"Run Your Own Mail Server" by M.W.Lucas

No, it doesn't. Having your own AS won't fix that either. That wasn't the point. In fact, setting up shop for yourself opens you up to a whole lot more potential abuse, suppression and harassment.
Yes, that is very much what I would expect.

I'm on IPv6 and have been for years now. Google works just fine from any of the /48 prefixes I have available.
Lucky you.

Seems like you have a major problem with your ISP. That problem isn't the fault of IPv6 but rather your ISP's apparently strange policies and crummy reputation. Complain to them about those or vote with your wallet and get a connection elsewhere.
The ISP and the IPv6 here are not the same.
But if you say multiple /48s, then yours is probably a shop, and that likely makes things a bit different.
 
I have simple consumer internet service here in the Netherlands and I rent a server from another party that's physically located in Finland. Both have IPv6 prefixes allocated to them. Both work just fine. As have any of the prefixes I've used before. They do all come from RIPE, as the only common factor between them.
 
That's true - but then where do you get reverse DNS for the IPv6? (Except from HE, which do not allow port 25)

I do run our own mail server on both IPv4 and IPv6; set the IPv6 /48's nameservers to Cloudflare's and you can assign any IPv6 IP in that /48 a reverse DNS.

So far only Google is on IPv6 mailservers I think.
 
Hm. If a consumer internet service gives you static IPv6 with rDNS delegation, that's a good service.
 
Nope, we're lucky to have Freedom Internet here (freedom.nl) which takes requests for rdns from residential customers and sets them up on both the IPv4 and IPv6 side of things for you. Shameless plug, I know, but they deserve it fair and square. I am, however, only hosting stuff from the VPS I rent. Having a residential/consumer IP block still runs you into blocklists from time to time when it comes to hosting mail.

The mainstream old telco dinosaur ISP doesn't do rdns for consumers, obviously. There are ways round that using GRE tunnels etc. but that's a whole different cookie.
 
Comcast/Xfinity is my ISP, and no servers are allowed on their wire, unless paying ludicrous "business" rates.
Years ago, I hosted my own mail server (still own the domain).
I got endless spam, and wound up blocking entire continents (Europe, Asia, Africa, etc.).
It was a giant PITA.
I used to have Comcast Business Internet Access service, when it was $99 per month with a 2-year contract. For that price, we got 5 static IPs and Pass Through routing, which I asked for. The connection speed rates were nothing to brag about (100/20 Mbps), but enough for our SOHO operations that included self-hosted OpenSMTPD with OpenDKIM, Dovecot with SpamAssassin, Apache and Drupal CMS with SMTP module. Those days I was playing with OpenBSD and my friend, who ran the show with me, was a FreeBSD fan and web developer. We were not OpenBSD or FreeBSD experts, but we made it all work, including BIND for locally hosted secondary DNS, with help from a Draytek FW/Router for LAN/WAN routing and front-end security. We didn't have any problems with email routing to and from all major SMTP servers, Google, MS, Yahoo and the rest, using TCP/IP port 25. Sadly, after months of trouble-free email service, our email server was turned into an SMTP relay, for a couple of days before we noticed, by a hacker who exploited a bug in OpenSMTPD. After that incident I decided NOT to play with locally hosted email services or any other locally hosted servers. It was too much work for our small web project. But self hosting with your own hardware is not a big deal, if your ISP lets you do it, you want to learn and are willing to take a chance using software, sometimes with bugs, written by others.

Note:
Comcast had nothing to do with our DNS. We used joker.com as primary and our own as the secondary DNS.
 
more fun just now
someone blocks me because they run the https://www.uceprotect.net/ RBL, which just blocks a /13 of my ISP, aka 500k IPs
my IP is not blacklisted but they want $$ for whitelisting it
sonsabitches
Some RBLs can be quite nasty. But there is a difference between whitelisting vs getting removed from a blacklist. Nonetheless I think it's bad practice to ask money for whitelisting. But in this case just create a ticket with your provider to contact UCE.

 
Many sites use some kind of RBL like Spamhaus. The problem is many of them suck or people use them incorrectly, etc.
The rule seems to be: don't block Google or MSFT. The rest can suck it.
 
Using third-party software like OpenSMTPD can be a problem if you don't update it regularly. I use Dovecot and Postfix, which are not simple to set up but they do the job very well. I used to get 10,000 spams a day in my inbox and now it is only around 20 a day. I have my own server hosted at the data center and I occasionally use a third party to test my mail server for any vulnerabilities.
 
I've been running my own mail systems for ... I guess at least 20 years. Very small of course, only a "family" domain with a handful of accounts.

Back in the day, I got away with setting up some MTA at home, making sure it did proper authentication (and didn't relay), then getting some random "dyndns" service. All the mail to my system happily arrived even without an MX record (and, indeed, according to some RFC, in the absence of an MX record, delivery should be attempted directly to the A record for the target domain). More importantly, all outgoing mail also happily arrived.

These days are gone, for good reasons. Nowadays, a rented VPS is an important part of my installation: it's my mail gateway (both directions), also doing filtering with rspamd, talking to my internal MTA still hosted at home via VPN. I made sure to get a service where I'm in full control of the zone file for my domain (needed for exact reverse mapping, SPF, DKIM etc.). There's no way to have the public-facing MTA on your home line any more; it starts with almost all sites these days rejecting anything from any address that's listed as "dynamic dialup". But still, I ensure any mail is only ever stored on my own private infrastructure, and I intend to keep it that way!

And yes, I once ended up on blocklists, which was a major PITA to solve, for a surprising configuration issue that spammers somehow discovered to abuse my legitimate mail domain for their crap. The "public" RBLs weren't a huge issue, most of them removed my domain again after a week. Also, the experience with Microsoft was nice, reaching out to them explaining what happened and that it's fixed for good got me a prompt response, confirming they don't block me any more. Google OTOH: No reply whatsoever. They kept blocking me for weeks to go.

So, yes, running your own mail system is hard, and you also can't have it "for free" on your consumer line. But here's what I think about the book (assuming quality content, but I didn't see it...):

On the one hand, I think it's nice to encourage people by debunking the claim it was "outright impossible" to run your own mailsystem nowadays; it isn't. On the other hand, it worries me a bit, because its availability could mislead people into thinking "hey, this might be a fun thing to do, let's just buy this book", and then they shoot their own foot badly and might even add to the global problem of UCE/UBE.
 

By the time you buy a book it will be obsolete or outdated. I always google for the latest info on how to set up and perform updates. Having your own mail server gives you more power and privacy. Google used to scan emails for advertising purposes.
 
No fears with that book, unfortunately; it's so generic and lacking in detail you'd be better served using the internet. Yes, I did buy it and read through a bit of it, but in the end was so disappointed I've not gone back to it.
 
It looks up the sender's IP in a database (usually via reverse DNS to a custom DNS address). If it resolves (it is in the DB) it rejects it.
You typically run this on your SMTP server to block bad-reputation IPs.
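As an added illustration of the lookup just described (not code from this thread or from any MTA), the following Python builds the DNSBL query name for IPv4 and IPv6 clients and applies the listed/not-listed decision an MTA makes; the zone dnsbl.example, the listed prefixes and the stand-in resolver are constructed so it runs offline, and it also shows how one /13 entry in a zone covers every address in that prefix.

```python
import ipaddress
from typing import Callable, Optional
# Added example (not a poster's or an MTA's code). Zone name and listed
# prefixes below are constructed; the fake resolver keeps it offline.
# A listed address answers with an A record in 127.0.0.0/8 (RFC 5782); the
# last octet's meaning is zone-specific, so only the range is checked here.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")
Resolver = Callable[[str], Optional[str]]  # query name -> A record, None = NXDOMAIN

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the client IP (octets for v4, nibbles for v6) under the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.rstrip(".") + "."

def check_dnsbl(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the 127.0.0.x answer if `ip` is listed, else None. An answer outside
    127.0.0.0/8 (e.g. a dead zone wildcarded to a web server) counts as not
    listed, so a defunct RBL cannot make the MTA reject all mail."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None or ipaddress.ip_address(answer) not in LISTED_RANGE:
        return None
    return answer

def constructed_resolver(zone: str, listed: list) -> Resolver:
    """Stand-in for DNS: a zone listing whole prefixes (like the /13 in the thread),
    answering by mapping the query name back to an address. Constructed data."""
    nets = [ipaddress.ip_network(n) for n in listed]
    suffix = "." + zone.rstrip(".") + "."

    def resolve(name: str) -> Optional[str]:
        if not name.endswith(suffix):
            return None
        labels = name[: -len(suffix)].split(".")[::-1]
        if len(labels) == 4:
            addr = ipaddress.ip_address(".".join(labels))
        else:  # 32 nibbles -> eight groups of four hex digits
            nib = "".join(labels)
            addr = ipaddress.ip_address(":".join(nib[i:i + 4] for i in range(0, 32, 4)))
        return "127.0.0.2" if any(addr in net for net in nets) else None
    return resolve

if __name__ == "__main__":
    # A zone listing a whole /13 (524288 addresses, the "500k IPs" above) and an IPv6 /32.
    rbl = constructed_resolver("dnsbl.example", ["10.0.0.0/13", "2001:db8::/32"])
    for client in ("10.5.1.2", "10.8.0.1", "2001:db8::1", "2001:db9::1"):
        print(client, "->", check_dnsbl(client, "dnsbl.example", rbl))
```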
 
I remember when I did this professionally, we had to pay ransom to some IP whitewashing service. I wish I could remember the name. Hopefully nowadays if people actually follow the RFCs, and use at least SPF, most of these "services" should be obsolete.

I did wind up on a blacklist when one of my users' way-too-trivial password was guessed, and some spammer used my tiny VPS to send out hundreds of thousands of messages. I installed Policyd after that incident to meter outgoing mail, but I'm frankly not super happy with it. I need something way simpler. Maybe someday I'll get to writing an outgoing mail limiter that is not so heavy.
 
It's configurable. You can reject with a NOQUEUE right away if you want to be nice. Some very special spammers get tarpitted.

It seems that depends on the MTA being used.

sendmail's configuration with FEATURE(dnsbl, ...) seems to be used only to block the connection with a listed server.
 