So I’ve been running self-hosted email using Mailu for a couple of months (after migrating out of Google Workspace). Today it turned that although my server seems to be capable of sending and receiving emails, it also seems to be used by spammers. I’ve stumbled upon this accidentally by looking through logs. This seems to have been going on for all this time (first “unknown” access happened just a couple of hours after I’ve set everything up).
While browsing the logs there were just so many crazy things happening - the incoming connections were coming through some kind of proxy built-in to Mailu, so I couldn’t even figure out what was their source IP. I have no idea why they could send emails without authorization - the server was not a relay. Every spammy email also got maximum spam score - which is great - but not very useful since SMTP agent ignored it and proceeded to send it out. Debugging was difficult because every service was running in a different container and they were all hooked up in a way that involved (in addition to the already mentioned proxy) bridges, virtual ethernet interfaces and a jungle of iptables-based NAT that was actually nft under the hood. Nothing in this architecture was actually documented anywhere, no network diagrams or anything - everything has to be inferred from netfilter rulesets. For some reason “docker compose” left some configuration mess during the “down” step and I couldn’t “docker compose up” afterwards. This means that every change in configuration required a full OS reboot to be applied. Finally, the server kept retrying to send the spammy emails for hours so even after (hypothetically) fixing all the configuration issues, it would still be impossible to tell whether they really were fixed because the spammy emails that were submitted before the fix already got into the retry loop.
I have worked on obfuscation technologies and I’m honestly impressed by the state of email servers. I have temporarily moved back to Google Workspace but I’m still on the lookout for alternatives.
Do you know of any email server that could be described as simple? Ideally a single binary with sane defaults, similarly to what dnsmasq is for DNS+DHCP?
I use Zimbra with an external email gateway that only accepts authenticated email. Zimbra is pretty heavy (it’s intended to be a Microsoft Exchange replacement) but it at least has a huge amount of protection built-in to deal with spam and comes configured out of the box to not relay (well, outside of you setting up aliases and lists.)
That said, it’s not hard to find “incoming email only” configurations that deliver to local mailboxes only, for most email servers. The thing to avoid is having a single server configuration that tries to do both - accepting external email and sending locally originated email out. The configurations do exist to do that, but they’re confusing and tricky.
External email gateways… that bit is hard. I use a mail server I set up myself on a VPS. It does not listen on incoming port 25. It requires credentials. I did this largely because I was trying to send email out via Xfinity’s customer email relay, but the latter kept upping the authentication requirements until one day Zimbra just couldn’t be configured to use it any more. And each time they changed something, I wouldn’t find out until I noticed people had clearly not received the emails I’ve sent out.
VPSes are problematic as some IPs are blocked due to spam. There’s not much you can do about it if you’re stuck with a bad IP, so if you can find a way to send outgoing email via your ISP’s outgoing email server, do that. For Postfix, you can send out authenticated email using something like: in main.cf:
relayhost = [smtp.office365.com]:587 smtp_sasl_auth_enable = yes smtp_sasl_security_options = noanonymous smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_use_tls = yesand in /etc/postfix/sasl_passwd:
[smtp.office365.com]:587 example@outlook.com:hunter2So in summary:
Good luck.