Run Your Own Mail Server or A Long Days Journey Into Night

Running your own mail server is easy. I’ve done it for 25 years.

Back in the day we were just a bunch of long hair hippies, believing in peace, justice and free love. You fired up sendmail and away you’d go. For the less technically inclined there were install discs for a distro that would get you up and running pretty quickly. You couldn’t talk to anyone outside your school or work but internal email alone was a great boon for business.

It didn’t take much to communicate with those outside your walls. By the time the internet came to Australia there were Domain Name Servers where you could map your IP address to a name. Enter some values in the record and you could mail either nextdoorneighbour.com.au or pentagon.mil.

Then the dark side sprang into action. There was spam and scam, worms and viruses, trojans and phishes and a host of other types of malware. It was a whole new industry.

And another whole new industry grew up to counter it - antivirus software, firewalls and intrusion systems, layered internal defence systems and the like.

One used to just publish your mail IP addresses in your DNS record but these days you also need Sender Policy Framework (SPF), DomainKeys Indentified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) for your mail to reach its target. Large, fancy organisations can also add a Brand Indicators for Message Indentification (BIMI) so their logo shows up in your email client next to the sender’s name.

SPF states which servers can send mail on your behalf. It could be you or it could be Google or Yahoo or a dedicated mail service like Sendgrid, Postmark or Mailgun. DKIM signs your outgoing mail using public key encryption.

If these two both pass a recipient can be pretty sure that an email has come from your mail server(s). However, most users never look at the headers of any email and a spoofed from address in the GUI would pass if it were not for DMARC. DMARC also specifies what senders should do if either or both SPF and DKIM fail. If you are just starting out sending mail you can set the value to none meaning it goes the recipient’s Inbox. Quarantine with drop it into the Junk folder and reject emails are not processed by the email client.

DMARC can also provide feedback to senders on how their mail is being processed by receiving systems. Is the mail passing or failing SPF and DKIM? As the sender improves their success rates on these two parameters they can change their DMARC to increasingly aggressive settings.

So life is good. Well, not quite. It is possible for large organisations to get hundreds of DMARC reports each day and processing those manually is nigh impossible. Even for a small site like HLB it is tedious to process these reports and for those email list providers sending out thousand of emails per second it is essential to have highly efficient DMARC processing. Groups like Red Sift, easyDMARC and DMARCReport provide this service.

However, as homelabbers we like to do our own thing. patschi has created the “dockerized self-initializing parsedmarc docker stack for lazy people”.

After hitting a number of random keys over the course of a few hours I was able to create this chart for discourse.homelabbrisbane.com.au. I don’t know what it means, if anything, but it looks pretty and was my first entry into the ELK stack.

parsedmarc1889×934 97.1 KB

Hopefully over the next few months I will learn how to drive it.

I too have grown up with mail over that period. After reselling some hosting and setting things up for others in the late 90s, my first “self-hosted” experience (well, responsibility for administering someone else’s complete end-to-end set up for mail) was in 2000. I was maintaining an Exchange 5.5 machine that would dial up every 4 hours to send/receive mail from within the building to a smart host off site. Not long after starting, I migrated that setup to a “permanent” dial-up link which would send SMTP mail directly, with a secondary MX off site in case the dial up link failed. Being able to send and receive email immediately was pretty cool. Diagnosing issues involved telnet <x> 25 followed by MAIL FROM RCPT TO and DATA… I doubt I’d get anywhere with that approach today because as you elude to in your post, a lot has changed since then!

Definitely. It’s somewhat amazing that a ~40 year old plain text, unencrypted protocol is still the standard for mail delivery today, but it’s also brilliant that any device from any era that “speaks” SMTP will theoretically still be able to send mail. We’ve collectively persisted with SMTP, and it’s become one of those things that greatly upsets people if it doesn’t work because we all rely on it so heavily now days. The arms race between malicious actors (I’m lumping spammers in there) and security teams has added so many extensions and a lot of complexity to email, particularly self-hosted mail. SPF/DMARC/DKIM is something that I see a lot of commercial organisations not getting right. If I had a dollar for every time I got an email from a misconfigured MailChimp setup, I would be able to fund a lot more toys for the homelab… even the marketing departments and IT departments of large organisations send email without SPF/DMARC/DKIM set up correctly.

The parsedmarc and parsedmarc docker stack projects look fantastic. I’m thrilled to see a self-hosted and non-commercial alternative for analysing DMARC reports. I will add that to the list of things that I’ll try out in the homelab myself!

Now that you’ve got DMARC/DKIM/SPF working for the sending side, you can continue the descent into mail delivery madness by looking into MTA-STS, DANE, and WKD for the receiving side… . Purely anecdotally, MTA-STS cut out a lot of spam. I wonder whether the major “spam vendors” (for lack of a better term) are a bit slow to implement STARTTLS or if I’m seeing something that isn’t there.

Please report back if you decide to ratchet up the SPF and DMARC settings. I’m curious to see how things play out in parsedmarc as the dust settles.