
In my experience (10+ years of running my own mailserver) some problems have gone away. With SPF/DKIM/DMARC, getting blacklisted because of the IP address being at a hosting company is not happening the way it did, say, 5-7 years ago.

I just moved my mail server from hosteurope to OVH. And I was ready to find myself blacklisted. But, now, weeks later, zero problem. Mails flow from and to gmail, microsoft etc. I get DMARC reports and no blacklisting at all thus far. Fingers crossed :)

My mail server runs all mails for 20+ domains. Not a lot of traffic, though. And no mailing lists or newsletters. Really just mostly my private e-mail. I also don't get a lot of spam, surprisingly, even though I have no spam filter set up ATM.

@jwildeboer this is great to hear. I want to do this sometime this year

@mnw I'll post some blog entries on my setup of postfix/dovecot with DKIM, DMARC, SPF, multi-domain, mail-crypt in the next few days. If you're used to some Linux and config stuff, it should work.

@jwildeboer @mnw GMX/web.de tend to be the most unreasonably aggressive at blacklisting. Try them.

@jwildeboer @mnw They're the only ones regularly refusing email from me. But I worked at those spam factories, so I'm not really seeing much of a downside.

@jens @mnw Proof: I just sent an e-mail to my mum at web.de. From my mail-server at OVH. Convinced? ;)

@jwildeboer @jens very cool. Yes please on a write up on how you did it :-)

@jens @mnw Not even grey listing. Went through immediately, no questions asked.

@jens @mnw And because I know my mum, she immediately replied. Which also made it back to my mailserver without any problem.

@jens @mnw And thanks to the dovecot mail-crypt plugin, that mail is stored encrypted on my mailserver, so even if you get a dump of my machine, no dice in reading my mails ;)

@jwildeboer @mnw you might want to review mailinabox.email/ and mailcow.email/ for that too.

Mail has a *lot* of moving parts, and doing one tiny thing wrong might breach security and/or get you blacklisted forever. So it really pays off to piggyback off communities who automated all those best practices into a single script or setup.

Contrary to most other self hosted tools, mail is the pivot point of all your online security. So it must be solid.

@berkes @mnw I've been doing Linux since 1993 and am lucky to have all those years of experience and knowledge so I can do this myself. And I will blog about all details. But for those who don't have that, your proposals are helpful too.

@jwildeboer @mnw I've been running my Linux servers since '95. Back then SUSE, though, sorry😋

But mailservers are hard, and ever moving. Today there is SPF, tomorrow DKIM, then DNSSEC. Hard to keep up with this year's best practice. So for mail I've moved to mailinabox, exactly because of that.

@mnw @berkes it took me 2 days to get DNS, SPF, DKIM, DMARC, mail-crypt, letsencrypt for my mailserver working. I'll blog all details. It's not that complicated, when you know the basics of a Linux box.

@jwildeboer the M$ or Google-banhammer may strike later due to "unaware" users.

example:
1) users autoforwarding their account on your server to their account at Outlook.com, Gmail etc,
2) then receiving spam (slipped through your rspamd, or even an accidental newsletter via your server),
3) Hitting "it's spam" on the Webmail at the operators above.

Been in that trap a few times, needing to educate users or disable the option of automatic forwarding. (YMMV)

@adorfer Sure. That is a risk. But not in my case, because the only users I have are me, myself and I. And family members who have been through my School of Internet for many years (AKA my kids ;)

@jwildeboer Did you also send to @t-online.de or @magenta.de?
These are 'special' for me, in that they do not accept mails from me; they requested me to put a full impressum including phone number etc. onto my site, which I refused to do. So they set up their own rules for systems they accept mails from.

@globalc No, in all my years I have never sent an e-mail to any t-online/magenta address. If they blacklist themselves that way, that's not my problem. But it seems that according to their current policy, postmaster.t-online.de/index.e they have relaxed their requirements a bit in the last few years.

@jwildeboer
I just rechecked, but as for some years now I get
[..] status=deferred (host mx03.t-online.de[..] refused to talk to me: 554 IP=[..] - A problem occurred. (Ask your postmaster for help or to contact tosa@rx.t-online.de to clarify.))
...and tosa@ then says that since whois no longer provides name/phone number, I need that on my website hosted on the same domain. Name is good style, but phone I refuse. Anyway, made my peace with it. Was just curious how widely others are affected. :)
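As an added example, not from the thread or any of its participants: a small Python summariser for Postfix delivery log lines of the shape quoted above, so an operator notices when a receiving MX starts refusing connections outright. The t-online hostname and reply text are taken from the thread; queue IDs, addresses, IPs and the other hosts are constructed placeholders.

```python
# Added example (not from the thread): summarise Postfix smtp(8) delivery refusals per
# receiving MX. Sample lines are constructed; queue IDs, addresses and IPs are placeholders.
import re
from collections import Counter, defaultdict

# "... relay=host[ip]:port, ... status=deferred (remote reply text)"
DELIVERY_RE = re.compile(
    r"relay=(?P<relay>[^\[,\s]+)(?:\[(?P<ip>[^\]]*)\])?(?::\d+)?"
    r".*?status=(?P<status>\w+)\s+\((?P<detail>.*)\)\s*$"
)
# First standalone three-digit SMTP reply code in the remote's reply, if any.
SMTP_CODE_RE = re.compile(r"(?:^|\s)(?P<code>[245]\d\d)(?=[\s-]|$)")

# Constructed sample lines; the t-online reply text mirrors the one quoted in the thread.
T_ONLINE_DEFERRED = (
    "Mar 10 12:00:05 mail postfix/smtp[4242]: 1F2E3D4C5B: to=<b@t-online.de>, "
    "relay=mx03.t-online.de[203.0.113.10]:25, delay=1.2, dsn=4.0.0, "
    "status=deferred (host mx03.t-online.de[203.0.113.10] refused to talk to me: "
    "554 IP=203.0.113.5 - A problem occurred. (Ask your postmaster for help or "
    "to contact tosa@rx.t-online.de to clarify.))"
)
SAMPLE_LOG_LINES = [
    "Mar 10 12:00:01 mail postfix/smtp[4242]: 0A1B2C3D4E: to=<a@example.org>, "
    "relay=mx.example.org[198.51.100.7]:25, dsn=2.0.0, status=sent (250 2.0.0 OK)",
    T_ONLINE_DEFERRED,
    T_ONLINE_DEFERRED.replace("12:00:05", "12:30:05"),  # retry half an hour later
    "Mar 10 12:31:00 mail postfix/smtp[4243]: 6A7B8C9D0E: to=<c@example.net>, "
    "relay=mx.example.net[192.0.2.9]:25, dsn=5.7.1, status=bounced (host "
    "mx.example.net[192.0.2.9] said: 550 5.7.1 rejected (in reply to end of DATA))",
]

def parse_delivery(line):
    """Return (relay, status, smtp_code, detail), or None for non-delivery lines."""
    m = DELIVERY_RE.search(line)
    if not m:
        return None
    code = SMTP_CODE_RE.search(m["detail"])
    return m["relay"], m["status"], code["code"] if code else None, m["detail"]

def summarise_refusals(lines):
    """Count deliveries that were not 'sent', per relay, keyed by (status, SMTP code)."""
    # A 5xx code under status=deferred, as in the t-online reply, means the MX refused
    # the connection itself; Postfix retries until expiry, so it shows up once per attempt.
    summary = defaultdict(Counter)
    for line in lines:
        parsed = parse_delivery(line)
        if parsed and parsed[1] != "sent":
            summary[parsed[0]][(parsed[1], parsed[2])] += 1
    return {relay: dict(counts) for relay, counts in summary.items()}
```

Feed it `mail.log` lines instead of the sample list and alert when a relay's deferred count with a 5xx code keeps growing between runs.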

@globalc Well, they refuse to use SPF and DKIM, have completely over-the-top "requirements" that are reminiscent of the dark ages of Bundespost - I don't consider them a member of the normal e-mail community. So I have ignored them for many years and it has never been a problem for me and my mailserver :)

@jwildeboer Yes, when I discussed these 'own requirements' from t-online in various communities, pointing out that it's their own spleen/house rules and not something agreed upon in the wider community and then recorded in RFCs was one of the things we did.

@jwildeboer I think one of the worst things at the moment is T-Online when it comes to self hosting mail. They blacklist all IPs by default and require you to have a full imprint with name and address on the webpage of your domain, even if you only host a private mail server...

@j_r Which is not a problem for me, as I run my blog jan.wildeboer.net on the same domain, with full Impressum as required by German law/EU regulations.

@jwildeboer okay that's convenient, but at jugendhacker.de I just run a small website and I don't see why I should doxx myself just for a shitty mail provider... rather my server now bounces mails coming from them with a nice message, that their provider is garbage and that the person who wants to write me should think about switching to somewhere else...

@jwildeboer Yeah, I had the same experience. It's just Telekom (or was it T-Online?) are making a hassle again, requiring a postal address and phone number permanently on the mail server's website or they deny incoming mail.

@blindcoder the fact that they ask you for an imprint is not really annoying in my opinion. Microsoft and its email policies are much more annoying and sometimes they won't accept your mail even if you have implemented all the modern anti-spam techniques...

Microsoft and email is cancer - no matter where you look.


@thomas @jwildeboer well, I really don't like having my phone number hang naked on the internet. Literally got a second phone number and implemented a simple character replacement "cipher" in JavaScript so I don't get all the scam phone calls. Works so far.

@blindcoder @thomas You don't have to add a phone number. A (German) Ladungsfähige Anschrift is sufficient.

@jwildeboer @thomas for the imprint, yes, but T-Online wanted a phone number to accept emails from my server.

@blindcoder @thomas In all my years of running my mailserver, I have never sent an e-mail to a t-online or magenta address. So I'll keep it that way. If they blacklist themselves that way, fine with me :)

@jwildeboer @thomas easy to say, yet my sister-in-law needed to send some documents to her attorney who only listed such an address on his site. Should I tell her to "just use Gmail"?

@blindcoder @thomas Yes. Going through all those hoops you described means my e-mail wouldn't arrive in time anyway. And as it is a German lawyer, I am sure you can also fax those documents ;)

@blindcoder @thomas I have a proton mail account as a fallback solution for such cases. I never had to use it so far, but it exists if needed.

@jwildeboer @thomas I don't think I owned such a device since the late nineties, and not seen one in a decade and a half.
But yes, a proton mail address sounds like a good fallback, thanks for the idea!
