The internet was meant to be used by people who knew how the internet worked. Herein lies the problem.

This might sound like gatekeeping, and maybe it is. When these systems were designed, they were not designed to be used by everyone. They were not designed to be commodities that are bought and sold, with the most valuable trinket available being the attention of the user. But this is where we are.

Few are capable of running their own _anything_ on the internet, and even fewer have the desire to do it, because if you run it well for yourself (as an individual), someone else will want you to do it for them because you are already doing it, so it's not that much more work, right? \s

Decentralization limits monetization of anything, so that is going to be a non-starter for investment of resources. Unless you are trying to have your infrastructure survive a nuclear war, no one is going to provide the means to build anything big unless you can sell it or the users of it.

The notion that anything really works on the internet with the assumptions that were made in the 70s and 80s, and the realization that what holds most of it together is the blood and sweat of ops, duck tape, and fever dreams consistently astonishes me. In the not so distant past, someone paid me to write them a custom FTP server. In the 21st century. It's like being asked to whittle an engine block out of a tree.

> Decentralization limits monetization of anything, so that is going to be a non-starter for investment of resources. Unless you are trying to have your infrastructure survive a nuclear war, no one is going to provide the means to build anything big unless you can sell it or the users of it.

I'll go further: centralised systems can emulate decentralised systems, but not vice versa. Thus, ultimately, the only USP of a decentralised system is that it is decentralised for the sake of being decentralised, and nobody cares much about that. Centralisation is inevitable, and wins out every time.

They can pretend to be decentralized, but they can't emulate the lack of centralized authority.

People certainly care enough about centralization once it's consistently abused in ways that hurt them (which always happens eventually, given enough time). Our existing anti-monopoly laws came about like that.

Signal jumps to mind.

Plus I don't see much evidence people care. This argument reminds me of Accelerationism, which doesn't seem to work either.

People start to care on the edges (e.g. social networks), but there simply isn't enough abuse wrt email yet for opposition to register.

> And you would be surprised, how many sites sell email addresses to others, and I know it as every one gets its own email address.

So much this. I've actually contacted companies to tell them they've been compromised because I started getting phishing emails. I quit after the third time of reporting it and being told "we haven't been hacked, someone in your friends group has and you just can't read email headers".. right because someone in my friends group emails "mylocalgym.com@mypersonaldomain.com" to schedule group activities.. then six to twelve months later I get an email from HIBP telling me said website was hacked and my email was compromised.

It's funny to hear this experience. I've been doing this consistently for about 5 years now and have noticed 2 instances where this occurred, and in both there were prior disclosures about a security failure.

I tend to sign up for a lot of things (I'm seeing over 150 unique email addresses I receive emails from using this scheme), but I guess I'm just getting lucky.

Also, just out of curiosity, where does one sell email addresses, and how much are they worth? I take signups on a few websites, and I'd never sell my users' email, but I'm just curious to learn more.

I used to trade e-mail addresses with various banks, some 15 years ago. I'd just call up their marketing departments and offer those as 'financial leads'. I had a network of people who had various ad campaigns running where a customer could win something if the'd leave their personal (financial) data.

I did it in the early 2000s with a domain I picked up just for that purpose, which I'm almost positive was "myspamstopper.com", but I let the registration lapse and it was snapped up. It's amazing what was still available back then to easily register.

Not the GP, but I’m experiencing this mostly with small to mid-sized online retailers.

Side note: I've seen some MTA systems having weird filters for receiver's domain name or company name being part of sender's local-part.

When I'm opening an account at Example Bank which uses example.com domain, I avoid creating dedicated mailbox or alias with words "example" and "bank". exmplbnk@, xmplbnk1234@ or similar seems to have better deliverability when I'm attempting to contact the other side.

> weird filters for receiver's domain name or company name being part of sender's local-part

Likely to help cut down on phishing.

Perhaps there should be a system that lets [1] ordinary people record that they notified a company that said company had been hacked together with timestamped evidence of said notification. [2] people/organizations who sue/regulate said companies wrt said hackage have access to said timestamped evidence.

I don't know how to monetize said system but it would produce both social and economic value.

I've discovered two previously unknown data breaches this way. I was gratified when the operators of the sites thanked me for reporting it. Most times, though, I get the treatment you're describing.

Honest and non-rhetorical question here: Have any of your customers had an e-mail they've tried to send not arrive because the recipient's system was using a black-hole list that, for some erroneous reason, had you blocked? If so, were you able to successfully communicate with and/or reasonably work through whatever issue got you black-holed?

I haven't administered e-mail servers for 20 years, but back when I did, this started to be a problem that eventually became insurmountable. I used to manage a small business oriented ISP. We were multi-homed with a /18 that we used for everything. I had a customer that was a reasonably sized organization that dealt with tourism and conventions for a major city. On one of their websites, (which we hosted with IPs that came out of the same /18 as their mail server,) they had a directory of vendors who were associated with them. ONE of those members had a website that had been hacked/defaced. This got our entire /18 on a blac-khole list. They had an employee that was trying to send e-mail to someone on a system that was using this black-hole server to filter spam.

When we explained to them what the problem was, we got glassy-eyed stares back at us and a, "just fix it." I told them that, they would need to remove the link to their partner's site from their website in order to get them AND all of our other customers using numbers inside our /18 de-listed from this particular black-hole. They asked, "We have hundreds of partners who pay for membership in our organization and being listed on our website is one of the benefits. How can we possibly police every one of those websites every day to make sure there's no defacement or serving of any problematic material from any URL in any of those domains?" That's a decent argument in my opinion. And I tried to explain that different black-holes have different policies and no black-hole is demanding that anyone use their system for filtering. I tired contacting the organization that was using that black-hole to explain the situation to them, but they weren't interested in discussing it. As far as they were concerned it was our problem to deal with.

This kind of problem happened dozens of times with varying degrees of severity but with increasing regularity and it was one of the primary reasons we quit hosting e-mail and started re-selling another vendor's solution. That was a long time ago, and maybe black-hole lists aren't a thing anymore.

(Running a email system for a few thousand users)

> If so, were you able to successfully communicate with and/or reasonably work through whatever issue got you black-holed?

Yes. Practically all black-lists have a de-list form that one can use, and most seem to auto-delist fairly fast as soon they don't get any more reports from honey-trap and other sources.

We do have a few custom written ways to detect hacked accounts, and we don't allow users to set their own passwords. We also tend to discourage/deny users who do newsletters and other "higher risk" form of email. All emails sent by websites is sent through different servers, which also mean that a hacked website does not impact the reputation of the email servers.

Events with black lists maybe occur once a year and as I mentioned above, fixed fairly fast. One good tip is to keep an automated eye on the mail queue and react quickly when things start to look wrong.

It's better now, but in the early days of organized blacklists (more than 20 years ago) it was somewhat chaotic. Many large ISPs ran their own blacklists and some were poorly managed. AOL was the worst of them all. Their admin staff was unprofessional and unresponsive when I provided a PoC for their defective spam control system.

There are a few sites where you can plug in an IP address to see if it's on any blacklists. A handy thing to do before setting up a new server is to work with your provider to find a clean IP address beforehand. Here's one that I have used: https://mxtoolbox.com/blacklists.aspx

Thanks for the link, I see my email server is on a few lists. I’ve heard that DigitalOcean isn’t good for email servers but I’ve been lax on investigating.

Now I have incentive, this is annoying. Maybe I need a static IP as well.

For what it's worth I've run into the same set of issues at corporations using Google and Microsoft's hosted offerings. Hell, sometimes you can't even send it mail between customers!

> Have any of your customers had an e-mail they've tried to send not arrive because the recipient's system was using a black-hole list [...] ?

Yes. Twice.

In the first case, the mail provider was our ISP; and they got themselves in some mainstream blacklists. The problems getting that sorted out were part of the motivation for bringing mail in-house.

In the second case, there was some academic departmental mailserver and they were using some list incorrectly; using an extremely-opinionated list to block when it should at best be used to score.

This wasn't in itself a big deal, but one of my boss's correspondents was a senior professor in this department and they had some important business; and the postmaster was a dick, and wouldn't help. Boss didn't want to use some secondary email address; I had to show him how to set up an alias on some commercial server, which was second-best, but he was in a hurry.

Boss was angry with me and barked at me. If you run a mailserver for some group, one you assembled yourself, then people expect you to take responsibility for sorting out any mail problems. Well, they're right: you have taken on that responsibility. You made it, and you're running it: who else can they complain to?

[Edit] My point is that it's not hard to set up an artisan mail system; what's hard is that you create a job for yourself that is at the same time networking, user-facing, and technical. It's an interesting learning point, and I recommend it. But don't underestimate what you are taking on.

> [Edit] My point is that it's not hard to set up an artisan mail system; what's hard is that you create a job for yourself that is at the same time networking, user-facing, and technical. It's an interesting learning point, and I recommend it. But don't underestimate what you are taking on.

This. So much this.

I will happily run my "artisinal" mail system for myself. Would I put customers on it? Oh, hell, no.

I, sadly, always recommend that companies pay money to Microsoft for email. You are really paying for the customer support service rather than the email service.

Microsoft's email behaviour seems like anticompetitive abuse - you can whitelist an address and they overrule you and block incoming email for obscured reasons.

Customers still have problems occasionally _sending_ email to one domain, which is over 15 years old and sends <1 email per day. If they initiate and email us we can't send them a reply (if they're on MS email, sometimes). We use an outlook.com email nowadays as a relay and have to treat MS using customers differently still despite using a relatively large supplier.

Some years ago, I was lead to believe, you could pay a third-party to add you to what was effectively MS's whitelist.

Aside: back then I was doing some webdev and supporting IE5+ so I already hated MS about as much as one could.

Never paying to enable interoperability that is part of being a reasonable web citizen/company. Paying them just reinforces the negative behaviour.

Please don't recommend to people to pay money to have all their email communications read and stored by Microsoft, the US government and possibly other parties.

There are plenty of other email providers which are worth considering, and I'm sure some of them have half-decent customer support.

> I'm sure some of them have half-decent customer support.

You would, sadly, be wrong.

Microsoft customer support is "least bad" among the email providers.

That is a massive indictment of email providers, but it is what it is.

> Well, they're right: you have taken on that responsibility. You made it, and you're running it: who else can they complain to?

Assuming logic applies to humans is painfully wrong. I wish it wasn’t.

That question seems completely unrelated to running a personal mail server?

> Getting spam? I am sick of you, whatever? No issue, just REJECT the whole address

I started using that with Fast mail, they call that Masked address. Best spam filter ever.

It’s not so much that I want to go all the way and do it myself, but I’m interested to see the gold standard way and as per the OP, perhaps go part the way (ie not send) - do you have a resource you could point me at that you recommend or rate? Not trying to get you to do my dirty work, just wondering if you have a resource you use.

Exactly this. You make the wrong comment on Youtube and they take down your entire company's infra. Is this an acceptable risk to anybody?

While that’s true, and crazy…

Everybody know you show never even read YouTube comments. Posting them is just insane…

Using the same stack and have to agree. Once it’s up, it’s rather low maintenance. I wouldn’t start again from scratch, though today.

There is also a guy, Jar, who runs a rather his own email service, mxroute, quite successfully. Users love it and he seems to know his stuff.

> I don't want or use webmail (sluggish)

Serious question: what if you're on a network that blocks non-HTTP[S] traffic? How would you read your mail? This is a problem I hear of quite regularly.

That’d alert me to the fact I didn’t have my vpn running.

Im happy to pay for my own cellular data and vpn to avoid networks like that. Including tethering my laptop if needed.

Are there any guide or books available on how to setup something like this?

I assume you have a fixed IP. That's a non trivial part of the process.

What are the memory requirements for postfix, dovecot, and rspamd these days?

> What are the memory requirements for postfix, dovecot, and rspamd these days?

Approximately nothing. I run all my email infrastructure on the smallest available $5/mo Linode and it's way overprovisioned even so. I'd take a smaller VM if they offered one.

Hmm. Admittedly, I didn't use postfix, but dovecot was the largest process running on my 1G server and adding rspamd resulted in it doing the Out-of-memory mambo a couple of times a week. This was just for my domain, but I do get a crap ton of spam.

Very low for one person with a few emails per day. They almost never appear in top on a 3€/month VPS server (2 vCPU, 2G RAM).

They probably work well on quite limited hardware. But I guess it largely depends on traffic / on the number of hosted users.

Doesn’t even need that. I’ve run pretty much that stack on an original Raspberry Pi. You wouldn’t want to be trying to do a lot else, and GB sized attachments are gonna be limited by the usb Ethernet speed, but it’ll run just fine.