Moving to self-hosted email
They say it is hard and scary… but is it?
I had in mind to host my own email server for some time now. I managed a couple of email servers in the past (20 years ago, how time flies), at my first job, back when having an email server was not seen as strange.
Those were different times though, and it was much easier: buy a domain, set a couple of DNS records, set up a server that is not an open relay, and you’re done. These days? A bit more complicated.
If you don’t want to be ignored by major mail providers (and by ignoring, I mean that your mail will be routed to /dev/null without a single notice), your server needs a few more security-related features.
The most important, the “don’t even bother if you don’t implement them” feature set, seems to be:
Very briefly, SPF is a method to list the IP addresses and domains that are allowed to send mail on your behalf, so nobody else can pretend to be one of your servers. DKIM is a method to sign the mails that your server sends, so that the receiver can check that the signature is valid. DMARC provides a way for you to decide how unvalidated or unsigned messages are to be handled by other mail servers. PTR is a DNS record used for reverse lookup of a domain name from an IP address. Many mail servers block emails if the name advertised by your mail server doesn’t match its PTR record.
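To make the three DNS-side checks concrete, here is an added example (my own illustration, not code from the post or from any of the mail servers it mentions) that evaluates SPF, reads a DMARC policy and does a forward-confirmed PTR check the way a receiving server would. It runs against a constructed in-memory DNS table, so every domain and address in it is a placeholder; DKIM is left out because verifying it needs a signed message and the published public key, not just DNS.

```python
"""Evaluate SPF, DMARC and PTR for a sender, against a constructed DNS table.

All names and addresses below are placeholders (documentation ranges), not
real hosts. The table stands in for the DNS lookups a receiver would do.
"""
import ipaddress

# Constructed records: what a small self-hosted setup would publish.
DNS = {
    ("example.org", "TXT"): ["v=spf1 mx ip4:203.0.113.10 include:_spf.side-project.example -all"],
    ("_spf.side-project.example", "TXT"): ["v=spf1 ip6:2001:db8::/32 -all"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["203.0.113.10"],
    ("_dmarc.example.org", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org; adkim=s"],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.example.org"],
}


def lookup(name, rtype):
    """Stand-in for a DNS query: returns the list of records, or [] if none."""
    return DNS.get((name, rtype), [])


# SPF qualifiers map a matching mechanism to a result.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none',
    'permerror') for sender_ip claiming to send mail from @domain."""
    if depth > 10:  # RFC 7208 caps include: recursion to stop lookup loops
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if len(records) != 1:  # no SPF at all, or an ambiguous double record
        return "none" if not records else "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # 'in' is False when address and network families differ
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "a":
            matched = sender_ip in lookup(value or domain, "A")
        elif name == "mx":
            matched = any(sender_ip in lookup(mx, "A") for mx in lookup(value or domain, "MX"))
        elif name == "include":
            matched = check_spf(value, sender_ip, depth + 1) == "pass"
        if matched:  # first matching mechanism decides
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term


def parse_dmarc(domain):
    """Return the DMARC tags for domain as a dict, or None if none published."""
    records = [r for r in lookup("_dmarc." + domain, "TXT") if r.startswith("v=DMARC1")]
    if len(records) != 1:
        return None
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_ptr(sender_ip, helo_name):
    """Forward-confirmed reverse DNS: the PTR for the IP must give the HELO
    name, and that name must resolve back to the same IP."""
    reverse_name = ipaddress.ip_address(sender_ip).reverse_pointer
    return helo_name in lookup(reverse_name, "PTR") and sender_ip in lookup(helo_name, "A")


if __name__ == "__main__":
    for ip in ("203.0.113.10", "2001:db8::1", "198.51.100.7"):
        print(ip, "->", check_spf("example.org", ip))
    print("DMARC policy:", parse_dmarc("example.org")["p"])
    print("FCrDNS ok:", check_ptr("203.0.113.10", "mail.example.org"))
```

The third address falls through to `-all` and fails, which is the same outcome a receiver applies to any host you forgot to list, so a new outbound server has to be added to the SPF record before it sends anything.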
There are some other mail-related standards that one can implement, although they are not, at the moment, as “make-or-break” as the ones above:
| Standard | Purpose | Key Requirement / Note |
|---|---|---|
| DANE | Forces encrypted connections between servers. | Requires DNSSEC, which many providers don’t support. |
| MTA-STS | Tells other servers to only send you mail via TLS. | Easier than DANE; uses HTTPS and DNS. |
| ARC | Preserves authentication when mail is forwarded. | Important for mailing lists. |
| TLS-RPT | Provides reports on TLS connection failures. | Helps troubleshoot why mail isn’t arriving. |
| BIMI | Displays your brand logo in the recipient’s inbox. | Mostly for branding; often requires a VMC certificate. |
Of the above, only MTA-STS seemed important enough to me, so I made a note to configure it too, if possible.
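Since MTA-STS is the one extra I decided to configure, here is an added example (my own, not code from the post or from docker-mailserver) of the two things it consists of: the `_mta-sts.<domain>` TXT record and the policy file served over HTTPS at `mta-sts.<domain>/.well-known/mta-sts.txt`. The script validates both and then shows what a sending server does with the policy in `enforce`, `testing` and `none` mode. The record and policy text are constructed placeholders.

```python
"""Validate an MTA-STS TXT record and policy file, and apply the policy.

STS_TXT_RECORD and STS_POLICY are constructed examples for a placeholder
domain; nothing here touches the network.
"""

STS_TXT_RECORD = "v=STSv1; id=20240101T000000;"
STS_POLICY = """version: STSv1
mode: enforce
mx: mail.example.org
mx: *.backup.example.org
max_age: 604800
"""

VALID_MODES = ("enforce", "testing", "none")
MAX_AGE_LIMIT = 31557600  # one year, the upper bound allowed for max_age


def parse_sts_txt(record):
    """Parse the _mta-sts TXT record; its id changes whenever the policy does,
    which is how senders know to refetch the policy file."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "STSv1" or not tags.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return tags


def parse_sts_policy(text):
    """Parse and validate the policy file body; raises ValueError on problems."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be enforce, testing or none")
    if not policy["mx"] and policy["mode"] != "none":
        raise ValueError("at least one mx line is required")
    policy["max_age"] = int(policy.get("max_age", 0))
    if not 0 < policy["max_age"] <= MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be between 1 and {MAX_AGE_LIMIT} seconds")
    return policy


def is_valid_policy(text):
    """Convenience wrapper: True if the policy text parses cleanly."""
    try:
        parse_sts_policy(text)
        return True
    except ValueError:
        return False


def mx_matches(pattern, hostname):
    """An mx pattern matches the host exactly, or, for '*.domain', any host
    with exactly one extra leading label."""
    hostname = hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return hostname == pattern


def sending_allowed(policy, mx_host):
    """Decide, as a sending server, whether delivery to mx_host may proceed.
    Returns (allowed, reason). 'testing' mode only reports, it never blocks."""
    if policy["mode"] == "none":
        return True, "mode none: no restriction"
    if any(mx_matches(p, mx_host) for p in policy["mx"]):
        return True, "mx host listed in policy"
    if policy["mode"] == "testing":
        return True, "mx host not listed, but testing mode only reports"
    return False, "mx host not listed and mode is enforce: do not deliver"


if __name__ == "__main__":
    print("TXT id:", parse_sts_txt(STS_TXT_RECORD)["id"])
    policy = parse_sts_policy(STS_POLICY)
    for host in ("mail.example.org", "mx1.backup.example.org", "mx.attacker.example"):
        print(host, "->", sending_allowed(policy, host))
```

The practical upshot of the `testing` branch is that you can publish the policy in `testing` mode first and watch the TLS-RPT reports before switching to `enforce`, which is when a wrong `mx` line would start making other servers refuse to deliver to you.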
Now, which software?
I had a number of requirements:
- First of all, it should let me easily set up a decent configuration, that is, a non-open relay with SPF, DKIM and DMARC. I don’t want to battle with configuration files in order for Google to accept my emails.
- Support for multiple domains. I have a bunch of domains for my side projects, and I want to be able to send/receive emails from them too, if needed. This is in fact one of the reasons I wanted to self-host, as costs may add up if I start using external services for many domains.
- Easy support for user management, aliases and creating new domains. I will not do this often, but this also means that every time I do, I will have forgotten how I did the previous one. The procedure must be simple.
- I just need email. Calendar is a plus, the rest is unneeded. It must be somewhat lightweight (let’s say under 1GB of memory under light load).
My original idea was to use Postfix + Dovecot. I have experience with them (although not as an Internet-exposed mail server), but they fail at the first and third requirements. They were born in a different era, and configuring them for modern requirements is an error-prone endeavour. Luckily I found docker-mailserver, which seems to package together everything you need (SMTP, IMAP, spam filter, and all the security functionality mentioned above).
It was not clear right away, but it has a CLI tool that helps with handling new users, domains, certificates and whatnot. It requires manually configuring the specific service in some cases that are not handled by default (for example, SPF for multiple domains in rspamd, or the maximum message size in Dovecot), but that is something I can live with.
Honorable mentions
The one above was not my first choice.
I almost ended up using Stalwart, after hearing about it on HackerNews. It ticks a lot of boxes: in particular, it is easy to set up, it comes with reasonable defaults and guides you through setting up DNS for SPF/DKIM/DMARC. It also supports multiple domains out of the box, has a nice web interface, and supports a few extra protocols like CalDAV, CardDAV and JMAP. The main drawback that made me look elsewhere, though, is that it has an Enterprise and a Community edition. While that is not bad by itself, I had bad experiences in the past with companies moving functionality from the free to the paid version of their application, or closing up shop and leaving the community abandoned. I am willing to revise my choice in the future though.
For a while, I also considered using Apache James. It is Java and heavier than the other solutions I considered, but still reasonable. What threw me off is that the documentation is abysmal. Once you go beyond the examples and tutorials, understanding what needs to be changed is an adventure: I couldn’t find a clear reference for all the configuration parameters of the various components. Also, LLMs were useful only up to a point, as the configuration file format changes a bit between versions. When I tried to add support for spam filtering and had to manually add a jar to the container, which caused other parts of the mail server to crash, I gave up.
How it is going, so far
Surprisingly good. Before “going live” I made some tests with some online services (like mail-tester.com) and it got almost everything correct right away.
But my real test was another. I had issues sending mails with PDF attachments to one of my clients that was using Microsoft for mail (Microsoft 365, or whatever it is called these days). The mails would invariably be sent to /dev/null, without any notice, and this despite me having sent and received mails with them for years. This wouldn’t happen with mails sent from my Gmail account.
Maybe this says more about the quality of the service provided by the company I was using (a not-too-small national hosting provider), but it is proof that if you are not one of the big players, delivery is not guaranteed.
My self-hosted solution worked right away, and finally my PDFs started being delivered.
(see? sometimes you can even do better than “professionals”)