
How to run your own mail server with your own domain, part 1

Aurich Lawson

E-mail is old and complex. It is the most ancient still-recognizable component of the Internet, its modern incarnation having coalesced out of several decades-old messaging technologies, most notably ARPANET node-to-node messaging in the early 1970s. And though it remains a cornerstone of the Internet (the original killer app, really), it is also extraordinarily hard to do right.

We usually interact with mail through friendly web interfaces or client applications, but a tremendous amount of work goes into hiding the complexity that keeps the whole system running. E-mail operates in a poisoned and hostile environment, flooded with viruses and spam. The seemingly simple exchange of text messages is governed by complex rules and complex tools, all of them necessary to keep the poison out and to keep the system functioning and useful despite the constant abuse it receives.

From the perspective of a normal person, e-mail looks like a solved problem: sign up for Internet access and your ISP gives you an address. Google, Apple, Yahoo, or any number of other free providers will set you up with an account offering gigabytes of space and lots of value-added features. Why slay arcane dragons to stand up your own messaging system?

I’ll tell you why: because if it’s in the cloud, it’s not yours.

From my inbox. Bad Ken Fisher, but still creepy, Google.

Because you are relying on someone else to keep you safe. You have no control over who can read your correspondence – you must consent to having your data mined and your marketing profile extracted. You won't be told if your metadata is being harvested or if your inbox is being sucked up by some secret government request. You agree to be not a customer but a product, and a product has no rights.

Well, to hell with that. This is your email. And we’ll take it back.

It’s hard and even a little scary…

E-mail is hard. If you want a simpler sysadmin project, go set up a web server. E-mail is far more complex, with many more moving parts. On the other hand, your correspondence with others is one of the most personal parts of your life online – in a medium that is ultimately text, your words are you. It is worth learning how to reclaim your online life from those who would mine the data and monetize it.

There are pitfalls and caveats, the most important being that if you run your own mail server, you are the system administrator. The upside is that no bored or tired customer service representative about to go off shift will fall for a social engineering attack and reset your e-mail password. The downside is that you are responsible for keeping your system patched and running. It's not an impossible task – it isn't even really difficult – but it is non-trivial and never finished. Applying critical updates is your responsibility. Knowing when critical updates come out is also your responsibility.

Worse, if you get it wrong and your server is compromised or used as a spam relay, your domain will almost certainly end up on blacklists. Your ability to send and receive e-mail will be reduced or perhaps eliminated altogether. And getting yourself completely off the multitude of e-mail blacklists is about as hard as getting off the TSA's no-fly list.

You were warned.

…but it’s also worth it

OK, that should be enough to scare off people who aren’t serious. For those of you who are still with me: it will be great fun and you will learn a lot.

This is going to be a multi-part series, and here in part 1 we're going to ask (and answer) a number of questions about how we'll set up our mail server. We'll also describe the applications we'll be using and talk about what each one does. We expect the series to unfold over the next few weeks; unlike our series on setting up a web server, however, you won't be able to start sending e-mail after part 1 – every piece has to be in place before anything works properly.

It is certainly not the only DIY tutorial on the Web. If you're itching to get started right now, check out Christoph Haas' excellent tutorial on Workaround.org – he makes many (but not nearly all) of the same configuration choices we will. However, Ars wouldn't be writing this guide if we didn't have a few tricks up our sleeves – we've been in an e-mail setup cave for the last month, and we have a lot of good information to share.

Requirements and assumptions—where and how

So you want your own mail server. Excellent! The first decision, before even getting into operating systems and applications, is where you are going to put it. If you're on a residential ISP connection, you will face a number of challenges running a mail server out of your closet. Besides almost certainly finding the standard set of e-mail TCP ports blocked (outbound port 25 above all), your IP address is also almost certainly already on one or more blacklists intended to cut down on spam sent by virus-infected home PCs. Whether or not you actually send spam doesn't matter – that ship sailed long ago, and residential IP addresses are almost universally treated as poisonous. There are plenty of tools you can use to see whether your address is blacklisted – be sure to check before you start.
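The blacklist check above is a plain DNS query, so you can script it yourself. The following is an added example, not code from the Ars article: it reverses the address's octets, appends a DNSBL zone, and interprets the A record that comes back. The zone names and the zen.spamhaus.org return codes are real; the `Resolver` callback, the `203.0.113.7` placeholder address (a TEST-NET-3 documentation address) and the sample answers in the usage note are constructed so the code can be exercised offline.

```python
"""Check an IPv4 address against DNS-based blackhole lists (DNSBLs).

Added example; not from the Ars article.  A DNSBL is queried by reversing the
address's octets, appending the list's zone, and resolving an A record: an
answer in 127.0.0.0/8 means "listed", NXDOMAIN means "not listed".
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Real, widely used zones.  The zen.spamhaus.org return codes follow Spamhaus'
# published list; the PBL (127.0.0.10/11) is exactly the "residential/dynamic
# space that should never send mail directly" listing the article warns about.
ZONES: Dict[str, Dict[str, str]] = {
    "zen.spamhaus.org": {
        "127.0.0.2": "SBL: known spam source",
        "127.0.0.3": "SBL CSS: snowshoe/compromised sender",
        "127.0.0.4": "XBL: exploited host, open proxy or malware",
        "127.0.0.9": "SBL DROP: hijacked/bulletproof netblock",
        "127.0.0.10": "PBL: ISP-declared end-user/dynamic space",
        "127.0.0.11": "PBL: Spamhaus-maintained end-user space",
    },
    "bl.spamcop.net": {"127.0.0.2": "SpamCop: reported spam source"},
}

# name -> A record as a string, or None for NXDOMAIN (injectable for testing)
Resolver = Callable[[str], Optional[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: octets reversed, zone appended (raises on bad input)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Default resolver: the host's stub resolver; NXDOMAIN becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, resolve: Resolver = system_resolver) -> Dict[str, Optional[str]]:
    """Return {zone: reason} with None meaning 'not listed'."""
    results: Dict[str, Optional[str]] = {}
    for zone, codes in ZONES.items():
        answer = resolve(dnsbl_name(ip, zone))
        if answer is None:
            results[zone] = None
        elif answer.startswith("127.255.255."):
            # Spamhaus answers this way when queried through a public resolver
            # (8.8.8.8, 1.1.1.1, ...) or when rate-limited: not a listing, but
            # also not a clean bill of health.  Retry from your own resolver.
            results[zone] = f"query refused ({answer}): use a non-public resolver"
        elif answer.startswith("127."):
            results[zone] = codes.get(answer, f"listed (unrecognised code {answer})")
        else:
            # Any other answer usually means an ISP resolver is rewriting
            # NXDOMAIN into a search page; do not trust this result.
            results[zone] = f"unexpected answer {answer}: resolver is lying"
    return results


def is_clean(results: Dict[str, Optional[str]]) -> bool:
    """True only when every zone returned NXDOMAIN."""
    return all(v is None for v in results.values())


if __name__ == "__main__":
    import sys
    # 203.0.113.7 is a documentation (TEST-NET-3) address used as a placeholder.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.7"
    for zone, verdict in check_ip(target).items():
        print(f"{zone:20} {verdict or 'not listed'}")
```

Run it against the public address of the machine you intend to send from, not the private address behind your NAT. Before trusting a "not listed" result, query the conventional test entry `127.0.0.2` (that is, `2.0.0.127.zen.spamhaus.org`): it must come back listed, which proves your resolver is actually reaching the list. A residential connection will typically light up the PBL codes even if it has never sent a byte of spam, which is the article's point.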

If you just want to follow along at home with a non-functional test domain for learning, a spare virtual machine or closet server will do; if you want to do this for real, you'll either need a business-class connection with unblocked ports and a non-blacklisted IP address, or you'll need a hosting service. You don't need a monster dedicated server or anything, but you do need at least a VPS on which you can install software from the command line. There are many options; I generally recommend a small VPS from an established provider, but if you're willing to sacrifice some performance, you can almost certainly host a small mail server on a free-tier Amazon EC2 instance.

You will also need a domain (again, unless you're just playing along with a test domain that doesn't exist), which means you'll need a registrar and, as we'll see, an external DNS provider. My personal recommendations for registrars are Namecheap and Gandi.net; both have taken strong anti-SOPA stances and both offer two-factor authentication. I've used both registrars, and they're both excellent.

One of the lessons reinforced by the recent theft of the @N Twitter account is that you should separate your online services where it makes sense to do so. A significant element of the @N compromise was the attacker's access to Naoki Hiroshima's GoDaddy account, with GoDaddy acting not only as his registrar but also as the authoritative DNS source for his domains. Once inside, the attacker was able to modify at least one of the MX records for those domains and so hijack delivery of mail sent to them.

We will mitigate this specific risk by using a separate DNS provider – specifically, Amazon's Route 53 DNS service. This limits the immediate damage an attacker can do in the unlikely event of a compromise at your registrar. (It is not immunity: whoever controls the registrar account can still repoint the domain's NS delegation to other name servers, so the separation adds a second hurdle and buys you time to notice rather than closing the door entirely.)

"Ah," you say, "but if I'm using Amazon EC2 for my mail server and Amazon Route 53 for DNS, then I'm not segregating anything!" True, but Amazon gives you fine-grained access control across its services; it isn't hard to ensure that one set of credentials can only change your EC2 server and another set can only change your Route 53 DNS settings.
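What that split looks like in practice is a pair of IAM policies, one per identity. The following is an added example, not code from the Ars article or from Amazon: the two policy documents are valid IAM policy JSON (the `Version` string, action names and Route 53 ARN form are real), while `evaluate()` is a deliberately small model of IAM's decision rule written here for illustration (explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny; conditions, resource-based policies and permission boundaries are ignored). `ZONEID` is a placeholder for the hosted zone ID of the mail domain.

```python
"""Least-privilege split between a server-admin identity and a DNS-admin identity.

Added example; not from the Ars article.  The policy documents are real IAM
policy syntax; evaluate() is a toy model of IAM's Deny > Allow > implicit-deny
rule, written here for illustration only.
"""
import fnmatch
import json
from typing import Any, Dict, List, Union

# Attach to the identity that administers the mail server.
EC2_ADMIN_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        # Explicit Deny so that a broader policy attached later can never
        # quietly grant this identity control of DNS.
        {"Effect": "Deny", "Action": "route53:*", "Resource": "*"},
    ],
}

# Attach to the identity that edits DNS.  ZONEID is a placeholder for the
# hosted zone ID of the mail domain.
DNS_ADMIN_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetHostedZone",
                "route53:ListResourceRecordSets",
            ],
            "Resource": "*",
        },
        {
            # Record changes only in the one zone, not every zone in the account.
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/ZONEID",
        },
        {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"},
    ],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def _matches(patterns: Union[str, List[str]], value: str) -> bool:
    # IAM wildcards behave like shell globs; fnmatchcase keeps the match exact-case.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy: Dict[str, Any], action: str, resource: str = "*") -> str:
    """Return 'allow' or 'deny' for (action, resource) under a single policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "deny"            # an explicit Deny always wins
            allowed = True
    return "allow" if allowed else "deny"  # nothing matched: implicit deny


def policy_json(policy: Dict[str, Any]) -> str:
    """Serialise a policy document for pasting into the IAM console or CLI."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    zone = "arn:aws:route53:::hostedzone/ZONEID"
    for label, policy in (("server admin", EC2_ADMIN_POLICY), ("dns admin", DNS_ADMIN_POLICY)):
        print(label, "ec2:TerminateInstances ->", evaluate(policy, "ec2:TerminateInstances"))
        print(label, "route53:ChangeResourceRecordSets ->",
              evaluate(policy, "route53:ChangeResourceRecordSets", zone))
    print(policy_json(DNS_ADMIN_POLICY))
```

Keep the AWS root account out of daily use and put MFA on both IAM users; the point of the split is that a stolen server-admin credential cannot rewrite MX records, and a stolen DNS credential cannot log into or terminate the server. Verify the real thing with the IAM policy simulator rather than trusting the toy evaluator above.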

There are also plenty of other DNS providers if you would rather physically spread your eggs across baskets than rely on access control – and being paranoid about security is never unwise. For this guide, however, we'll walk through the specific steps I took when I moved my own domain off Google Apps and brought my e-mail in-house: a physical server plus Route 53 DNS (which ends up costing me about $2 a month).