15 August, 2019

Setting up my personal mailserver

This is probably a terrible idea...

 A mailserver was a long time coming. I'd made an attempt at setting one
 up around 4 years ago (ish), and IIRC, I quit when it came to DNS. And
 I almost did this time too.[1]

 For this attempt, I wanted a simpler approach. I recall how terribly
 confusing Dovecot & Postfix were to configure and hence I decided to
 look for a containerized solution that, most importantly, runs on my
 cheap $5 Digital Ocean VPS -- 1 vCPU and 1 GB memory, of which only
 around 500 MB is actually available. So yeah, pretty tight.

What's available

 Turns out, there are quite a few of these OOTB, ready-to-deploy
 solutions. These are the ones I came across:
 * [2]poste.io: Based on an "open core" model. The base install is
 open source and free (as in beer), but you'll have to pay for the
 extra stuff.
 * [3]mailu.io: Free software. Draws inspiration from poste.io, but
 ships with a web UI that I didn't need.
 * [4]mailcow.email: These fancy domains are getting ridiculous. But
 more importantly they need 2 GiB of RAM plus swap?! Nope.
 * [5]Mail-in-a-Box: Unlike the ones above, not a Docker-based
 solution but definitely worth a mention. It, however, needs a fresh
 box to work with. A box with absolutely nothing else on it. I can't
 afford to do that.
 * [6]docker-mailserver: The winner.

So... docker-mailserver

 The first thing that caught my eye in the README:

 Recommended:
 * 1 CPU
 * 1GB RAM

 Minimum:
 * 1 CPU
 * 512MB RAM

 Fantastic, I can somehow squeeze this into my existing VPS. Setup was
 fairly simple & the docs are pretty good. It employs a single .env file
 for configuration, which is great. However, I did run into a couple of
 hiccups here and there.

 One especially nasty one was docker / docker-compose running out of
 memory:
Error response from daemon: cannot stop container: 2377e5c0b456: Cannot kill container 2377e5c0b456226ecaa66a5ac18071fc5885b8a9912feeefb07593638b9a40d1: OCI runtime state failed: runc did not terminate sucessfully: fatal error: runtime: out of memory

 But it eventually worked after a couple of attempts.

 The next thing I struggled with -- DNS. Specifically, the step where
 the DKIM keys are generated.[7] The output under
 config/opendkim/keys/domain.tld/mail.txt
 isn't exactly CloudFlare friendly; it can't be directly copy-pasted
 into a TXT record.

 This is what it looks like.
mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
    "p=<key>"
    "<more key>" ) ; -- -- DKIM key mail for icyphox.sh

 But while configuring the record, you set "Type" to TXT, "Name" to
 mail._domainkey, and the "Value" to what's inside the parentheses ( ),
 removing the quotes "" (the quoted pieces form one continuous string).
 Also remove the part that appears to be a comment ; -- -- ....

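 That conversion is easy to get wrong by hand, so here is an added example (my own code, not docker-mailserver's or the post's) that parses the mail.txt layout shown above into a record name and a single pasteable value, with a few sanity checks; the key text in the sample is a constructed placeholder.

```python
import re

# Constructed sample in the layout OpenDKIM writes to mail.txt; the p= value
# is a placeholder, not a real RSA key.
SAMPLE_MAIL_TXT = '''mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "
\t  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholderkey"
\t  "morekeybytesplaceholder" )  ; ----- DKIM key mail for domain.tld
'''

def parse_opendkim_txt(text):
    """Return (record_name, txt_value) from an OpenDKIM mail.txt file.

    Zone-file syntax splits the value into several quoted strings inside
    ( ... ) and appends a ';' comment; a DNS web UI wants one plain string.
    """
    name = text.split()[0]
    start, end = text.find("("), text.find(")")
    if start == -1 or end < start:
        raise ValueError("no parenthesised TXT data found")
    body = text[start + 1:end]          # everything after ')' is the comment
    # adjacent quoted strings are concatenated with nothing in between
    return name, "".join(re.findall(r'"([^"]*)"', body))

def dkim_tags(value):
    """Split 'v=DKIM1; h=sha256; k=rsa; p=...' into a tag -> value dict."""
    tags = {}
    for part in value.split(";"):
        if part.strip():
            tag, _, val = part.partition("=")
            tags[tag.strip()] = val.strip()
    return tags

def check_dkim_value(value):
    """Sanity checks worth running before pasting the value into the UI."""
    tags, problems = dkim_tags(value), []
    if '"' in value:
        problems.append("stray quote marks: the quotes must be stripped")
    if tags.get("v") != "DKIM1":
        problems.append("v=DKIM1 tag missing")
    if tags.get("k", "rsa") != "rsa":
        problems.append("key type is not rsa")
    if not tags.get("p"):
        problems.append("empty p= tag, which DKIM verifiers treat as revoked")
    return problems

def split_txt_strings(value, limit=255):
    """Chunk a long value into the <=255-octet strings TXT uses on the wire."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]
```

 A real 2048-bit key gives a value well over 255 octets; the provider has to publish it as several strings, which is what split_txt_strings shows and what Cloudflare's UI hides from you.
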
 To simplify debugging DNS issues later, it's probably a good idea to
 point to your mailserver using a subdomain like mail.domain.tld using
 an A record. You'll then have to set an MX record with the "Name" as @
 (or whatever your DNS provider uses to denote the root domain) and the
 "Value" to mail.domain.tld. And finally, the PTR (pointer) record,
 which is the reverse of your A record -- "Name" as the server IP and
 "Value" as mail.domain.tld. I learnt this part the hard way, when my
 outgoing email kept getting rejected by Tutanota's servers.

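 As an added example (not part of the post), here is the A / MX / PTR consistency check that would have flagged the missing reverse record before a receiver did; the zone dictionaries stand in for real DNS lookups and use placeholder names and IPs.

```python
# Constructed resolver answers standing in for real DNS lookups; the
# domain, host and IP are placeholders. Swap in real lookups (for example
# with dnspython) to run the same checks against a live setup.
GOOD_ZONE = {
    "A":   {"mail.example.org": "203.0.113.10"},
    "MX":  {"example.org": ["mail.example.org"]},
    # The PTR lives in the reverse zone, which the VPS provider controls,
    # not the DNS host that serves the domain.
    "PTR": {"203.0.113.10": "mail.example.org"},
}

# Same setup with the reverse record never created: the situation that
# gets outgoing mail rejected by strict receivers.
NO_PTR_ZONE = {"A": GOOD_ZONE["A"], "MX": GOOD_ZONE["MX"], "PTR": {}}

def check_mail_dns(domain, mail_host, zone):
    """Return a list of problems with the A / MX / PTR records for mail_host.

    Many receivers require forward-confirmed reverse DNS: the connecting
    IP must have a PTR, and that PTR name must resolve back to the IP.
    """
    problems = []
    ip = zone["A"].get(mail_host)
    if ip is None:
        problems.append(f"no A record for {mail_host}")
    mx_targets = zone["MX"].get(domain, [])
    if not mx_targets:
        problems.append(f"no MX record for {domain}")
    elif mail_host not in mx_targets:
        problems.append(f"MX for {domain} points at {mx_targets}, "
                        f"not {mail_host}")
    if ip is not None:
        ptr = zone["PTR"].get(ip)
        if ptr is None:
            problems.append(f"no PTR record for {ip}")
        elif zone["A"].get(ptr) != ip:
            problems.append(f"PTR {ptr} does not resolve back to {ip}")
        elif ptr != mail_host:
            problems.append(f"PTR {ptr} differs from the MX host {mail_host}")
    return problems
```
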
 Yet another hurdle -- SSL/TLS certificates. This isn't documented very
 well, unless you read through the [8]wiki and look at an example. In
 short, install certbot, have port 80 free, and run
$ certbot certonly --standalone -d mail.domain.tld

 Once that's done, edit the docker-compose.yml file to mount
 /etc/letsencrypt in the container, something like so:
...

volumes:
  - maildata:/var/mail
  - mailstate:/var/mail-state
  - ./config/:/tmp/docker-mailserver/
  - /etc/letsencrypt:/etc/letsencrypt

...

 With this done, you shouldn't have mail clients complaining about wonky
 certs for which you'd otherwise have to add an exception manually.

Why would you...?

 There are a few good reasons for this:

Privacy

 No really, this is the best choice for truly private email. Not
 ProtonMail, not Tutanota. Sure, they claim so and I don't dispute it.
 Quoting Drew DeVault[9],

 Truly secure systems do not require you to trust the service
 provider.

 But you have to trust ProtonMail. They run open source software, but
 how can you really be sure that it isn't a backdoored version of it?

 When you host your own mailserver, you truly own your email without
 having to rely on any third party. This isn't an attempt to spread FUD.
 In the end, it all depends on your threat model(TM).

Decentralization

 Email today is basically run by Google. Gmail has over 1.2 billion
 active users. That's obscene. Email was designed to be decentralized
 but big corps swooped in and made it a product. They now control your
 data, and it isn't unknown that Google reads your mail. This again
 loops back to my previous point, privacy. Decentralization guarantees
 privacy. When you control your mail, you subsequently control who reads
 it.

Personalization

 Can't ignore this one. It's cool to have a custom email address to
 flex.

 x@icyphox.sh vs gabe.newell4321@gmail.com

 Pfft, this is no competition.
 __________________________________________________________________

 1. My [10]tweet of frustration.
 2. [11]Link to step in the docs.
 3. From his [12]article on why he doesn't trust Signal.

References

 1. https://icyphox.sh/home/icy/leet/site/build/blog/mailserver/temp.html#fn:1
 2. https://poste.io/
 3. https://mailu.io/
 4. https://mailcow.email/
 5. https://mailinabox.email/
 6. https://github.com/tomav/docker-mailserver/
 7. https://icyphox.sh/home/icy/leet/site/build/blog/mailserver/temp.html#fn:2
 8. https://github.com/tomav/docker-mailserver/wiki/Installation-Examples
 9. https://icyphox.sh/home/icy/leet/site/build/blog/mailserver/temp.html#fn:3
 10. https://twitter.com/icyphox/status/1161648321548566528
 11. https://github.com/tomav/docker-mailserver#generate-dkim-keys
 12. https://drewdevault.com/2018/08/08/Signal.html
162 12. https://drewdevault.com/2018/08/08/Signal.html