I've kept a spare cheap android for too long and recently went with Graphene instead. I have one Google profile and only use it for Uber, work's Google Chat and maps. One bank refused to work (even with Google services) so I moved bank. I've moved most of my mobile use to self hosted (freshrss full text, password manager, calendar, tasks) with no direct internet connection.
It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet
My setup is similar and nearly 100% self-hosted, including email, files, AI. If something does not work on Graphene, I will do without it. I also have a Google profile, mostly for testing purposes.
I said it already in another comment, but if you care enough to use GrapheneOS, I believe you should not only "do without it". You should also complain to those services.
If enough people complain, those services will start caring. If all they see is "one user complains every 3 years", they will just ignore it. That's how it works.
Drop your sarcasm for long enough to see that "I won't use your app if I have to use Google" is not a complaint _to_ Google.
The bank I was talking about were the worst net loser of customers in the UK last year (around -8000) They are making excuses but maybe they would care about why.
Also, it works in practice. Some banks have fixed their apps after GrapheneOS mentioned that the app was broken. In some of the issues/reports linked at https://privsec.dev/posts/android/banking-applications-compa... there are even bank app developers joining in on the discussion (e.g. NL -> Triodos).
The consumers of google captcha will not care if on occasion some failing business attempts to enable graphene or linage users, the userbase of those users is not enough for most companies to care and the ones that do probably aren’t cared for by google.
I hate that this is the way it is, I’m a graphene user too, and I see a pretty bleak future for any unsigned OS, followed by a pretty bleak and authoritarian future for humanity.
Not to Google, and not to any of the TooBigTech, obviously. For those, we need to enforce regulations (that already exist but are ignored). As a user, the only thing you can do against TooBigTech is to complain to your government (if they can listen, e.g. in the EU there is a DMA entity that you can and should contact).
But for companies that are not monopolies, you can complain to them, and you can give them a bad review on the Play Store. Most companies are not in the business of screwing you: if they screw you, it's just a collateral effect. If you want to be on their radar, you have to make noise.
If enough people complain, then the company sees a need, then they prioritise. If they believe that "it only affects 1 guy who complained 2 years ago", of course they won't do anything... and I don't even know if I would blame them for that.
How have you managed to accomplish self-hosted email? I tried similar in 2022 and found it damn near impossible without business static IP or a cloud provider.
You can't do it reliably without a static IP in a non residential subnet that lets you set reverse dns. If you have a static residential IP and they don't filter inbound SMTP you can make it work with a smarthost/relay like mailgun. Its not the insurmountable obstacle everyone makes it out to be, but its not going to be free unless you already have an IP that meets the criteria.
If you don't have a static IP you need will want to think about a MX relay service too ~ although mail is surprisingly tolerant of offline MX hosts if you can wait a little bit for your mail.
My approach is to run a VPS with multiple static IPs that I (using Wireguard) tunnel to a number of virtual machines I host at home on a microserver. Likewise, the virtual machines' primary view of the Internet starts on the opposite side of the tunnel.
I have access to a commercial (non-residential), fixed IP. You could also use an outgoing relay as a compromise, since presumably the issue you are facing is other servers rejecting email that you send from a disreputable IP. That being said, you really want a fixed IP as a matter of convenience if you are going to self-host anything.
How often are your emails being marked as spam, for others? A few years ago it read like there’s a whole science behind avoiding getting flagged. Is this easier now with agents aiding the setup?
Not the person you replied to, and it's impossible to know with certainty how often you're in someone else's spam, but very rarely.
I had an issue with yahoo a couple of years ago that's all. The "it read like there's a whole science" is sadly a trope mostly repeated by people who have never tried because it gets upvotes on Reedit.
There are some steps you have to take, but not many, and systems like Mox mailserver or stalwart guide you through it, and mail-tester will check if you got it right.
Email, other than tweaking spam filters, is one of my lowest maintenance systems. I can't remember the last time I touched Exim or Mox config
You got me really interested here, I ran my own mailserver years ago and eventually just gave it up. I am getting rid of Google Workspace and have been planning a migration to Proton for two domains. But this sounds like a fun project. Any advice? I am going to check out Mox and Stalwart.
What providers are good hosting candidates, I have a website on DO, but from my understanding their entire ranges are blacklisted heavily.
If I remember rightly DO have some restrictions like port 25 on ipv6 outbound being blocked.
I can't speak for all of them but I use mythic beasts in the UK for one mail server (they are a very knowledgeable old school host) and it has been good. I also have dedicated with OVH which is fine, and a couple small scale (eg simplelogin, a notification server) with IONOS but they only deliver to me so I can't say how reliably they deliver elsewhere.
Mox is great but I think it's still alpha. I've been using it for 2 years in production for a small traffic domain. The other I use Exim (with mythic beast's Sympl that sets it up) but it's a little more hands on at the beginning
I imagine an agent would make a lot of the first time setup from scratch easier, but the fastest reliable way to get up and running is mail-in-a-box or mailcow. Before those were available I built a flurdy style Postfix+Courier+Amavisd+MySQL setup and have been evolving it ever since. Now I'm on Postfix+Dovecot+rspamd+MySQL but I don't think that's for everyone or even the best way to start.
The science of not getting flagged is easy when you're not sending large volumes of untrusted mail; it only gets complicated if you start hosting mail for "customers" or let your system forward mail unfiltered into gmail/yahoo.
Here's my hit list of universal things to configure:
* Start with an IP with good or neutral reputation, non-residential, its nearly impossible to fix an IP that has been burned by a spammer. (Network)
* Valid reverse dns for your IP matching your mailhost forward dns (DNS)
* Valid SPF record; -all (DNS)
* Valid DKIM; with sufficiently sized key (DNS+Config)
* Valid DMARC; start with p=none to test and move to p=reject once you're configured (DNS)
* ARC if you or your users will ever possibly forward mail (Config)
* Don't get your messages flagged as spam anywhere ever, filter outbound mail even if its just you. All it takes is one piece of malware and a saved password and you'll have to get a new IP. (Config)
* Don't configure services behind your mail server with example domains that you don't control ~ I get so much mis-configured test mail from people who think its cute to use my domain as an example in their practice lab. It all gets reported as spam or bounces and then their smart host bounce rate goes up. (Config)
* Test for open relay; only relay for authenticated users. (Config)
* Use strong authentication, preferably with certificates or MFA. (Config)
* Secure everything; IMAP/SMTP/POP are old AF make sure you're requiring STARTTLS and setup MTA-STS to prevent downgrade attacks and enforce encryption in transit. Use a real certificate from Lets Encrypt don't self-sign. (DNS+http+Config)
* fail2ban your auth, you're going to get so much driveby password spraying and credential stuffing; I fail2ban block entire subnets at a time with iptables actions. I also have a bunch of "poison pill" rules for weird stuff I see in my logs eg block anyone who tries to auth with the NTLM hash for 'password'. (Config)
* Don't bother with BIMI at home, you can't get a blue check mark without deep pockets and a trademark (vmc) and most platforms only show logos that have a matching vmc. (DNS+https+config)
* DMARC reporting and TLS-RPT reporting are a pain to manage but are helpful troubleshooting deliverability be prepared to read some XML reports or setup a stack to parse them as they arrive (DNS + Config + https)
* setup the SMTP Submission port (587), so many networks block port 25 outbound and its the right way for clients to connect. (Config)
* configure BACKUPS, don't skip this step, encrypted restic backups to s3 or backblaze b2 is cheap and easy. (config)
* track your configs in git, don't commit secrets. (config)
* configure a free blacklist monitor on mxtoolbox for your domain(s) (config)
If you do those things you'll be in a pretty good spot, you could probably paste that list/this post into your agent and vibe up solid mailserver.
For me keeping the spam and phishing out is a bigger hassle than deliverability issues. rspamd does a pretty good job of keeping it manageable.
I do all of those things and with all of that setup the only place I ever run into issues with with users on AT&T's residential broadband mail servers. AT&T appears to block you if you're not known to them and they have a short memory. If you don't have regular correspondence with AT&T users they will block you after a bit. I'm a fairly low volume sender so I end up blocked every other time I try to send to AT&T by no fault of my own. I've talked most of those friends off of AT&Ts free email and on to ProtonMail at this point.
A VPS or cheap dedicated is enough to get the static IP. I have very few problems with email, I use one VPS and one dedicated server though some zealots would argue a vps isn't self hosting
Halifax UK. It just refuses to work so I left it (Graphene is more secure, so forcing less security for the sake of tracking is off the cards). All the other banks so far say they won't work without Google services but if I click OK they work
Not OP, but I've been on GrapheneOS for a few years and I have no problem with Chase, CiT or Wealthfront. I mostly use them to check balances and unlock debit cards, but they all login and function fine.
> One bank refused to work (even with Google services) so I moved bank
Banks are implementing terrible "security" checks. Users of alternative OSes should be a lot more vocal: change bank, but also complain a lot to the offending one, and make sure to leave them a bad review on the Play Store.
Actually people not using an alternative OS but caring about that should also leave bad reviews to those banks on the Play Store.
At the end of the day, the problem comes from humans in those banks who don't understand and don't give a shit. The only way to make them care about it is to complain enough that it becomes their problem.
When I had a jailbroken iPhone my bank app (HSBC) would detect it and show a warning but let you continue anyway at your own risk, which I thought was a reasonable compromise
This should be the way. Have a tiny burner phone for maps and any apps that you absolutely can't use without google(it should be a tiny set of < 10 apps hopefully) until you can fully de-google
My current de-google project is categorizing all my pictures on my local NAS to create the memories feature (where it shows historic pics on multiple theme axes). You can get really far with just a few hours of work a month to de-google and some off the shelf image embeddings.
The hero project in this category — what one cannot do trivially as an indie dev — is creating a great fresh PoI dataset. This is tough to do on a planetary scale because its a societal cooperation problem.
The problem with this is gmaps. There is no alternative to it and by the nature of it knowing your location it removes anonymity. I would buy, or even pay a monthly fee, for something that is 75% as good as gmaps but respects your privacy but there is nothing out there I have found.
I don't get how Samba is not there yet. We already have everything in the OS, the UI, the mental model, the protocols, how come it's such a terrible experience that we need to re-invent the wheel in web 2.0.. Maybe we need a Jarred Sumner to fix it.
Samba has never been about file sharing over the internet. The project has been about cleanroom-reverse-engineering specific MS technology. To start it was NT4 authentication domains, then printing services, along the way SMBv1 (commonly incorrectly called CIFS btw), then SMBv2 v3.x, and then in 2012 Samba Active Directory.
In no way has it ever been about a functional alternative to something like Nextcloud. It's been about services primarily for LAN functionality, not stuff that should be going over the internet (mostly for security reasons).
So your expectations really don't align with what Samba has ever been about.
Source: I professionally support Samba for businesses.
I have nothing but issues with it, mostly because the iOS/Android apps are notoriously bad at syncing the files timely and also because of ridiculous filename restrictions on Android.
Is not the same though. It requires downloading the entire shared folder. That doesn't work when I have 100+GB of files and I want to share it with my phone
If you dont need filesharing, you can just setup wireguard, setup a network drive on your phone's files app.l, and then when connected it'll feel like native file browsing.
It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet