


How To Create A Diy Email Service

How to run your own e-mail server with your own domain, part 1

Aurich Lawson

E-mail is old and complex. It's the oldest still-recognizable component of the Internet, with its modern incarnation having coalesced out of several different decades-old messaging technologies including ARPANET node-to-node messaging in the early 1970s. And though it remains a cornerstone of the Internet—the original killer app, really—it's also extraordinarily hard to do right.

We most often interact with e-mail servers through friendly Web-based front-ends or applications, but a tremendous amount of work goes into hiding the complexity that allows the whole system to work. E-mail functions in a poisoned and hostile environment, flooded by viruses and spam. The seemingly simple exchange of text-based messages operates under complex rules with complex tools, all necessary to keep the poison out and the system functioning and useful in spite of the abuse it's constantly under.

From a normal person's perspective, e-mail seems like a solved problem: sign up for Internet access and your ISP gives you an e-mail address. Google, Apple, Yahoo, or any number of other free e-mail providers will hook you up with e-mail accounts with gigabytes of space and plenty of cool value-added features. Why do battle with arcane dragons to roll your own e-mail solution?

I'll tell you why: because if it's in the cloud, it's not yours.

From my inbox. Wrong Ken Fisher, but still creepy, Google.


Because you must rely on others for your security. You have no control over who can read your correspondence—you must allow your data to be mined and your marketing profile extracted. You won't be told if your metadata is collected or if your inbox is vacuumed up by a secret government request. You consent to be not a customer but a product, and a product has no rights.

Well, to hell with that. It's your e-mail. And we're going to take it back.

This is difficult and even a bit scary...

E-mail is difficult. If you want an easier sysadmin project, go set up a Web server. E-mail is a lot more complex, with many more moving parts. On the other hand, your correspondence with others is one of the most personal aspects of your online life—in a medium ultimately made of text, your words are you. It's worth learning how to claw your online life back from those who would data mine and monetize it.

There are pitfalls and caveats—the biggest of which is that if you run your own e-mail server, you will be the sysadmin. The upside of this is that no bored or tired customer service rep about to go off-shift is going to fall for a social engineering attack and reset your e-mail password. The downside is that you are responsible for the care and feeding of your system. This is not an impossible task—it's not even really difficult—but it is non-trivial and never-ending. Applying critical updates is your responsibility. When do critical updates come out? That's your responsibility to keep track of, too.

Worst of all, if you screw up and your server is compromised or used as a spam relay, your domain will almost certainly wind up on blacklists. Your ability to send and receive e-mail will be diminished or perhaps even eliminated altogether. And totally scrubbing yourself from the multitude of e-mail blacklists is about as difficult as trying to get off of the TSA's No Fly list.

You have been warned.

...but it's also worth doing

OK, that ought to be enough to scare away the people who aren't serious. For those of you still with me: this is going to be a hell of a lot of fun, and you're going to learn a lot.

This is going to be a multi-part series, and here in this first part we're going to ask (and answer) a bunch of questions about how we're going to set our e-mail server up. We'll also outline the applications we're going to use and talk about what they do. We expect this series will run over the course of the next few weeks; unlike our series on setting up a Web server, though, you won't be able to get started firing off e-mails after part 1—you need the whole thing in order for it all to work right.

This certainly isn't the only DIY e-mail tutorial on the Web. If you're eager to skip ahead and get started now, we suggest consulting Christoph Haas' excellent tutorial on Workaround.org—he makes many (but nowhere near all) of the same configuration choices that we will be making. Still, Ars wouldn't be putting this guide together if we didn't have a few tricks up our sleeves—we've been in an e-mail configuration cave for the past month, and we have a lot of good information to share.

Prerequisites and assumptions—the where and the how

So you want your own e-mail server. Excellent! The first decision, before we even get into things like operating systems and applications, is where you're going to put it. If you're on a residential ISP connection, you will face a number of challenges in running an e-mail server out of your closet. In addition to almost certainly finding the standard set of e-mail TCP ports blocked, your IP address is also almost certainly already on one or more blacklists in order to cut down on the amount of spam being spewed out by virus-infected home computers. Whether or not you're actually spewing any spam is irrelevant—that ship has long since sailed, and residential IP addresses are almost universally considered poisoned. There are numerous tools you can use to see if your address is on a blacklist—make sure to check before you start.
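The blacklist check mentioned above can also be scripted, since most lists are published over DNS. This is an added example, not code from the article: the zone `zen.spamhaus.org` is an assumed choice (the article names no list), and `dnsbl.example` and `fake_resolver` are constructed so the demo runs offline.

```python
import ipaddress
import socket

# Assumed zone for illustration; the article names no specific blacklist.
DEFAULT_ZONES = ("zen.spamhaus.org",)


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name (RFC 5782): reversed address + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        # IPv6 is queried as 32 reversed hex nibbles, one per label.
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def check_ip(ip, zones=DEFAULT_ZONES, resolve=socket.gethostbyname_ex):
    """Return {zone: [return codes]} for each zone that lists the IP.

    `resolve` is injectable so the logic can be exercised offline.
    """
    listed = {}
    for zone in zones:
        try:
            _, _, answers = resolve(dnsbl_query_name(ip, zone))
        except OSError:
            continue  # NXDOMAIN (not listed) or the lookup failed
        # A listing is an A record inside 127.0.0.0/8; ignore anything
        # else, such as a resolver that rewrites NXDOMAIN to an ad page.
        codes = [a for a in answers if a.startswith("127.")]
        if codes:
            listed[zone] = codes
    return listed


def fake_resolver(name):
    """Constructed stand-in for DNS: only 192.0.2.25 is listed."""
    if name == "25.2.0.192.dnsbl.example":
        return (name, [], ["127.0.0.2"])
    raise socket.gaierror("NXDOMAIN (constructed)")


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7"):
        hits = check_ip(ip, zones=("dnsbl.example",), resolve=fake_resolver)
        print(ip, "LISTED" if hits else "not listed", hits)
```

Against a real list, read the returned code against that list's documentation; some codes signal a refused query rather than a listing.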

If you just want to mostly follow along at home with a non-functional test domain for learning, then a virtual machine or spare closet server will do just fine; if you want to do it for real, you'll either need to be on a business-class connection with unblocked ports and a non-blacklisted IP address, or you'll need a hosting service. You don't need a monster dedicated server or anything, but you do need at least a VPS you can install software on from the command line. There are many options; I always recommend A Small Orange or Lithium Hosting, but if you're willing to sacrifice some performance, you can almost certainly host a small e-mail server on a free Amazon EC2 instance.

You're also going to need a domain (again, unless you're going to just play along and use a nonexistent test domain), and that means you're going to need a registrar and an external DNS provider. My personal recommendations for registrars are Namecheap and Gandi.net; both took hard anti-SOPA stances (see these links) and both offer two-factor authentication options. I have used both registrars, and they are both excellent.

One of the lessons reinforced by the recent @N Twitter account theft is that you should segregate your online services where it makes sense to do so. A significant component of the @N compromise came from the attacker gaining access to Naoki Hiroshima's GoDaddy account, with GoDaddy functioning not only as his registrar but also as the authoritative DNS source for Hiroshima's domains. Once in, the attacker was able to change at least one of those domains' MX records and thereby hijack delivery of that domain's e-mail.

We're going to try to mitigate that specific risk by using a separate DNS provider—specifically, we're going to use Amazon's Route 53 DNS service. That will limit the amount of immediate damage an attacker can do in the unlikely event of a compromise at your registrar.
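Separating providers limits the damage, but it does not tell you when an MX record has been changed. The following added example (not from the article) compares the MX set that DNS currently serves against a pinned copy; `example.com`, `PINNED` and both sample outputs are constructed, and live use assumes the `dig` utility is installed.

```python
import subprocess


def parse_mx(dig_output):
    """Parse `dig +short MX` lines ("10 mail.example.com.") into a set
    of (preference, host) tuples, lower-cased, without the final dot."""
    records = set()
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip blank lines and ';;' diagnostics
        records.add((int(parts[0]), parts[1].rstrip(".").lower()))
    return records


def mx_drift(expected, observed):
    """Compare the pinned MX records with what DNS currently serves."""
    return {
        "unexpected": sorted(observed - expected),
        "missing": sorted(expected - observed),
    }


def query_mx(domain, server=None):
    """Ask one resolver (or the system default) for the MX records."""
    cmd = ["dig", "+short", "MX", domain]
    if server:
        cmd.insert(1, "@" + server)  # e.g. an authoritative name server
    return subprocess.run(cmd, capture_output=True, text=True,
                          timeout=10, check=True).stdout


# Constructed sample data: the pinned record set and two dig outputs.
PINNED = {(10, "mail.example.com")}
SAMPLE_OK = "10 Mail.Example.com.\n"
SAMPLE_HIJACKED = "1 mx.attacker.example.\n"

if __name__ == "__main__":
    for label, output in (("ok", SAMPLE_OK), ("hijacked", SAMPLE_HIJACKED)):
        drift = mx_drift(PINNED, parse_mx(output))
        changed = drift["unexpected"] or drift["missing"]
        print(label, "ALERT" if changed else "unchanged", drift)
    # Live check: mx_drift(PINNED, parse_mx(query_mx("example.com")))
```

Run it on a schedule from a host that does not share credentials with the registrar or the DNS provider, and alert on any non-empty result.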

"Ah," you say, "but if I use Amazon EC2 for my e-mail server and Amazon Route 53 for DNS, then I'm not segregating at all!" This is true, but Amazon gives you rich access control between different services; it's not difficult to ensure that one set of login credentials can only modify your EC2 server and a different set of credentials can only modify your Route 53 DNS settings.

There are also many other DNS providers if you want to physically distribute your eggs rather than rely on access control—and being paranoid about security is never unwise. For this guide, though, we'll be walking through the specific steps that I took when taking my own existing Google Apps-hosted domain and e-mail private—that means a physical server and Route 53 DNS (which ends up costing me about $2 a month).


Source: https://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/

Posted by: spiegelassight.blogspot.com
