filling out the required forms. Not sure if it changed lately. Out of the self host mail business for some years.
Spam from residential IP's should never reach SpamAssassin. The mail server should be rejecting the SMTP connection. SpamAssassin is something which deals with mail that has been accepted by a server: i.e. delivered. It shouldn't need to have any rules about residential IPs; what's the point.
Residential IPs are spammy, so if for some reason you've decided you're going to let SpamAssassin to handle them post-delivery, it would make sense to give them a high score.
That's an interesting heuristic. Given a host connecting from an apparent dynamic IP without matching forward and reverse DNS, we could take their purported e-mail domain (from where? SMTP hello? Or domain part of MAIL from?) and fetch the MX record to see if it points to that same IP address and use that as a whitelist criterion against being dropped as a residential IP. (On the hypothesis that they are trying to run an earnest self-hosted mail setup.)
However, if the host passes this check, and all other tests such that we decide to accept the mail for delivery (to be further processed by SpamAssassin), at that point why would we want to apply any score in SpamAssassin regarding the residential IP. We already decided to pass it.
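The forward-confirmed reverse DNS rule and the "does the claimed domain's MX point back at the connecting IP" fallback from the comments above, as an added Python example (not code from mox or from anyone in the thread); the DNS data is a constructed in-memory zone with hypothetical names and RFC 5737 documentation addresses, and the 5.7.25 status code is the reverse-DNS-failure code from RFC 7372.

```python
"""Connection-time DNS checks from the thread: the forward-confirmed reverse
DNS (FCrDNS) rule and the proposed fallback of checking whether the claimed
domain's MX points back at the connecting IP. DNS data is a constructed
in-memory zone (hypothetical names, RFC 5737 documentation addresses)."""
from __future__ import annotations
import ipaddress
from typing import Callable, Optional

Resolver = Callable[[str, str], list[str]]

# RFC 7372 enhanced status code for a failed reverse-DNS validation.
REJECT_TEXT = "550 5.7.25 no matching forward and reverse DNS for connecting IP"

ZONE: dict[tuple[str, str], list[str]] = {
    # Properly set up server: PTR and A agree.
    ("5.113.0.203.in-addr.arpa.", "PTR"): ["mail.example.org."],
    ("mail.example.org.", "A"): ["203.0.113.5"],
    ("example.org.", "MX"): ["10 mail.example.org."],
    # Residential host with a generic ISP PTR that does not resolve back.
    ("7.113.0.203.in-addr.arpa.", "PTR"): ["d203-0-113-7.res.isp.example."],
    ("d203-0-113-7.res.isp.example.", "A"): ["203.0.113.200"],
    ("spam.example.", "MX"): ["10 mx.spam.example."],
    ("mx.spam.example.", "A"): ["198.51.100.1"],
    # Self-hoster with no PTR at all, but the domain's MX is this very IP.
    ("selfhost.example.", "MX"): ["10 mail.selfhost.example."],
    ("mail.selfhost.example.", "A"): ["203.0.113.9"],
}


def zone_resolver(name: str, rtype: str) -> list[str]:
    """Offline stand-in for a DNS resolver; empty list means no such record."""
    return ZONE.get((name.lower().rstrip(".") + ".", rtype), [])


def forward_addresses(host: str, resolve: Resolver) -> set[str]:
    """A and AAAA records of host, normalised so string comparison is safe."""
    return {str(ipaddress.ip_address(a))
            for rtype in ("A", "AAAA") for a in resolve(host, rtype)}


def fcrdns(ip: str, resolve: Resolver = zone_resolver) -> Optional[str]:
    """Return the PTR name that resolves back to ip, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for ptr in resolve(addr.reverse_pointer, "PTR"):
        if str(addr) in forward_addresses(ptr, resolve):
            return ptr
    return None


def mx_points_to(ip: str, domain: str, resolve: Resolver = zone_resolver) -> bool:
    """Heuristic: does any MX host of the claimed (HELO) domain resolve to ip?"""
    addr = str(ipaddress.ip_address(ip))
    for record in resolve(domain, "MX"):
        _priority, host = record.split()          # e.g. "10 mail.example.org."
        if addr in forward_addresses(host, resolve):
            return True
    return False


def connection_decision(ip: str, helo_domain: str,
                        resolve: Resolver = zone_resolver) -> tuple[str, str]:
    """Decide at connect/HELO time; a failed check is an SMTP reject, so the
    sender gets a bounce saying what to fix rather than a silent drop."""
    if fcrdns(ip, resolve):
        return "accept", "fcrdns"
    if mx_points_to(ip, helo_domain, resolve):
        return "accept", "mx-matches-ip"   # hand on to content filtering
    return "reject", REJECT_TEXT


if __name__ == "__main__":
    for ip, helo in [("203.0.113.5", "example.org"),
                     ("203.0.113.7", "spam.example"),
                     ("203.0.113.9", "selfhost.example")]:
        print(ip, helo, *connection_decision(ip, helo))
```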
This FAQ is in complete disregard of reality. Almost all IP ranges of server providers are blocked. Getting a clean IP is close to impossible.
Big providers often only support their own forms and ignore open sources trust providers.
Small providers often do not maintain their email services which will simply auto spam your mail/domain, when it does not come from the big 10 providers.
Bizarre claims. I've been running my own server for the last 25 years or so. Only once when changing server IPs I've encountered an IP that was blacklisted on some lists, and even then it only took a day or two to remove it.
Maybe it is (was?) a German problem. Here are some providers I know which auto-block custom servers:
* web.de
* gmx.net
I also have to say that I always used a hetzner root server. Moved multiple times due to an upgrade.
I ALWAYS had to manually apply for removal of my webserver. It worked for Yahoo. At that time it did not work for Gmail and Microsoft. I was no longer blocked, but if I was writing for the first time to a recipient, I landed in the spam folder.
The software I used mailinabox and mailcow. Both had self checks. All green. I also used external scanners to check my config, all fine. You can check my GitHub (razemio). I even contributed to some issues for mailinabox.
This is not only true for selfhosting but also small providers. As an example:
* mailbox.org (auto spam Gmail and microsoft 2018)
All of this was a long time ago. Maybe I am just depressed from the bad experience and the FAQs are telling the truth. However it is hard to believe for me.
I have been self-hosting since 1997 and I am working in programming / DevOps.
Source of your claim? I'm monitoring blocklists of about 20 different VPS providers, most of them are completely clean, some are in one policy blocklist because they don't allow outgoing emails and only a couple are on 2+ blacklists (of 67 monitored) because there's some noisy neighbor on the /24 subnet.
Sadly only my personal experience across multiple years. I think I was selfhosting my mail for about 5 years. Multiple Hetzner root servers using mailinabox and later mailcow. All self checks green.
Using an ISP's SMTP is an incredibly obsolete and problematic concept. Poorly authenticated with even worse deliverability. It was a bad idea even 10 years ago and it's just horrid right now.
Use your email provider's SMTP, even if it's you yourself.
It's not whether the hosting provider or ISP allows it, it's whether the address they give you has reputation so that mail servers all over the world allow connections from it.
Pretty much, yes. Other providers are small enough (except for maybe Microsoft for business) that it's generally their problem if they accept less than Gmail.
If any of them hold the mailbox of someone that you or one of your users needs to reach, it quickly becomes your problem.
Now suppose you contact that server and complain about being rejected.
Wouldn't it be ironic if they respond like this: "We receive e-mails from gmail just fine; fix the problem yourself, or use gmail".
This is how self-hosted e-mail people throw each other under a bus and let gmail win, while pretending to hold self-hosting as a cherished value.
(They would most likely be right about having to fix the problem yourself, unless they imposed some locally authored and highly unreasonable/dickheadish filtering rule. The superfluous rhetoric about gmail would be almost as obnoxious as their rule, though.)
tl;dr: If you set up an email server, you just send a few emails to gmail, etc. and you'll know if they are accepted or not. If yes you are set, if not you investigate the problem, maybe really try another IP and eventually fix the issue. It's not like all of a sudden your email becomes undeliverable, unless you start sending spam. Imagine what it would mean for all the people using the email address of a small ISP, some university, etc.
Sorry, but that's FUDish. The reality is if you do a proper email setup (DKIM, Reverse IP, etc.) you will be fine.
If you happen to actually get an IP that somewhat recently happened to be an email server that also sent out spam, which isn't something that's likely at all, then you'll notice very quickly (just send an email to gmail, etc.) and what you'll do then is tell your hosting provider you'd like another IP address, because it's not fit for your purposes.
I've been running, moving, switching IPs, providers, domains since 2005 and still am and there is just SO MUCH FUD. It's not hard. It's a one time thing. Personally I never ran into IP reputation issues ever. These are email addresses used in a professional capacity (B2B, communication with governments, etc.) as well as private use ones.
Pretty much every ISP, every university, etc. runs their own email server. Many companies do. Many private people do.
I have run them on the side for those 20 years now, partly as a hobby and so far the uptime was higher than Gmail's and since I use them for private, professional and sometimes for government communication I am dogfooding it and I would have very much noticed if anything bounced.
I have gotten bounces when a setup was initially broken, like when I do something like sending a test email to Gmail and that was off.
The reality is that IP and domain reputation aren't really great ways to filter spam anyways. Yes, it adds, but what makes you think that nobody sends emails from Gmail, a university or other stuff? What makes you think that spammers use static domains, etc.
Heck, not even DKIM and SPF are any guarantee. People will spam you from servers with extremely good reputation. Looking at my spam box most of them are from situations where accounts obviously simply haven't been blocked yet.
No serious spam filtering is done with IPs or domains being an "all or nothing" thing.
Also it's a two-way street. If a user of some email provider doesn't get their email and it becomes known people will be wary of it. And nobody expects the email landscape to stay static. There are newsletter and transactional email services all over the place, lots of marketing platforms running their own email servers and so on.
It's not like everyone does something magic, nor does everyone have connections, money or time to talk to all these companies. An email service not accepting emails won't exist for long.
And something that's also important to realize: If you do start using a transactional email service they oftentimes will make you pay EXTRA for a custom IP so you DO NOT share it with others, so you get BETTER reputation than the cheap one. And you configure your own domain with it. So why wouldn't these emails get delivered? And many of those don't run their own data centers and not all of them have their own IP blocks (though some have).
It's just if you couldn't even do regular private emailing, emails would not be the thing every website uses for login and communication.
If you think that you are "set" when your self-hosted setup passes the test case of communicating with Gmail and a few other big providers, you're saying that it doesn't matter if you cannot communicate with smaller providers, including other self-hosted guys like you. If they have any trouble reaching you, why they should just effin' use gmail! That works fine!
> The reality is if you do a proper email setup (DKIM, Reverse IP, etc.) you will be fine.
You're not getting reverse DNS on a dynamic home IP.
> Pretty much every ISP, every university, etc. runs their own email server.
Yes? And what did I say: if your ISP has mail servers for you, it can simplify things greatly if you use them.
> you're saying that it doesn't matter if you cannot communicate with smaller providers
Smaller providers will generally not black hole legitimate message like Hotmail does. They have (paying) customers awaiting those messages. Junk folder? Sure, that can happen sometimes.
> You're not getting reverse DNS on a dynamic home IP.
I don't think anyone here is suggesting running a mail server on a dynamic IP.
> And what did I say: if your ISP has mail servers for you, it can simplify things greatly if you use them.
Only if you want to be using their domain and if you're not sending (too many) automated messages.
So you want some third party provider to be delivering mail on behalf of a domain for which they don't have even have the basics like DKIM and SPF set up, and hope for better deliverability than you could easily obtain with your own server?
Umm, no. The SPF and DKIM is something you set up in your DNS records, not they.
Your SPF record, created by you, indicates that the certain forwarding servers you have chosen are authorized to deliver mail for your domain.
When you change SMTP providers, you update that.
E.g. a year ago I switched from Shaw to Novus (two Canadian service providers). I edited my server's SMTP credentials to the new Novus server and user ID, password and changed the SPF record to bless Novus servers as being my delivery agents. That's it; mail was flowing through the new configuration.
The ISP doesn't know anything about my domain or any of its DNS records.
Yes, they have better deliverability than I could obtain with my own server directly, because my server is on a dynamic subscriber IP which makes it a pariah in the world of mail delivery. Sending from it directly to mail exchangers world over is a nonstarter.
I could pay for some server in a cloud data center somewhere. What for? I have no issues with mail delivery.
SPF records have flexibility. It's possible to specify a domain name. Then any host which has an A record under that domain will pass.
In my SPF record I have novus.ca.
So I don't care what IP addresses Novus's mail servers use, as long as they identify as <host>.novus.ca.
DKIM-signed messages can pass through SMTP hops. I'm not briefed up on the details of DKIM, but to my best current understanding, the originating domain signs the body and certain headers (not all of them) with its private key. When the message passes through multiple SMTP hops, some headers get added, like "Received: ...". I believe, these headers do not invalidate the DKIM signature. The relays just cannot be messing with the body of the e-mail, Subject:, From:, Date: and such. SMTP relay is not like a mailing list repost.
I'm now looking at some raw e-mails with DKIM signatures. It looks as if the signatures plainly specify the names of headers that are included in the signature, via a field that starts with h=, listing colon-separated header names.
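The h= walk described above, as an added example that is not part of the thread or of mox: it parses a constructed message (placeholder b=/bh= values, no cryptographic verification) and reports which present headers the signature covers, which ones a relay may add untouched, and which names in h= are signed as absent.

```python
"""Walk the h= tag of a DKIM-Signature header to see which headers it covers.

Added example, not code from the thread or from mox. The message below is
constructed: the b= and bh= values are placeholders and nothing is verified
cryptographically; the point is to show which header fields a relay may add
without touching the signed set, and which ones it may not change.
"""
import re

# Constructed message: two Received: lines were prepended by relays after
# example.com signed it. Reply-To is listed in h= but absent from the message.
RAW_MESSAGE = (
    "Received: from relay.example.net by mx.example.org; Tue, 1 Jan 2030 00:00:02 +0000\n"
    "Received: from mail.example.com by relay.example.net; Tue, 1 Jan 2030 00:00:01 +0000\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\n"
    "\th=From:To:Subject:Date:Message-ID:Reply-To;\n"
    "\tbh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE=\n"
    "From: Alice <alice@example.com>\n"
    "To: Bob <bob@example.org>\n"
    "Subject: Hello\n"
    "Date: Tue, 1 Jan 2030 00:00:00 +0000\n"
    "Message-ID: <1@example.com>\n"
    "\n"
    "Body text.\n"
)


def split_headers(raw: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs for the header section, unfolding continuation lines."""
    head = raw.split("\n\n", 1)[0]
    logical: list[str] = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()  # folded line belongs to the previous header
        else:
            logical.append(line)
    headers = []
    for line in logical:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def parse_dkim_tags(value: str) -> dict[str, str]:
    """Split a DKIM tag-list ('k=v; k=v') into a dict; whitespace inside values is dropped."""
    tags: dict[str, str] = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def signed_header_names(tags: dict[str, str]) -> list[str]:
    """Header names listed in h=, lower-cased (header names are case-insensitive)."""
    return [h.lower() for h in tags.get("h", "").split(":") if h]


def classify(raw: str) -> tuple[list[str], list[str], list[str]]:
    """Return (covered, not_covered, signed_as_absent) header names for a message.

    covered: present headers the signature protects.
    not_covered: present headers a relay may add or alter without breaking it.
    signed_as_absent: names in h= with no matching header; adding one later would
    break the signature (RFC 6376 allows signing a field's absence this way).
    """
    headers = split_headers(raw)
    sig_value = next(v for n, v in headers if n.lower() == "dkim-signature")
    wanted = set(signed_header_names(parse_dkim_tags(sig_value)))
    present = {n.lower() for n, _ in headers}
    # DKIM-Signature itself is always hashed (with b= emptied), so it is left out here.
    present.discard("dkim-signature")
    covered = sorted(present & wanted)
    not_covered = sorted(present - wanted)
    signed_as_absent = sorted(wanted - present)
    return covered, not_covered, signed_as_absent


if __name__ == "__main__":
    covered, loose, absent = classify(RAW_MESSAGE)
    print("signed:          ", covered)
    print("relay may touch: ", loose)
    print("signed as absent:", absent)
```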
Yes, but the process of getting Gmail, Outlook etc to receive your emails and put them in recipients' inboxes is far from painless or quick. An IP address with a clean history and SPF/DKIM/DMARC are table stakes, but then you get to play the "my emails are randomly dropped today while everything looked fine yesterday" game.
OK, well it hasn't been MY experience at all, hosting your own legit email with a 100% score on mail-tester, SPF, DKIM and DMARC does NOT work fine because Microsoft still ends up marking all your emails as spam, so maybe you could consider your experience is not universal and just because it happens to work with your IP addresses doesn't mean that's the case for everyone else? Jeez...
My experience is that Gmail accepted my emails fine... until one day it didn't. Then some time later it worked again.
I registered for their Postmaster Tools, which says
No data to display at this time. Please come back later.
Postmaster Tools requires that your domain satisfies certain conditions before
data is visible for this chart.
Refer to the help page for more details.
The help page has no useful information. I suspect that I sent too little mail for it to register in their systems at all.
Outlook was even worse, and I just told my Outlook users to change providers.
Eventually I capitulated and got Google Workspace, and now everything gets delivered perfectly.
> At 15+ years of hosting my own email through multiple IP changes this has not been my experience at all.
At 25+ years of hosting email through multiple hosting providers, this has been my experience multiple times. To be fair, happening less often with DKIM et al, but those are relatively new inventions.
15+ years hosting email on the same ip space with strict security process. Numerous numerous numerous blocks, black holes, and spam routing. This was personal.
Worked for a company self hosting famous brand emails. They would get blocked too. Imagine telling the band manager of a famous classic rock band that their email to their label was being rejected due to being black listed for spam.. (cc’ing the managers team)
Stop fooling yourself, it does not work fine. If it did you would not rely on that google outlook or yahoo account
EDIT time is over. I don't want to be misunderstood. I am not claiming to send MASS emails and having them delivered without issues or anything. If we have to do mass emails, they are done with services that provide the GUIs for them etc. There's no way you won't end up in spam lists even if you sign up each individual email address in person yourself.
That's true sending email from my MS Outlook box to my own gmail. At some point, it comes down to just doing the best you can and not stressing too hard.
Getting a dedicated server with an ISP that does a decent job at keeping their IP blocks clean for email is about the best you can expect. Set up the appropriate SPF/DKIM/DMARC and get along. There's really not too much more to be done these days. Even the big guys don't always get along.
Anecdotally, we have hosted email servers for old games on Hetzner without issue, as the IP pool is generally not as popular with spammers given the time cost bringing up the server OS images. It is far from perfect, but generally performs well as reporting asshats on your local network block is easy.
Almost all cloud providers with dynamic-load ephemeral IPs will show up on ban lists eventually due to vulnerability scanners, bad spiders, and spam/voip drops. However, it is far more common for Spamhaus free tiers to quietly go sideways when no one is looking.
Gmail/Outlook have their own peer policies that serve their own business posture. Google does require administrators register in their clown system as a user to exchange email, but it is effective policy that adds nuisance cost to people spinning up 30 servers a day to spam people.
Firewall Rate-limits are effective on small single-domain servers. A modern email server in Go that is isolated from each user space greatly simplifies the possible setups. =3
I am sending and receiving emails on a small rack server in a datacenter for 40+ domains, and have had no real issues with deliverability. YMMV but I believe the reputation problem is heavily skewed against cloud providers such as VPS hosts more than anything.
I’m curious to know how you could know if any emails you send are getting silently dropped. Do you check with the recipient again and/or through other modes of communication?
I, too, run 4 email servers serving 12 domains overall, for about 11 years. I don't remember any email-related issues in the last 5 years.
One of the servers sends and receives emails for the forum, sometimes up to 1000 messages a day. It was set up 5 years ago.
Maybe this is a serious issue when you use popular VPS providers/IP ranges, but I use smaller providers, and just don't remember any of the email-related issues everybody is talking about.
For me, email self-hosting is as easy as installing mail-in-a-box (for sending+receiving) or just plain exim/postfix (for sending only), with proper configuration.
Almost all of the emails being sent from these services are transactional, so we would see noticeable abandoned user activities (i.e. confirmations, 2FA) or complaints from active users about not receiving emails.
We also have receipt tracking, which isn't perfect, but shows a >93% open rate.
We did have an issue delivering to a specific provider, but that was resolved by updating our DKIM with a more robust key length.
What you have is really great. However, if I had a small rack server in a data center, I wouldn't be able to call it self-hosted with a straight face, unless I had an uncle who owns a 60% share of the data center or something.
> It's practically impossible to send SMTP from your own IP address.
I haven't had any problem in that regard in over 20 years of running a mail server on an old PC, on residential ISP connections. SPF, DKIM and rDNS config seemed to keep all the big players happy.
Which just made me realise I don't even have valid rDNS anymore, but it still works.
Re mail deliverability. My experience is so different from what you are saying that I take comments like this as regurgitating FUD at this point. Please do not do it.
Even google is mostly OK with just spf or dkim. It really isn't that hard to host your own email.
I’m on an open source email list, where a lot of users self host their email. They have all the correct things done by the book. But gmail sends them all to my spam box, despite my continuing to mark them as not spam. Some even don’t appear in the spam box, despite other users on the list receiving the emails just fine.
If this email list does not rewrite the "from" header, and modifies the email contents, that's the issue. Unfortunately, many still do. Such a setup just won't work in the modern email world anymore.
They also want a PTR record on your IP to match your SMTP banner matching your hostname. Having an MX record for your sender domain also helps. Just sending from an IP address usually is tagged spam in my experience. It's weird their FAQ doesn't mention reverse DNS at all, it's a very important step in having a good sender reputation.
It’s mostly Microsoft that is a problem. I’ve heard of a couple of cases in the past years where recipients used Microsoft’s services and never received emails from small self-hosted servers (where SPF, DKIM, etc were all properly set up).
If your client uses MS for email and doesn’t receive your invoices, it becomes a big deal.
I've had mild but inconsistent success sending to gmail with a perfect setup with 100% compliant dkim and spf, but Microsoft servers might be flat-out unreachable with no way to appeal:
In the end I set up a gmail account just to route all my outgoing mail through, with a whitelist of specific servers I know won't reject me for no reason (i.e. a few very small email services or friends who also self-host). Defeats half of the purpose but what can you do? There's nothing else I can possibly do to make my emails reach hotmail inboxes - I've exhausted all of their phony support channels and advice articles and clearly they just want me to go away and stop self-hosting.
I didn't say anything about it being hard; just that you may have to use some proxy for sending mail rather than doing it directly. This is not hard.
It does mean that you are slightly less than perfectly self-hosted, in some sense.
If your mail server is in a position that it can send mail directly to any mail exchanger in the world, rather than going through a forwarding host, there is the advantage in that it can use end-to-end TLS.
I tried for several years. There were too many issues. Even a perfectly configured mail server landed in spam folders of smaller providers. Had to constantly whitelist my server manually with the big providers. For 1-8 dollars a month, it was simply not worth it for me. Switch to encrypted mails where privacy matters. It is not like my emails land on private servers anyway, so the privacy aspect is more of a symbolic gesture than a real thing.
Those are the two problems caused by "big email". I've used hetzner, ovh and mythic beasts and had no issue with blacklisted IPs, and if you follow the Mox instructions you will be trusted and shouldn't get put in spam
i spent some time today buying a new domain and setting up mox on a hetzner vm. the IP was on 3 blacklists on first check, after fixing the reverse dns it's on 2, one of which is apparently fake? dkim and dmarc seem to be working, sending a mail to protonmail succeeds the checks, and yet it lands in spam - however, i'm confident once the domain is older than "just now" and i've set up DNSSEC (takes 1-3 days for this to start working in my country apparently) things will improve.
worst case i'll have to request a blocklist to unblock me, but i'll see.
For your first point, the key is an IP range that isn’t on a blocklist. Pick a very reputable hosting provider (not AWS/GCP/Azure), who has strict no-spam rules, and check out some spam reports from their ranges. Hetzner I’ve heard is good, digitalocean as well, but your mileage may vary.
For your second point, you live with it. I haven’t found a solution, at least. I’ve never landed in spam for corporate offerings (cloud O365, google workspace or whatever they call it now) or (very rare these days) anyone self-hosting with rspamd or equivalent, just regular personal mail (hotmail, gmail, iCloud, etc). That’s usually pretty easy to detect and work around (“hey I sent you an email” “oh I didn’t get it” “did you check your junk?”) Irritating, but not the end of the world.
I’m going to try hosting from my residential IP sometime this year, now that I have sufficient redundancy in terms of power and networking. I don’t know if I’ll have better or worse luck than with hosting providers’ IP ranges, though.
Bro, I owned a /23 at a colo for over 10 years. Registered my ip space with ARIN, had abuse contacts, setup a mail server on a /27 on a /24 that remained mostly unused outside of dev and test servers (strictly controlled). The mail server was also strictly configured to never emit a single email that wasn’t sent by me. So no forwards, no bounces etc.
Mail server still gets blocked by random domains. Nope. Done with hosting email. Everyone assumes you are spam and won’t accept your mail unless you pay them (to be your mail provider).
How recent is your experience? Did you set up TLS, SPF, DKIM, DMARC, DANE/MTA-STS? That's what makes modern mail secure and deliverable (besides basics like matching reverse DNS). The beauty of Mox is that it tells you what exact DNS records you need to set up and it takes care of the certificates. Once it's done I found I have better internet.nl score than some big companies.
It's a damn shame. At this point it's basically in the favour of large providers to randomly block domains since otherwise hosting your own would be trivial.
Some providers are reputation based now. So you need to send emails and slowly ramp up amount over time. Difficult to do if personal though, as you won't get enough throughput.
If people just want to stick it to the Man by moving out of the cloud, then the solution might be "medium email": hosted by a commercial provider, so you don't have to do all the admin, but not self-hosted.
There are plenty of free non-adtech alternatives: Proton, Tuta, probably others. Even more options if you're willing to pay a few monetary units/month for it. You don't really need to run your own email server.
We won't have much choice, last year yahoo implemented a limit on COPY so you couldn't move or delete more than 10 mails at once. This broke claws-mail, I think it's good now but I still moved on to another "free" service.
Mixing email with the drive service in the account is actively hostile.
It's cool to see some new modern all-in-one email solutions. Stalwart is another good one. Would be even cooler to see this lead to a bit of a resurgence of small and self-hosted email providers.
I've self-hosted email on and off since the mid 2000s and my impression is that with the widespread adoption of DKIM/DMARC, the large providers have toned down the spam-by-default treatment of small/unknown email servers. Even Microsoft a bit, though you still have to get your IP whitelisted to send to outlook.com addresses usually.
That's perhaps because you have been self-hosting that long. One of the pieces of advice given to new self-hosters these days is to start sending mail to your friends' email accounts that are hosted by the bigtech. Then you have to contact each one and ask them to mark it as not-spam, so that some day your mails will go to their inboxes, rather than the spam folder.
Honestly, I don't think that DKIM/DMARC has made the situation any better. In fact, spamassassin and rspamd often seem to work better than their spam filters in identifying actual spam.
Microsoft is absolutely hell to deal with. Especially if you are hosted on Linode. They frequently ban entire linode subnets. I’ve had to resort to routing all send mail via Amazon AWS SES just because of Microsoft’s IP range bans. It’s not what I’m doing, but my neighbours.
It's funny because throughout Q1 2024 a huge range of Microsoft's own IP addresses were blacklisted by Spamcop and other blacklist providers due to spam/phishing attacks coming from outlook.com addresses. (Google "EX703958" (MS's issue#) for some fun reading.) They (and their enterprise customers) have been on the receiving end of the same thing they do to others.
Allegedly, Microsoft subscribes to random spam checklists like UCEProtect.
uceprotect bans entire subnets & ASNs if just one IP is suspected of sending spam. Apparently, you can pay to get your IP whitelisted for some time but it will be back on the list again. It's probably a scam/shakedown operation.
As these lists discourage self-hosting and benefit large email providers, they take their own time for fixing these issues.
I haven't tried sending to Outlook, but so far I'm getting through Google with just a strict SPF and a DNSSEC domain. Very low volume, to the point I assume reputation isn't being tracked. Just an observation
Definitely got worse since 2015 before seeming to get better the last year or two. At least with Gmail. So many variables though, so this is more an impression based on my own experience.
This doesn't seem to be a problem anymore. What is a problem, though, is big tech companies spamming us incessantly and doing almost nothing to prevent that.
I get 10-20 spam E-mails a day from AWS, Google and Microsoft. Forwarding spam to their abuse@ contacts doesn't seem to do anything. And I can't block them, like I would a smaller spammer.
Outlook is extra bad. It is apparently possible to put your email (to/recipient) in BCC, so if you have aliases, it is impossible to tell which one was leaked and is being abused, as To is marked as “undisclosed recipients”. There are no mass domain/pattern block rules, so if I block “spammer.1@hotmail.com”, then the next day it arrives from “spammer.01@hotmail.com”, then blocking that, the next day it arrives from “spammer.001@hotmail.com”. Outlook is actively hostile to blocking spam yet happy to quickly block small self-hosted operators.
Self-hosting email is a fool's errand. I used to do it. I'll never do it again. It requires way too much specific knowledge about how the entire email system works. You have to really want to learn everything about running an email server and everything about email to be successful, and even then your ISP could get in the way, as well as all kinds of spam blocker services that you have to deal with to get your special email server unblocked. It was a nightmare, and it's honestly worth paying a few bucks a month for someone else to deal with that. I have a ton of other way more important things to do with my time.
Email hosting is absolutely the lowest maintenance of everything I host. For anyone else reading this, if you follow 'mox quickstart' it will help you set up your DNS correctly so you don't have the above experience.
Congratulations for not hosting anything interesting, I guess? My self-hosted VPN is the lowest maintenance thing ever - it just runs, and I never have to touch it. I host quite a bit of stuff, but email was daunting. Every week it was some new fresh hell. Spam blocking lists were the worst of it, and no I wasn't spamming anyone.
I have some questions for the creator of this software if they happen to be paying attention to this thread. I have been running a small scale email server for about 10 different related business domains. Currently we use iRedMail.
1) Does the webmail client support 2FA?
2) Is it possible to do 2FA in thunderbird?
3) Can I make custom rules for BEC attacks (ideally I want to define “FirstName LastName” => email@domain.com whitelists using regex patterns)? We get a LOT of very targeted BEC attacks and we have found this is the best way to handle it. We have it very locked down now. Yes, we also do employee education on what to look for but this also helps.
4) Does the webmail client do banners like “this sender is outside of your org” or “you have never received an email from this sender before” etc.?
1. no 2fa in the webmail yet. work is currently underway at the ietf for standardizing chained SASL (auth) mechanisms, and passkeys. i want to look at implementing passkeys already for the web interfaces, but there is much more on the todo-list...
2. as shown by yamrzou, i don't think so. SASL auth really just uses 1 auth mechanism at the moment. i think there is also standardization work underway for password+totp sasl authentication. but clients (like thunderbird) would still have to implement it before it's useful. there may be a trick to get 2fa-like authentication now, using both TLS client cert authentication (mox supports this based on public key identification, no other properties of certs) and an IMAP/SMTP-level SASL authentication.
3. no, but this is interesting. what kind of rules would you set? rules to match specific message headers/content that identify a message as phishing and reject it? for when attackers send the same message to many employees? do you need to remove messages from their inboxes after they have been delivered (assuming all employees would get the email at around the same time)?
4. no, but i've considered adding it. it should be very simple to add. and it's much better than mail servers modifying the message content to add messages like that.
It's good to hear you are working on 2FA; that is certainly one of the biggest requests we receive lately for our self hosted email, and has almost pushed me to switch to cloud based services.
To give you an example of the BEC filters we are using, we use the postfix header checks with a negative lookahead regex. For example:
# /etc/postfix/header_checks
# block impersonations
/^From:\s"?Firstname.*(Lastname)?"?.*?<(?!(.*@domain1\.com|.*@domain2\.com|.*@domain3\.com|personal\.email\.account@gmail\.com)>).*$/ REJECT Sorry the server is busy right now.
I would say that this approach is certainly not ideal, it's hacky and manually maintained. I personally believe that a smart mail server should be aware of what its users use for firstname-lastname-email.address@domain.tld combinations and it should either block or soft block (show warning badges in the webmail client) mail which does not follow the pattern of the defined users.
We also use the mime header checks to block some bad attachment types (this is kind of oldschool there are certainly more modern approaches)
# /etc/postfix/mime_header_checks
# block bad attachments
/^\s*Content-(Disposition|Type).*name\s*=\s*"?([^;]*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|htm|html|inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|sh|shm|swf|vb[esx]?|vxd|wsc|wsf|wsh)\b)(\?=)?"?\s*(;|$)/x REJECT Attachment name "$2" may not end with ".$3"
Re #4 yes, I agree, modifying the actual mail breaks DKIM, you can really only do this in webmail.
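To see what the posted header_checks rule actually accepts and rejects, here is an added example (not from the thread, not from mox or Postfix) that runs the same pattern through Python's re module over constructed From: headers. It assumes Postfix pcre tables match case-insensitively by default (re.IGNORECASE here) and that header_checks sees each logical header, name included, as one line; Firstname/Lastname and domain1-3.com are the poster's own placeholders.

```python
"""Run the thread's Postfix header_checks BEC rule over sample From: lines.

Added example, not code from the thread or from mox: it reproduces the posted
pattern in Python to show what it rejects and what it lets through.
Assumptions: Postfix pcre tables match case-insensitively unless the i flag is
toggled (hence re.IGNORECASE), and header_checks is given the whole logical
header line, "From:" name included.
"""
import re

# The posted rule, verbatim apart from the REJECT action.
BEC_RULE = re.compile(
    r'^From:\s"?Firstname.*(Lastname)?"?.*?<(?!(.*@domain1\.com|.*@domain2\.com'
    r'|.*@domain3\.com|personal\.email\.account@gmail\.com)>).*$',
    re.IGNORECASE,
)


def would_reject(header_line: str) -> bool:
    """True when the posted header_checks rule would fire on this From: header."""
    return BEC_RULE.search(header_line) is not None


# Constructed From: headers covering the cases the rule is meant to separate.
SAMPLES = {
    # allowed: the name paired with one of the whitelisted domains
    "legit corporate": 'From: "Firstname Lastname" <firstname.lastname@domain1.com>',
    "legit personal": "From: Firstname Lastname <personal.email.account@gmail.com>",
    # rejected: the name paired with an outside mailbox
    "impersonation": 'From: "Firstname Lastname" <firstname.lastname@evil.example>',
    # rejected: a fake address inside the display name, real one outside
    "name-only trick": 'From: "Firstname Lastname <firstname.lastname@domain1.com>" <ceo@evil.example>',
    # rejected: the lookahead wants "@domain1.com>" immediately, so a lookalike fails
    "lookalike domain": "From: Firstname Lastname <firstname@domain1.com.evil.example>",
    # rejected too (false positive): a legitimate subdomain sender is not whitelisted
    "subdomain sender": 'From: "Firstname Lastname" <firstname.lastname@sub.domain1.com>',
    # allowed: the rule only watches the impersonated display name
    "other sender": "From: Someone Else <someone@evil.example>",
}


def evaluate(samples: dict[str, str]) -> dict[str, bool]:
    """Map each sample label to whether the rule would reject it."""
    return {label: would_reject(line) for label, line in samples.items()}


if __name__ == "__main__":
    for label, rejected in evaluate(SAMPLES).items():
        print(f"{'REJECT' if rejected else 'accept':6}  {label}")
```

The subdomain case is the kind of manual upkeep the poster mentions: the lookahead demands `@domain1.com>` right after the address, so `firstname@sub.domain1.com` is rejected unless the subdomain is added to the rule.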
> Another is 2FA. It would be relatively easy to implement in the web interfaces, but not with SMTP (submission) and IMAP. Most clients can at most do cram-md5 for authentication mechanism (old). I don’t know any clients doing the safer scram-sha-256-plus properly (with mutual verification and TLS channel binding, mox implements it). Interested in hearing what the thoughts are on these topics.
set this up today, the documentation is useful and the quickstart very helpful, the dns stuff pretty much works exactly as it's supposed to and is just a bunch of copypasting (in my registrar's ui).
specifically for mox there were some things i would have liked to see:
explain how the webmail isn't accessible on the public ip by default - i don't know how many of you want to be in a specific vpn for checking your email, but i sure was surprised i couldn't reach it, but had to activate it in config (and first figure out how to even do that).
mox also doesn't redirect to https by default - imo it should, since it already includes the convenient automated certificate setup (which worked great).
maybe it is intended for a different environment, but since it recommends not running another webserver on the same host, i really don't want to access the webmail from the local server or by http.
i like most of my services being available behind a reverse proxy, there it would make more sense. maybe i'll look into that variant later, but the documentation isn't quite as complete as i'd like.
How does mox compare to maddy, another Go all-in-one mail server?
Does mox support antivirus addition? Didn't see that in the docs but I may have skipped that section.
After 21 years of hosting my own email server, starting with roll-your-own (anyone else remember sendmail.cf?) and moving to boxed solutions such as mox or mailcow, I gave up. Maintaining IP reputation and keeping up with the neverending set of arbitrary rules (spf, dkim, etc) I found my time was worth something too. Doing an honest ROI calculation, I figured i was spending 2 hours on average each month keeping the plumbing going. For me, that was well-worth the ~15/month that proton charges. I bet there are other good ones out there too!
To be honest though, throughout those decades, I learned a vast amount about how email flows. That knowledge is irreplaceable.
My recommendation is to try your own until you really, REALLY understand it. Then move to a paid solution.
Haven't used Mox yet but Chasquid is great if you want something that's focused on being a streamlined modern MTA rather than "all-in-one". So kind of the opposite of the Mox approach.
I like Chasquid for its straightforward codebase and the hook system that you can use to customize it further.
Stalwart seems to be more ahead feature-wise. As a Stalwart user I will definitely keep an eye on this project. Just a couple of missing features that are a dealbreaker. One of them is also absent in Stalwart - aliases to external accounts.
A somewhat related tangent, has anyone got good desktop email client recommendations? Preferably macOS/Linux.
I have 6ish email accounts I need to monitor, and outside of Outlook (and the various hellish variations of it), I'm yet to find a good client like all smartphones seem to have - all inboxes in one client presented together. I recall having a number of issues with Thunderbird a few years ago when I last tried it, but I don't remember why.
I'm not sure what your issues were, but Thunderbird is still the king of desktop email clients. It supports a unified inbox, go to the inbox and tick View -> Folders -> Unified
The first screen shot is an e-mail from Ian Lance Taylor, the author of, arguably, the best UUCP implementation, and how I sent/received most of my e-mail up until 2010. It was really, really good at dealing with spotty wireless connections like CDPD and spotty early cellular hotspots. All my company's e-mail would come into an SMTP server, and then the last mile was UUCP to our individual laptops.
Story time: Back in maybe '93, I had a UUCP connection to a provider in Colorado. I was calling in from Nebraska (I had moved out there temporarily, but it had always been a long distance call). One day the e-mail stopped flowing. After a bunch of debugging I found that it would connect, and then sit there waiting for data packets from the remote end. I got ahold of the provider and the issue was they were using the SunOS UUCP, which stored all the files for all feeds in a single directory, and some of their users didn't call in regularly, some I get the impression were getting e-mail and not calling in anymore. Eventually this directory filled up to the point where the OS couldn't scan it within the UUCP timeout.
They ended up throwing hardware at the problem, but I suggested that they switch to taylor-uucp. Taylor stored the queues in a per-endpoint set of directories, so you didn't run into the large directory problem unless your UUCP endpoint was the offending one. However the provider replied that "tayloruucp doesn't work well with larger providers." So I asked Ian Lance Taylor about that, and he replied "That's news to [one of the largest national, probably international UUCP providers]".
How do I configure a second mox instance as a backup MX?
Unfortunately, mox does not yet provide an option for that. Mox does spam filtering based on reputation of received messages. It will take a good amount of work to share that information with a backup MX. Without that information, spammers could use a backup MX to get their spam accepted.
These days a backup MX seems pretty pointless, no?
If your mailserver is down, almost every mail platform out there with a message for you will store and retry later.
In certain contexts, waiting for redelivery is unacceptable performance. Some people lose lots of money if they aren't in the loop. Imagine a group email chain, the CEO is asking questions, everyone is responding immediately - except you.
I agree with your point, but I don't accept the premise that people are responding quickly to emails. 99% of emails are transactional these days, and places where they aren't (eg. internal at BigCorp) it's not unusual for people to be receiving 1000s a day.
Replying the same day is considered quick for places with C level.
backup MX systems are useful, but the above faq is ... naive. it's fairly simple to deploy a backup mx that does not accept mail unless the higher-priority mxes fail a health check.
Seems reasonable. I have been thinking about schemes for backup mx'es. When the primary is online, the backup would just forward the smtp connections to the primary directly. The backup mx only has to do their own work when the primary is down. I was/am concerned about the backup mx accepting spam that you don't really want to bounce later on. But that should be an exception.
I am also thinking about synchronizing all the data to another machine. It would allow a manual failover procedure. And it's nice to have another machine (IP) for outgoing email in case the primary IP gets on a block list. But this is all future work.
the backup mx shouldn't have any special delivery privileges. when the primary mx comes back online, the backup should deliver to that rather than trying to deliver anything itself. this allows those spam checks which will still work to benefit from the normal delivery path.
you can have several hosts with the same MX priority, and only spin up actual service when necessary. given modern health check tools and raft-consensus filesystems, it's very possible to build a robust mail network on the cheap.
> this allows those spam checks which will still work to benefit from the normal delivery path.
It's not exactly the same. When a backup MX has accepted the message, it takes responsibility for the message, and will have to send a DSN when it is rejected for being spam. Mox never "delivers" messages to a spam mailbox (it's that behaviour from the big mail providers that I don't like, and it undermines trust in email!). Mox either accepts a message, or rejects it at the SMTP level. When the backup sends to the primary, and the primary wants to reject, the backup would have to send a DSN to the potential spammer. Not great, and not something we have to do now.
But still, if it's only needed for emergencies, when the primary is down, it probably isn't too problematic. And the backup MX (with the primary offline) can always be more strict, requiring DMARC-like alignment before accepting (to prevent backscatter if the primary rejects later on).
I'd love a backup MX that acts clustered. Email is file/object based, I should be able to spin up 5 VPS and send/receive from any one of them without ending up with an out of sync email. The closest I've found so far is aerogramme that stores in their own object store implementation but it's very much alpha https://github.com/deuxfleurs-org/aerogramme
> Also, with a version number starting with 0.0. I'm left wondering if Mox is already stable enough to be entrusted with my precious email.
It's been suggested to just increase the version number since it's more stable than a 0.0.X might suggest. I'm currently considering mox at release number 14. I'm still on the fence about it. Ideally people make the decision on the merits of stability, not based on the looks of the version number. But I understand it's used as a signal for how stable software is (but mileage will vary!).
At least I'm trying hard not to break anything, so upgrades will work for all installations.
I've been using it since 0.9 and it has mostly been solid. I had two bugs receiving emails, one where incoming emails didn't work from Microsoft but they fixed that in 0.13, and another incoming issue I can't remember that they fixed in 0.10. I'm not sure if I want to move my main domain over from Exim yet but I'm considering it.
> incoming emails didn't work from Microsoft but they fixed that in 0.13
Yeah, this one was interesting. It looks like Microsoft updated their TLS stack to TLS 1.3, but incorrectly, breaking TLS connections to Go TLS servers. I don't know how to contact Microsoft about it, but others have raised issues with Microsoft. Mox got a workaround (disabling session tickets for SMTP) so Microsoft's TLS stack wouldn't abort the connection anymore. This is a downside of being a small guy: you have to work around the bugs of the big guys.
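The workaround described above, as an added example that is not mox's own code: a Go TLS configuration for an SMTP listener with session tickets disabled, exercised against a loopback server using a throwaway certificate for the hypothetical host mx.example.test. A client with a session cache connects twice; with tickets disabled the second connection cannot resume, which is the observable effect of the setting (and with Go's default configuration it does resume).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// demoHost is a hypothetical server name used for the throwaway certificate.
const demoHost = "mx.example.test"

// smtpTLSConfig is the server-side TLS configuration for an SMTP listener.
// disableTickets=true is the workaround from the thread (added example, not mox's
// code): no NewSessionTicket is ever sent, so a client stack that mishandles it
// never sees one; session resumption is lost, which costs little on SMTP.
func smtpTLSConfig(cert tls.Certificate, disableTickets bool) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: disableTickets,
	}
}

// selfSignedCert makes a throwaway certificate for demoHost plus a pool trusting it (offline demo).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: demoHost},
		DNSNames:              []string{demoHost},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced just above always parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// connectOnce dials with a session cache, reads the greeting (which makes the client
// process any NewSessionTicket delivered after the handshake) and reports resumption.
func connectOnce(addr string, cfg *tls.Config) (bool, error) {
	tc, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false, err
	}
	defer tc.Close()
	if _, err := tc.Read(make([]byte, 128)); err != nil {
		return false, err
	}
	return tc.ConnectionState().DidResume, nil
}

// resumptionObserved connects twice to a loopback server with the given ticket setting
// and returns whether the second connection resumed the first session.
func resumptionObserved(disableTickets bool) (bool, error) {
	cert, pool := selfSignedCert()
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	defer ln.Close()
	srvCfg := smtpTLSConfig(cert, disableTickets)
	cliCfg := &tls.Config{ServerName: demoHost, RootCAs: pool, ClientSessionCache: tls.NewLRUClientSessionCache(4)}
	resumed := false
	for i := 0; i < 2; i++ {
		go func() { // server side: accept one connection, handshake, greet, close
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			defer conn.Close()
			tc := tls.Server(conn, srvCfg)
			if tc.Handshake() == nil { // a failed handshake surfaces on the client side
				_, _ = tc.Write([]byte("220 " + demoHost + " ESMTP ready\r\n"))
			}
		}()
		if resumed, err = connectOnce(ln.Addr().String(), cliCfg); err != nil {
			return false, err
		}
	}
	return resumed, nil
}
```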
Absolutely, if you feel that the software is already usable and is not lacking essential features, I'd suggest dropping the second zero in the current version number.
I noticed the roadmap section on your "Features" page, that also helps. I consider SIEVE server side filtering to be pretty essential.
I am running multiple mailcow instances and am very happy (supports sub-addressing). The only downside is that if you need mailpiler for archiving purposes you need to set it up manually since that is part of their paid offer.
Funny that, I was looking recently for a small, local smtp server to get notifications from my printer and other stuff and... there isn't. All you get are the ginormous ones with decades of crud attached.
So I ended up writing my own of course; no need for all the fancy features, just PLEASE let me receive email over SMTP and deliver them locally with 'dma'. Pfew.
I feel like there's going to a very slow trickle of (a trivial number of) users towards either self-hosting mail or a growing cottage industry of smaller-scale mail services hosted outside the US.
Of the growing number of self-hosting options, I'm not sure how many of them are designed to scale, or to what scale they can scale...
But how do you get a "clean IP" to actually run it on? My ISP's IP changes every so often (whenever there's a power outage for example).
Last I checked, you can't run mail servers on typical cloud providers (like Azure, Oracle) and cheap VPSs are almost guaranteed to have "dirty IPs" (used for spam and thus blacklisted).
I also expected lowend VPS servers to have tainted IPs but surprisingly they are mostly clean. Currently I run Mox on a very cheap $0.6/month (multi year contract) VPS and for the almost half a year that I have monitored the IP address there were 0 blocklist appearances, mail delivers generally fine (only had to fish it out of outlook spam at my work address). Most other of my monitored VPS IPs are also completely clean. It seems spammers are not tolerated by those providers.
I have not tried this, but I'm reminded of the post https://rachelbythebay.com/w/2024/09/22/colo/, which describes how one can host your own infrastructure in a colocation rack, which sounds pretty rad.
I thought it was going to be a problem when I gave up the IP I've had for a mailserver at hoster A for 15 years and moved to Hetzner, but it wasn't. But of course that's only anecdata, like everything 90% of personal mail server operators will tell you, no one runs several different setups at different IPs/hosters.
I'm hoping to make this easier in the future, more often automatically taking care of updates. In the past, you've had to run a command/script here or there to fix up date, but that should all be done automatically.
If you have suggestions on how to make it less choreful to maintain, I'm interested in hearing it! Also if you had specific issues about maintenance/updates.
I love mox and was at your talk. I've been using it for a year. If I could make a few small feature requests (which may already exist) - I'd love to be able to use my external spamassassin with it instead of (or even in addition to) the built in one.
Secondly the documentation/instructions could be clearer for non-typical use cases, for instance catch-all emails. I have an Exim server with two domains pointing to it, I have catch alls on both, but the second domain is delivered into a folder in the first (it's used similar to SimpleLogin - for signing up to services). I assume this is possible with Mox but I'm not sure.
Having said that, I love Mox and I'm slowly moving all the email I host for other people onto it because it just seems to work.
> (which may already exist) - I'd love to be able to use my external spamassassin with it instead of (or even in addition to) the built in one
This isn't possible yet. For me, the builtin filtering has been enough. But it's worth investigating what it takes to ask spamassassin for a classification. Could you open an issue at github for this?
> the documentation/instructions could be clearer for non-typical use cases, for instance catch-all emails
Agreed, documentation is in need of improvement. So far I'm often pointing people at https://www.xmox.nl/config/. Searching there typically pops up a config option. But it's not the easiest to find functionality that way. The admin web interface also needs to be made less spartan.
The catchall is possible, by configuring an address "@$yourdomain" with an account.
> because it just seems to work
This is certainly the goal. And I think we'll only get better over time!
I'm currently running a more classic setup with postfix and dovecot, because the updates and security fixes are managed by Debian. Once things are configured, I don't need to do anything using unattended upgrades (other than upgrade Debian itself when the LTS version goes out of support, that is!).
At this point it is easier for me to not touch what I have, but in my next mail server I will consider mox!
> because the updates and security fixes are managed by Debian. Once things are configured, I don't need to do anything using unattended upgrades
This is a good point. It would be great to have mox packaged in more distributions. I spoke with a package maintainer about this. They understandably need to be able to upgrade unattended from old versions to a new version. In the past year, admins have had to run an upgrade command here and there (e.g. to reparse all the messages after the parsing code changed). I hope to make all this more automatic this year. That should make it more appealing for packagers (and for all non-distro-using admins too!).
I think a new Debian LTS release will be coming up soonish, we probably won't make that.
Since the late 90s I've always had the thought in the back of my mind that one day I would run my own mail server. That day never came and the task seemed more and more impossible. This looks genuinely manageable, I might actually give this a shot when I get off work.
Nice, but it's so much easier and cheaper (in time spent) to just use a trusted and secure mail provider with your personal domain. Mailbox.org is my favorite - dkim, encryption, webdav all work out of the box with Android apps available.
I'm very happy to see this as I have been advocating for something like this for quite a while: a single setup and configuration that handles SPF, DKIM, DMARC all together.
I understand, and appreciate, the modular philosophy behind OpenSMTPD, etc., but in practice it is quite frustrating and difficult to piece it all together - especially if you add rspamd, etc.
Speaking of which, how is spam handled ? I see this in the FAQ:
"Mox does spam filtering based on reputation of received messages."
... but it is not further elaborated.
Also:
I assume that the web service can be fully disabled and Mox can be run with no httpd but that is also not specifically called out ... can it ?
I'm very happy with how the filtering works for me. Most email gets classified because of being a known sender. The first-time senders will go through the bayesian classifier, which keeps most spam out. For me, 1 spam message gets through every 2 days. If ham is incorrectly rejected as spam, the sender will hear about it, because mox will keep soft-rejecting the email, eventually resulting in a bounce.
> I assume that the web service can be fully disabled and Mox can be run with no httpd but that is also not specifically called out ... can it ?
You can run without the web interfaces. I think you can set it up without a public web server, but the admin interfaces are pretty convenient (though still spartan!), you could keep those internal. The webserver is needed for ACME, for MTA-STS, and for autoconfig. Btw, mox can also serve static files and do reverse proxying. The mox website is hosted by mox. I added webserver functionality (relatively tiny functionality/code compared with the email code!) so people wouldn't have to run another webserver, which greatly complicates the setup (with reverse proxying).
Is there an implementation of the same capability as a JS lib? So that one could have an email server running as part of their Node.js / other runtime?
How does integrating all modern email protocols into a single application like Mox impact performance and security compared to using multiple separate components?
From a security perspective, it is better to have separate & isolated processes (but written in modern languages that provide safety).
Mox is currently a single process handling all connections, including deliveries over smtp, imap connections, and webmail and other http requests, which isn't great. User connections should probably be in a separate process. I'm not too afraid of the mox process being taken over (by a bug being abused, I don't think that's easy/common in software written in Go), but of course it will be a good line of defense against that. Resource limit enforcement of separate processes would perhaps be even nicer to get.
I haven't gotten around to really designing privilege separation, but I'm foreseeing some complications around handling http requests (of the webmail, pass each request on to the user process? Have to figure out how to do that with the http library), and message database access (the database files can only be open by a single process, need to do quite some back and forth to the user process in various places).
For performance, I imagine it only helps to have an integrated server. Performance isn't really top of mind, I don't think mail servers are commonly highly loaded, at least not for the smallish scale servers. Btw, mox does not require a lot of resources (e.g. RAM) to run.
Btw, I don't think it's better to have separate _components_ as in separate software packages. Integrating this functionality into one software package prevents all kinds of complexity that would otherwise arise in the integration points. Integrated software also allows for new/user-friendlier functionality.
They are referring to the start date (2021), language (Go) and feature set (SPF, DKIM, DMARC, MTA-STS, DANE and DNSSEC etc) rather than the design. Presumably you could use it for email delivery and skip the web mail piece altogether.
I'm focusing on functionality/protocol support now. User/admin-friendliness and making it more attractive will come later. Mox will become irresistible to the masses then!
I've been hosting three servers for over a decade and only had that problem once for a month with Google about 6 years ago. As long as you setup SPF at a minimum you'll be fine
I run my own mail server and use postmark for delivery. It is really inexpensive, I don't need to rely on Gmail for anything, and after setup has required almost no interaction for 10+ years.
Yes, you can add domains, add accounts (which contain the mailboxes and messages), and configure addresses for the domains with accounts. So one account can have many addresses, at one or more domains, including catchalls.
Hi Bron! Thanks, JMAP will come at some point too! (:
Someone has already been working on JMAP support in mox. I'm currently in a refactor of the storage layer, keeping history of (deleted) mailboxes too. Should address storage requirements for JMAP.
Fantastic :) Great to hear. I really do hope to find some time to read through the code, I haven't written any Go, so it'll be a slog to understand everything, but reading code is good for you.
That definitely is an extra challenge with JMAP, keeping enough tombstone information to accurately calculate the `destroyed` ids.
On a side note, how long until we realize the current incantation of the pile of hacks upon hacks that is SMTP is fundamentally flawed and widely adopt something that has cryptography, authenticity and transport-level security built-in from the start?
If I spun this up and attached it to my domain, would my emails be received by gmail/outlook/etc?
I'm pretty happy with forwardemail.net as a mail server, I selfhost snappymail to access it through a web browser. Not sure I want to take the step to selfhosting an email server, but I love the idea of cutting that external dependency.
Yes, but it depends heavily on whether your mail server has a clean IP with no spam history, the reputation of the IP range it belongs to, whether you've correctly set up DKIM/SPF records, etc. And you might have to get MS to whitelist your IP before you can send to outlook.com addresses; you'll only find out in your email logs whether that's the case when you try the first time.
You will almost certainly be able to continue to use forwardemail.net as your SMTP forwarding host for sending traffic.
That means that you do either one of two things:
- keep using forwardemail.net SMTP credentials in all your e-mail clients, such as snappy. Only point those clients to your own server for IMAP4 access (accessing the mailboxes where mail is flowing into your own server).
- or else, point SMTP to your own server, and configure your SMTP server to use forwardemail.net as the next host.
There are some advantages in that you have your own SMTP endpoint that you can use with multiple devices.
In my case, my phone can talk to my own SMTP server for sending mail, and my SMTP server talks to my residential ISP's SMTP server. My phone cannot talk directly to my residential ISP server, because it's not inside their network; it's on an unrelated mobile network. So my SMTP server acts as mail forwarding proxy for the phone.
- Since you keep using forwardemail.net for sending, your reachability is not impacted.
Sending SMTP through forwardemail.net is covered in their FAQ. It looks like they have a few configuration hoops to jump through:
I'm guessing you know about this because you must be using that with your snappy setup. What catches my eye is that they have some configuration bits where you declare your custom domain. That's not always necessary. For instance, in my setup, my ISP knows nothing about me and my domain. I just connect to their SMTP server, and use whatever From: header I want in my e-mails. The SMTP envelope address is one assigned by the ISP. I also noticed the bit at the bottom of that FAQ about their "manual review process on a per-domain basis for outbound SMTP approval" which supposedly takes 24 hours.
I am running mailcow for about 7 years now and it works fine. Sometimes some exchange server refuses to send my email. But it is pretty rare.
Of course I had to set up SPF and DKIM.
I think it happened once that I was greylisted. You can request removal of such an entry.
In general I do not have much problem with it. Most of the work is for migration from machine to another machine.
Mox is written in Go. What advantages does this provide in terms of performance and security compared to traditional email servers, which are often written in C?
No buffer overflows, no use-after-free and no double free issues. There is a garbage collector which stops the world here and there to clean up, but for anything that is not constantly busy, like a small mail server, this is not noticeable.
Dude, we're living in the LLM era. If you're going in there manually searching for what you need, let me know which side you're on, because I want no part of it. That’s the losing side.
The current way of thinking is "It looks outdated", then the page is updated to look "modern" and that normally entails removing all relevant bits of information. I was going to attempt to find the Microsoft Exchange landing page, to show you what a modern landing page for a mail server looks like, and how utterly useless that is. Sadly the modernity has hit Microsoft hard and you can now only find the page for hosted Exchange/Microsoft 365 (https://www.microsoft.com/en-us/microsoft-365/exchange/email). Granted the page looks more in line with modern webdesign and it's fucking pointless, there's not one bit of useful information.
Personally I love that landing page. It's simple, light, and presents exactly what I want to know. I wish that style was more common, especially in non-commercial products where you don't need to impress anyone with extra graphics.
It's one of the best landing pages I've seen in a while because it explains clearly what the software does, contains a video demo, and easy navigation to explore more. Basically, no BS.
Don't run your own mail server. You'll be attacked and get blacklisted and won't even know that it happened or why until you find out none of your emails to anyone get through.
Securing a mail server is a full-time-plus job. Proton is great and free with their domain and cheap with yours.
This isn't true. Almost all MTAs have quite sane defaults these days. Yes, it's not a simple walk in the park. I mean if you have 5000 users behind you then yes, what you say can be true, one compromised user can flood you etc.
But as a "I have a small domain I host my own emails" I don't agree with your comment.
Not true. I’ve run my own server for over a decade, which has presented far fewer problems than gmail. The ability to: easily create redirects & distribution lists, back up all of my inboxes in seconds with a single rsync command, pre-filter messages with external programs, & actually see the SMTP logs and packets in real-time are game changers.
No, it's not. I say that because I am the sysadmin for two mail servers (postfix/dovecot) with hundreds of users that have been chugging along for 30 years or so with no significant security incidents -- and since I know what my full-time job entails, I can tell you that on a day-to-day basis mail requires an absolute minimum of maintenance.
This is not very hard to fix. Automatically downloading and applying public IP reputation blocklists cuts down on this by like 95%. The rest you can catch pretty trivially either with server-side filtering or just filter in the client. I do bad-IP filtering, but not spamassassin/rspamd. The client-side filtering in Mail.app kills nearly 100% of the few spam messages that get through.
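The blocklist step described above, as an added example rather than code from the comment or from any mail server: a Go loader for a constructed "one IP or CIDR per line" feed and the connection-time verdict a listener would take from it, including the IPv4-mapped IPv6 form that dual-stack sockets report.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

// sampleBlocklist is a constructed example in the "one IP or CIDR per line"
// format that public reputation feeds commonly use. The addresses are
// documentation ranges (RFC 5737 / RFC 3849), not real spam sources.
const sampleBlocklist = `# constructed example feed
203.0.113.0/24     # a whole /24 listed
198.51.100.7       ; a single host, comments may also start with ';'
2001:db8:bad::/48
not-an-address     # malformed entries must not abort the load
`

// Blocklist holds the parsed prefixes. A linear scan is fine for a small
// personal server; a large feed would want a radix tree.
type Blocklist struct {
	Prefixes []netip.Prefix
	Skipped  int // malformed lines ignored while parsing
}

// ParseBlocklist reads feed text: '#' or ';' starts a comment, blank lines are
// ignored, bare addresses become host prefixes (/32 or /128).
func ParseBlocklist(text string) *Blocklist {
	bl := &Blocklist{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexAny(line, "#;"); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if p, err := netip.ParsePrefix(line); err == nil {
			bl.Prefixes = append(bl.Prefixes, p.Masked())
			continue
		}
		if a, err := netip.ParseAddr(line); err == nil {
			a = a.Unmap()
			bl.Prefixes = append(bl.Prefixes, netip.PrefixFrom(a, a.BitLen()))
			continue
		}
		bl.Skipped++
	}
	return bl
}

// Match returns the listed prefix covering ip, if any. IPv4-mapped IPv6
// addresses (::ffff:a.b.c.d, as a dual-stack listener reports them) are
// unmapped first so that an IPv4 entry still catches them; netip.Prefix.Contains
// would otherwise return false for them.
func (bl *Blocklist) Match(ip netip.Addr) (netip.Prefix, bool) {
	ip = ip.Unmap()
	for _, p := range bl.Prefixes {
		if p.Contains(ip) {
			return p, true
		}
	}
	return netip.Prefix{}, false
}

// Verdict is what an SMTP listener would decide for a connecting peer: reject
// before any mail is accepted (so nothing lands in a spam folder and no bounce
// is owed later), or accept and let the later checks run.
func (bl *Blocklist) Verdict(remote string) (string, error) {
	ip, err := netip.ParseAddr(remote)
	if err != nil {
		return "", fmt.Errorf("bad remote address %q: %w", remote, err)
	}
	if p, ok := bl.Match(ip); ok {
		return fmt.Sprintf("reject: %s listed via %s", ip.Unmap(), p), nil
	}
	return "accept", nil
}

func main() {
	bl := ParseBlocklist(sampleBlocklist)
	fmt.Printf("loaded %d prefixes, skipped %d malformed line(s)\n", len(bl.Prefixes), bl.Skipped)
	for _, r := range []string{"203.0.113.45", "198.51.100.8", "::ffff:198.51.100.7", "2001:db8:bad:1::5"} {
		v, _ := bl.Verdict(r)
		fmt.Println(r, "->", v)
	}
}
```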
Wow... having just gone through a 20+ hour byzantine nightmare of setting up postfix & dovecot (that's on top of an already deep understanding of SMTP, DKIM, SPF, DMARC, SASL, etc.) and now struggling through an even more kafkaesque nightmare of rspamd (with its 3 different programming languages needed to understand its 92+ configuration files, which you can't modify by the way, you have to add your own "override" and "merge" config files on top of that mess) for the simple purpose of getting it to DKIM-sign my stupid outgoing messages the way all the big mail systems want... I wish I had seen mox earlier!
Not sure its quality, but battling with postfix & dovecot's 20+ years of legacy cruft, I felt compelled many times to just throw them aside and build something like this on first principles - simple single binary mail server with modern protocol support, sans all the archaic UNIX-account timesharing-era sendmail bullshit that still lives on in the mainstays.
Going to have a look at this one, despite now having moderately deep postfix & dovecot knowledge.
> postfix & dovecot's 20+ years of legacy cruft
That's not my experience - I have used postfix and dovecot for years and they are rare examples of high quality software to me. I don't see any cruft. They are flexible, which makes learning and configuration harder compared to opinionated software where most decisions are made for you by a developer and you have no choice but to accept them. I myself sometimes see flexibility as a disadvantage but IMHO they strike a good balance. Postfix is often criticized by Exim users for not being flexible/configurable enough. And they don't force you to use unix accounts, it's just one of the options.
Having said that, I would agree that using a mail server which combines all in one package is easier than the unix way with multiple specialized parts combined. For a novice it could be a challenge to stitch (configure) multiple parts together, especially if you don't know how to test each part separately and blindly follow some how-to.
Where you can find plenty of legacy cruft is mail standards, and implementing them correctly is not an easy task; that's why I trust Postfix and am wary of anything new until it is battle-tested on a large number of servers.
You may have just forgotten the pain of the learning curve? Admittedly postfix & dovecot are way more sane than rspamd. But their whole default config (and something like 50% of the options and documentation) are oriented around UNIX system accounts for each of your mail users, which seems insane and 80s-era to me (let's go dial up to the mainframe at 300 baud and see if we have any mail). It takes dozens of pages of documentation to orient yourself away from all that, understand Postfix's "address classes", that you generally want "virtual mailboxes", etc. No support for DKIM, except through sendmail-invented "milters", of which Postfix heartily recommends you to OpenDKIM, a project which hasn't been touched in 10+ years, doesn't support EC signing, is not packaged on most distros, is documented on an outdated non-https site with sparse even more out-of-date plaintext documentation, referring you to a defunct FTP site to download the code, etc. And milter requires setting up a UNIX or inet socket and tedious configuration, etc. etc.
Poor support for SASL, at least for mail users looking to god forbid send an email and relay it to the internet, and password-protect against random spammers doing the same, referring you instead to Dovecot SASL - also legacy cruft (partly the SASL protocol designers' fault), SASL has numerous "mechanisms" but nearly everybody uses just the PLAIN mechanism, ensuring a TLS channel is established first, which is about 10 lines of code to implement.
Just a ton of unnecessary legacy cruft IMHO.
> No support for DKIM, except through sendmail-invented "milters", of which Postfix heartily recommends you to OpenDKIM, a project which hasn't been touched in 10+ years, doesn't support EC signing, is not packaged on most distros, is documented on a outdated non-https site with sparse even more out-of-date plaintext documentation, referring you to a defunct FTP site to download the code, etc. And milter requires setting up a UNIX or inet socket and tedious configuration, etc. etc.
OpenDKIM has been working fine for me for the last 10+ years. It's also in the default repos of my distro.
> Poor support for SASL, at least for mail users looking to god forbid send an email and relay it to the internet, and password-protect against random spammers doing the same, referring you instead to Dovecot SASL - also legacy cruft (partly the SASL protocol designers' fault), SASL has numerous "mechanisms" but nearly everybody uses just the PLAIN mechanism, ensuring a TLS channel is established first, which is about 10 lines of code to implement.
SASL works fine for me with Postfix and Dovecot, including sending restricted to authenticated users. Also CRAM-MD5 was recommended over PLAIN everywhere even back when I set this up.
Took me weeks to perfect our own setup based on Postfix, Dovecot, Roundcube with some patches, rspamd with attachment-type whitelisting and a bazillion other features, clamav with extra patterns, plus the many tweaks and enhancements you need to dig out from obscure places.
Like fts-flatcurve, an archive plugin for dovecot that can find stuff in 30 years worth of mails in a second, over IMAP in Roundcube. Or rspamd settings to blacklist not a single IP but an entire ASN of misbehaving colo clients. IMAP with namespaces is also a true pain to configure. Or setting bzip2 compression for an auto-expunged journal for spam, and archive without expunge. Painful.
If you made it this far, you will find that your IP address is tainted. So choosing a hoster that keeps his backyard clean from spammers is necessary, otherwise you will suffer by association. Did I mention SPF records in DNS.
So I consider our server a piece of art. 30 years in operating systems certainly helped.
There is also https://github.com/stalwartlabs/mail-server
Using this now, and love it. For easy mail reception and sending, mail-in-a-box does it all for you (if you don't mind opinionated, but stable) and Stalwart does it all for you and is highly configurable, including an oauth2 server and more. Keen to try Mox, but I think it went viral and their website accidentally got ddos'ed.
I've been using mail-in-a-box for 5 years and I couldn't be happier. For me, stability is the #1 concern for an email server, and mail-in-a-box is really set it and forget it. I also like that it includes CalDAV and CardDAV, so it served as a complete substitute to Google Mail+Contacts+Calendar.
Is it known to be compatible with OpenBSD as-is, or with minimal tweaking?
OpenDKIM works fine, and is easy to configure. My first time config was like 30 mins following the guide here: https://wiki.debian.org/opendkim
And postfix is exceptionally well documented software. One of the best. It's easy to script config modifications thanks to `postconf` and do all kinds of interesting stuff with milters or policy servers, etc.
OpenDKIM is unmaintained and does not support Ed25519 signatures.
It does in my Linux distro for the last 4.5 years.
https://github.com/trusteddomainproject/OpenDKIM/commits/7c7...
Ouch. Now that you say... last commit in 2018 and last release in 2014. And a couple beta releases in 2018.
> Wow... having just gone through a 20+ hour byzantine nightmare of setting up postfix & dovecot
Did you do this by hand / manually, or use a 'pre-canned' solution like:
* https://mailcow.email
* https://workaround.org
Comparison between Mailcow and Mox:
Mailcow (from https://docs.mailcow.email/getstarted/prerequisite-system/#m...):
Mox: I checked with htop, and my Mox process currently takes <100 MB.
Manually - I want as slim/minimal/resource-efficient a setup as I can, and to understand what I'm configuring.
https://workaround.org has pretty good instructions for each component that allows one to understand things: very little magic involved.
* https://workaround.org/ispmail-bookworm/big-picture/
I once set up qmail on a home server. Looking back, I have no idea how I managed.
It is a rite of passage. That config system…
It's a lot better than sendmail.cf, which I had to use in a previous job.
I just gave up and now use https://github.com/docker-mailserver/docker-mailserver
It hasn’t given me many issues so far! Nice to see new options popping up, though!
I ended up changing to mailu recently, very happy with it. https://mailu.io
Btw, I ended up disabling webmail. I don't think the users really need it. Nothing will compare to the Gmail experience anyway, so might as well just encourage people to use proper Mail clients like Mail.app or Mail on iOS.
> Nothing will compare to the Gmail experience
I think this might be a matter of personal preferences. Personally I find GMail very confusing, and not that user friendly.
FastMail UI is so much more intuitive. For me.
I used to think Gmail’s interface was excellent until I moved to Fastmail.
Seconding for mailu. I've had a mailu server running for at least a couple of years that requires very little on-going maintenance, but I don't use it daily or for anything personally mission critical.
When I do need it, however, it's there, humming away happily.
One does not simply send mail these days
Or receive... depends how you look at it. Big players like Microsoft and Google define what goes into the spam box.
And in the case of Microsoft: often the invoices and expired credit card notifications from Microsoft itself are considered spam in o365... Had some inconveniences because of this.
But hey, at least it has a Copilot bar thoughtfully filling that useless vertical space on my screen!
I did that a few years ago too. Then decided to just use OpenSMTPD instead of Postfix, keep Dovecot for IMAP and rspamd for signing DKIM. I followed the guide at https://prefetch.eu/blog/2020/email-server/ and got it running relatively smoothly. However, Microsoft (and sometimes Google) kept blocking emails coming from my server's IP, so I just decided to stop messing around and pay migadu 19€ a year for dealing with that stuff for me.
This isn't a project unique in its genre. There are also others like Mailu[0] that, although different in the implementation (Docker containers abstracting away the hard parts of deploying "traditional" components), share the spirit of having a self-contained project that is easy to deploy. Are there some specific reasons why you didn't go the Mailu (or some similar project) way? I'm asking because, every now and then, I have the itch of deploying my own mail server to be used for my side projects (nothing commercial), so if you have an opinion on those projects I would be curious to hear it.
[0] mailu.io
Maddy did it for me. Pretty awesome.
IME postfix + dovecot + opendkim were pretty easy to set up. No idea why you'd need to go through a "20+ hour byzantine nightmare" for that.
I gave up and started self-hosting Mailcow. It’s worth paying the support fee to free yourself to do other more productive things. Let them manage the complexities.
Check out mailcow
I use this for one of my domains, had it running for over a year and it's been rock solid
Dealing with Linux email servers and related things is easily the worst experiences I have ever had working in IT. Just miserable.
I’ll never understand why postfix is so popular given how hated it is. OpenSMTPd has worked wonders for many years and is much easier to set up.
I have no idea how/why it is hated. For me it is one of the best open source server packages. For instance if you have a specific problem you will find some configuration directives on the Internet and they will actually work.
OpenSMTPd seems easier superficially but it's not particularly well-documented. I don't remember the details but I remember struggling with setting it up because certain config flags were not documented and I had to guess their exact meaning from the few blog posts out there that discuss OpenSMTPd. (It also didn't help that there were slight changes in the config format at some point in the past.)
if you started with sendmail (and sendmail.cf) then postfix was alright
That's it; also Qmail was a nightmare (still is?). Perspective, most of the time, is everything.
Oh I miss qmail, felt much easier to deal with than the alternatives.
I’ve been using it for a decade without issue. Only problems I’ve ever had self-hosting were related to being randomly junk-black-holed by the big three independently of each other for 1~30 days for seemingly no reason, but no software is going to fix that.
User experience with it, and opinions on it, seem to vary. I, for one, rather like both postfix and dovecot: both are well-documented, maintained, lightweight, reliable, yet configurable and feature-rich software, with few dependencies and good track records.
haters gonna hate
Probably popular because it’s the default mta in Debian-based installs.
Hey it could be worse, at least it’s not sendmail.
You are probably on Debian, this adds a lot of complexity.
My exim config became 10x smaller after I started using upstream directly.
I've hosted my mailserver myself for years now. I recently (a number of months ago) have started using Mox for my mail server (after using stalwart, manual postfix/dovecot, a couple others). It's a perfect solution for a small personal mailserver.
It's among the simplest (/least complicated) mail servers I've used, and I have to waste basically zero time on it. Running backup & update every couple months takes <5 min.
However, I noticed: when I showcase it to some people, some of them mistake the very simple minimalist web interface for being ‘outdated’ or similar - it appears that to be "modern", things are required to be extremely bloated, and even technical people look down on fast (seriously: try it) clutter-less design.
I’m honestly curious, what’s the point of a personal mail server nowadays? Isn’t it the case that today they have two huge disadvantages:
1. Being plagued by spam,
2. Being considered spam by major mail services (where most of one’s recipients will usually reside)?
Do you face these problems? How do you manage? Are there any potential problems I don’t see?
> 1. Being plagued by spam,
An overstated problem IMO. Even just Thunderbird's client-side filtering works well enough to mostly ignore it and just occasionally go sweep through the spam folder to see if anything was caught inadvertently. If you run your own server you can also set up whatever spam filter you want, but personally I care more about real people being able to contact me than I care about never seeing any spam (subjects only, pretty easy to tell what is worth opening from subject + sender).
> 2. Being considered spam by major mail services (where most of one’s recipients will usually reside)?
Which may or may not be a problem for a personal mail server. Personally I have never had any problem with Gmail (YMMV) which at this point covers pretty much everyone I know who doesn't run their own server. Microsoft doesn't like my server due to others on the same block but so far I have decided that's not my problem.
Personally - gmail is extremely plagued by spam. Sure, it goes into the spam mailbox most of the time, but enough non-spam email goes there too so you still have to check it. The current plague for me is "your package is awaiting delivery" spam - almost daily.
For being considered spam - I've had like 3 irl things set up on my old self-hosted mail, and these 3 arrived, even though while testing shortly after making the setup I did end up in spam. I don't know if companies have a whitelist of "if a user has this email on his account, don't send to spam" or something, but it hasn't been an issue.
I don't usually email too many individuals; in my social circles email is not for that and has pretty much died long ago.
Due to the decent success I've had, I've spent some time today setting up mox to potentially replace my other solution - it is a bit of a process, many DNS entries to make, and DNSSEC in my country seems to only update once a day so I'll see if I can enable it tomorrow, but so far it's working (but as usual, the first test email lands in spam). I assume delivery will improve as soon as the domain is a bit older - I imagine most big mail services block email from a domain created the same day the mail is sent.
Besides actual spam spam, Gmail also gets more random similar-named people giving your address to service providers if you have something like initial + lastname or similar. There are too many "legit" companies that don't implement e-mail verification and just repeatedly send to whatever was provided.
With a catch-all domain, you can email <anything>@example.org, and I will get it. I don't have to first generate some addy.io or simplelogin.io or Firefox Relay alias; I can simply enter <company name>@example.org or <service>@example.org when registering on a website, hell I do that even on physical (paper) forms.
Later on, I can decide to add an alias with special configuration, e.g.: email arrives at <tax department>@example.org? → Route to "High importance" mailbox; I receive a Newsletter from a company I never heard of → <company name>@example.org sold my email address (and they can't strip the marker off, which they easily could with the +suffix).
I do not remember having received a single spam email in the last months. In fact, I just looked up the stats: My personal (non-business, non-work) inbox in Thunderbird reaches back to about 2024-03-14, with about 2500 elements. My spam folder currently contains 0 elements.
And I don't even have any advanced spam filtering or reputation blacklists or anything similar set up.
I actually tried this out some months ago with an "email placement tester": I can comfortably reach Gmail & Google Workspace, Hotmail/Office 365/Exchange, and a few others that were tested that I forgot about. I do not remember mails of mine not reaching their intended receiver very often - while this might happen once a year (that you send an email and one second after get a "your message could not be delivered" response), I actually hear about this more often from peers using the largest email provider in the DACH region (GMX), so apparently I rank better? It's usually a misconfiguration from the receiver setting up some scam DNS blocklist (e.g. UCEPROTECT). Wouldn't call this a problem of the mail server though, and as I said, even some rather large (commercial) providers have the same issue.
Generally speaking, if you do things right, email will go well for you - this "doing things right" has simply for a long time been quite hard (when postfix/dovecot was prevalent, where you need n-number of different third-party software packages, e.g. OpenDMARC). Nowadays, with the modern mail servers available, like Mox (or Stalwart, or Maddy), doing "things right" is very simple: Choose a hoster/ISP with good IP reputation (e.g. check with https://multirbl.valli.org/ if they are on any blocklists), set up your (modern) mailserver, and you're golden.
And this will come with a nice number of advantages:
- you have your own domain, so you're portable
- you control and are able to customize your email infrastructure (how many mailboxes do I want for my use cases, how would I like different aliases to be mapped to them, catch-all/wildcard, applying scripts on these mailboxes, etc)
- privacy/security: Your email (which I consider deeply core to the modern internet infrastructure and one's digital identity (due to controlling the login to basically all websites)) lives on your infrastructure, and no-one but you can access them
- selfhosting is fun, and one gains lots of knowledge about inner workings of the internet with it
> I receive a Newsletter from a company I never heard of → <company name>@example.org sold my email address (and they can't strip the marker off, which they easily could with the +suffix).
This isn't reliable as true catch-all addresses (i.e. any local part works) are easily detected, at which point spammers can just use whatever. I also don't find this too useful because usually you either can't afford to stop doing business with the company (in which case you get to be angry but can't take any real action) or you could have just used a temporary address in the first place.
> true catch-all addresses (i.e. any local part works) are easily detected
This may be true in theory, but in practice, on my domain at least, it has never happened.
Catch-all domains are supported by GMail[1], and some registrars (e.g. Namecheap [2]) will also forward all emails. Namecheap gives you 100 pre-defined mailboxes that can forward to different outgoing boxes, in addition to a catch-all.
[1] https://support.google.com/a/answer/12943537?hl=en
[2] https://www.namecheap.com/support/knowledgebase/article.aspx...
For Gmail, it's only possible for paid accounts nowadays.
They took away the free "bring your own domain" around 13 or 14 years ago.
I never said it was free. Hosting your own server is also not free.
Just wanted to be clear, since self-hosting can be highly fiscally effective by utilizing internet and machines you already own. Cheers.
> However, I noticed: when I showcase it to some people, some of them mistake the very simple minimalist web interface for being ‘outdated’ or similar - it appears that to be "modern", things are required to be extremely bloated, and even technical people look down on fast (seriously: try it) clutter-less design.
The design is ugly. It could easily be made much more beautiful while adding zero clutter.
Are you referring to the projects website or the webinterface (https://www.xmox.nl/screenshots/#hdr-admin-web-interface)?
Looking at this picture for example https://www.xmox.nl/files/admin-domain.png I could call the design many adjectives, but 'ugly' would not be among them.
The admin interface is pretty, the webmail interface is ugly
What made you switch away from stalwart? Was considering giving it a shot
So happy to see that. Hopefully more people will run their own E-mail instead of being slaves to the large adtech "free" e-mail providers. We need more balance on the Internet.
You can't run your own e-mail, or not entirely. It's practically impossible to send SMTP from your own IP address. For sending SMTP, you need to go through a smarthost that has reputation.
If your ISP provides you with an e-mail setup that you can use with a conventional mail client where you enter IMAP4 and SMTP credentials, chances are you can use that for SMTP sending. I.e. from the perspective of sending mail, your ISP can't tell that you're a server; it thinks it's just Outlook or Thunderbird connecting to it.
Receiving mail is no problem; your ISP just must not be blocking port 25.
It's handy to give yourself mobile access. When I send mail from my phone, it connects to port 537 of my own mail server which provides authenticated SMTP over TLS. It forwards to the aforementioned ISP. (I can't connect directly to my home ISP's SMTP server from my phone because the phone is on a mobile network unrelated to that ISP; the ISP's SMTP forwarding servers are firewalled so only the subscriber addresses can talk to them.)
Mox's FAQ addresses this question:
https://www.xmox.nl/faq/#hdr-won-t-the-big-email-providers-b...
Won't the big email providers block my email?
It is a common misconception that it is impossible to run your own email server nowadays. The claim is that the handful big email providers will simply block your email. However, you can run your own email server just fine, and your email will be accepted, provided you are doing it right.
If your email is rejected, it is often because your IP address has a bad email sending reputation. Email servers often use IP blocklists to reject email networks with a bad email sending reputation. These blocklists often work at the level of whole network ranges. So if you try to run an email server from a hosting provider with a bad reputation (which happens if they don't monitor their network or don't act on abuse/spam reports), your IP too will have a bad reputation and other mail servers (both large and small) may reject messages coming from you. During the quickstart, mox checks if your IPs are on a few often-used blocklists. It's typically not a good idea to host an email server on the cheapest or largest cloud providers: They often don't spend the resources necessary for a good reputation, or they simply block all outgoing SMTP traffic. It's better to look for a technically-focused local provider. They too may initially block outgoing SMTP connections on new machines to prevent spam from their networks. But they will either automatically open up outgoing SMTP traffic after a cool down period (e.g. 24 hours), or after you've contacted their support.
After you get past the IP blocklist checks, email servers use many more signals to determine if your email message could be spam and should be rejected. Mox helps you set up a system that doesn't trigger most of the technical signals (e.g. with SPF/DKIM/DMARC). But there are more signals, for example: Sending to a mail server or address for the first time. Sending from a newly registered domain (especially if you're sending automated messages, and if you send more messages after previous messages were rejected), domains that existed for a few weeks to a month are treated more friendly. Sending messages with content that resembles known spam messages.
Should your email be rejected, you will typically get an error message during the SMTP transaction that explains why. In the case of big email providers the error message often has instructions on how to prove to them you are a legitimate sender.
That FAQ doesn't address anything. Suppose you're in a blacklisted block. Now what? Most residential IPs are blacklisted.
When I say I'm self-hosting, I mean I have a machine under a table right here in my home: True Scotsman's self-hosting.
When it is blacklisted, the user/owner of the IP must go to each "anti spam" provider that blacklisted the IP. I.e. spamhaus, they have a page[1] to check if an IP is blacklisted as well as asking to remove the IP from blacklist.
[1] https://check.spamhaus.org/
Some blacklists say "this is a residential subscriber IP". Some mail servers block based on that. An IP cannot be removed from such a database.
https://www.rbl-dns.com/dul
I drop SMTP connections from servers that simply do not have matching forward and reverse DNS. This rule eliminates like 90% of spam. It's a good rule and I won't make any exceptions. There's no way to contact me. Your bounce message tells you what you have to do: get your DNS ducks in a row.
... and that's nearly impossible if you're on a residential connection and hence have no control over your reverse DNS... And who wants their mail server to self-identify as d203-0-113-5.res.fubar.isp.net ?
That's assuming your residential ISP even bothers to assign a generic PTR record to your IP.
What finally forced me to switch to a 3rd party for SMTP (outgoing) was a blocklist (UCEPROTECT I think) that required you to pay to be removed and my mother-in-law's email provider (AT&T) used it. My wife couldn't email her mom which was a no-go.
> the user/owner of the IP must go to each "anti spam" provider that blacklisted the IP.
Even that doesn't work all the time. hotmail is currently bouncing emails from me[0] even though Microsoft's own sender reputation thing[1] says my IP is in good standing.
[0] with a link to [1] just to rub it in.
Yep, this did not work. I tried for several years. The only thing that worked was manually filling out the required forms. Not sure if it changed lately. Out of the self host mail business for some years.
You can still do that by tunneling the IP address of a cheap VPS to your home network
Blacklisted residential IPs add 0.1 in the default SpamAssassin config
Spam from residential IPs should never reach SpamAssassin. The mail server should be rejecting the SMTP connection. SpamAssassin is something which deals with mail that has been accepted by a server, i.e. delivered. It shouldn't need to have any rules about residential IPs; what's the point?
Residential IPs are spammy, so if for some reason you've decided you're going to let SpamAssassin to handle them post-delivery, it would make sense to give them a high score.
> Spam from residential IP's should never reach SpamAssassin.
If the residential IP is in the MX record for the domain, even more so if the domain passes DKIM, why not?
That's an interesting heuristic. Given a host connecting from an apparent dynamic IP without matching forward and reverse DNS, we could take their purported e-mail domain (from where? SMTP hello? Or domain part of MAIL from?) and fetch the MX record to see if it points to that same IP address and use that as a whitelist criterion against being dropped as a residential IP. (On the hypothesis that they are trying to run an earnest self-hosted mail setup.)
However, if the host passes this check, and all other tests such that we decide to accept the mail for delivery (to be further processed by SpamAssassin), at that point why would we want to apply any score in SpamAssassin regarding the residential IP. We already decided to pass it.
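The two connection-time rules discussed in this subthread (drop clients without matching forward and reverse DNS; exempt a client whose claimed domain has an MX record pointing back at the connecting IP) as one policy function. This is an added example, not code from mox or from any commenter; DNS answers come from constructed lookup tables (documentation-range addresses) so it runs offline, and the domain to test is taken from both the EHLO name and the MAIL FROM domain, since the comment leaves that choice open.

```python
"""Inbound SMTP client policy: FCrDNS check with an MX-based exemption.

Rule 1: accept if the client IP has forward-confirmed reverse DNS
        (some PTR name resolves back to the same IP).
Rule 2: otherwise, accept if the EHLO name or the MAIL FROM domain has an
        MX host that resolves to the connecting IP (looks like an earnest
        self-hosted setup).  Everything else is rejected at the SMTP level,
        before any content filter such as SpamAssassin runs.

DNS data is injected through StubDns so the example is self-contained;
all records below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class StubDns:
    ptr: dict[str, list[str]] = field(default_factory=dict)   # ip -> PTR names
    addr: dict[str, list[str]] = field(default_factory=dict)  # host -> A/AAAA
    mx: dict[str, list[str]] = field(default_factory=dict)    # domain -> MX hosts

    def lookup_ptr(self, ip: str) -> list[str]:
        return self.ptr.get(ip, [])

    def lookup_addr(self, host: str) -> list[str]:
        return self.addr.get(host.lower().rstrip("."), [])

    def lookup_mx(self, domain: str) -> list[str]:
        return self.mx.get(domain.lower().rstrip("."), [])


# Constructed sample zone data (hypothetical names, RFC 5737 addresses).
SAMPLE_DNS = StubDns(
    ptr={
        "192.0.2.10": ["mail.example.net."],                         # proper MX host
        "198.51.100.7": ["d198-51-100-7.res.example-isp.net."],      # generic ISP PTR
        # 203.0.113.5 has no PTR at all
    },
    addr={
        "mail.example.net": ["192.0.2.10"],
        "mx.selfhosted.example": ["198.51.100.7"],
        # the generic PTR name has no A record, so FCrDNS fails for 198.51.100.7
    },
    mx={
        "selfhosted.example": ["mx.selfhosted.example."],
        "example.net": ["mail.example.net."],
    },
)


def fcrdns_ok(dns: StubDns, ip: str) -> bool:
    """Forward-confirmed reverse DNS: a PTR name must resolve back to ip."""
    return any(ip in dns.lookup_addr(name) for name in dns.lookup_ptr(ip))


def mx_points_at(dns: StubDns, domain: str, ip: str) -> bool:
    """True if one of domain's MX hosts resolves to ip."""
    return any(ip in dns.lookup_addr(host) for host in dns.lookup_mx(domain))


def client_policy(dns: StubDns, client_ip: str, helo: str, mail_from: str):
    """Decide at MAIL FROM time; returns (accept, reason)."""
    client_ip = str(ipaddress.ip_address(client_ip))  # validate + canonicalize
    if fcrdns_ok(dns, client_ip):
        return True, "fcrdns-match"
    candidates = [helo]
    if "@" in mail_from:
        candidates.append(mail_from.rsplit("@", 1)[1])
    for domain in candidates:
        if domain and mx_points_at(dns, domain, client_ip):
            return True, f"mx-of-{domain.lower().rstrip('.')}"
    return False, "550 5.7.1 forward and reverse DNS do not match"


if __name__ == "__main__":
    for ip, helo, sender in [
        ("192.0.2.10", "mail.example.net", "alice@example.net"),
        ("198.51.100.7", "home", "alice@selfhosted.example"),
        ("203.0.113.5", "localhost", "bob@elsewhere.example"),
    ]:
        print(ip, client_policy(SAMPLE_DNS, ip, helo, sender))
```

The rejection string is a 5xx reply so the sending side gets the reason in its bounce, which is what the "get your DNS ducks in a row" comment relies on; a real server would return it from the MAIL FROM handler rather than dropping the TCP connection silently.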
This FAQ is in complete disregard of reality. Almost all IP ranges of server providers are blocked. Getting a clean IP is close to impossible.
Big providers often only support their own forms and ignore open sources trust providers.
Small providers often do not maintain their email services which will simply auto spam your mail/domain, when it does not come from the big 10 providers.
Bizarre claims. I've been running my own server for the last 25 years or so. Only once when changing server IPs I've encountered an IP that was blacklisted on some lists, and even then it only took a day or two to remove it.
Maybe it is (was?) a German problem. Here are some providers I know which auto-block custom servers:
* web.de
* gmx.net
I also have to say that I always used a hetzner root server. Moved multiple times due to an upgrade.
I ALWAYS had to manually apply for removal of my Webserver. It worked for Yahoo. At that time it did not work for Gmail and Microsoft. I no longer was blocked but if I was writing for the first time to a recipient, I landed in the spam folder.
The software I used was mailinabox and mailcow. Both had self checks. All green. I also used external scanners to check my config, all fine. You can check my GitHub (razemio). I even contributed to some issues for mailinabox.
This is not only true for selfhosting but also small providers. As an example:
* mailbox.org (auto spam Gmail and microsoft 2018)
All of this was a long time ago. Maybe I am just depressed from the bad experience and the FAQs are telling the truth. However it is hard to believe for me.
I have been self-hosting since 1997 and I work in programming / DevOps.
I did not find this to be the case.
I set up a mail server with NixOS 5 times in a row with 5 different Hetzner Cloud IPs and each of them arrived fine at Google.
With fine you mean not in the SPAM folder the first time? That would be an improvement.
Also works for Microsoft services?
Source of your claim? I'm monitoring blocklists of about 20 different VPS providers, most of them are completely clean, some are in one policy blocklist because they don't allow outgoing emails and only a couple are on 2+ blacklists (of 67 monitored) because there's some noisy neighbor on the /24 subnet.
Sadly only my personal experience across multiple years. I think I was selfhosting my mail for about 5 years. Multiple Hetzner root servers using mailinabox and later mailcow. All self checks green.
Sure, it's not technically "impossible", but like...
> It is a common misconception that it is impossible to run your own email server
... the FAQ then goes on to give all the reasons that argue it's really really hard and probably not worth it for most people.
Don't they say that those perceived problems aren't actual ones?
Using an ISP's SMTP is an incredibly obsolete and problematic concept. Poorly authenticated with even worse deliverability. It was a bad idea even 10 years ago and it's just horrid right now.
Use your email provider's SMTP, even if it's you yourself.
This just isn't true, of course you can, you just need to use a hosting provider or ISP that allows it. Plenty do.
It's not whether the hosting provider or ISP allows it, it's whether the address they give you has reputation so that mail servers all over the world allow connections from it.
I setup mox a year ago with a new domain on a new server and delivered straight to Gmail within half an hour.
"The deliver-to-gmail test case passed; ship it!"
Pretty much, yes. Other providers are small enough (except for maybe Microsoft for business) that it's generally their problem if they accept less than Gmail.
If any of them hold the mailbox of someone that you or one of your users needs to reach, it quickly becomes your problem.
Now suppose you contact that server and complain about being rejected.
Wouldn't it be ironic if they respond like this: "We receive e-mails from gmail just fine; fix the problem yourself, or use gmail".
This is how self-hosted e-mail people throw each other under a bus and let gmail win, while pretending to hold self-hosting as a cherished value.
(They would most likely be right about having to fix the problem yourself, unless they imposed some locally authored and highly unreasonable/dickheadish filtering rule. The superfluous rhetoric about gmail would be almost as obnoxious as their rule, though.)
tl;dr: If you set up an email server, you just send a few emails to gmail, etc. and you'll know if they are accepted or not. If yes you are set; if not you investigate the problem, maybe really try another IP and eventually fix the issue. It's not like all of a sudden your email becomes undeliverable, unless you start sending spam. Imagine what it would mean for all the people using the email address of a small ISP, some university, etc.
Sorry, but that's FUDish. The reality is if you do a proper email setup (DKIM, Reverse IP, etc.) you will be fine.
If you happen to actually get an IP that somewhat recently happened to be an email server that also sent out spam, which isn't something that's likely at all, then you'll notice very quickly (just send an email to gmail, etc.) and what you'll do then is tell your hosting provider you'd like another IP address, because it's not fit for your purposes.
I've been running, moving, switching IPs, providers, domains since 2005 and still am and there is just SO MUCH FUD. It's not hard. It's a one time thing. Personally I never ran into IP reputation issues ever. These are email addresses used in a professional capacity (B2B, communication with governments, etc.) as well as private use ones.
Pretty much every ISP, every university, etc. runs their own email server. Many companies do. Many private people do.
I have run them on the side for those 20 years now, partly as a hobby and so far the uptime was higher than Gmail's and since I use them for private, professional and sometimes for government communication I am dogfooding it and I would have very much noticed if anything bounced.
I have gotten bounces when a setup was initially broken, like when I do something like sending a test email to Gmail and that was off.
The reality is that IP and domain reputation aren't really great ways to filter spam anyways. Yes, it adds, but what makes you think that nobody sends emails from Gmail, a university or other stuff? What makes you think that spammers use static domains, etc.
Heck, not even DKIM and SPF are any guarantee. People will spam you from servers with extremely good reputation. Looking at my spam box most of them are from situations where accounts obviously simply haven't been blocked yet.
No serious spam filtering is done with IPs or domains being an "all or nothing" thing.
Also it's a two-way street. If a user of some email provider doesn't get their email and it becomes known people will be wary of it. And nobody expects the email landscape to stay static. There are newsletter and transactional email services all over the place, lots of marketing platforms running their own email servers and so on.
It's not like everyone does something magic, nor does everyone have connections, money or time to talk to all these companies. An email service not accepting emails won't exist for long.
And something that's also important to realize: If you do start using a transactional email service they oftentimes will make you pay EXTRA for a custom IP so you DO NOT share it with others, so you get BETTER reputation than the cheap one. And you configure your own domain with it. So why wouldn't these emails get delivered? And many of those don't run their own data centers and not all of them have their own IP blocks (though some have).
It's just if you couldn't even do regular private emailing, emails would not be the thing every website uses for login and communication.
If you think that you are "set" when your self-hosted setup passes the test case of communicating with Gmail and a few other big providers, you're saying that it doesn't matter if you cannot communicate with smaller providers, including other self-hosted guys like you. If they have any trouble reaching you, why they should just effin' use gmail! That works fine!
> The reality is if you do a proper email setup (DKIM, Reverse IP, etc.) you will be fine.
You're not getting reverse DNS on a dynamic home IP.
> Pretty much every ISP, every university, etc. runs their own email server.
Yes? And what did I say: if your ISP has mail servers for you, it can simplify things greatly if you use them.
> you're saying that it doesn't matter if you cannot communicate with smaller providers
Smaller providers will generally not black hole legitimate message like Hotmail does. They have (paying) customers awaiting those messages. Junk folder? Sure, that can happen sometimes.
> You're not getting reverse DNS on a dynamic home IP.
I don't think anyone here is suggesting running a mail server on a dynamic IP.
> And what did I say: if your ISP has mail servers for you, it can simplify things greatly if you use them.
Only if you want to be using their domain and if you're not sending (too many) automated messages.
Running a mail server on a dynamic IP is the primary self hosting option for most people. I've been doing it without problems for 15 years now.
> Only if you want to be using their domain
No, that's simply not how SMTP routing works.
> No, that's simply not how SMTP routing works.
So you want some third party provider to be delivering mail on behalf of a domain for which they don't even have the basics like DKIM and SPF set up, and hope for better deliverability than you could easily obtain with your own server?
Umm, no. SPF and DKIM are something you set up in your DNS records, not them.
Your SPF record, created by you, indicates that the certain forwarding servers you have chosen are authorized to deliver mail for your domain.
When you change SMTP providers, you update that.
E.g. a year ago I switched from Shaw to Novus (two Canadian service providers). I edited my server's SMTP credentials to the new Novus server and user ID, password and changed the SPF record to bless Novus servers as being my delivery agents. That's it; mail was flowing through the new configuration.
The ISP doesn't know anything about my domain or any of its DNS records.
Yes, they have better deliverability than I could obtain with my own server directly, because my server is on a dynamic subscriber IP which makes it a pariah in the world of mail delivery. Sending from it directly to mail exchangers world over is a nonstarter.
I could pay for some server in a cloud data center somewhere. What for? I have no issues with mail delivery.
Ok, SPF could work if your provider has a fixed and published ip range for its outgoing mail servers. (Is that common?)
DKIM though.. ?
But I get your point: it might beat a home server on a dynamic IP on deliverability. Both options seem troublesome.
SPF records have flexibility. It's possible to specify a domain name. Then any host which has an A record under that domain will pass.
In my SPF record I have novus.ca.
So I don't care what IP addresses Novus's mail servers use, as long as they identify as <host>.novus.ca.
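How a receiving server actually evaluates an SPF record of the kind discussed in this subthread (authorizing a relay provider's servers, and re-authorizing a different provider by editing the record), as an added example rather than anything from mox or the commenters. It is a small RFC 7208 evaluator over a constructed DNS table: it handles the `ip4`, `ip6`, `a`, `mx`, `include` and `all` mechanisms with the four qualifiers, and implements `a:name` as RFC 7208 defines it, matching the addresses that the named host itself resolves to. Macros, `redirect=`/`exp=`, `ptr`/`exists` and the DNS lookup limit are left out. All domain names and addresses are constructed.

```python
"""Minimal SPF (RFC 7208) check_host() over a stub DNS table.

Supported: ip4, ip6, a[:domain], mx[:domain], include:domain, all, and the
qualifiers + (pass) - (fail) ~ (softfail) ? (neutral).  Constructed zone
data models a domain whose SPF record was switched from an old relay
provider to a new one, as in the comment above.
"""
from __future__ import annotations

import ipaddress

# Constructed DNS data: TXT (SPF), A/AAAA, MX.  Hypothetical names only.
DNS = {
    "txt": {
        # current record: own MX host, the new provider's relay, and the
        # provider's published ranges pulled in via include
        "example.org": "v=spf1 mx a:relay.new-isp.example include:_spf.new-isp.example -all",
        "_spf.new-isp.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:100::/48 -all",
    },
    "addr": {
        "mx.example.org": ["192.0.2.10"],
        "relay.old-isp.example": ["203.0.113.25"],
        "relay.new-isp.example": ["192.0.2.25"],
    },
    "mx": {"example.org": ["mx.example.org"]},
}

# The record before the provider switch, kept for comparison.
OLD_RECORD = "v=spf1 mx a:relay.old-isp.example -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip: str, domain: str, dns: dict, record: str | None = None,
               depth: int = 0) -> str:
    """Return the SPF result for a client at `ip` sending on behalf of `domain`."""
    if depth > 10:                       # guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    ip = str(addr)                       # canonical text form for comparisons
    if record is None:
        record = dns["txt"].get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        if "=" in term:                  # modifiers (redirect=, exp=) not handled here
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # `in` is False across address families, so ip4 never matches an IPv6 client
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in dns["addr"].get((arg or domain).lower(), [])
        elif mech == "mx":
            hosts = dns["mx"].get((arg or domain).lower(), [])
            matched = any(ip in dns["addr"].get(h, []) for h in hosts)
        elif mech == "include":
            matched = check_host(ip, arg, dns, depth=depth + 1) == "pass"
        else:
            return "permerror"           # ptr/exists/macros: unsupported in this example
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                     # no mechanism matched and no `all`


if __name__ == "__main__":
    for client in ["192.0.2.10", "192.0.2.25", "198.51.100.77", "2001:db8:100::1", "203.0.113.25"]:
        print(client, "now:", check_host(client, "example.org", DNS),
              "before switch:", check_host(client, "example.org", DNS, record=OLD_RECORD))
```

The old relay's address fails against the current record and passes only against `OLD_RECORD`, which is the whole mechanism behind "when you change SMTP providers, you update that": the relay never needs to know about your domain, the receiving side only consults your TXT record.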
DKIM-signed messages can pass through SMTP hops. I'm not briefed up on the details of DKIM, but to my best current understanding, the originating domain signs the body and certain headers (not all of them) with its private key. When the message passes through multiple SMTP hops, some headers get added, like "Received: ...". I believe, these headers do not invalidate the DKIM signature. The relays just cannot be messing with the body of the e-mail, Subject:, From:, Date: and such. SMTP relay is not like a mailing list repost.
I'm now looking at some raw e-mails with DKIM signatures. It looks as if the signatures plainly specify the names of headers that are included in the signature, via a field that starts with h=, listing colon-separated header names.
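What the `h=` tag in a DKIM-Signature header selects, and why a relay's added `Received:` lines leave the signature intact, shown on a constructed message. This is an added example, not mox code or anything posted by the commenter: it parses the tag=value list of the signature, lists which message headers are inside `h=` and which are not, and rebuilds the signed header block using the RFC 6376 "relaxed" header canonicalization (lowercase name, unfolded, whitespace collapsed) that a verifier hashes. The `bh=` and `b=` values are placeholders, so no cryptographic verification takes place.

```python
"""Which headers does a DKIM signature cover?  (RFC 6376 h= tag.)"""
import re

# Constructed sample message: two Received: lines were added by SMTP hops
# after signing; bh= and b= are placeholders, not real digests/signatures.
SAMPLE = "\r\n".join([
    "Received: from mx.example.org (mx.example.org [192.0.2.10])"
    " by relay.new-isp.example; Mon, 3 Jun 2024 10:00:00 +0000",
    "Received: from [10.0.0.5] by mx.example.org; Mon, 3 Jun 2024 09:59:58 +0000",
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel2024;",
    " h=from:to:subject:date:message-id;",
    " bh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIGNATURE=",
    "From: Alice <alice@example.org>",
    "To: Bob <bob@example.net>",
    "Subject: Hello from",
    " my self-hosted server",
    "Date: Mon, 3 Jun 2024 09:59:50 +0000",
    "Message-ID: <constructed-0001@example.org>",
    "X-Mailer: hypothetical-client/1.0",
]) + "\r\n\r\nHello Bob\r\n"


def split_headers(raw: str) -> list[tuple[str, str]]:
    """Header section as (name, value) pairs in order, continuation lines joined."""
    head = raw.split("\r\n\r\n", 1)[0]
    unfolded = re.sub(r"\r\n(?=[ \t])", "", head)   # RFC 5322 unfolding
    out = []
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        out.append((name.strip(), value.strip()))
    return out


def parse_dkim_tags(value: str) -> dict[str, str]:
    """tag=value list; folding whitespace inside values is not significant."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, _, v = item.partition("=")
            tags[k.strip().lower()] = "".join(v.split())
    return tags


def signed_header_names(tags: dict[str, str]) -> list[str]:
    return [n.strip().lower() for n in tags["h"].split(":") if n.strip()]


def dkim_tags_of(raw: str) -> dict[str, str]:
    sig = next(v for n, v in split_headers(raw) if n.lower() == "dkim-signature")
    return parse_dkim_tags(sig)


def coverage(raw: str):
    """(headers named in h=, headers present in the message but not signed)."""
    signed = signed_header_names(dkim_tags_of(raw))
    present = {n.lower() for n, _ in split_headers(raw)} - {"dkim-signature"}
    return signed, sorted(present - set(signed))


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 relaxed canonicalization of one header field."""
    return f"{name.strip().lower()}:{' '.join(value.split())}\r\n"


def signed_header_block(raw: str) -> str:
    """The header text a verifier hashes: fields in h= order, each name taking
    the last not-yet-used instance of that header (bottom-up selection)."""
    pool = split_headers(raw)
    block = []
    for name in signed_header_names(dkim_tags_of(raw)):
        for i in range(len(pool) - 1, -1, -1):
            if pool[i][0].lower() == name:
                block.append(relaxed_header(*pool.pop(i)))
                break
    return "".join(block)


if __name__ == "__main__":
    signed, unsigned = coverage(SAMPLE)
    print("signed:  ", signed)
    print("unsigned:", unsigned)
    print(signed_header_block(SAMPLE))
```

Prepending another `Received:` line to `SAMPLE` leaves `signed_header_block()` unchanged, which is the property the comment describes; rewriting `Subject:` or `From:` would change it and break the signature, since those names are in `h=`.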
hetzner allows outbound smtp by request. the process is relatively painless and quick.
Yes, but the process of getting Gmail, Outlook etc to receive your emails and put them in recipients' inboxes is far from painless or quick. An IP address with a clean history and SPF/DKIM/DMARC are table stakes, but then you get to play the "my emails are randomly dropped today while everything looked fine yesterday" game.
At 15+ years of hosting my own email through multiple IP changes this has not been my experience at all. Hosting your own legit email works fine.
OK, well it hasn't been MY experience at all, hosting your own legit email with a 100% score on mail-tester, SPF, DKIM and DMARC does NOT work fine because Microsoft still ends up marking all your emails as spam, so maybe you could consider your experience is not universal and just because it happens to work with your IP addresses doesn't mean that's the case for everyone else? Jeez...
My experience is that Gmail accepted my emails fine... until one day it didn't. Then some time later it worked again.
I registered for their Postmaster Tools, which says
The help page has no useful information. I suspect that I sent too little mail for it to register in their systems at all. Outlook was even worse, and I just told my Outlook users to change providers.
Eventually I capitulated and got Google Workspace, and now everything gets delivered perfectly.
No one is “right”.
> At 15+ years of hosting my own email through multiple IP changes this has not been my experience at all.
At 25+ years of hosting email through multiple hosting providers, this has been my experience multiple times. To be fair, happening less often with DKIM et al, but those are relatively new inventions.
15+ years hosting email on the same ip space with strict security process. Numerous numerous numerous blocks, black holes, and spam routing. This was personal.
Worked for a company self hosting famous brand emails. They would get blocked too. Imagine telling the band manager of a famous classic rock band that their email to their label was being rejected due to being black listed for spam.. (cc’ing the managers team)
Stop fooling yourself, it does not work fine. If it did you would not rely on that Google, Outlook or Yahoo account.
That's commercial email. Of course you get flagged for spam. Use a service for that kind of thing.
Personal/private/family email can be easily self-hosted. You just need to know a few things to get it set up properly.
Perhaps you're replying to another comment.
EDIT time is over. I don't want to be misunderstood. I am not claiming to send MASS emails and having them delivered without issues or anything. If we have to do mass emails, they are done with services that provide the GUIs for them etc. There's no way you won't end up in spam lists even if you sign up each individual email address in person yourself.
That's true sending email from my MS Outlook box to my own gmail. At some point, it comes down to just doing the best you can and not stressing too hard.
Getting a dedicated server with an ISP that does a decent job at keeping their IP blocks clean for email is about the best you can expect. Set up the appropriate SPF/DKIM/DMARC and get along. There's really not too much more to be done these days. Even the big guys don't always get along.
Anecdotally, we have hosted email servers for old games on Hetzner without issue, as the IP pool is generally not as popular with spammers given the time cost bringing up the server OS images. It is far from perfect, but generally performs well as reporting asshats on your local network block is easy.
Almost all cloud providers with dynamic-load ephemeral IPs will show up on ban lists eventually due to vulnerability scanners, bad spiders, and spam/voip drops. However, it is far more common for Spamhaus free tiers to quietly go sideways when no one is looking.
Gmail/Outlook have their own peer policies that serve their own business posture. Google does require administrators register in their clown system as a user to exchange email, but it is effective policy that adds nuisance cost to people spinning up 30 servers a day to spam people.
Firewall rate limits are effective on small single-domain servers. A modern email server in Go that is isolated from each user space greatly simplifies the possible setups. =3
Follow the mox quickstart instructions and you might be surprised how successful and maintenance free it is.
I am sending and receiving emails on a small rack server in a datacenter for 40+ domains, and have had no real issues with deliverability. YMMV but I believe the reputation problem is heavily skewed against cloud providers such as VPS hosts more than anything.
I’m curious to know how you could know if any emails you send are getting silently dropped. Do you check with the recipient again and/or through other modes of communication?
I, too, run 4 email servers serving 12 domains overall, for about 11 years. I don't remember any email-related issues in the last 5 years.
One of the server sends and receives emails for the forum, sometimes up to 1000 messages a day. It was set up 5 years ago.
Maybe this is a serious issue when you use popular VPS providers/IP ranges, but I use smaller providers, and just don't remember any email-related issues everybody are talking about.
For me, email self-hosting is as easy as installing mail-in-a-box (for sending+receiving) or just plain exim/postfix (for sending only), with proper configuration.
Almost all of the emails being sent from these services are transactional, so we would see noticeable abandoned user activities (i.e. confirmations, 2FA) or complaints from active users about not receiving emails.
We also have receipt tracking, which isn't perfect, but shows a >93% open rate.
We did have an issue delivering to a specific provider, but that was resolved by updating our DKIM with a more robust key length.
What you have is really great. However, if I had a small rack server in a data center, I wouldn't be able to call it self-hosted with a straight face, unless I had an uncle who owns a 60% share of the data center or something.
> It's practically impossible to send SMTP from your own IP address.
I haven't had any problem in that regard in over 20 years of running a mail server on an old PC, on residential ISP connections. SPF, DKIM and rDNS config seemed to keep all the big players happy.
Which just made me realise I don't even have valid rDNS anymore, but it still works.
Been running my own mail server since 1999 or so. No issues.
> Been running my own mail server since 1999 or so.
Same.
> No issues.
Many issues.
You're grandfathered in. Fresh starts face an uphill battle with taint and reputation.
Been running a mailserver running Mox with a brand new domain on a brand new OVH IP for a year, no issues delivering to anyone.
> You can't run your own e-mail, or not entirely. It's practically impossible to send SMTP from your own IP address.
I beg to disagree, as I've been running my own E-mail and sending from my own IP address for [checks notes] the last 25 years or so.
https://www.mailreach.co/
Re mail deliverability. My experience is so different from what you are saying that I take comments like this as regurgitating FUD at this point. Please do not do it. Even google is mostly OK with just spf or dkim. It really isn't that hard to host your own email.
I’m on an open source email list, where a lot of users self host their email. They have all the correct things done by the book. But gmail sends them all to my spam box, despite my continuing to mark them as not spam. Some even don’t appear in the spam box, despite other users on the list receiving the emails just fine.
If this email list does not rewrite "from" header, and modifies the email contents, that's the issue. Unfortunately, many still do. Such setup just won't work in the modern email world anymore.
Was your intention to prove the point about why it is important that more people host their own mail servers, or did you not realize you were?
I wasn’t stating anything moral, just disagreeing with the claim that you can do “just spf or dkim” and not have any issues.
They also want a PTR record on your IP to match your SMTP banner matching your hostname. Having an MX record for your sender domain also helps. Just sending from an IP address usually is tagged spam in my experience. It's weird their FAQ doesn't mention reverse DNS at all, it's a very important step in having a good sender reputation.
The PTR match is a signal, but it's not required.
I send mail from several domains out of my mail server. The PTR record for that host actually doesn't match any of the forward hostnames.
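An added example, not code from the thread or from mox, that checks the reverse-DNS signals this exchange is about for a sending IP: that a PTR exists, that it forward-confirms back to the same IP, and whether it matches the banner hostname (reported as a problem, though the reply above notes the match is a signal rather than a requirement). The resolver functions are injectable so the check runs offline on constructed answers; every address and hostname below is constructed.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a sending mail host.

Added example (not from the thread or from mox). By default the system
resolver (socket module) is used; tests pass constructed lookup functions.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence


@dataclass
class RdnsReport:
    ip: str
    banner_hostname: str
    ptr: Optional[str] = None
    forward_ips: Sequence[str] = ()
    problems: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        """True when no hard problem was found (warnings do not count)."""
        return not self.problems


def _socket_ptr(ip: str) -> Optional[str]:
    """Default PTR lookup via the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are subclasses of OSError
        return None


def _socket_forward(name: str) -> List[str]:
    """Default A/AAAA lookup via the system resolver; empty list on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def looks_generic(ptr: str, ip: str) -> bool:
    """Heuristic: a PTR that embeds every octet of the IP (for example
    '198-51-100-10.static.example.net') is the provider's auto-generated name,
    which many receivers treat as a negative reputation signal."""
    labels = ptr.replace("-", ".").split(".")
    return all(octet in labels for octet in ip.split("."))


def check_fcrdns(ip: str, banner_hostname: str,
                 ptr_lookup: Callable[[str], Optional[str]] = _socket_ptr,
                 forward_lookup: Callable[[str], List[str]] = _socket_forward) -> RdnsReport:
    """Run the three checks and collect problems and warnings into a report."""
    report = RdnsReport(ip=ip, banner_hostname=banner_hostname)
    ptr = ptr_lookup(ip)
    if not ptr:
        report.problems.append("no PTR record for the sending IP")
        return report
    ptr = ptr.rstrip(".").lower()  # compare without trailing dot, case-insensitively
    report.ptr = ptr

    # Forward confirmation: the PTR name must resolve back to the sending IP.
    forward = [addr.lower() for addr in forward_lookup(ptr)]
    report.forward_ips = tuple(forward)
    if ip.lower() not in forward:
        report.problems.append(
            f"PTR name {ptr} does not resolve back to {ip} (got {forward or 'nothing'})")

    # Banner alignment: the name announced in the SMTP greeting should be the PTR name.
    if ptr != banner_hostname.rstrip(".").lower():
        report.problems.append(
            f"PTR name {ptr} differs from the SMTP banner hostname {banner_hostname}")

    if looks_generic(ptr, ip):
        report.warnings.append(f"PTR name {ptr} looks like a provider-generated generic name")
    return report


if __name__ == "__main__":
    # Offline demo with constructed DNS answers (no network access needed).
    zone_ptr = {"198.51.100.10": "mail.example.com."}
    zone_fwd = {"mail.example.com": ["198.51.100.10"]}
    report = check_fcrdns("198.51.100.10", "mail.example.com",
                          zone_ptr.get, lambda name: zone_fwd.get(name, []))
    print("ok" if report.ok else report.problems)
```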
It’s mostly Microsoft that is a problem. I’ve heard of a couple of cases in the past years where recipients used Microsoft’s services and never received emails from small self-hosted servers (where SPF, DKIM, etc were all properly set up).
If your client uses MS for email and doesn’t receive your invoices, it becomes a big deal.
I've had mild but inconsistent success sending to gmail with a perfect setup with 100% compliant dkim and spf, but Microsoft servers might be flat-out unreachable with no way to appeal:
https://news.ycombinator.com/item?id=35691618
In the end I set up a gmail account just to route all my outgoing mail through, with a whitelist of specific servers I know won't reject me for no reason (i.e. a few very small email services or friends who also self-host). Defeats half of the purpose but what can you do? There's nothing else I can possibly do to make my emails reach hotmail inboxes - I've exhausted all of their phony support channels and advice articles and clearly they just want me to go away and stop self-hosting.
I didn't say anything about it being hard; just that you may have to use some proxy for sending mail rather than doing it directly. This is not hard.
It does mean that you are slightly less than perfectly self-hosted, in some sense.
If your mail server is in a position that it can send mail directly to any mail exchanger in the world, rather than going through a forwarding host, there is the advantage in that it can use end-to-end TLS.
I tried for several years. There were too many issues. Even a perfectly configured mail server landed in spam folders of smaller providers. Had to constantly whitelist my server manually with the big providers. For 1-8 dollars a month, it was simply not worth it for me. Switch to encrypted mails where privacy matters. It is not like my emails land on private servers anyway, so the privacy aspect is more of a symbolic gesture than a real thing.
- Where does one get an affordable server that isn't on a blacklist somewhere?
- What happens when one of the big cloud providers arbitrarily starts putting your emails in spam?
Are there solutions to this? It feels like the biggest value provided by "big email" are these two things
Those are the two problems caused by "big email". I've used hetzner, ovh and mythic beasts and had no issue with blacklisted IPs, and if you follow the Mox instructions you will be trusted and shouldn't get put in spam
since a lot of people are sharing anecdotes..
i spent some time today buying a new domain and setting up mox on a hetzner vm. the IP was on 3 blacklists on first check, after fixing the reverse dns it's on 2, one of which is apparently fake? dkim and dmarc seem to be working, sending a mail to protonmail succeeds the checks, and yet it lands in spam - however, i'm confident once the domain is older than "just now" and i've set up DNSSEC (takes 1-3 days for this to start working in my country apparently) things will improve.
worst case i'll have to request a blocklist to unblock me, but i'll see.
For your first point, the key is an IP range that isn’t on a blocklist. Pick a very reputable hosting provider (not AWS/GCP/Azure), who has strict no-spam rules, and check out some spam reports from their ranges. Hetzner I’ve heard is good, digitalocean as well, but your mileage may vary.
For your second point, you live with it. I haven’t found a solution, at least. I’ve never landed in spam for corporate offerings (cloud O365, google workspace or whatever they call it now) or (very rare these days) anyone self-hosting with rspamd or equivalent, just regular personal mail (hotmail, gmail, iCloud, etc). That’s usually pretty easy to detect and work around (“hey I sent you an email” “oh I didn’t get it” “did you check your junk?”) Irritating, but not the end of the world.
I’m going to try hosting from my residential IP sometime this year, now that I have sufficient redundancy in terms of power and networking. I don’t know if I’ll have better or worse luck than with hosting providers’ IP ranges, though.
Bro, I owned a /23 at a colo for over 10 years. Registered my ip space with ARIN, had abuse contacts, set up a mail server on a /27 on a /24 that remained mostly unused outside of dev and test servers (strictly controlled). The mail server was also strictly configured to never emit a single email that wasn’t sent by me. So no forwards, no bounces etc.
Mail server still gets blocked by random domains. Nope. Done with hosting email. Everyone assumes you are spam and won’t accept your mail unless you pay them (to be your mail provider).
How recent is your experience? Did you set up TLS, SPF, DKIM, DMARC, DANE/MTA-STS? That's what makes modern mail secure and deliverable (besides basics like matching reverse DNS). The beauty of Mox is that it tells you what exact DNS records you need to set up and it takes care of the certificates. Once it's done I found I have better internet.nl score than some big companies.
It's a damn shame. At this point it's basically in the favour of large providers to randomly block domains since otherwise hosting your own would be trivial.
Some providers are reputation based now. So you need to send emails and slowly ramp up amount over time. Difficult to do if personal though, as you won't get enough throughput.
Strange, I don't have that experience
I self host on hetzner. ticket to support to open 25 and mailbox on a 5euro machine.
If people just want to stick it to the Man by moving out of the cloud, then the solution might be "medium email": hosted by a commercial provider, so you don't have to do all the admin, but not self-hosted.
My ISP, Zen, in the UK, gives static IPs. That, combined with residential fiber and a thin client, makes an excellent mini server at home.
There are plenty of free non-adtech alternatives: Proton, Tuta, probably others. Even more options if you're willing to pay a few monetary units/month for it. You don't really need to run your own email server.
We won't have much choice, last year yahoo implemented a limit on COPY so you couldn't move or delete more than 10 mails at once. This broke claws-mail, I think it's good now but I still moved on to another "free" service.
Mixing email with the drive service in the account is actively hostile.
It's cool to see some new modern all-in-one email solutions. Stalwart is another good one. Would be even cooler to see this lead to a bit of a resurgence of small and self-hosted email providers.
Stalwart does seem much more modern and feature-complete however.
I hope it does. We have to get through the challenging issue of convincing big tech companies that our small email servers are not spam however.
I've self-hosted email on and off since the mid 2000s and my impression is that with the widespread adoption of DKIM/DMARC, the large providers have toned down the spam-by-default treatment of small/unknown email servers. Even Microsoft a bit, though you still have to get your IP whitelisted to send to outlook.com addresses usually.
That's perhaps because you have been self-hosting that long. One piece of advice given to new self-hosters these days is to start sending mail to your friends' email accounts that are hosted by the bigtech. Then you have to contact each one and ask them to mark it as not-spam, so that some day your mails will go to their inboxes, rather than the spam folder.
Honestly, I don't think that DKIM/DMARC has made the situation any better. In fact, spamassassin and rspamd often seem to work better than their spam filters in identifying actual spam.
> Then you have to contact each one and ask them to mark it as not-spam
That presumes the email is accepted into the spam folder rather than being rejected outright at SMTP time.
You're right. I don't know the situation now, but Outlook used to behave exactly like this.
Microsoft is absolutely hell to deal with. Especially if you are hosted on Linode. They frequently ban entire linode subnets. I’ve had to resort to routing all sent mail via Amazon AWS SES just because of Microsoft’s IP range bans. It’s not what I’m doing, but my neighbours.
It's funny because throughout Q1 2024 a huge range of Microsoft's own IP addresses were blacklisted by Spamcop and other blacklist providers due to spam/phishing attacks coming from outlook.com addresses. (Google "EX703958" (MS's issue#) for some fun reading.) They (and their enterprise customers) have been on the receiving end of the same thing they do to others.
Allegedly, Microsoft subscribes to random spam checklists like UCEProtect.
uceprotect bans entire subnets & ASNs if just one IP is suspected of sending spam. Apparently, you can pay to get your IP whitelisted for some time but it will be back on the list again. It's probably a scam/shakedown operation.
As these lists discourage self-hosting and benefit large email providers, they take their own time for fixing these issues.
Yeah they are definitely the worst of the bunch. But that's unsurprising I guess.
I haven't tried sending to Outlook, but so far I'm getting through Google with just a strict SPF and a DNSSEC domain. Very low volume, to the point I assume reputation isn't being tracked. Just an observation
That's really great to hear, I haven't self hosted since maybe 2015. I must admit I assumed things would surely have gotten worse, not better.
Definitely got worse since 2015 before seeming to get better the last year or two. At least with Gmail. So many variables though, so this is more an impression based on my own experience.
This doesn't seem to be a problem anymore. What is a problem, though, is big tech companies spamming us incessantly and doing almost nothing to prevent that.
I get 10-20 spam E-mails a day from AWS, Google and Microsoft. Forwarding spam to their abuse@ contacts doesn't seem to do anything. And I can't block them, like I would a smaller spammer.
Haha the best part is when the same Gmail or outlook address spams you again two weeks after reporting that very same address to abuse@gmail/outlook.
Outlook is extra bad. It is apparently possible to put your email (to/recipient) in BCC, so if you have aliases, it is impossible to tell which one was leaked and being abused, as to is marked as “undisclosed recipients”. There is no mass domain/pattern block rules, so if I block “spammer.1@hotmail.com”, then next day it arrives from “spammer.01@hotmail.com”, then blocking that, next day it arrives from “spammer.001@hotmail.com”. Outlook is actively hostile to blocking spam yet happy to quickly block small self-hosted operators.
With AWS I reported 3-4 spams from a certain company every day for 3 weeks.
Nothing changed.
They just ignore the reports.
Stalwart isn't really an all-in-one solution, it doesn't have webmail functionalities, just a backend.
the FAQ claims it does have a web interface; is it not really functional, or something else? never used it myself
https://stalw.art/docs/faq#does-it-have-a-web-interface
That's an admin interface, to configure the server. Webmail is something that one uses to read the mails.
Self-hosting email is a fool's errand. I used to do it. I'll never do it again. It requires way too much specific knowledge about how the entire email system works. You have to really want to learn everything about running an email server and everything about email to be successful, and even then your ISP could get in the way, as well as all kinds of spam blocker services that you have to deal with to get your special email server unblocked. It was a nightmare, and it's honestly worth paying a few bucks a month for someone else to deal with that. I have a ton of other way more important things to do with my time.
Email hosting is absolutely the lowest maintenance of everything I host. For anyone else reading this, if you follow 'mox quickstart' it will help you set up your DNS correctly so you don't have the above experience.
Congratulations for not hosting anything interesting, I guess? My self-hosted VPN is the lowest maintenance thing ever - it just runs, and I never have to touch it. I host quite a bit of stuff, but email was daunting. Every week it was some new fresh hell. Spam blocking lists were the worst of it, and no I wasn't spamming anyone.
I have some questions for the creator of this software if they happen to be paying attention to this thread. I have been running a small scale email server for about 10 different related business domains. Currently we use iRedMail. 1) Does the webmail client support 2FA? 2) Is it possible to do 2FA in thunderbird? 3) Can I make custom rules for BEC attacks (ideally I want to define “FirstName LastName” => email@domain.com whitelists using regex patterns). We get a LOT of very targeted BEC attacks and we have found this is the best way to handle it. We have it very locked down now. Yes we also do employee education on what to look for but this also helps. 4) Does the webmail client do banners like “this sender is outside of your org” or “you have never received an email from this sender before” etc.
Thanks!
1. no 2fa in the webmail yet. work is currently underway at the ietf for standardizing chained SASL (auth) mechanisms, and passkeys. i want to look at implementing passkeys already for the web interfaces, but there is much more on the todo-list... 2. as shown by yamrzou, i don't think so. SASL auth really just uses 1 auth mechanism at the moment. i think there is also standardization work underway for password+totp sasl authentication. but clients (like thunderbird) would still have to implement it before it's useful. there may be a trick to get 2fa-like authentication now, using both TLS client cert authentication (mox supports this based on public key identification, no other properties of certs) and an IMAP/SMTP-level SASL authentication. 3. no, but this is interesting. what kind of rules would you set? rules to match specific message headers/content that identify a message as phishing and reject it? for when attackers send the same message to many employees? do you need to remove messages from their inboxes after it has been delivered (assuming all employees would get the email at around the same time)? 4. no, but i've considered adding it. it should be very simple to add. and it's much better than mail servers modifying the message content to add messages like that.
It's good to hear you are working on 2FA that is certainly one of the biggest requests we receive lately for our self hosted email, and has almost pushed me to switch to cloud based services.
With regards to thunderbird and 2FA, it appears that there are some third party solutions, I don't quite understand how they work, looks like they are using SAML or something. https://www.miniorange.com/thunderbird-2fa-mfa-two-factor-au...
To give you an example for the BEC filters we are using, we use the postfix header checks with a negative lookahead regex. For example:
I would say that this approach is certainly not ideal, it's hacky and manually maintained. I personally believe that a smart mail server should be aware of what its users use for firstname-lastname-email.address@domain.tld combinations and it should either block or soft block (show warning badges in the webmail client) mail which does not follow the pattern of the defined users. We also use the mime header checks to block some bad attachment types (this is kind of oldschool there are certainly more modern approaches)
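The display-name-to-address allow-list described in this comment, as an added example that is not code from the thread, from postfix or from mox: instead of a postfix header_checks rule it is a standalone check that parses the From: header, folds look-alike display names (encoded words, accents, punctuation) and flags a known person's name paired with an address other than the expected one. The KNOWN_SENDERS entries and every address are constructed.

```python
"""Display-name vs. address allow-list check for BEC-style From: spoofing.

Added example (not from the thread, postfix or mox). Names and addresses are
constructed; KNOWN_SENDERS stands in for the per-user mapping a mail server
would maintain.
"""
from email import message_from_string
from email.header import decode_header
from email.utils import parseaddr
import re
import unicodedata

# Constructed allow-list: the display name of a known person may only be used
# together with this exact address.
KNOWN_SENDERS = {
    "Jane Doe": "jane.doe@example.com",
    "John Smith": "john.smith@example.com",
}


def normalize_name(name: str) -> str:
    """Fold a display name so look-alike variants compare equal: decode RFC 2047
    encoded words, strip accents, lower-case, and reduce every run of
    non-alphanumerics (dots, extra spaces, '@') to a single space."""
    parts = []
    for chunk, charset in decode_header(name):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", "replace")
            except LookupError:  # unknown charset label in the encoded word
                chunk = chunk.decode("ascii", "replace")
        parts.append(chunk)
    decoded = "".join(parts)
    folded = unicodedata.normalize("NFKD", decoded).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]+", " ", folded.lower()).strip()


_KNOWN_NORMALIZED = {normalize_name(n): a.lower() for n, a in KNOWN_SENDERS.items()}


def check_from(from_header: str):
    """Return (verdict, reason) for one From: header value.

    'ok'      -> known name paired with its expected address
    'reject'  -> known name paired with a different address (the BEC pattern)
    'unknown' -> display name matches nobody on the list
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    disp_norm = normalize_name(display) if display else ""
    for known_norm, expected in _KNOWN_NORMALIZED.items():
        # Word-boundary match: 'Jane Doe (CEO)' or 'jane.doe@example.com' used as
        # a display name still trigger, while 'John Smithson' does not.
        if re.search(rf"\b{re.escape(known_norm)}\b", disp_norm):
            if addr == expected:
                return "ok", f"display name '{display}' paired with expected {addr}"
            return "reject", f"display name '{display}' expects {expected}, got {addr or '<none>'}"
    return "unknown", f"no known sender matches display name '{display}'"


def check_message(raw: str):
    """Run check_from over a raw RFC 5322 message; a missing From: is rejected."""
    msg = message_from_string(raw)
    from_value = msg.get("From")
    if from_value is None:
        return "reject", "message has no From: header"
    return check_from(from_value)


if __name__ == "__main__":
    # Constructed sample: the spoofed display name of a known person.
    sample = "From: \"Jane Doe\" <jane.doe.ceo@example.net>\nSubject: urgent wire\n\nbody\n"
    print(check_message(sample))
```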
Re #4 yes, I agree, modifying the actual mail breaks DKIM, you can really only do this in webmail. Apparently, it doesn't support 2FA (yet). From https://discuss.privacyguides.net/t/mox-modern-full-featured...:
> Another is 2FA. It would be relatively easy to implement in the web interfaces, but not with SMTP (submission) and IMAP. Most clients can at most do cram-md5 for authentication mechanism (old). I don’t know any clients doing the safer scram-sha-256-plus properly (with mutual verification and TLS channel binding, mox implements it). Interested in hearing what the thoughts are on these topics.
You can have 2Fa in mailcow, for admin UI and sogo.
set this up today, the documentation is useful and the quickstart very helpful, the dns stuff pretty much works exactly as it's supposed to and is just a bunch of copypasting (in my registrar's ui).
specifically for mox there were some things i would have liked to see: explain how the webmail isn't accessible on the public ip by default - i don't know how many of you want to be in a specific vpn for checking your email, but i sure was surprised i couldn't reach it, but had to activate it in config (and first figure out how to even do that). mox also doesn't redirect to https by default - imo it should, since it already includes the convenient automated certificate setup (which worked great).
maybe it is intended for a different environment, but since it recommends not running another webserver on the same host, i really don't want to access the webmail from the local server or by http. i like most of my services being available behind a reverse proxy, there it would make more sense. maybe i'll look into that variant later, but the documentation isn't quite as complete as i'd like.
How does mox compare to maddy, another Go all in one mail server? Does mox support antivirus addition? Didn't see that in the docs but I may have skipped that section.
> Does mox support antivirus addition
No, not currently possible. I think it needs milter-like functionality in the smtp server. Would be good to have eventually.
https://github.com/mjl-/mox/issues/1
After 21 years of hosting my own email server, starting with roll-your-own (anyone else remember sendmail.cf?) and moving to boxed solutions such as mox or mailcow, I gave up. Maintaining IP reputation and keeping up with the neverending set of arbitrary rules (spf, dkim, etc) I found my time was worth something too. Doing an honest ROI calculation, I figured i was spending 2 hours on average each month keeping the plumbing going. For me, that was well-worth the ~15/month that proton charges. I bet there are other good ones out there too!
To be honest though, throughout those decades, I learned a vast amount about how email flows. That knowledge is irreplaceable.
My recommendation is to try your own until you really, REALLY understand it. Then move to a paid solution.
Has someone compared this to other modern alternatives? Stalwart (open core), chasquid, maddy, ...?
Stalwart seems to be Rusty, while this one is Gooey.
Haven't used Mox yet but Chasquid is great if you want something that's focused on being a streamlined modern MTA rather than "all-in-one". So kind of the opposite of the Mox approach.
I like Chasquid for its straightforward codebase and the hook system that you can use to customize it further.
I've compared iRedMail, Mail-in-a-box, Mailcow, Modoboa, in 2021, if that helps (it's in Russian)
https://www.linux.org.ru/forum/general/16654099?cid=16658164
I'm not really interested in these setups that combine postfix, dovecot, opendkim etc. Those aren't what I consider modern all-in-one email servers.
Stalwart seems to be more ahead feature-wise. As a Stalwart user I will definitely keep an eye on this project. Just a couple of missing features that are a dealbreaker. One of them is also absent in Stalwart - aliases to external accounts.
A somewhat related tangent, has anyone got good desktop email client recommendations? Preferably macOS/Linux.
I have 6ish email accounts I need to monitor, and outside of Outlook (and the various hellish variations of it), I'm yet to find a good client like all smartphones seem to have - all inboxes in one client presented together. I recall having a number of issues with Thunderbird a few years ago when I last tried it, but I don't remember why.
I'm not sure what your issues were, but Thunderbird is still the king of desktop email clients. It supports a unified inbox, go to the inbox and tick View -> Folders -> Unified
With that top screen shot, I'm surprised that it doesn't have UUCP support.
I think it looks amazing. No nonsense, clear labeling on buttons and nice colours.
The first screen shot is an e-mail from Ian Lance Taylor, the author of, arguably, the best UUCP implementation, and how I sent/received most of my e-mail up until 2010. It was really, really good at dealing with spotty wireless connections like CDPD and spotty early cellular hotspots. All my company's e-mail would come into an SMTP server, and then the last mile was UUCP to our individual laptops.
Story time: Back in maybe '93, I had a UUCP connection to a provider in Colorado. I was calling in from Nebraska (I had moved out there temporarily, but it had always been a long distance call). One day the e-mail stopped flowing. After a bunch of debugging I found that it would connect, and then sit there waiting for data packets from the remote end. I got ahold of the provider and the issue was they were using the SunOS UUCP, which stored all the files for all feeds in a single directory, and some of their users didn't call in regularly, some I get the impression were getting e-mail and not calling in anymore. Eventually this directory filled up to the point where the OS couldn't scan it within the UUCP timeout.
They ended up throwing hardware at the problem, but I suggested that they switch to taylor-uucp. Taylor stored the queues in a per-endpoint set of directories, so you didn't run into the large directory problem unless your UUCP endpoint was the offending one. However the provider replied that "tayloruucp doesn't work well with larger providers." So I asked Ian Lance Taylor about that, and he replied "That's news to [one of the largest national, probably international UUCP providers]".
From the FAQ
How do I configure a second mox instance as a backup MX?
Unfortunately, mox does not yet provide an option for that. Mox does spam filtering based on reputation of received messages. It will take a good amount of work to share that information with a backup MX. Without that information, spammers could use a backup MX to get their spam accepted.
These days a backup MX seems pretty pointless, no? If your mailserver is down, almost every mail platform out there with a message for you will store and retry later.
In certain contexts, waiting for redelivery is unacceptable performance. Some people lose lots of money if they aren't in the loop. Imagine a group email chain, the CEO is asking questions, everyone is responding immediately - except you.
I agree with your point, but I don't accept the premise that people are responding quickly to emails. 99% of emails are transactional these days, and places where they aren't (eg. internal at BigCorp) it's not unusual for people to be receiving 1000s a day.
Replying the same day is considered quick for places with C level.
It's quick if you are the CEO, it's slow if you are reporting to the CEO. :)
Or magic link logins...
backup MX systems are useful, but the above faq is ... naive. it's fairly simple to deploy a backup mx that does not accept mail unless the higher-priority mxes fail a health check.
Seems reasonable. I have been thinking about schemes for backup mx'es. When the primary is online, the backup would just forward the smtp connections to the primary directly. The backup mx only has to do their own work when the primary is down. I was/am concerned about the backup mx accepting spam that you don't really want to bounce later on. But that should be an exception.
I am also thinking about synchronizing all the data to another machine. It would allow a manual failover procedure. And it's nice to have another machine (IP) for outgoing email in case the primary IP gets on a block list. But this is all future work.
the backup mx shouldn't have any special delivery privileges. when the primary mx comes back online, the backup should deliver to that rather than trying to deliver anything itself. this allows those spam checks which will still work to benefit from the normal delivery path.
you can have several hosts with the same MX priority, and only spin up actual service when necessary. given modern health check tools and raft-consensus filesystems, it's very possible to build a robust mail network on the cheap.
> this allows those spam checks which will still work to benefit from the normal delivery path.
It's not exactly the same. When a backup MX has accepted the message, it takes responsibility for the message, and will have to send a DSN when it is rejected for being spam. Mox never "delivers" messages to a spam mailbox (it's that behaviour from the bigmail providers I don't like and undermines trust in email!). Mox either accepts a message, or rejects it at the SMTP level. When the backup sends to the primary, and the primary wants to reject, the backup would have to send a DSN to the potential spammer. Not great, and not something we have to do now.
But still, if it's only needed for emergencies, when the primary is down, it probably isn't too problematic. And the backup mx (with primary offline) can always be more strict, requiring dmarc-like alignment before accepting (to prevent backscatter if the primary rejects later on).
I'd love a backup MX that acts clustered. Email is file/object based, I should be able to spin up 5 VPS and send/receive from any one of them without ending up with an out of sync email. The closest I've found so far is aerogramme that stores in their own object store implementation but it's very much alpha https://github.com/deuxfleurs-org/aerogramme
I believe the main issue is keeping them in sync.
Sounds interesting.
I didn't find anything about sub-addressing in the features list. Is it a supported feature?
Also, with a version number starting with 0.0. I'm left wondering if Mox is already stable enough to be entrusted with my precious email.
Other options I'm considering are mailcow running in docker.
> I didn't find anything about sub-addressing in the features list. Is it a supported feature?
Yes, assuming you mean addresses like user+<anything>@domain. The "+" is configured by default when you add a new domain. See https://www.xmox.nl/config/#cfg-domains-conf-Domains-x-Local....
> Also, with a version number starting with 0.0. I'm left wondering if Mox is already stable enough to be entrusted with my precious email.
It's been suggested to just increase the version number since it's more stable than a 0.0.X might suggest. I'm currently considering mox at release number 14. I'm still on the fence about it. Ideally people make the decision on the merits of stability, not based on the looks of the version number. But I understand it's used as a signal for how stable software is (but mileage will vary!).
At least I'm trying hard not to break anything, so upgrades will work for all installations.
I've been using it since 0.9 and it has mostly been solid. I had two bugs receiving emails, one where incoming emails didn't work from Microsoft but they fixed that in 0.13, and another incoming issue I can't remember that they fixed in 0.10. I'm not sure if I want to move my main domain over from Exim yet but I'm considering it.
> incoming emails didn't work from Microsoft but they fixed that in 0.13
Yeah, this one was interesting. It looks like microsoft updated their TLS stack to TLS 1.3, but incorrectly, breaking TLS connections to Go TLS servers. I don't know how to contact Microsoft about it, but others have raised issues with Microsoft. Mox got a workaround (disabling session tickets for SMTP) so Microsoft's TLS stack wouldn't abort the connection anymore. This is a downside of being a small guy: You have to work around the bugs of the big guys.
The latest version is 0.0.14 which is lower than 0.9 (i guess you mean 0.0.9)?
Yeah I missed the extra 0s :)
Thanks.
Absolutely, if you feel that the software is already usable and is not lacking essential features, I'd suggest dropping the second zero in the current version number.
I noticed the roadmap section on your "Features" page, that also helps. I consider SIEVE server side filtering to be pretty essential.
I've been stuck running my own inbound email since back in the 90's when I set the catchall separator to '-' on my domain.
I am running multiple mailcow instances and am very happy (supports sub-addressing). The only downside is that if you need mailpiler for archiving purposes you need to set it up manually since that is part of their paid offer.
Enjoy the presentation of Mox at Golang Rotterdam: https://youtu.be/KiDP_JoomOY?si=CyiUEgc8J5WfNZ5R
That webmail screenshot made me realize how much I desperately miss threaded mail/news readers. <3 I should figure out how to make Roundcube do that.
This seems like a good place to ask - does anyone have recommendations for a mail server and webmail integrated with CalDAV and CardDAV?
I was looking at Horde's Imp, Kronolith and Turba so far - https://www.horde.org/apps - they seem OK but is there anything else in this area?
https://github.com/mjl-/mox/issues/242
They're thinking of doing this already and apparently have some poc/prototype code, and a user has suggested a thing in the meantime.
Funny that, I was looking recently for a small, local smtp server to get notifications from my printer and other stuff and... there isn't. All you get are the ginormous ones with decades of crud attached.
So I ended up writing my own of course; no need for all the fancy features, just PLEASE let me receive email over SMTP and deliver them locally with 'dma'. Pfew.
I feel like there's going to be a very slow trickle of (a trivial number of) users towards either self-hosting mail or a growing cottage industry of smaller-scale mail services hosted outside the US.
Of the growing number of self-hosting options, I'm not sure how many of them are designed to scale, or to what scale they can scale...
I appreciate the Plan 9 colors in the webmail UI.
Most of mox is written with acme (also some vim)!
But how do you get a "clean IP" to actually run it on? My ISP's IP changes every so often (whenever there's a power outage for example).
Last I checked, you can't run mail servers on typical cloud providers (like Azure, Oracle) and cheap VPSs are almost guaranteed to have "dirty IPs" (used for spam and thus blacklisted).
I also expected lowend VPS servers to have tainted IPs but surprisingly they are mostly clean. Currently I run Mox on a very cheap $0.6/month (multi year contract) VPS and for the almost half year that I have monitored the IP address there were 0 blocklist appearances; mail delivers generally fine (only had to fish it out of outlook spam at my work address). Most of my other monitored VPS IPs are also completely clean. It seems spammers are not tolerated by those providers.
I have not tried this, but I'm reminded of the post https://rachelbythebay.com/w/2024/09/22/colo/, which describes how one can host your own infrastructure in a colocation rack, which sounds pretty rad.
I thought it was going to be a problem when I gave up the IP I've had for a mailserver at hoster A for 15 years and moved to Hetzner, but it wasn't. But of course that's only anecdata, like everything 90% of personal mail server operators will tell you, no one runs several different setups at different IPs/hosters.
I have used them[1] in the past with good results.
* No affiliation
[1] https://www.pubconcierge.com/email-marketing
Hetzner served me just well for this purpose for 2 decades now.
Some ISPs can provide you a static IP either for free or by paying a premium.
Set it up in mid 2023, still running good! Getting it going was fun, staying on top and maintaining it isn't really...
I'm hoping to make this easier in the future, more often automatically taking care of updates. In the past, you've had to run a command/script here or there to fix up date, but that should all be done automatically.
My talk at FOSDEM was about this for a good part, https://fosdem.org/2025/schedule/event/fosdem-2025-5364-mox-....
If you have suggestions on how to make it less choreful to maintain, I'm interested in hearing it! Also if you had specific issues about maintenance/updates.
I love mox and was at your talk. I've been using it for a year. If I could make a few small feature requests (which may already exist) - I'd love to be able to use my external spamassassin with it instead of (or even in addition to) the built in one.
Secondly the documentation/instructions could be clearer for non-typical use cases, for instance catch-all emails. I have an Exim server with two domains pointing to it, I have catch alls on both, but the second domain is delivered into a folder in the first (it's used similar to SimpleLogin - for signing up to services). I assume this is possible with Mox but I'm not sure.
Having said that, I love Mox and I'm slowly moving all the email I host for other people onto it because it just seems to work.
> (which may already exist) - I'd love to be able to use my external spamassassin with it instead of (or even in addition to) the built in one
This isn't possible yet. For me, the builtin filtering has been enough. But it's worth investigating what it takes to ask spamassassin for a classification. Could you open an issue at github for this?
> the documentation/instructions could be clearer for non-typical use cases, for instance catch-all emails
Agreed, documentation is in need of improvement. So far I'm often pointing people at https://www.xmox.nl/config/. Searching there typically pops up a config option. But it's not the easiest to find functionality that way. The admin web interface also needs to be made less spartan.
The catchall is possible, by configuring an address "@$yourdomain" with an account.
> because it just seems to work
This is certainly the goal. And I think we'll only get better over time!
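An added example covering two answers above: sub-addressing (user+anything@domain, with "+" as the default separator) and the catchall configured as "@$yourdomain". This is illustration code written for this thread, not mox's own address lookup; the route table, the lowercasing of the local part and the lookup order are assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// routes maps a configured address to an account. A key of the form
// "@domain" is the catchall for that domain. The entries are constructed
// for this example.
var routes = map[string]string{
	"alice@example.org": "alice",
	"@example.org":      "alice", // catchall: everything else at example.org
	"bob@example.net":   "bob",   // no catchall for example.net
}

// subAddrSeparator is the sub-address separator; "+" is what mox configures
// by default for a new domain.
const subAddrSeparator = "+"

// splitAddress splits "local@domain". Both parts are lowercased, which is
// an assumption of this example (RFC 5321 leaves local-part case to the
// receiving server). An empty local part is rejected so that a literal
// "@example.org" recipient can never hit the catchall key directly.
func splitAddress(addr string) (local, domain string, ok bool) {
	i := strings.LastIndex(addr, "@")
	if i <= 0 || i == len(addr)-1 {
		return "", "", false
	}
	return strings.ToLower(addr[:i]), strings.ToLower(addr[i+1:]), true
}

// ResolveAccount finds the account for a recipient in three steps: the
// exact address, the address with its sub-address stripped, then the
// domain catchall. Exact match comes first so that a configured address
// that itself contains the separator wins over its stripped form.
func ResolveAccount(addr string) (account string, found bool) {
	local, domain, ok := splitAddress(addr)
	if !ok {
		return "", false
	}
	if acc, ok := routes[local+"@"+domain]; ok {
		return acc, true
	}
	// i > 0 keeps "+tag@domain" (empty base local part) from being
	// stripped to "@domain".
	if i := strings.Index(local, subAddrSeparator); i > 0 {
		if acc, ok := routes[local[:i]+"@"+domain]; ok {
			return acc, true
		}
	}
	if acc, ok := routes["@"+domain]; ok {
		return acc, true
	}
	return "", false
}

func main() {
	for _, a := range []string{
		"alice@example.org", "alice+shop@example.org", "ALICE+X@Example.Org",
		"nobody@example.org", "bob+news@example.net", "nobody@example.net",
		"+tag@example.net", "bob@example.com", "not-an-address",
	} {
		acc, ok := ResolveAccount(a)
		fmt.Printf("%-26s -> %q %v\n", a, acc, ok)
	}
}
```

The two guards are the part worth copying: the empty-local-part check and the `i > 0` condition are what keep a crafted recipient from being rewritten into the catchall key itself, so the catchall only ever applies to otherwise unknown addresses at a domain that explicitly configured one.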
Thank you, this is essential!
Reading mox FAQ, it looks close enough to the ideal: https://www.xmox.nl/faq/#hdr-how-do-i-stay-up-to-date
I'm currently running a more classic setup with postfix and dovecot, because the updates and security fixes are managed by Debian. Once things are configured, I don't need to do anything using unattended upgrades (other than upgrade Debian itself when the LTS version goes out of support, that is!).
At this point it is easier for me to not touch what I have, but in my next mail server I will consider mox!
> because the updates and security fixes are managed by Debian. Once things are configured, I don't need to do anything using unattended upgrades
This is a good point. It would be great to have mox packaged in more distributions. I spoke with a package maintainer about this. They understandably need to be able to upgrade unattended from old versions to a new version. In the past year, admins have had to run an upgrade command here and there (e.g. to reparse all the messages after the parsing code changed). I hope to make all this more automatic this year. That should make it more appealing for packagers (and for all non-distro-using admins too!).
I think a new debian LTS release will be coming up soonish, we probably won't make that.
Since the late 90s I've always had the thought in the back of my mind that one day I would run my own mail server. That day never came and the task seemed more and more impossible. This looks genuinely manageable, I might actually give this a shot when I get off work.
I've been using maddy. It seems this has more features (like web interface, reputation tracking etc).
Nice, but it's so much easier and cheaper (in time spent) to just use a trusted and secure mail provider with your personal domain. Mailbox.org is my favorite - dkim, encryption, webdav all work out of the box with Android apps available.
I'm very happy to see this as I have been advocating for something like this for quite a while: a single setup and configuration that handles SPF, DKIM, DMARC all together.
I understand, and appreciate, the modular philosophy behind OpenSMTPD, etc., but in practice it is quite frustrating and difficult to piece it all together - especially if you add rspamd, etc.
Speaking of which, how is spam handled ? I see this in the FAQ:
"Mox does spam filtering based on reputation of received messages."
... but it is not further elaborated.
Also:
I assume that the web service can be fully disabled and Mox can be run with no httpd but that is also not specifically called out ... can it ?
There is some more information about spam filtering at the features page:
https://www.xmox.nl/features/#hdr-junk-filtering
I'm very happy with how the filtering works for me. Most email gets classified because of being a known sender. The first-time senders will go through the bayesian classifier, which keeps most spam out. For me, 1 spam message gets through every 2 days. If ham is incorrectly rejected as spam, the sender will hear about it, because mox will keep soft-rejecting the email, eventually resulting in a bounce.
> I assume that the web service can be fully disabled and Mox can be run with no httpd but that is also not specifically called out ... can it ?
You can run without the web interfaces. I think you can set it up without a public web server, but the admin interfaces are pretty convenient (though still spartan!), you could keep those internal. The webserver is needed for ACME, for MTA-STS, and for autoconfig. Btw, mox can also serve static files and do reverse proxying. The mox website is hosted by mox. I added webserver functionality (relatively tiny functionality/code compared with the email code!) so people wouldn't have to run another webserver, which greatly complicates the setup (with reverse proxying).
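An added example of the filtering flow described in the reply above (known senders judged by reputation, first-time senders by a bayesian classifier, spam soft-rejected at SMTP time so the sender eventually hears about it). This is illustration code written for this thread, not mox's classifier; the reputation table, the training corpus, the 0.9 threshold and the three-message history cut-off are all constructed assumptions of the example.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Verdict is the reply the SMTP DATA handler gives. 451 is a temporary
// reject: the sending MTA keeps the message queued, retries, and after a
// few days bounces it to its own user, so a misclassified legitimate sender
// finds out. Nothing is ever "delivered to Junk".
type Verdict struct {
	Code   int
	Reason string
}

// reputation is what earlier messages and user actions (moving mail in and
// out of Junk) taught us about a sender. Constructed data for this example.
type reputation struct{ ham, spam int }

var senderRep = map[string]reputation{
	"friend@example.org":   {ham: 12, spam: 0},
	"deals@spammy.example": {ham: 0, spam: 5},
}

// bayes is a minimal multinomial naive Bayes classifier over word tokens
// with add-one (Laplace) smoothing, indexed by class (true = spam).
type bayes struct {
	words map[bool]map[string]int // per class: word counts
	total map[bool]int            // per class: token count
	docs  map[bool]int            // per class: document count
	vocab map[string]bool
}

func newBayes() *bayes {
	return &bayes{
		words: map[bool]map[string]int{true: {}, false: {}},
		total: map[bool]int{}, docs: map[bool]int{}, vocab: map[string]bool{},
	}
}

func tokens(text string) []string { return strings.Fields(strings.ToLower(text)) }

func (b *bayes) train(text string, spam bool) {
	for _, w := range tokens(text) {
		b.words[spam][w]++
		b.total[spam]++
		b.vocab[w] = true
	}
	b.docs[spam]++
}

// logLikelihood is log P(class) + sum of log P(word | class), in log space
// so that long messages do not underflow.
func (b *bayes) logLikelihood(spam bool, text string) float64 {
	l := math.Log(float64(b.docs[spam]) / float64(b.docs[true]+b.docs[false]))
	for _, w := range tokens(text) {
		l += math.Log(float64(b.words[spam][w]+1) / float64(b.total[spam]+len(b.vocab)))
	}
	return l
}

// spamProbability returns P(spam | text).
func (b *bayes) spamProbability(text string) float64 {
	return 1 / (1 + math.Exp(b.logLikelihood(false, text)-b.logLikelihood(true, text)))
}

// trainedClassifier builds the classifier from a tiny constructed corpus.
func trainedClassifier() *bayes {
	b := newBayes()
	for _, s := range []string{"cheap pills buy now limited offer", "win money now click here free offer", "free pills click now"} {
		b.train(s, true)
	}
	for _, h := range []string{"meeting notes from monday attached", "can you review the patch before friday", "lunch on friday after the meeting"} {
		b.train(h, false)
	}
	return b
}

// Classify is the delivery decision: a sender with enough history is judged
// by reputation alone; a first-time sender goes through the classifier.
// Likely spam from an unknown sender gets a soft reject (451) so a wrongly
// classified sender is told; a sender with a spam reputation gets 550.
func Classify(b *bayes, from, body string) Verdict {
	if rep, ok := senderRep[strings.ToLower(from)]; ok && rep.ham+rep.spam >= 3 {
		if rep.spam > rep.ham {
			return Verdict{Code: 550, Reason: "5.7.1 sender has a spam reputation here"}
		}
		return Verdict{Code: 250, Reason: "2.0.0 accepted, known good sender"}
	}
	if p := b.spamProbability(body); p > 0.9 {
		return Verdict{Code: 451, Reason: fmt.Sprintf("4.7.1 message looks like spam (p=%.2f), try again later", p)}
	}
	return Verdict{Code: 250, Reason: "2.0.0 accepted"}
}

func main() {
	b := trainedClassifier()
	fmt.Println(Classify(b, "friend@example.org", "buy cheap pills now free offer"))
	fmt.Println(Classify(b, "stranger@example.net", "buy cheap pills now free offer"))
	fmt.Println(Classify(b, "stranger@example.net", "review the meeting notes before friday"))
}
```

Reputation deliberately beats the classifier: a sender who has sent a dozen legitimate messages is not bounced because of one bad subject line, while an unknown sender with a spammy body gets a 4xx and a retry window rather than a silent drop into a Junk folder.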
Is there an implementation of the same capability as a JS lib? So that one could have an email server running as part of their Node.js / other runtime?
What use case do you have in mind? It requires more than just ingesting incoming e-mail?
How does integrating all modern email protocols into a single application like Mox impact performance and security compared to using multiple separate components?
From a security perspective, it is better to have separate & isolated processes (but written in modern languages that provide safety).
Mox is currently a single process handling all connections, including deliveries over smtp, imap connections, and webmail and other http requests, which isn't great. User connections should probably be in a separate process. I'm not too afraid of the mox process being taken over (by a bug being abused, I don't think that's easy/common in software written in Go), but of course it will be a good line of defense against that. Resource limit enforcement of separate processes would perhaps be even nicer to get.
I haven't gotten around to really designing privilege separation, but I'm foreseeing some complications around handling http requests (of the webmail, pass each request on to the user process? Have to figure out how to do that with the http library), and message database access (the database files can only be open by a single process, need to do quite some back and forth to the user process in various places).
For performance, I imagine it only helps to have an integrated server. Performance isn't really top of mind, I don't think mail servers are commonly highly loaded, at least not for the smallish scale servers. Btw, mox does not require a lot of resources (e.g. RAM) to run.
> multiple separate components
Btw, I don't think it's better to have separate _components_ as in separate software packages. Integrating this functionality into one software package prevents all kinds of complexity that would otherwise arise in the integration points. Integrated software also allows for new/user-friendlier functionality.
Nice work.
Does it include shared folders? I look forward to seeing one of these projects include either that or NNTP support. Then we can get rid of Slack.
Can I use this instead as a frontend for an existing server? UI is perfect for me but I don't want to fully self host anything but the UI.
No, that won't work. The webmail uses a simple custom protocol.
Perhaps someone can rewrite it using JMAP in the future...
JMAP seems opinionated and somewhat limiting as an API, migrating to it from a more featureful/ergonomic API might be a pain.
What do you mean by JMAP is 'limiting as an API'?
It actually lifts the IMAP protocol to be used by web apps easily.
Really nice- I want a distro package. Managing updates manually gets out of control fast if you run many services.
Wow this looks great! Email was such a hassle a few years ago that I kind of just gave up on hosting it myself.
Definitely trying this!
I like old school interfaces as much as the next nostalgic hackernews reader, but nothing about this looks “modern”.
They are referring to the start date (2021), language (Go) and feature set (SPF, DKIM, DMARC, MTA-STS, DANE and DNSSEC etc) rather than the design. Presumably you could use it for email delivery and skip the web mail piece altogether.
The looks match the intended audience. (:
I'm focusing on functionality/protocol support now. User/admin-friendliness and making it more attractive will come later. Mox will become irresistible to the masses then!
> The looks match the intended audience
I thought it looked refreshing. Efficient, light, and no-nonsense. So you're right, it does match the intended audience.
oh man, I wrote the same thing down below and then got so many down votes.
Nattering on about llms didn't do you any favours.
I used mailinabox[1] for years before finally biting the bullet and switching everything over to a hosted email platform.
Hosting your own email servers sounds good, until:
- Gmail and MS fling your emails in junk, despite ranking 10/10 on mailtester.net
- You have to search for old emails through RoundCube's byzantine UI (and eventually giving up)
[1] https://mailinabox.email/
Do you have plans to support docker, perhaps by creating an official Mox container image?
[dead]
The biggest problem with running your own hosted email server is that the giants (Google, Microsoft, Yahoo ...) tend to block all the incoming mail.
Sometimes you can contact them and ask to be removed from whatever list or be allowed.
In my experience that lasts about a week, then blocks again.
I eventually gave up.
Tons of bots out there looking for SMTP servers too.
I've been hosting three servers for over a decade and only had that problem once for a month with Google about 6 years ago. As long as you set up SPF at a minimum you'll be fine
I run my own mail server and use postmark for delivery. It is really inexpensive, I don't need to rely on Gmail for anything, and after setup has required almost no interaction for 10+ years.
perhaps this is a FAQ but does this handle virtual domains like Postfix and Dovecot can?
i.e
person@fred.com and person@mary.com are completely separate domains/imap accounts on the same server?
Yes, you can add domains, add accounts (which contain the mailboxes and messages), and configure addresses for the domains with accounts. So one account can have many addresses, at one or more domains, including catchalls.
Sad that the documentation isn't very friendly. Is this a replacement for Gmail? Can i use it with Thunderbird? Is it going to
It says right on the homepage it supports IMAP, so yes, you can use Thunderbird.
You should investigate: Gmail does not fully implement the IMAP standard, so any attempt to migrate from it will need some concessions to be made.
Always interesting to see another implementation of IMAP4! Congrats.
Hi Bron! Thanks, JMAP will come at some point too! (:
Someone has already been working on JMAP support in mox. I'm currently in a refactor of the storage layer, keeping history of (deleted) mailboxes too. Should address storage requirements for JMAP.
Fantastic :) Great to hear. I really do hope to find some time to read through the code, I haven't written any Go, so it'll be a slog to understand everything, but reading code is good for you.
That definitely is an extra challenge with JMAP, keeping enough tombstone information to accurately calculate the `destroyed` ids.
how does it compare to migadu?
Migadu is a hosted service, this is the software to run your own email server... So I probably wouldn't compare the two.
does this support JMAP yet
On a side note, how long until we realize the current incarnation of the pile of hacks upon hacks that is SMTP is fundamentally flawed and widely adopt something that has cryptography, authenticity and transport-level security built-in from the start?
Oh wait, yes, that'll never happen.
If I spun this up and attached it to my domain, would my emails be received by gmail/outlook/etc?
I'm pretty happy with forwardemail.net as a mail server, I selfhost snappymail to access it through a web browser. Not sure I want to take the step to selfhosting an email server, but I love the idea of cutting that external dependency.
Yes, but it depends heavily on whether your mail server has a clean IP with no spam history, the reputation of the IP range it belongs to, whether you've correctly set up DKIM/SPF records, etc. And you might have to get MS to whitelist your IP before you can send to outlook.com address, you'll only find out in your email logs whether that's the case when you try the first time.
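An added example for the "correctly set up SPF" part of the answer above: a minimal evaluator that shows what a receiver does with the record you publish, and why `-all` versus `~all` versus `+all` matters. This is illustration code written for this thread, not mox's SPF implementation. Only the ip4, ip6 and all mechanisms are handled, which is an assumption of the example (a real evaluator follows include, a, mx and redirect through DNS per RFC 7208); the addresses used are documentation ranges.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// SPFResult uses the result names of RFC 7208.
type SPFResult string

const (
	SPFPass     SPFResult = "pass"
	SPFFail     SPFResult = "fail"
	SPFSoftFail SPFResult = "softfail"
	SPFNeutral  SPFResult = "neutral"
	SPFNone     SPFResult = "none"
	SPFPermErr  SPFResult = "permerror"
)

// qualifierResult maps a mechanism qualifier to the result on match.
func qualifierResult(q byte) SPFResult {
	switch q {
	case '-':
		return SPFFail
	case '~':
		return SPFSoftFail
	case '?':
		return SPFNeutral
	}
	return SPFPass
}

// EvaluateSPF checks the connecting IP against a published SPF record.
// Only the ip4, ip6 and all mechanisms are implemented, enough for a server
// that sends from its own fixed addresses. include, a, mx, exists and
// redirect need DNS and return permerror here; that is a simplification of
// this example, not what RFC 7208 prescribes.
func EvaluateSPF(record string, ip net.IP) SPFResult {
	terms := strings.Fields(record)
	if len(terms) == 0 || !strings.EqualFold(terms[0], "v=spf1") {
		return SPFNone
	}
	for _, term := range terms[1:] {
		q := byte('+')
		if strings.IndexByte("+-~?", term[0]) >= 0 {
			q, term = term[0], term[1:]
		}
		parts := strings.SplitN(strings.ToLower(term), ":", 2)
		switch parts[0] {
		case "all":
			return qualifierResult(q)
		case "ip4", "ip6":
			if len(parts) != 2 {
				return SPFPermErr
			}
			arg := parts[1]
			if !strings.Contains(arg, "/") {
				// A bare address means a single host.
				if parts[0] == "ip4" {
					arg += "/32"
				} else {
					arg += "/128"
				}
			}
			_, network, err := net.ParseCIDR(arg)
			if err != nil {
				return SPFPermErr
			}
			if network.Contains(ip) {
				return qualifierResult(q)
			}
		default:
			return SPFPermErr
		}
	}
	// Nothing matched and there was no "all": RFC 7208 says neutral.
	return SPFNeutral
}

func main() {
	ip := net.ParseIP("198.51.100.1") // not our server, pretending to be us
	for _, rec := range []string{
		"v=spf1 ip4:203.0.113.0/24 -all", // what you want
		"v=spf1 ip4:203.0.113.0/24 ~all", // receivers may still accept
		"v=spf1 +all",                    // anyone may send as your domain
	} {
		fmt.Printf("%-34s %s\n", rec, EvaluateSPF(rec, ip))
	}
}
```

The record to publish for a single server is the first one: list the address(es) the server really sends from and end with `-all`. A record ending in `~all` gives receivers a reason to treat forgeries as merely suspicious, and `+all` (or a record that forgets the `all` term and so evaluates to neutral) gives them no reason at all to reject mail forged in your name.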
Of course I can't speak for everyone, but I used mox with a brand new domain on an OVH IP a year ago and it could immediately deliver to Gmail.
You will almost certainly be able to continue to use forwardemail.net as your SMTP forwarding host for sending traffic.
That means that you do either one of two things:
- keep using forwardemail.net SMTP credentials in all your e-mail clients, such as snappy. Only point those clients to your own server for IMAP4 access (accessing the mailboxes where mail is flowing into your own server).
- or else, point SMTP to your own server, and configure your SMTP server to use forwardemail.net as the next host. There are some advantages in that you have your own SMTP endpoint that you can use with multiple devices. In my case, my phone can talk to my own SMTP server for sending mail, and my SMTP server talks to my residential ISP's SMTP server. My phone cannot talk directly to my residential ISP server, because it's not inside their network; it's on an unrelated mobile network. So my SMTP server acts as mail forwarding proxy for the phone.
- Since you keep using forwardemail.net for sending, your reachability is not impacted.
Sending SMTP through forwardemail.net is covered in their FAQ. It looks like they have a few configuration hoops to jump through:
https://forwardemail.net/en/faq#do-you-support-sending-email...
I'm guessing you know about this because you must be using that with your snappy setup. What catches my eye is that they have some configuration bits where you declare your custom domain. That's not always necessary. For instance, in my setup, my ISP knows nothing about me and my domain. I just connect to their SMTP server, and use whatever From: header I want in my e-mails. The SMTP envelope address is one assigned by the ISP. I also noticed the bit at the bottom of that FAQ about their "manual review process on a per-domain basis for outbound SMTP approval" which supposedly takes 24 hours.
I am running mailcow for about 7 years now and it works fine. Sometimes some exchange server refuses to send my email. But it is pretty rare. Of course I had to set up SPF and DKIM. I think it happened once that I was grey listed. You can request removal of such entry. In general I do not have much problem with it. Most of the work is for migration from machine to another machine.
Mox is written in Go. What advantages does this provide in terms of performance and security compared to traditional email servers, which are often written in C?
No buffer overflows, no use-after-free and no double free issues. There is a garbage collector which stops the world here and there to cleanup, but for anything that is not constantly busy, like a small mail server, this is not noticeable.
I'm not sure whether to use stalwart or mox
[dead]
It claims to be modern, yet the landing page looks outdated.
You say "outdated", I see "no-nonsense". It's clearly organized and all the information is right there where you want it; what's to complain about?
Dude, we're living in the LLM era. If you're going in there manually searching for what you need, let me know which side you're on, because I want no part of it. That’s the losing side.
> yet the landing page looks outdated.
The current way of thinking is "It looks outdated", then the page is updated to look "modern" and that normally entails removing all relevant bits of information. I was going to attempt to find the Microsoft Exchange landing page, to show you what a modern landing page for a mail server looks like, and how utterly useless that is. Sadly the modernity has hit Microsoft hard and you can now only find the page for hosted Exchange/Microsoft 365 (https://www.microsoft.com/en-us/microsoft-365/exchange/email). Granted the page looks more in line with modern webdesign and it's fucking pointless, there's not one bit of useful information.
Personally I love that landing page. It's simple, light, and presents exactly what I want to know. I wish that style was more common, especially in non-commercial products where you don't need to impress anyone with extra graphics.
I, for one, appreciate a simple design. "Modern" tends to end up being bloated and slow.
It's one of the best landing pages I've seen in a while because it explains clearly what the software does, contains a video demo, and easy navigation to explore more. Basically, no BS.
It's an SMTP server, not a web design app.
Don't run your own mail server. You'll be attacked and get blacklisted and won't even know that it happened or why until you find out none of your emails to anyone get through.
Securing a mail server is full time plus job. Proton is great and free with their domain and cheap with yours.
This isn't true. Almost all MTAs have quite sane defaults these days. Yes it's not a simple walk in the park. I mean if you have 5000 users behind you then yes, what you say can be true, one compromised user can flood you etc. But as a "I have a small domain I host my own emails" I don't agree with your comment.
Not true. I’ve run my own server for over a decade, which has presented far fewer problems than gmail. The ability to: easily create redirects & distribution lists, back up all of my inboxes in seconds with a single rsync command, pre-filter messages with external programs, & actually see the SMTP logs and packets in real-time are game changers.
Securing a mail server is full time plus job.
No, it's not. I say that because I am the sysadmin for two mail servers (postfix/dovecot) with hundreds of users that have been chugging along for 30 years or so with no significant security incidents -- and since I know what my full-time job entails, I can tell you that on a day-to-day basis mail requires an absolute minimum of maintenance.
Don't tell me what to do or what not to do, and especially don't tell me using provable lies and falsehoods.
I almost forgot... You'll also be receiving all the spam that the big providers filter for you, and that's a lot.
This is not very hard to fix. Automatically downloading and applying public IP reputation blocklists cuts down on this by like 95%. The rest you can catch pretty trivially either with server-side filtering or just filter in the client. I do bad-IP filtering, but not spamassassin/rspamd. The client-side filtering in Mail.app kills nearly 100% of the few spam messages that get through.