Okay let's do this
1 like = 1 bad fact about email
1 There's no way to guarantee transport security (encryption) for email sent to the public internet. Sending email is like sending postcards
2 MX records cannot point to a CNAME per RFC 2181 but basically everyone will resolve CNAMEs anyways ¯\_(ツ)_/¯
3 Postfix transport and milters are one of the only places I've ever used a unix socket
4 If you forward your mail (e.g. custom domain to gmail), people who send you email are more likely to get marked as spam because SPF fails
5 I run my own spam filter on an inotifywait loop in my home directory. It's some sketchy linear regression filter a prof of mine wrote
6 Because said spam filter is on an inotifywait loop, if you send me too many emails, it misses events and they won't get filed properly >_>
7 DMARC rules are useless for people who run a mailing list or send email to people who forward their mail, since it requires SPF+DKIM pass
8 DMARC is kinda cool because you get emailed aggregate reports of when your mail passes/fails DKIM and SPF. No one sends forensic mails tho
9 I started running my own email server after gmail forced me to compose email in a pop up chat window. Final straw. Why break your UI?!
10 A popular FOSS webmail client, roundcube, makes me super nervous because it's a pile of PHP. I want to put client cert auth in front
11 Run my mailserver on @digitalocean. I've been told I'm one of the only IPs in that datacenter whose reputation lets me deliver to Google
12 PGP encrypted email sucks. The only client I've ever been able to get to work is mutt. People yell at you when you don't send pgp/mime
13 I have been running my own mail since Aug. 2013, having moved off gmail. At least one year since then I had better uptime than Google!
14 Despite making many, many mistakes, I have only had 1 month where gmail frequently marked me as spam: that was this year, after 4 years!
15 I run mail for at least 3 domains, but only have DKIM set up for hashman.ca. Setting up postfix virtual maps to unix users is pretty easy
16 IP reputation is a huge problem for many people: once you're blacklisted, super hard to fix, and IPv4 addresses are limited.
17 As a result, a lot of big mail distributors (e.g. mailchimp) run dedicated infrastructure, because available cloud IPs are wrecked
18 IPv6 promises to fix this, maybe, but reputation/bans are set at the /64 level. Many infra providers won't even give you a /64, so :(((
19 Google postmaster tools refuses to give me reports because I don't send enough email (under 10 per day, usually). They require thousands
20 Once upon a time I violated the mail spec and set TLS to "requires". To talk to the public internet you must allow unencrypted delivery.
HOWEVER I didn't even notice I had a problem with dropping mail from non-TLS MTAs for months until an Eventbrite ticket wouldn't deliver
21 It's fun to run your own email and try to decentralize from Google, but that doesn't matter. They are too big! https://t.co/wejNE6OmcV
/ht @makoshark for this awesome blog post I still refer back to :)
22 I scared my mom once by digging up MX records to figure out who hosted $nonprofit's email. Usually Google or Outlook (Microsoft)...
me: mom, if this information wasn't public, then how would my computer know where to send the email???
mom: oh that makes sense
23 I've used both Postfix and Exim. Postfix has some of the best documentation I've ever read. I use it as my MTA and it runs @watcsc's mail
24 Exim's configuration is super annoying; I don't like it very much. It runs @mathsoc's mail. It does do easy mailing lists via aliases tho
25 There is no good way to start learning how to run email. It's so big, and there are so many RFCs. I jumped in. I still muck up after 4yrs
26 It took me well over a year to correct some of the most embarrassing mistakes with my mailserver. Didn't have SPF for a year, DKIM for 3
27 Did you know many clients don't append a mail-id header? I realized emails from my mobile client were getting spambinned for this!
28 You can have your MTA fix broken headers like a missing mail-id, but at the risk of possibly breaking DKIM :(
29 The email protocol is super simple and 100% text-based. You can talk to mailservers via telnet! Used this to debug a work MUA issue once
30 When you start setting up TLS/STARTTLS, you can use openssl to help out in the same way. Yes, openssl has direct support for this...
31 SPF and DMARC are really easy to set up because they're 100% TXT record-based in DNS and you can cargo cult some reasonable defaults!
32 I put off setting up DKIM for years because it's kind of painful. Requires a pubkey in DNS plus some fun milter config in Postfix, bleh
33 Email has envelopes that tell you where to deliver mail. Really!
Your envelope FROM doesn't even have to match your message FROM inside
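Items 29 and 33 together, as an added example that is not part of the thread: a throwaway SMTP server on localhost and a client talking to it, showing that the protocol is plain text commands and replies, and that the envelope sender (MAIL FROM) is carried separately from the From: header inside the message. The server, addresses, banner and message are all constructed for the example; nothing leaves the machine.

```python
"""Added example, not from the thread: a throwaway SMTP server on localhost
and a client talking to it, to show that SMTP is plain text and that the
envelope sender (MAIL FROM) is a separate thing from the From: header inside
the message.  Names, addresses and the server banner are all constructed."""
import smtplib
import socketserver
import threading
from email.message import EmailMessage
from email.parser import Parser


class _Session(socketserver.StreamRequestHandler):
    """One SMTP conversation; records the envelope and message on the server."""

    def _send(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        state = {"mail_from": None, "rcpt_to": [], "data": [], "transcript": []}
        self._send("220 example.test ESMTP toy server")
        while True:
            raw = self.rfile.readline()
            if not raw:
                break
            line = raw.decode(errors="replace").rstrip("\r\n")
            state["transcript"].append(line)
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self._send("250-example.test greets you")
                self._send("250 OK")             # a real server lists STARTTLS, SIZE, ... here
            elif verb == "MAIL":                  # MAIL FROM:<envelope sender>
                state["mail_from"] = line.split(":", 1)[1].strip()
                self._send("250 OK")
            elif verb == "RCPT":                  # RCPT TO:<envelope recipient>
                state["rcpt_to"].append(line.split(":", 1)[1].strip())
                self._send("250 OK")
            elif verb == "DATA":                  # headers + body until a line holding only "."
                self._send("354 End data with <CR><LF>.<CR><LF>")
                while True:
                    dline = self.rfile.readline().decode(errors="replace")
                    if dline.rstrip("\r\n") == ".":
                        break
                    if dline.startswith(".."):    # undo SMTP dot-stuffing
                        dline = dline[1:]
                    state["data"].append(dline)
                self._send("250 OK queued")
            elif verb == "QUIT":
                self.server.sessions.append(state)
                self._send("221 Bye")
                break
            else:
                self._send("500 unrecognised command")


class _ToyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.sessions = []


def run_exchange():
    """Deliver one constructed message through the toy server and return what
    the server saw: the envelope (MAIL FROM / RCPT TO) next to the From: header."""
    server = _ToyServer(("127.0.0.1", 0), _Session)    # port 0: pick any free port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        msg = EmailMessage()
        msg["From"] = "CEO <ceo@bigcorp.example>"        # constructed header From
        msg["To"] = "bob@example.test"
        msg["Subject"] = "constructed test message"
        msg.set_content("hello from the toy exchange")
        with smtplib.SMTP("127.0.0.1", port, local_hostname="client.example", timeout=5) as client:
            # the envelope sender deliberately differs from the header From above
            client.sendmail("bounces@mailer.example", ["bob@example.test"], msg.as_string())
    finally:
        server.shutdown()        # stop serve_forever; server_close joins the handler thread
        server.server_close()
    session = server.sessions[0]
    headers = Parser().parsestr("".join(session["data"]), headersonly=True)
    return {
        "envelope_from": session["mail_from"],
        "rcpt_to": session["rcpt_to"],
        "header_from": headers["From"],
        "transcript": session["transcript"],
    }


if __name__ == "__main__":
    for key, value in run_exchange().items():
        print(key, value)
```

The transcript the server records is exactly what you would type by hand over telnet; the returned dict puts `<bounces@mailer.example>` (envelope) next to `CEO <ceo@bigcorp.example>` (header), which is the mismatch the next few items are about.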
34 You can identify spammers if envelope FROM doesn't match the message FROM, and if the connecting machine's hostname doesn't match either
35 That forms the basis of SPF: put a rule in DNS that says email will only come from these IPs/hosts for this domain, otherwise it's junk
36 We need this because it's utterly trivial to spoof senders. Mail spec doesn't require specified info to match reality, so we verify it
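Items 31 and 34 to 36 in code, as an added example that is not the thread's own: a minimal SPF evaluator and a DMARC record parser running against a constructed in-memory DNS table instead of live DNS. `check_spf` walks the `v=spf1` mechanisms (ip4, ip6, a, mx, include, all) for a domain and returns the result for a connecting IP; `dmarc_verdict` then applies the SPF half of DMARC, which is where the envelope FROM vs. message FROM comparison lives: SPF must pass and the envelope domain must align with the From: header domain, otherwise the published `p=` action applies. DKIM is left out of this block, and every name, address and record below is made up.

```python
"""Added example, not the thread's own code: a minimal SPF evaluator plus a
DMARC record parser over a constructed in-memory DNS table.  check_spf()
walks the v=spf1 mechanisms for a domain and returns the result for a
connecting IP; dmarc_verdict() applies the SPF half of DMARC (SPF pass AND
envelope domain aligned with the From: header domain).  All constructed."""
import ipaddress

# Constructed DNS answers (TXT / A / MX) for a few made-up names.
DNS = {
    "TXT": {
        "hashman.example": ["v=spf1 mx a:mail.hashman.example include:_spf.relay.example -all"],
        "_spf.relay.example": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:beef::/48 ~all"],
        "_dmarc.hashman.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@hashman.example"],
    },
    "A": {"mail.hashman.example": ["198.51.100.10"], "mx1.hashman.example": ["198.51.100.20"]},
    "MX": {"hashman.example": ["mx1.hashman.example"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in DNS["TXT"].get(domain.lower(), []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def _ip_in(ip, cidr):
    try:
        return ip in ipaddress.ip_network(cidr, strict=False)   # False across v4/v6
    except ValueError:
        return False    # malformed network in the record: treat as no match


def check_spf(client_ip, domain, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                        # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:       # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = _ip_in(ip, arg)
        elif name == "a":
            matched = str(ip) in DNS["A"].get(arg or domain, [])
        elif name == "mx":
            matched = any(str(ip) in DNS["A"].get(h, []) for h in DNS["MX"].get(arg or domain, []))
        elif name == "include":           # matches only if the included policy passes
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:
            continue                      # unsupported mechanism or modifier: ignored here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                      # nothing matched and no "all" term


def dmarc_policy(domain):
    """Parse _dmarc.<domain> TXT into a dict of tags (v, p, rua, ...)."""
    for txt in DNS["TXT"].get("_dmarc." + domain.lower(), []):
        if txt.startswith("v=DMARC1"):
            return {k.strip(): v.strip() for k, _, v in
                    (part.partition("=") for part in txt.split(";") if "=" in part)}
    return None


def _domain_of(address):
    """Domain part of 'user@domain' or 'Name <user@domain>'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()


def dmarc_verdict(client_ip, envelope_from, header_from):
    """SPF-only DMARC: 'pass' if SPF passes for the envelope domain and that
    domain aligns (relaxed) with the From: header domain; otherwise the p=
    action the From: domain published, or 'none' if it published nothing."""
    env_domain, hdr_domain = _domain_of(envelope_from), _domain_of(header_from)
    aligned = env_domain == hdr_domain or env_domain.endswith("." + hdr_domain)
    if aligned and check_spf(client_ip, env_domain) == "pass":
        return "pass"
    policy = dmarc_policy(hdr_domain)
    return policy.get("p", "none") if policy else "none"
```

The third case in the usage below is the forwarding problem from items 4 and 7: SPF passes for the forwarder's envelope domain, but that domain does not align with the original From: header, so DMARC falls through to the header domain's policy.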
37 DKIM is a cryptographic signature attached to each email you send in the headers. We pull public keys out of DNS in order to verify them
DKIM keys are small (1024 bit RSA), the idea being that while they can be broken, it's too hard to do that at the fast-paced scale of email
Although I think Google is now pushing to start upgrading to 2048 bit keys! And as mentioned before they basically rule email
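Item 37 in code, as an added example that is not from the thread: the body-hash half of DKIM verification from RFC 6376 over a constructed message. It parses the DKIM-Signature tags, applies "simple" body canonicalisation, recomputes the `bh=` value, and builds the DNS name (`<selector>._domainkey.<domain>`) where the public key for checking `b=` would be fetched. The RSA check of `b=` itself is left out because it needs a crypto library, and the `p=` value in the constructed DNS table is a labelled placeholder, not a key.

```python
"""Added example, not from the thread: the body-hash half of DKIM verification
(RFC 6376) on a constructed message.  It parses the DKIM-Signature tags,
applies "simple" body canonicalisation, recomputes bh= and builds the DNS
name (<selector>._domainkey.<domain>) where the public key for checking b=
lives.  The RSA check of b= is left out, and the p= value below is a
placeholder rather than a real key."""
import base64
import hashlib

# Constructed DNS TXT answer for the selector; p= is a labelled placeholder.
DNS_TXT = {
    "mail2017._domainkey.hashman.example": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY_BASE64",
}


def parse_tags(header_value):
    """Split a 'tag=value; tag=value' list.  DKIM lets values fold across
    lines, so all whitespace inside a value is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def canonicalize_body_simple(body):
    """RFC 6376 3.4.3 'simple': CRLF line endings, trailing empty lines
    removed, and a body that is empty (or lacks a final CRLF) gets one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body, algo="sha256"):
    """bh= value: base64 of the hash over the canonicalised body."""
    digest = hashlib.new(algo, canonicalize_body_simple(body).encode()).digest()
    return base64.b64encode(digest).decode()


def make_dkim_header(body, domain="hashman.example", selector="mail2017"):
    """What a signer fills in before computing b=: algorithm, canonicalisation,
    domain, selector, the signed header list and the body hash.  b= stays empty."""
    return (f"v=1; a=rsa-sha256; c=simple/simple; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=")


def verify_body_hash(dkim_header, body):
    """Return (bh_matches, key_dns_name, dns_txt) for a message body.
    A verifier only fetches the key and checks b= once bh_matches is True."""
    tags = parse_tags(dkim_header)
    hash_algo = tags.get("a", "rsa-sha256").split("-", 1)[1]       # "sha256"
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"         # "c=relaxed" alone means simple body
    if body_canon != "simple":
        raise NotImplementedError("only simple body canonicalisation is implemented here")
    key_name = f"{tags['s']}._domainkey.{tags['d']}"
    return body_hash(body, hash_algo) == tags["bh"], key_name, DNS_TXT.get(key_name)


if __name__ == "__main__":
    sample_body = "Hello from the thread.\n\n\n"          # constructed body
    header = make_dkim_header(sample_body)
    print(header)
    print(verify_body_hash(header, sample_body))
    print(verify_body_hash(header, sample_body + "tampered\n"))
```

Why the canonicalisation step matters: an MTA that adds or strips trailing blank lines does not break the body hash under "simple", but any change inside the body does, which is why a forwarder that rewrites the message (footers, disclaimers) kills DKIM for the downstream receiver.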
38 How is mail stored on disk? Usually plaintext files. You can have one giant file (a mail spool) or each mail as a separate file (maildir)
39 Your MUA probably has its own database for storing your mail (Roundcube uses MySQL), but under the hood it's all ~1980s~
Mail thread is currently paused for me to eat lunch, but I promise to honour up to 50 likes :)
40 When an MTA attempts to send an email, it says "hello". Literally. The extended hello (EHLO) allows the server to identify itself.
41 I heavily filter based on EHLOs to the point of losing some legitimate mail. I verify rDNS exists, and that it matches the sender.
42 Why would that drop legitimate mail? Many mailservers (*cough* VIA rail) identify themselves with a .local FQDN, which doesn't resolve!
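Items 40 to 42 in code, as an added example that is not from the thread: the EHLO and reverse-DNS checks described there, run against a constructed in-memory DNS table. For each connecting client it checks that a PTR record exists, that the PTR name resolves back to the client IP (forward-confirmed rDNS), and that the EHLO name is a resolvable FQDN rather than something like `host.local`. Postfix has restrictions for the same checks (`reject_unknown_reverse_client_hostname`, `reject_unknown_helo_hostname`, `reject_non_fqdn_helo_hostname`); this block is a stand-alone illustration of the logic, with all names and addresses made up.

```python
"""Added example, not from the thread: EHLO / reverse-DNS sanity checks over a
constructed in-memory DNS table.  A client passes when its EHLO name is a
real FQDN that resolves to its IP, and its PTR record resolves back to the
same IP and matches the EHLO name.  Every name and address is made up."""
import ipaddress

DNS = {
    "PTR": {
        "198.51.100.10": "mail.hashman.example",   # well-behaved sender
        "203.0.113.7": "mx.viarail.example",       # PTR fine, but EHLOs with a .local name
        "192.0.2.9": "ghost.example",              # PTR exists but has no forward record
    },
    "A": {
        "mail.hashman.example": ["198.51.100.10"],
        "mx.viarail.example": ["203.0.113.7"],
    },
}
RESERVED_TLDS = {"local", "localhost", "invalid"}   # never resolvable on the public internet


def resolve(name):
    """Forward lookup (A records) in the constructed table."""
    return DNS["A"].get(name.lower().rstrip("."), [])


def is_fqdn(name):
    """Plausible EHLO name: at least two non-empty labels, not a reserved suffix."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(labels) and labels[-1] not in RESERVED_TLDS


def check_client(client_ip, ehlo_name):
    """Return the list of reasons to reject the client; empty means it passes."""
    ipaddress.ip_address(client_ip)       # raises ValueError on garbage input
    reasons = []
    if not is_fqdn(ehlo_name):
        reasons.append("helo_not_fqdn")
    elif not resolve(ehlo_name):
        reasons.append("helo_does_not_resolve")
    elif client_ip not in resolve(ehlo_name):
        reasons.append("helo_does_not_match_client_ip")
    ptr = DNS["PTR"].get(client_ip)
    if ptr is None:
        reasons.append("no_rdns")
    elif client_ip not in resolve(ptr):
        reasons.append("rdns_not_forward_confirmed")
    elif ptr.lower() != ehlo_name.lower().rstrip("."):
        reasons.append("rdns_does_not_match_helo")
    return reasons


if __name__ == "__main__":
    for ip, helo in [("198.51.100.10", "mail.hashman.example"),
                     ("203.0.113.7", "smtp.viarail.local"),
                     ("192.0.2.9", "ghost.example"),
                     ("198.51.100.99", "mail.hashman.example")]:
        print(ip, helo, check_client(ip, helo) or "accept")
```

The second case is the item 42 failure mode: the sending MTA is otherwise legitimate (its rDNS forward-confirms), but it introduces itself with a `.local` name, so a strict EHLO policy rejects it. Whether "rdns_does_not_match_helo" alone should be a hard reject is the trade-off the thread describes.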
43 You can use known blocklists to plug right into your MTA configuration to dynamically autoblock spammers. ex: https://t.co/P6jdR2kM91
44 Sender and receiver TLS are configured separately in Postfix. I accidentally had my mail configured to encrypt inbound but not outbound...
45 I run a bunch of mailman2 mailing lists, too. They are surprisingly easy to get set up once you have virtual maps working in Postfix
46 I can't link you to a tutorial on how to set up your own mail. I've seen some valiant attempts but they all miss important details.
47 I've been thinking about blogging about my adventures with email, but I'm not quite sure what to write about or when I'll have time...
48 When I say 4 years in I am still tweaking configs for my mail, that is no joke. It's relatively stable but there's so much more to fix
49 One of the most rewarding parts of running my own mail is catchall addresses. I have all sorts of rules configured, run two real accounts
/ht @worldwise001 for that one :)
50 I get thousands of driveby brute force login attacks on my auth, even with fail2ban. Lately, they enumerate through lots of Chinese names
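Item 50 as detection logic, an added example that is not from the thread: a small brute-force detector run over constructed Dovecot-style auth failure lines. It counts failures per source IP inside a sliding window and flags sources that reach a threshold, which is the same rule a fail2ban jail applies to the real mail log. The log lines, usernames, addresses and thresholds are all constructed.

```python
"""Added example, not from the thread: a sliding-window brute-force detector
over constructed Dovecot-style auth failure lines, the same rule a fail2ban
jail applies to the real log.  Log lines and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in Dovecot's "auth failed" shape; not real traffic.
SAMPLE_LOG = """\
Nov 12 03:14:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.45, lip=198.51.100.10, TLS
Nov 12 03:14:03 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.45, lip=198.51.100.10, TLS
Nov 12 03:14:05 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=203.0.113.45, lip=198.51.100.10, TLS
Nov 12 03:14:06 mx dovecot: imap-login: Login: user=<hashman>, method=PLAIN, rip=192.0.2.8, lip=198.51.100.10, TLS
Nov 12 03:14:08 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales>, method=PLAIN, rip=203.0.113.45, lip=198.51.100.10, TLS
Nov 12 03:20:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<hashman>, method=PLAIN, rip=192.0.2.8, lip=198.51.100.10, TLS
Nov 12 03:45:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<postmaster>, method=PLAIN, rip=203.0.113.45, lip=198.51.100.10, TLS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: \S+-login: "
    r"Disconnected \(auth failed.*?\): user=<(?P<user>[^>]*)>, .*?rip=(?P<rip>[\d.]+)")


def parse_failures(log_text, year=2017):
    """Return (timestamp, source_ip, username) for each auth-failure line.
    syslog lines carry no year, so one is supplied (constructed here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["rip"], m["user"]))
    return events


def find_bruteforcers(events, max_failures=3, window=timedelta(minutes=10)):
    """Flag each source IP whose failures inside any `window` reach
    max_failures.  Returns {ip: (time first flagged, distinct users tried)}."""
    recent = defaultdict(deque)
    users = defaultdict(set)
    flagged = {}
    for ts, rip, user in sorted(events):
        q = recent[rip]
        q.append(ts)
        users[rip].add(user)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures and rip not in flagged:
            flagged[rip] = (ts, len(users[rip]))
    return flagged


def summarize(events):
    """Per-IP totals, useful for telling a password-guessing source (many
    distinct users) from a legitimate user mistyping their own password."""
    totals = defaultdict(lambda: {"failures": 0, "users": set()})
    for _, rip, user in events:
        totals[rip]["failures"] += 1
        totals[rip]["users"].add(user)
    return {rip: {"failures": t["failures"], "users": len(t["users"])} for rip, t in totals.items()}


if __name__ == "__main__":
    parsed = parse_failures(SAMPLE_LOG)
    print(find_bruteforcers(parsed))
    print(summarize(parsed))
```

In the sample, 203.0.113.45 crosses the threshold at the third failure and has tried a different username every time, while 192.0.2.8 is one user getting their own password wrong once; counting distinct usernames per source is what separates the two.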
Okay y'all got to 69 likes let's do a few more 😎
51 Keeping email security locked down is so damn hard. On top of securing the server it runs on, you have mail auth, TLS configs, etc.
52 Figuring out how to set up SASL auth for dovecot (IMAP server) so I could use my unix logins was "fun". Dovecot was less work than Cyrus
53 Here's a map of my mail setup:
- mobile clients, local mutt, remote mutt, Roundcube (MUA)
- dovecot (IMAP)
- user scripts
- Postfix (MTA)
- PAM (dovecot SASL hooks in)
- DKIM (on top of Postfix)
- SPF and DMARC records
- Apache HTTPD (for web UIs)
- Letsencrypt (certs)
54 @watcsc's even more complicated because we use LDAP for managing user accounts and use Kerberos for authentication. Maildirs are on NFS 😱
55 I once debugged a performance issue with NFSv3's caching algorithm thanks to Maildir issues. It calls getattrs on every single file...
When you have an NFS mount with hundreds of inboxes and each has thousands of file entries... as @darrick_wong said, it's a fun stress test
56 I have never professionally worked on email outside of a small contract job. Certain unnamed mailgun people have given me shit for this 😏
57 I would like to work on email professionally someday. It's an awesome mix of legacy systems, storage, distributed systems, and open specs
58 When I "finished" setting up my mailserver in 2013, I wrote the following poem to commemorate the occasion:
postfix is dicks
sasl is dicks
dovecot is dicks
59 If you liked this thread, please let me know! It was fun! 😄 happy to answer any more of your questions to the best of my ability
60 OH ONE LAST ONE
I broke my email recently because I ran out of disk space on my VPS from downloading too much Initial D 😂