Ask Slashdot: Self-Hosted Gmail Alternatives?
linkedlinked writes "I'm tired of building my sandcastles on Google's beachfront. I've moved off Docs, Plus, and Analytics, so now it's time to host my own email servers. What are the best self-host open-source email solutions available? I'm looking for 'the full stack' — including a Gmail-competitive web GUI — and don't mind getting my hands dirty to set it up. I leverage most of Gmail's features, including multi-domain support, and fetching from remote POP/IMAP servers. Bonus points: Since I'm a hobbyist, not a sysadmin, and I normally outsource my mail servers, what new security considerations do I need to make in managing these services?"
Well, for starters, you want a damn good spam filter.
Especially with email, I like the fact that I'm not going to accidentally break something, miss an email and lose my job.
I also like that I'm not updating everything all the time with security updates. Google does all that for me.
I also like the integration between all the services.
I also like the two-factor authentication. (Good luck getting that set up on a self-hosted system, I suppose you could use X.509 on a USB drive or something).
Don't fix what ain't broke.
Grab yourself a Zimbra appliance from http://www.turnkeylinux.org/email - up and running in a few minutes, and it should give you most of what you'd expect coming from Gmail.
SquirrelMail is awesome for being simple, fast, and non-JavaScript.
If you want something more JavaScripty, there's Roundcube.
It's not gmail, but the point is your data's yours.
Postfix/Dovecot setup tutorials
I'm not a lawyer, but I play one on the Internet. Blog
You do know that whatever email solution you choose, unless you use full encryption in all your email messages, outbound and inbound (good luck with that) it's still pretty much in the open, and anyone who knows what they're doing in the intermittent path, especially your internet provider, can intercept and read (parts of) those emails?
At least google has proven their worth with standing up to the US gov't instead of just bending over and giving them all plus some extra as some others have.
Manuals are your last resort only
My company uses Zimbra. It works pretty well for us.
The best webmail UI I've used other than Gmail is Roundcube. It's simple, clean, and works quite well.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
You have to be blind if you consider Squirrelmail anywhere close to comparable to a modern interface like Gmail. It pretty much embodies the visual style of '90s Perl scripts, and that's certainly not a good thing.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
He can't use that! It's hosted on Google Code!
As a guy who ran email servers for a small organization, let me say enjoy it while you can, because email admin is a never-ending pain in the butt. The spam management, the 24x7x365 server monitoring for security issues, the blacklisting and DNS issues, and that people get really bitchy when their email service is disturbed in any way.
That being said, I hear nice things about Zimbra.
... and I can safely write that there is no way you will ever achieve anything comparable to gmail.
You can try:
- squirrelmail, ugly and so last century
- openwebmail, old-fashioned Perl webmail, not maintained any longer
- zimbra mail, lots of functionalities and fancy features
- roundcube, decent but nowhere near what you're hoping for
Spam control on the server side is going to be an issue. You will have to use a combination of solutions (e.g. custom sendmail configs, RBL/XBL blacklists, spamassassin, greylisting, procmail rules, smf-spf, j-chkmail) and it will take quite some time and effort to get everything fine-tuned.
For anti-virus, clamav works well.
For IMAP I found that dovecot does a decent job. If you want to fetch from remote servers into your own server then fetchmail can do the job.
Usual security considerations apply - patch early, patch often.
You will spend long hours maintaining this, highly recommend using a log colorizer to help watching logs e.g. ccze
In the end you will feel you got a half-baked solution that doesn't even come close to comparing to gmail in terms of functionality, ease of user interface, security and spam control. But hey, it'll be your own stuff.
I've run Zimbra for 3 years now, back to 5.0.9, which I installed for my then employer. The architectural people there have taken, right along, an attitude that I can characterize only as "RFCs? Who cares about those?"
It doesn't handle fixed-pitch well; its editor won't re-wrap (though they might have finally fixed that in 7), it doesn't know from RFC 2369 -- in fact, it handles mailing lists poorly in general; notably, you can't change the Reply-To in any way when replying, if you generally want HTML off (as I do), the only way to turn it on is to dive into the Preferences and switch it, then reload; same turning off...
Check for bugs filed on their bugzilla by jra@baylink.com if you want a full list of the ignominy. But in general, I would say: evaluate it pretty thoroughly to see if you can deal with its crap before deploying.
It's *very* pretty. I just don't know if it's worth the trouble.
For over 15 years, I spent my time doing my own servers. Figured out that I was spending too much time doing server admin and not enough building sand castles. Now, I am on Google.
I prefer the "u" in honour as it seems to be missing these days.
I'm also a big Roundcube fan, and use it on several sites. The nice thing about it is that you can just point it at an IMAP server, and it uses the IMAP server for authentication. It's quite easy to set up, and the GUI is a lot nicer than other competitors, like SquirrelMail.
Zimbra is nice too, but seems to lock you into a full stack of software. (There have been promises of a stand-alone version, but I've never been able to find it.) That might be the right answer for the original poster, but I found it too limiting and inflexible for my needs.
Software sucks. Open Source sucks less.
The whole beauty of gmail isn't that you get a lot of neat features. It's the fact that your email almost always gets from point a to point b. This is because you have the luxury of being on a "big" mail server. Smaller mail servers, like one that you or I would set up do not get special treatment. The whole system right now is stacked against small mail servers. The minute you hit operation, you'll find that you might already be on spam lists, and that you have to fight to get yourself off of them. The minute you find that you're off the lists, you'll probably end up back on them because someone three ip addresses away has been sending welcome emails from his web site, and someone forgot that they asked for one.
If none of that scares you, the following list will get you close to what gmail can do.
So here is what you need first and foremost:
1. A dedicated server just for Zimbra with Domain Keys installed
2. A block of 24-32 ip numbers. (49 ip numbers would be ideal, but it's harder to buy odd blocks like that.) Put your mail server as close to the middle of that range as possible. It sounds like a lot, but most collocation facilities can hook you up with this for 300-500 usd a month.
3. Proactive attention to getting your ip block removed from all spam lists (especially Barracuda, their list is the most annoying for the high number of false positives) before the fact. Just let them know you exist.
4. Pray that all of the hundreds of moving pieces you've just put in place don't break, that bad hackers don't brute force their way into your server. Strong passwords don't really help as much as people tell you they do either. That's now something you have to worry about too.
So there you go.
It doesn't make sense to me that you would try to do this for something that only you would use.
The expense is too high, and the benefit just isn't there.
Over the last few years, I've been offloading my email to the social networks and blogs. Facebook, Linked In, personal Drupal installations, Twitter, etc.
They don't have a lot of the core problems that email has, and pretty much everyone I communicate with will use one or multiples of those.
For everything else, I use Gmail for domains because, even if I end up upgrading and paying per account... it's still less of a headache than the Dante inspired hell that is managing my own email server.
I hate running fucking email servers.
Hate them.
Hate.
Hate.
Hate.
There. I feel better now.
This signature has Super Cow Powers
The previous "why" poster has it right. It's like you're complaining about success. You are never going to do it 50 percent as well as Google. -- don't try. Rolling your own is an academic exercise. Zimbra is ok-- if you can live in the 90s. Google is it. Just backup your data.
The open source web mail interfaces are not even close to what gmail does.
On this point I have to disagree. gmail is highly capable and all, but I actually prefer roundcube's interface over gmail's.
I also disagree that maintaining a mail server competently is that hard for a single domain with maybe a half-dozen users. If you stick to packages provided by a linux distribution, distribution updates will handle most security updates. Many ISPs have blessed relays for your use that alleviates the blacklist problem significantly.
That said, I have to confess current state of gmail makes it hard to find reason to do it yourself. The only reason I could think of is fear for what google could do in the future given the fact they really can hold your email address hostage. If you pay for your own domain (using any subdomain like offered by dyndns or co.cc is begging for them to hold your domain hostage down the road (as dyndns already has done to its users), landing you in the same place. Since so many free offerings from other companies have either evaporated or 'altered' in unacceptable ways, it's not unreasonable to be wary of Google's take on the perceived business value of free email with ads. If data suggests the cost is higher than the revenue sometime later, say goodbye to your email.
XML is like violence. If it doesn't solve the problem, use more.
I hope this doesn't sound too negative, roundcube is pretty good, but I've found it to be somewhat troublesome if you're running it over SSH - accessing it across a slow network, or any network with latency issues (wifi / 3g etc) tends to bog apache down to the point where it (apache) can require a restart. CPU load is pretty high when this happens too. The ajax thing isn't so good for trigger happy mouse clickers either - it often just stops responding, the only thing that gets it running again is a page reload.
For sure it looks a whole bunch nicer than squirrelmail, but it doesn't have nearly as many features - also configuring plugins for roundcube can be an exercise in frustration at times, not a whole lot of documentation - the forum while very helpful, tends to assume you know a great deal about the underlying mail server as well as systems administration in general.
1) Install Linux
2) Put all the software on it
3) Be happy with yourself for mail actually working
4) Get blocked by your friends' email hosts because they have no idea who the hell your server is
5) Learn about reverse dns, all the fucking host entries that you have to add so that you don't get automagically blocked by half the populated world
6) Some asshole user sends email with no subject and an executable attachment, it comes back to them bounced and they scream at you.
7) Same asshole user bitches and moans 3 times a day about how much spam they get and what a piece of shit your server is
This ends up with the following consequences:
1) Give up your life as an actual person. You're now a mail server admin
2) You stop giving a shit about said asshole user.
3) You start to second guess your decision to run your own mail server after somebody exploits something (weak password from asshole customer?) and sends half a million spam messages, and 2/3 of them bounce back at you.
4) You start growing pale and have hideous dark bags under your eyes
5) You're "that guy" in your apartment complex ("he never leaves!")
6) Eventually you miss your life, the outside world, and what is left of your sanity.
7) You start prioritizing your life and you finally give up and.....go back to Gmail.
Nobodies Prefect
Tidbits for Techs Technology Blog
It's ironic for me that you should post this on the day after I just abandoned my last home-maintained mail server in favour of Google.
For the past 15 years I've been a mail administrator in some capacity for a variety of mail systems ranging from my own personal colo to a vast multi-national corporation. Solving the technical problems of building and maintaining a functional and reliable system was fun for a number of years, especially when email was dominated by geeks. But nowadays, running your own server is a perpetual nightmare.
First, there's the problem of where to host it. It has to be accessible wherever you are, and it has to be able to send mail out. If you're planning on hosting it at home, on the end of a cable/DSL/fios connection, bear in mind that your IP address will almost certainly be blackhole listed. Also, your ISP may well be blocking outgoing mail to prevent spam. You will probably have to configure your system to route all outgoing mail via your ISP's SMTP server. Why are you hosting an SMTP server again?
If you're hosting it in a nice VM or in a colo, you're better off, but paying. Google costs you nothing.
Next, storage. Obviously that's no problem because you have a mirrored RAID eleventy-five array you built yourself. If that's in the colo then you can forget about it - except when a drive goes bad or it crashes unexpectedly. But then it's fine because you're paying for support aren't you. And backups. You are backing it up aren't you?
Next the server software. Personally I've had a lot of success with Sendmail/Cyrus IMAP/IMSP/Squirrelmail and friends, despite enduring jeers from other sysadmins who think they have a better combination. In the end, it doesn't matter. They all suck. They all need patching regularly. They all break. They all need tweaking on a regular basis.
Then the final turd in the swimming-pool: spam. It costs you so, so much; bandwidth, around 95% of all of the inbound traffic is spam; time, configuring and maintaining spamassassin and various blackhole lists that occasionally start rejecting mail indiscriminately; pride, the only time your clients contact you will be to ask why the mail is so slow and why there's so much spam. "But my gmail doesn't get this much spam - can't you filter it" they say, while you bite chunks out of your tongue. Spam to a mail administrator is like the gopher in Caddyshack: it will keep you awake and turn you into a monster. And the day will come where you, spam-slayer and junk-mail terminator, get put on a blackhole list for being a spammer. That's really fucking harsh the first time.
I could go on, but we're already in the TL;DR territory.
Most people do not host their own mail server. They live longer and healthier lives as a result. Follow their example and let Google worry about all of that for you - and in return you just have to pay them...nothing.
lkjdsafj;dklas
An excellent example of a self-hosted mail server with encodings issues.
If you're running the SMTP server on your machine, and set it up to accept encrypted SMTP, most SMTP MTA systems will encrypt mail to you and your ISP won't have access to it. The real issue is getting other people to accept SMTP from you, as opposed to deciding that any home internet connection that tries to send mail is a spam botnet zombie.
And gmail may not be proactively handing the Feds everything they want on a whim, but if the Feds hand them a subpoena and a "don't tell the customer" order, they'll hand over your mail, IP records, and anything else in the subpoena, and won't tell you, because they don't have a choice.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Some NAS devices support a complete email server, even if it's not always installed or active by default (usually it's not). We have a Synology NAS, and use its email server to combine local email (for our dyndns "domain") and accounts on a number of external hosts. Since it's on the NAS, useful features such as automated backup to external disk include the email with little extra configuration.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Even before opening this article I knew it would be overflowing with cries to drop this self-dependency stupidity and just surrender to the corporate gods.
What the fuck?
What is the purpose of free software if you are not supposed to use your freedom? You can build your system using open standards, install an open source OS with an open source mail server. But you will get blocked because you are not a business? Moreover, what is the purpose of freedom when you are not supposed to exercise it? It really has come to the point where "freedom" means "freedom to work for the system".
It should not be like this, it doesn't have to be like this. There's plenty of solutions, something like WoT can be built to prevent spam much better than a simple "block everything not from gmail yahoo or hotmail" that's just business whoring.
But... the future refused to change.
Isn't Squirrel just an interface? He's going to need something a little more than that - Postfix is the thing you need.
Now, having done exactly this for a long time (and having also moved everything over to Gmail for domains) I have a few observations:
- running your own email server gives you a warm inner glow and feeling of independence, but that's about it.
- check your logs daily, intrusion attempts happen constantly.
- dedicate the box to email only, that is - close down every port you don't need.
- don't run anything you don't need on that box.
- for the love of god don't run php (which might cut out squirrel mail).
- you'll need a set of good spam handlers. There's some good suggestions in posts below.
Personally, if you were really going to do this, I'd get a Mac mini. It comes with everything you need in terms of unix tools by default. It runs low power, it runs quiet. And there's slightly less chance of you getting owned. Always keep your patches up to date.
I eventually moved away from this because I got tired of being a paranoid sys-admin at home. Dealing with uptime issues also made me rethink what I was doing when email started to become critical to my finances - you'd be surprised how unreliable home dsl and power systems are when you really, really need them.
lemonade was a popular drink and it still is
Out of curiosity, why not? Apart from attracting poorly educated programmers who use it to create insecure crap, what is inherently problematic about it?
Be wary of any facts that confirm your opinion.
Do you know my password? No? Security by obscurity.
Almost all security* is based on someone not knowing something. Very very often, that something is either a password or very large random number. Or the physical pattern on a key. Or door/alarm code. Or something read via RFID. Or the algorithm that determines the number on my RSA fob. More commonly when making that claim, it's just a nonstandard port for a service, hidden URL, or combination of several.
If an attacker has the exact same set of information that I have, then that attacker has access to the same systems I do. The amount of information they need (or the level of obscurity, if you will) determines the level of security. Something where you need to be on my VPN to get access to a whitelisted IP and then SSH in to the system where password-only auth is disabled is going to be a hell of a lot harder than something where you just need to know to hit port 8080 instead. But ultimately, my passwords and private keys are just very obscure information.
And in terms of end results, not being a target absolutely makes me more secure than an equivalent system that is a target.
* As far as authentication and encryption is concerned, at least. SQL injection and XSS protection being the two best examples where it comes down to actual implementation details.
How are sites slashdotted when nobody reads TFAs?
Postfix 2.8.x for the MTA (2.8 has the new postscreen feature which is great to help with SPAM control)
Dovecot for IMAP POP3 as well as for SASL AUTH
Roundcube or SquirrelMail (take your pick) for webmail
PostgreSQL or MySQL for database backend
Spamassassin to catch what SPAM is missed by postscreen.
ClamAV to scan for viruses
Amavisd-new to interface postfix to spamassassin and clamav
PostfixAdmin for managing your domains and accounts from the web.
Use virtual domains with postfix "virtual" for the delivery agent, use maildir format for your mailboxes (mailbox path needs to end in "/"). Make sure and use the submission port (587) for your outbound emails, not the SMTP port (25) which should only be for inbound emails. Don't use SMTPS (which works over port 465) unless you have to support a really old email client that doesn't support STARTTLS (which works over the submission and smtp ports). Stitch all the pieces together and if done right you'll have a great email system like all the pros use.
If you need help come into #postfix on freenode IRC network.
Windows is a bonfire, Linux is the sun. Linux only looks smaller if you lack perspective.
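The Postfix layout recommended in the post above (virtual domains delivered by `virtual` to maildir, postscreen in front of port 25, authenticated submission on 587 with STARTTLS, SMTPS left off), as an added configuration sketch that is not part of the original post. The domain names, file paths, uid/gid 5000 and the DNSBL choice are placeholder assumptions, and the Dovecot side must separately expose its auth socket at `private/auth` inside the Postfix queue directory.

```conf
# ---- /etc/postfix/main.cf (fragment) ----
# Virtual domains handled by the "virtual" delivery agent.
virtual_transport        = virtual
virtual_mailbox_domains  = example.org, example.net
virtual_mailbox_base     = /var/vmail
virtual_mailbox_maps     = hash:/etc/postfix/vmailbox
virtual_uid_maps         = static:5000
virtual_gid_maps         = static:5000

# Port 25 (MTA to MTA): offer STARTTLS but do not require it,
# otherwise mail from servers without TLS is lost.
smtpd_tls_security_level = may
smtpd_tls_cert_file      = /etc/ssl/certs/mail.example.org.pem
smtpd_tls_key_file       = /etc/ssl/private/mail.example.org.key
# Never accept AUTH over a cleartext session.
smtpd_tls_auth_only      = yes

# SASL is provided by Dovecot over a UNIX socket.
smtpd_sasl_type          = dovecot
smtpd_sasl_path          = private/auth

# postscreen (Postfix 2.8+): screen clients before they reach smtpd.
postscreen_greet_action  = enforce
postscreen_dnsbl_sites   = zen.spamhaus.org
postscreen_dnsbl_action  = enforce

# ---- /etc/postfix/vmailbox (run "postmap" on it after editing) ----
# The trailing "/" selects maildir; without it Postfix writes mbox.
alice@example.org    example.org/alice/
bob@example.net      example.net/bob/

# ---- /etc/postfix/master.cf (fragment) ----
# Port 25: inbound only, fronted by postscreen.
smtp       inet  n       -       n       -       1       postscreen
smtpd      pass  -       -       n       -       -       smtpd
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy

# Port 587: outbound from your own mail clients. TLS is mandatory and
# only authenticated users may relay.
submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# Port 465 (SMTPS): leave disabled unless an old client cannot do STARTTLS.
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
```

`postfix check` followed by `postconf -n` shows whether the fragment parsed and which non-default values are in effect.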
How many teams of for-profit hackers will be targeting your personal server?
Thousands. Have you ever run a server and looked at access logs? There are thousands of bots running automated attempts to exploit any vulnerability they can find. There are no automated vuln bots that will ever make it into Google's servers. And skilled for-profit hackers don't even bother trying... there are better, smaller, more vulnerable fish that can be fried in much less time.
"Secret" is not the same thing as "obscure". Your password is not "obscure", it's a secret - the same goes for all your examples. Yes, security-through-obscurity is more often cited in the example of "but my port wasn't 8080!", but I mention that here because the claim that teams of for-profit hackers will most likely not be targeting your system.
Sure, that might be the case - but that shouldn't set your mind at ease when it comes to security. Chances are you're going to be using an off-the-shelf or open source mail handling software - and that means you're as vulnerable to attacks on that. If that particular program is cracked elsewhere, spammers looking for mail servers to cover their activities will find a way to identify systems running the software on default settings and exploit it. So while your particular instance might not be the primary target, you could still get hit by issues.
I'm not saying that you should stick with Google - just don't believe that you can slack on security just because you're small and so unlikely to be a target. In a fair percentage of cases, this means leaving it up to a larger entity with expertise - be it Google, Microsoft or some other provider - can be worth the trade-off.
Man who leaps off cliff jumps to conclusion.