1. 21
  1.  

  2. 7

    “Open-source email software is complicated to set up if you were not a sysadmin in the 90’s.”

    vs

    “Mailu is a simple yet full-featured mail server as a set of Docker images.”

    Unsurprisingly I see dovecot, postfix, nginx, rspamd in the repo.

    1. 4

      I looked at Mailu briefly. Yes, it seems to just repackage all the standard e-mail services.

      There’s also Maddy which seems to be a totally integrated server implementation.

      I currently run all my e-mail on an OpenBSD VM using opensmtpd, but I want to move it to my main/dedicated Linux server and have been looking at both Mailu and Maddy.

      1. 1

        There are several more, yes. I’ve only looked at sovereign, mailcow and docker-mailserver (I use the latter).

      2. 3

        Hah, I guess you’re right, Mailu is open source too. “Open-source email software is complicated to set up” was referring to manually setting up all of those services, which I think is still complex. Luckily, all the 90’s sysadmins got together and pre-configured the Mailu images to all talk to each other and to have reasonable defaults.

      3. 6

        I think the importance of choosing the right email service provider for an “outgoing SMTP relay” is glossed over in this post. Using a provider to send email has no advantages over using a VPS if their IP addresses are regularly being added to spam blacklists because they have hacked accounts that are sending phishing emails.

        I was a SendGrid customer last summer. Because I rented my own IP addresses, I assumed I wouldn’t be affected, but it took weeks for them to acknowledge customer support queries, much less respond to them.

        1. 3

          My thoughts exactly when I saw that. I don’t really think this could be classified as true self hosting if all you’re doing is shipping your mail off to another provider. I love the thought of doing this, but not the practicality and maintenance overhead associated with it all.

          I’ve been with Fastmail for quite some time now and couldn’t be happier with it.

          1. 3

            In comparison, I have a tiny Vultr VM that runs my outgoing SMTP server and nothing else. You have to contact their technical support to enable outbound SMTP and let them know the reason (personal email) and volume (tiny) of email, and then they enable it. I’ve not had any problems with any large provider blocking this IP. Their $3.50/month plan gives you an IPv4 address and more than enough RAM and CPU for a workload that happily ran on a 100 MHz Pentium with 32 MiB of RAM as a background task among many others.

            As far as I’m aware, most providers track multiple kinds of reputation. They’ll block entire IP ranges if the owner doesn’t respond to complaints about spam (which is why folks like Vultr make blocking outbound SMTP a default: you can’t automatically register 1000 accounts for sending spam and if they receive reports of large volumes of spam then they can block access until you fix things). They’ll typically block individual IPs for short periods, given that they can be recycled quickly, and not hit problems. They may block (or, rather, divert to spam folders) an entire domain if it sends a lot of spam. Most of them check SPF / DKIM things so if email claims to come from your domain but doesn’t have the correct origin / signatures then they won’t count it as spam from you.
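The SPF / DKIM / DMARC checks mentioned above, as an added example that is not code from the thread or from Mailu: a simplified SPF evaluator (RFC 7208 subset: ip4, ip6, include and all only; no a, mx, ptr, exists or redirect) plus a DMARC policy lookup that decides what a receiver should do once SPF and DKIM results and the identifiers they covered are known. Every DNS record, domain and IP address in it is constructed for illustration, and the alignment rule is an approximation of RFC 7489 relaxed alignment (same domain or parent/child, rather than the organisational domain).

```python
"""Simplified SPF (RFC 7208) and DMARC (RFC 7489) evaluation.

Added example, not code from the thread or from Mailu.  Only the ip4, ip6,
include and all mechanisms are handled, and every DNS record below is
constructed for illustration.
"""
import ipaddress

# Constructed DNS TXT records; a real receiver fetches these over DNS.
DNS_TXT = {
    "example.org": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 caps DNS-querying mechanisms at 10


def check_host(ip, domain, dns=DNS_TXT, _lookups=None):
    """SPF check_host(): return pass/fail/softfail/neutral/none/permerror."""
    addr = ipaddress.ip_address(ip)
    _lookups = [0] if _lookups is None else _lookups
    record = dns.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"  # also catches include: loops
            inner = check_host(ip, arg, dns, _lookups)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):
                return "permerror"  # RFC 7208 section 5.2: included record missing is an error
            # fail/softfail/neutral inside the include: not a match, keep going
        else:
            return "permerror"  # mechanism not supported by this simplified evaluator
    return "neutral"  # record ended without an "all" term and nothing matched


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=DNS_TXT):
    """Apply the From: domain's published DMARC policy.

    A message passes DMARC when SPF or DKIM passed *and* the identifier it
    authenticated (MAIL FROM domain for SPF, d= for DKIM) aligns with the
    From: header domain.  Alignment is approximated as same domain or a
    parent/child of it (assumption; RFC 7489 relaxed mode uses the
    organisational domain).
    """
    from_domain = from_domain.lower()
    rec = dns.get("_dmarc." + from_domain)
    if rec is None or not rec.lower().startswith("v=dmarc1"):
        return "none"  # no policy published; the receiver falls back to its own heuristics
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    policy = tags.get("p", "none").strip().lower()

    def aligned(d):
        d = d.lower()
        return d == from_domain or d.endswith("." + from_domain) or from_domain.endswith("." + d)

    if (spf_result == "pass" and aligned(spf_domain)) or (dkim_result == "pass" and aligned(dkim_domain)):
        return "pass"
    return policy  # none, quarantine or reject: what the domain asked receivers to do
```

The point of `dmarc_disposition` is the one made in the comment: an SPF pass for a relay's own bounce domain does nothing for your reputation unless the authenticated identifier aligns with your From: domain, which is why a relay that DKIM-signs with your `d=` (or that you list in your own SPF record) matters more than which IP it happens to send from.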

            1. 2

              I use a Vultr openbsd VM for my e-mail. It’s the only thing I haven’t moved over to my dedicated server. I’ve still had issues in the past with e-mail not making it to the big servers, but I think it’s been getting better (fewer people tell me my e-mail went straight to spam, even for people I haven’t e-mailed before).

              I fear if I move off of that VM to a new IP address, I’d probably start facing all those issues again, even with correct SPF, DKIM, DMARC, etc. That’s just the nature of over-aggressive e-mail filters.

              1. 3

                I fear if I move off of that VM to a new IP address, I’d probably start facing all those issues again, even with correct SPF, DKIM, DMARC, etc. That’s just the nature of over-aggressive e-mail filters.

                I have the same setup as you (Vultr), and if it’s any consolation, I just migrated my email to a new server and new IP, and have had no issues so far :).

                I agree that email filters seem to have gotten less strict. I’ve only had issues sending mail to Yahoo mail lately.

                1. 2

                  I suspect that there are different rules for known and unknown domains. If your domain has a history of not sending spam, it probably doesn’t matter where it’s coming from: if you have a solid reputation and you have DKIM / SPF so that emails you send are accounted to your reputation, it will be received correctly.

              2. 1

                So you were affected despite having a dedicated address?

              3. 5

                Is Docker a hard requirement? I’d love to see an article on getting Mailu running on FreeBSD or HardenedBSD. But if Docker’s a hard requirement, then software portability’s a no-go.

                1. 1

                  I think Mailu is only available as a set of Docker images, based on their documentation.

                  1. 13

                    It saddens me when developers choose Docker, which in reality is an “open source vendor lock-in” tool. Enforcing the use of Docker places arbitrary limits on how the project can be used.

                    Software monocultures are bad.

                    1. 6

                      Assuming:

                      1. Maybe Docker takes full advantage of Linux-specific features like cgroups, so porting (it and the dependent Dockerfiles using it) would be difficult
                      2. Maybe Docker can instead mostly be generalized to jails, but the tooling doesn’t exist (and good luck on OSes without a concept, like OpenBSD!)
                      3. The alternative is a pile of shell scripts that mutate a system in place, welcome to suffering

                      Why should they bend over backwards to make deployment harder and less maintainable, especially when Docker has significant mindshare already? This seems like the kind of portability that maintainers don’t like to hear; it feels like kneecapping yourself for a small few. (I say this as someone who ports software to weird platforms professionally and runs FreeBSD on a server.)

                      Disclaimer: I’ve used Docker (well, podman) once, and because the alternative was installing Db2 myself.

                      1. 6

                        I generally don’t like to use Docker even on Linux because it trades off a little bit of complexity of running serverd and setting up cgroups vs. the massive beast that is Docker and its 90M dockerd that needs to run as root and does all sorts of automagic stuff. dockerd is exactly the sort of thing I would put in a container, ironically.

                        runc is okay though, and what I use if I really want to run a container image.

                        1. 1

                          Docker services are also like blue/red “functions” we’ve had here previously. Have fun trying to talk from a docker container to a mariadb instance on your host etc, you’ll end up making the mariadb server also a container, just so you don’t have to deal with changing the docker-owned iptables rules and stuff like “what is the IP address of my container/host”. And if you’re running a good proxmox cluster you’ll already have a multitude of VMs to isolate services but don’t want to have a host with a VM with a docker container, just because somebody decided it’s funnier for deployment to them. You can “easily” package something debian native into docker, but the other way around is annoying as hell. Even worse: most of the time such a project may not even have any kind of docs about what you need if you’re trying to set this up by yourself. And I’ve been the producer of such a project once, it’s still annoying as hell for people that do not just stuff everything into docker.

                      2. 2

                        Docker images are less locked in than you think (or than this comment makes it look). The actual image format is an open specification and can be converted or used directly with other container orchestration tools.

                        1. 1

                          Except if you don’t want any fancy orchestration tools because you’re running a bunch of VMs with KVM & Ceph as an HA cluster.

                          1. 1

                            Sure, but I said less locked in, not “Not locked in at all”.

                            That said, I wonder how hard it would be to convert a dockerfile or an OCI image into a VM image … Maybe there’s even something out there already

                        2. 1

                          From my point of view, I’d build something like this in Docker because… well, I know how to use Docker, everyone I’ll share my project with knows how to use Docker. I’m actually not well versed in the alternatives. What would you recommend someone to use who wants to set up a project like Mailu, that isn’t Docker?

                          1. 3

                            I’m primarily a BSD user, where Docker’s not supported. I haven’t run Linux in any serious capacity in well over a decade. I get that projects like this have a bunch of moving parts. Shell scripts and configuration management tools can help simplify things.

                            If I wanted to use Mailu on the BSDs, I’d have a lot of headaches ahead of me. And, even then, I might fail if there are dependencies on other Linux-only projects (for example: SystemD).

                            1. 2

                              I’m not a fan either but in this case it solves a problem. “A set of n packages (not sure if they are all packaged for this OS version) with m configs that all play well together.”

                              There’s also sovereign which solves the same problem for one host OS version via an ansible playbook, but even if your OS of choice has all the packages, most seem to lack this “I want a dedicated set of configs”.

                              1. 2

                                A set of n packages (not sure if they are all packaged for this OS version)

                                I’m a huge fan of helping out with the package system. For me, if the project in question doesn’t exist in the package repo, the project won’t get used at all. Everything must reside in the package repo for me. If it’s not there, then I add it.

                    2. 3

                      While I agree that there are a lot of evil actors out there in the mail space, and even with a preconfigured setup like this, email is so important to communication and account and identity verification that I don’t know that I would trust myself not to forget to update for a new security vulnerability or not to accidentally fail to pay a monthly server bill. How would I contact support without email to contact support? There are a lot of smart, inexpensive, privacy-respecting service providers out there running the same FOSS stack that dedicate themselves to making sure all is well. Why should I choose to self-host?

                      1. 3

                        Basically this is a guide to setting up Mailu: https://mailu.io/1.7/

                        Mailu looks interesting but I’m running all of the same major pieces myself on a $5 VPS. (Plus some other services.) It only has 1G of memory so I can’t really afford the overhead of docker. But I’ll definitely give it some serious thought when it’s time to rearrange the deck chairs.

                        I assume the author’s definition of self-hosted is “running everything off a raspberry pi hanging off residential cable internet” because any reasonable VPS provider is going to have clean IP blocks and will help you if their IPs are blacklisted anywhere. Thus negating the need to rely on a third-party outgoing relay.

                        A good chunk of the article is spent configuring a backup SMTP server and syncing IMAP… I feel like the author didn’t know that SMTP is already a store-and-forward system… Yes, you can have multiple incoming SMTP servers for high-availability but unless you’re a big company or an ISP you probably don’t need them. If your mail server is down, any RFC-compatible system will queue and retry delivery, usually for up to 24 hours.

                        Also fetching mail from the backup server via IMAP seems bonkers to me… again, SMTP is store-and-forward, the backup server can simply be a relay that delivers to your main server and just holds it in a queue when the main server can’t be reached.

                        1. 4

                          Mailu looks interesting but I’m running all of the same major pieces myself on a $5 VPS. (Plus some other services.) It only has 1G of memory so I can’t really afford the overhead of docker.

                          What overhead? It’s just a glorified fork with chroot?

                          1. 4

                            I feel like the author didn’t know that SMTP is already a store-and-forward system

                            I did in fact know this 🙂 But it’s not enough for my scenario. To expand, my personal self-hosted setup runs off of a machine in my house. It’s possible that if I were outside of the country and something catastrophic happened, it could be offline for an indeterminate amount of time. Possibly weeks. MTAs will stop retrying after some time and bounce the mail. So for my scenario, having a reliable backup MX is crucial.

                            I had an interesting discussion on Reddit about exactly this, with some anecdotes about how common MTAs handle downed MX servers: https://reddit.com/r/selfhosted/comments/ogdheh/setting_up_reliable_deliverable_selfhosted_email/h4itjr5

                            the backup server can simply be a relay that delivers to your main server and just holds it in a queue when the main server can’t be reached.

                            An SMTP relay with an infinite retention time would be a good way to achieve this as well. Though, with Google Workspaces already set up on all my domains, I didn’t want to spend additional effort reconfiguring all my MX records to point to a separate SMTP server, let alone paying for/setting up such a service. So this bonkers IMAP setup was the way for me!
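The store-and-forward behaviour argued over in the last few comments (sender retries against a down MX, eventual bounce, and a backup MX that holds mail until the primary returns), as an added example that is not code from the thread or from any MTA: a small simulation of MX ordering per RFC 5321 section 5.1, retry with growing backoff, bounce after a queue lifetime, and the two-hop path through a backup MX with either a bounded or an unbounded queue. The host names, the three-week outage, the 5-minute-to-4-hour backoff steps and the 5-day lifetime (comparable to Postfix's documented `maximal_queue_lifetime` default of 5d, but chosen here as an assumption) are all constructed for this script.

```python
"""Store-and-forward delivery with a backup MX: a small simulation.

Added example, not code from the thread or from any real MTA.  Host names,
the outage, the backoff schedule and the 5-day queue lifetime are assumed
values for illustration.
"""
from dataclasses import dataclass
import random

MINUTE, HOUR, DAY = 60, 3600, 86400
PRIMARY = "mail.home.example"   # the machine in the house (assumed name)
BACKUP = "mx2.relay.example"    # the always-on secondary MX (assumed name)


@dataclass
class MXRecord:
    preference: int
    host: str


@dataclass
class Outage:
    host: str
    start: int  # seconds since t=0; the host is unreachable while start <= t < end
    end: int


@dataclass
class QueuedMessage:
    id: str
    queued_at: int
    attempts: int = 0


def mx_order(records, rng=None):
    """RFC 5321 section 5.1: lowest preference first, equal preferences in random order."""
    rng = rng or random.Random(0)
    shuffled = list(records)
    rng.shuffle(shuffled)
    return [r.host for r in sorted(shuffled, key=lambda r: r.preference)]


def reachable(host, t, outages):
    return not any(o.host == host and o.start <= t < o.end for o in outages)


def deliver(msg, records, outages, queue_lifetime=5 * DAY, max_backoff=4 * HOUR):
    """Try every MX in order; on total failure wait, then retry.

    Returns ("delivered", host, t) or ("bounced", None, t).  Backoff doubles
    from 5 minutes up to max_backoff; the message is returned to sender once
    it has waited queue_lifetime seconds.  With an infinite lifetime the loop
    only ends when some outage ends, so outages must be finite.
    """
    t = msg.queued_at
    backoff = 5 * MINUTE
    while True:
        msg.attempts += 1
        for host in mx_order(records):
            if reachable(host, t, outages):
                return ("delivered", host, t)
        if t - msg.queued_at >= queue_lifetime:
            return ("bounced", None, t)
        t += backoff
        backoff = min(backoff * 2, max_backoff)


def end_to_end(msg, records, outages, backup_queue_lifetime=None):
    """Sender -> primary or backup, then backup -> primary with its own queue.

    backup_queue_lifetime=None means the backup keeps the message indefinitely,
    i.e. the "infinite retention" relay.  Returns (status, final_time).
    """
    status, host, t = deliver(msg, records, outages)
    if status != "delivered" or host == PRIMARY:
        return status, t
    lifetime = float("inf") if backup_queue_lifetime is None else backup_queue_lifetime
    hop = QueuedMessage(msg.id, queued_at=t)  # the backup now owns the message
    status, _, t = deliver(hop, [MXRecord(0, PRIMARY)], outages, queue_lifetime=lifetime)
    return status, t


# Constructed scenario: the home server is offline for three weeks.
THREE_WEEK_OUTAGE = [Outage(PRIMARY, 0, 21 * DAY)]
ONLY_PRIMARY = [MXRecord(10, PRIMARY)]
WITH_BACKUP = [MXRecord(10, PRIMARY), MXRecord(20, BACKUP)]

if __name__ == "__main__":
    print(deliver(QueuedMessage("a", 1 * HOUR), ONLY_PRIMARY, THREE_WEEK_OUTAGE))
    print(end_to_end(QueuedMessage("b", 1 * HOUR), WITH_BACKUP, THREE_WEEK_OUTAGE))
    print(end_to_end(QueuedMessage("c", 1 * HOUR), WITH_BACKUP, THREE_WEEK_OUTAGE, 5 * DAY))
```

Run as written, the three prints show the three outcomes under discussion: a lone MX that is down for weeks gets the message bounced after the sender's queue lifetime; a backup MX accepts it immediately; and only a backup that holds mail for longer than the outage (here, indefinitely) gets it to the primary, while a backup with an ordinary 5-day queue bounces it just like the sender would have.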

                            1. 1

                              Historically, spammers would target lower priority MX because they would often not have the anti spam measures configured. It looks like in your scenario you won’t get your own anti spam measures applied, but you will get Google’s, whether you want it or not.

                            2. 2

                              It only has 1G of memory so I can’t really afford the overhead of docker.

                              I’ve forgotten how much memory my VPS has but it’s not likely more than 2G and I think we are running a couple of Docker containers. Is the daemon really RAM hungry?

                              1. 3

                                I checked on one of my VPSs and it uses 50MB. I don’t think that that is too bad. Could be less, sure, but not the end of the world.

                              2. 1

                                It only has 1G of memory so I can’t really afford the overhead of docker.

                                I’ve run multiple docker containers on a host with 1G of memory. Other than the daemon itself, each container is just a wrapper for cgroups.