The Unix Heritage Society mailing list
* [TUHS] Who is running their own mail server and what do you run?
@ 2017-09-21 20:05 Norman Wilson
  2017-09-21 21:02 ` Grant Taylor
  0 siblings, 1 reply; 54+ messages in thread
From: Norman Wilson @ 2017-09-21 20:05 UTC (permalink / raw)


I run my own mail server, on systems in my basement.
It is a setup that no one in their right mind would
replicate, but the details may actually be proper for
this list.

A firewall/gateway system runs a custom SMTP server,
which can do simple filtering based on the SMTP envelope,
SMTP commands, calling IP address and hostname.  It is
also able to call external commands to pass judgement on
a caller or a particular message.

If mail is accepted, it is passed through a simple
MTA and a stupidly-simple queueing setup (the latter
made of shell scripts) to be sent via SMTP to a
different internal system, which uses the same SMTP
server and MTA to deliver to local mailboxes.

Outbound mail is more or less the obvious inverse.

I have put off naming names for dramatic effect.  The
two systems in question are MicroVAX IIIs running
my somewhat-hacked-up version of post-10/e Research
UNIX.  The MTA is early-1990s-vintage upas.  The SMTP
server, SMTP sender, and queuing stuff are my own.

I wrote the SMTP server originally not long after I left
Bell Labs; I was now in a world where sendmail was the
least-troublesome MTA, but in those days every month
brought news of a new sendmail vulnerability, so I wrote
my own simple server to act as a condom.  Over time it
grew a bit, as I became interested in problems like
what sorts of breakin attempts are there in real life
(back then one received occasional DEBUG or WIZ commands,
but I haven't seen any since the turn of the century);
what sorts of simple filtering at the SMTP level will
get rid of most junk mail.  The code is more complicated
than it used to be, but is still small enough that I am
reasonably confident that it is safe to expose to the
network.

The SMTP sender and the queueing scripts came later,
when I decided to host my own mail.  Both were designed
in too much of a hurry.

There is no official spam filtering (no bogofilter or
the like).  A few simple rules that really just enforce
aspects of the SMTP standard seem to catch most junk
callers: HELO argument must contain at least one . (standard
says it must be your FQDN) and must not be *.* (I see dozens
of those every day!); sender must not speak until my server
has issued a complete greeting (I follow Wietse Venema in
this: send a line with a continuation marker first, then
sleep five seconds or so, then send a finish).  I also
have a very simple, naive greylisting implementation that
wouldn't work well for a site with lots of users, but is
fine for my personal traffic.  The greylisting is implemented
with a pair of external shell scripts.

I have had it in mind for a long time to consult the Spamhaus
XBL too.  It would be easy enough to do with another plug-in
shell script.  There are stupid reasons having to do with my
current DNS setup that make that impractical for now.

The mail setup works, but is showing its age, as is the
use of Research UNIX and such old, slow hardware as a network
gateway.  One of these years, when I have the time, I'd like
first to redo the mail setup so that mailboxes are stored
on my central file server (a Sun X2200 running Solaris 10,
or perhaps something illumos-based by the time I actually
do all this); then set up a new gateway, probably based on
OpenBSD.  Perhaps I should calculate how much hardware I
could buy from the power savings of turning off just one of
the two MicroVAXes for a year.

I have yet to see an MTA that is spare enough for my taste,
but the old upas code just doesn't quite do what I want any
more, and is too messy to port around.  (Pursuant to the
conversation earlier here about autoconf: these days I try
to need no configuration magic at all, which works as long
as I stick to ISO C and POSIX and am careful about networking.
upas was written in messier days.)  At the moment I'm leaning
toward qmail, just because for other reasons I'm familiar with
it, though for my personal use I will want to make a few changes
here and there.  But I'll want to keep my SMTP server because
I am still interested in what goes on there.

Norman Wilson
Toronto ON


^ permalink raw reply	[flat|nested] 54+ messages in thread
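An added example (not Norman Wilson's code) of the two HELO rules and the triplet greylisting described in the post above, written in Python; the thresholds, reply texts and sample addresses are assumptions.

```python
import time

# Added example, not the post's own server: the two HELO rules from the post
# and a naive greylist keyed on (client IP, envelope sender, recipient).
# Thresholds and reply texts are assumptions.


def helo_acceptable(arg: str) -> bool:
    """Apply the post's two HELO/EHLO rules.

    The argument must contain at least one '.' (the standard wants an FQDN)
    and must not be the literal '*.*' the post sees dozens of times a day.
    """
    arg = arg.strip()
    if not arg or arg == "*.*" or "." not in arg:
        return False
    # Whitespace inside the argument is never a valid hostname or address literal.
    return not any(c.isspace() for c in arg)


class Greylist:
    """Triplet greylisting: defer a never-seen (ip, sender, rcpt), accept its
    retry once at least min_delay seconds have passed, forget attempts that are
    not retried within expire seconds, and remember accepted triplets for keep
    seconds so later mail from the same source is not delayed again."""

    def __init__(self, min_delay=300, expire=4 * 3600, keep=36 * 24 * 3600):
        self.min_delay, self.expire, self.keep = min_delay, expire, keep
        self.pending = {}   # triplet -> time of first attempt
        self.passed = {}    # triplet -> time last accepted

    def check(self, ip, sender, rcpt, now=None):
        """Return the SMTP reply to give at RCPT TO for this triplet."""
        now = time.time() if now is None else now
        key = (ip, sender.lower(), rcpt.lower())
        last = self.passed.get(key)
        if last is not None and now - last < self.keep:
            self.passed[key] = now          # refresh the known-good entry
            return "250 2.1.5 OK"
        first = self.pending.get(key)
        if first is None or now - first > self.expire:
            self.pending[key] = now         # first sighting, or a stale one
            return "450 4.7.1 Greylisted, please retry later"
        if now - first < self.min_delay:
            return "450 4.7.1 Greylisted, please retry later"   # retried too soon
        del self.pending[key]
        self.passed[key] = now
        return "250 2.1.5 OK"


def rcpt_decision(greylist, helo, ip, sender, rcpt, now=None):
    """Combine both checks the way a server like the post's would at RCPT TO."""
    if not helo_acceptable(helo):
        return "550 5.5.2 HELO argument must be your fully qualified hostname"
    return greylist.check(ip, sender, rcpt, now)
```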

* [TUHS] Who is running their own mail server and what do you run?
  2017-09-21 20:05 [TUHS] Who is running their own mail server and what do you run? Norman Wilson
@ 2017-09-21 21:02 ` Grant Taylor
  0 siblings, 0 replies; 54+ messages in thread
From: Grant Taylor @ 2017-09-21 21:02 UTC (permalink / raw)


On 09/21/2017 02:05 PM, Norman Wilson wrote:
> I run my own mail server, on systems in my basement. 
>  It is a setup that no one in their right mind would
> replicate,

Maybe ... maybe not.

I think a number of TUHS subscribers enjoy special configurations.

> but the details may actually be proper for this list.

I'm only replying to the historical aspects.

> A firewall/gateway system runs a custom SMTP server, 
> which can do simple filtering based on the SMTP envelope, 
> SMTP commands, calling IP address and hostname.  It is 
> also able to call external commands to pass judgement on 
> a caller or a particular message.
> 
> If mail is accepted, it is passed through a simple 
> MTA and a stupidly-simple queueing setup (the latter 
> made of shell scripts) to be sent via SMTP to a 
> different internal system, which uses the same SMTP 
> server and MTA to deliver to local mailboxes.
> 
> Outbound mail is more or less the obvious inverse.
> 
> I have put off naming names for dramatic effect.  The 
> two systems in question are MicroVAX IIIs running 
> my somewhat-hacked-up version of post-10/e Research 
> UNIX.  The MTA is early-1990s-vintage upas.  The SMTP 
> server, SMTP sender, and queuing stuff are my own.

IMHO the dramatic effect was warranted.  (I was thinking that it's not 
too complex up until you said MicroVAX III.)

It sounds to me like your MTA is completely separate from the SMTP 
stack.  -  Would I be correct in guessing that your SMTP stack reads 
from and writes to "queues" that look like mailboxes to your MTA?

By the way, what you've done sounds very impressive, and likely challenging.

> I wrote the SMTP server originally not long after I left 
> Bell Labs; I was now in a world where sendmail was the 
> least-troublesome MTA, but in those days every month 
> brought news of a new sendmail vulnerability, so I wrote 
> my own simple server to act as a condom.

I doubt that many of today's script kiddies would do such a thing.  I 
like it.

> Over time it 
> grew a bit, as I became interested in problems like 
> what sorts of breakin attempts are there in real life 
> (back then one received occasional DEBUG or WIZ commands, 
> but I haven't seen any since the turn of the century); 
> what sorts of simple filtering at the SMTP level will 
> get rid of most junk mail.  The code is more complicated 
> than it used to be, but is still small enough that I am 
> reasonably confident that it is safe to expose to the 
> network.
> 
> The SMTP sender and the queueing scripts came later, 
> when I decided to host my own mail.  Both were designed 
> in too much of a hurry.

So, what was SMTP used for before you hosted your own email?  Was it a 
minimal implementation to get logs / outgoing messages off of the box?

> There is no official spam filtering (no bogofilter or 
> the like).  A few simple rules that really just enforce 
> aspects of the SMTP standard seem to catch most junk 
> callers: HELO argument must contain at least one . (standard 
> says it must be your FQDN) and must not be *.* (I see dozens 
> of those every day!); sender must not speak until my server 
> has issued a complete greeting (I follow Wietse Venema in 
> this: send a line with a continuation marker first, then 
> sleep five seconds or so, then send a finish).  I also 
> have a very simple, naive greylisting implementation that 
> wouldn't work well for a site with lots of users, but is 
> fine for my personal traffic.  The greylisting is implemented 
> with a pair of external shell scripts.
> 
> I have had it in mind for a long time to consult the Spamhaus 
> XBL too.  It would be easy enough to do with another plug-in 
> shell script.  There are stupid reasons having to do with my 
> current DNS setup that make that impractical for now.
> 
> The mail setup works, but is showing its age, as is the 
> use of Research UNIX and such old, slow hardware as a network 
> gateway.  One of these years, when I have the time, I'd like 
> first to redo the mail setup so that mailboxes are stored 
> on my central file server (a Sun X2200 running Solaris 10, 
> or perhaps something illumos-based by the time I actually 
> do all this); then set up a new gateway, probably based on 
> OpenBSD.  Perhaps I should calculate how much hardware I 
> could buy from the power savings of turning off just one of 
> the two MicroVAXes for a year.

Could you keep your working configuration and save power by migrating 
your configuration to emulation?  Perhaps on a Raspberry Pi or the like.

> I have yet to see an MTA that is spare enough for my taste, 
> but the old upas code just doesn't quite do what I want any 
> more, and is too messy to port around.  (Pursuant to the 
> conversation earlier here about autoconf: these days I try 
> to need no configuration magic at all, which works as long 
> as I stick to ISO C and POSIX and am careful about networking. 
>  upas was written in messier days.)  At the moment I'm leaning 
> toward qmail, just because for other reasons I'm familiar with 
> it, though for my personal use I will want to make a few changes 
> here and there.  But I'll want to keep my SMTP server because 
> I am still interested in what goes on there.
> 
> Norman Wilson
> Toronto ON



-- 
Grant. . . .
unix || die




* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 16:25 Larry McVoy
                   ` (11 preceding siblings ...)
  2017-09-21 12:40 ` Ben Greenfield
@ 2017-09-23  9:12 ` Dario Niedermann
  12 siblings, 0 replies; 54+ messages in thread
From: Dario Niedermann @ 2017-09-23  9:12 UTC (permalink / raw)


On 20/09/2017 at 18:25, Larry McVoy wrote:

> I tried running my own server on mcvoy.com but eventually gave up, the
> spam filtering was a non-ending task.
> 
> If someone has a plug and chug setup for MX I'd love to try it.

I run my own mail server (OpenSMTPD + Dovecot) but I don't do any spam
filtering server-side. I filter my email client-side with procmail and
bogofilter.

Every message to any non-existing address gets thrown into a catch-all
mailbox. I download the contents of that mailbox daily, and feed them
straight to bogofilter as spam, which of course improves its accuracy...


-- 
Dario Niedermann.                 Also on the Internet at:

gopher://darioniedermann.it/  <>  https://www.darioniedermann.it/




* [TUHS] Who is running their own mail server and what do you run?
  2017-09-21  5:34             ` Grant Taylor
@ 2017-09-21 15:49               ` Ian Zimmerman
  0 siblings, 0 replies; 54+ messages in thread
From: Ian Zimmerman @ 2017-09-21 15:49 UTC (permalink / raw)


On 2017-09-20 23:34, Grant Taylor wrote:

> I expect my message directly to you will bounce then, as I'm using
> Linode as well.
> 
> I'm purposely sending this message to you so that it will (hopefully)
> bounce.  That way I can open a support case with Linode, as a
> customer, and *hopefully* get them to change their policy.  ;-)

Ditto here.  But Dave must have added this recently, as I have conversed
with him privately not longer than a month ago.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-21  5:30                 ` Grant Taylor
@ 2017-09-21 15:43                   ` Ian Zimmerman
  0 siblings, 0 replies; 54+ messages in thread
From: Ian Zimmerman @ 2017-09-21 15:43 UTC (permalink / raw)


On 2017-09-20 23:30, Grant Taylor wrote:

> Interesting work.  I'd be curious to see how you're doing some of that
> and think about implementing it myself.
> 
> Thanks for sharing Dave.

You can try

telnet very.loosely.org smtp

while you're at it :-) Credit goes to Dave who gave me the ideas, on
another mailing list.

I bet the implementation in exim (plus 1 or 2 tiny helper scripts) is
simpler than anything you can do in other MTAs, a good example of why I
am a fan.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 16:25 Larry McVoy
                   ` (10 preceding siblings ...)
  2017-09-20 23:06 ` Dave Horsfall
@ 2017-09-21 12:40 ` Ben Greenfield
  2017-09-23  9:12 ` Dario Niedermann
  12 siblings, 0 replies; 54+ messages in thread
From: Ben Greenfield @ 2017-09-21 12:40 UTC (permalink / raw)



I use Server.app from the app store in os x. I switched to OS X server in the late 90’s from communiGate which is still around.

http://communigate.com/main/platform/email.html

I would describe any aspect of spam fighting as plug and chug…


Ben


> On Sep 20, 2017, at 12:25 PM, Larry McVoy <lm at mcvoy.com> wrote:
> 
> I tried running my own server on mcvoy.com but eventually gave up, the
> spam filtering was a non-ending task.
> 
> If someone has a plug and chug setup for MX I'd love to try it.
> 
> Thanks,
> 
> --lm




* [TUHS] Who is running their own mail server and what do you run?
  2017-09-21  1:08     ` Ian Zimmerman
@ 2017-09-21 12:36       ` Steve Simon
  0 siblings, 0 replies; 54+ messages in thread
From: Steve Simon @ 2017-09-21 12:36 UTC (permalink / raw)


> Doesn't pbl.spamhaus.org do this better for you, and maybe other similar
> RBLs ?

I do a spamhaus check first but if they miss them I add a regexp that picks them up.

I should do a sweep of the regexps against spamhaus - there was probably
only a small time window when spamhaus missed them.

-Steve



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-21  4:58           ` Dave Horsfall
@ 2017-09-21  5:34             ` Grant Taylor
  2017-09-21 15:49               ` Ian Zimmerman
  0 siblings, 1 reply; 54+ messages in thread
From: Grant Taylor @ 2017-09-21  5:34 UTC (permalink / raw)


On 09/20/2017 10:58 PM, Dave Horsfall wrote:
> Ah yes...  I get a fair amount of spam from linode.com, yet they have
> no "abuse" reporting address, so I blocked the entire network; I do that
> with any ISP not having it when I try and report spam.

Hum.

I expect my message directly to you will bounce then, as I'm using 
Linode as well.

I'm purposely sending this message to you so that it will (hopefully) 
bounce.  That way I can open a support case with Linode, as a customer, 
and *hopefully* get them to change their policy.  ;-)

> I've since whitelisted you :-)

Let's see what sort of cages I can rattle.

Note:  I do not fault you for your black list.  We are each free to run 
our server(s) the way that we want to.



-- 
Grant. . . .
unix || die



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-21  4:14               ` Dave Horsfall
@ 2017-09-21  5:30                 ` Grant Taylor
  2017-09-21 15:43                   ` Ian Zimmerman
  0 siblings, 1 reply; 54+ messages in thread
From: Grant Taylor @ 2017-09-21  5:30 UTC (permalink / raw)


On 09/20/2017 10:14 PM, Dave Horsfall wrote:
> Didn't I just see you somewhere else? :-)

Probably.

> Yep; as I recall, the RFC line length is no more than 254 chars (I 
> think), with no limit on the number of continuation lines.  Try 
> connecting to my server at horsfall.org (I'll make you wait around 10 
> seconds), then check out my RFC-compliant banner...  I'll keep an eye 
> out for you in my logs :-)

Very interesting.

I want to figure out how to make a multi-line banner.  (In Sendmail.)

I feel like your greet_pause was more than 10 seconds, but so be it. 
Still shouldn't be a problem.

> Check out www.horsfall.org/spamlog.pdf for a nice pretty graph; the 
> rejects on "banner" is the purple one on the top; the "reject" line is 
> the red one, and the "spam" line (stuff that gets through) is pink (for 
> SPAM, geddit?).
> 
> Note that many of the "banner" violations are from woodpeckers i.e. they 
> keep trying until they either give up or I notice (and firewall them).

I've wondered about a more featureful syslog daemon that could pattern 
match and watch for the log message for pre-greeting traffic, and 
forward them to a script that would dynamically update an RBL.  I just 
haven't found enough round-tuits yet.

> The tools behind this are still a work in progress, so I don't currently 
> log the number of "wait" violations etc (it was implemented fairly 
> recently).
> 
> (And yes, my HTML programming sucks.)

Interesting work.  I'd be curious to see how you're doing some of that 
and think about implementing it myself.

Thanks for sharing Dave.



-- 
Grant. . . .
unix || die


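An added example (not Grant Taylor's or Dave Horsfall's code) of the log-watching idea in the reply above: pre-greeting rejections are pulled out of syslog lines, repeat offenders are picked out with a simple sliding window, and the result is rendered as records for a local DNSBL zone. The log lines are constructed (shaped like Sendmail's greet_pause rejection message), and the zone name, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines shaped like Sendmail's greet_pause rejection
# message; the addresses are documentation ranges, not real offenders.
SAMPLE_LOG = """\
Sep 21 00:08:01 gw sm-mta[1201]: v8L081aa: rejecting commands from unknown [192.0.2.55] due to pre-greeting traffic after 0 seconds
Sep 21 00:08:04 gw sm-mta[1202]: v8L084bb: rejecting commands from unknown [192.0.2.55] due to pre-greeting traffic after 1 seconds
Sep 21 00:08:09 gw sm-mta[1203]: v8L089cc: from=<alice@example.org>, size=1618, class=0, nrcpts=1, relay=mail.example.org [198.51.100.7]
Sep 21 00:08:30 gw sm-mta[1204]: v8L08Udd: rejecting commands from unknown [192.0.2.55] due to pre-greeting traffic after 0 seconds
Sep 21 00:09:02 gw sm-mta[1205]: v8L092ee: rejecting commands from host7.example.net [203.0.113.9] due to pre-greeting traffic after 2 seconds
"""

PRE_GREETING = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sm-mta\[\d+\]: \S+: "
    r"rejecting commands from \S+ \[(?P<ip>\d+\.\d+\.\d+\.\d+)\] "
    r"due to pre-greeting traffic")


def parse_pre_greeting(lines, year=2017):
    """Yield (timestamp, ip) for every pre-greeting rejection in the log.

    Classic syslog timestamps carry no year, so the caller supplies one.
    """
    for line in lines:
        m = PRE_GREETING.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def repeat_offenders(events, threshold=3, window_seconds=600):
    """Return the IPs with at least `threshold` rejections inside any
    `window_seconds` span: the 'woodpeckers' that keep coming back."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    hits = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i + threshold - 1
            if j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                hits.add(ip)
                break
    return sorted(hits)


def dnsbl_records(ips, zone="bl.example.invalid", ttl=300):
    """Render DNSBL-style zone lines: the reversed octets under the zone,
    answering 127.0.0.2, plus a TXT record giving the reason."""
    lines = []
    for ip in ips:
        rev = ".".join(reversed(ip.split(".")))
        lines.append(f"{rev}.{zone}. {ttl} IN A 127.0.0.2")
        lines.append(f'{rev}.{zone}. {ttl} IN TXT "pre-greeting traffic"')
    return lines


if __name__ == "__main__":
    events = list(parse_pre_greeting(SAMPLE_LOG.splitlines()))
    for rec in dnsbl_records(repeat_offenders(events)):
        print(rec)
```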

* [TUHS] Who is running their own mail server and what do you run?
  2017-09-21  3:04             ` Robert Brockway
@ 2017-09-21  5:20               ` Grant Taylor
  0 siblings, 0 replies; 54+ messages in thread
From: Grant Taylor @ 2017-09-21  5:20 UTC (permalink / raw)


On 09/20/2017 09:04 PM, Robert Brockway wrote:
> This is a well established technique known as Nolisting.  I believe the 
> safest option is for the port to be unbound and thus for a TCP RST to be 
> sent.
> 
> en.wikipedia.org/wiki/Nolisting

I think I've heard of people doing nolisting before and ran across the 
term within the last week.

I wonder how effective it is.

I recently wrote a gray mail server (in Perl) that ran into the problem 
of the 3rd bullet point in Drawbacks.  -  My workaround has been to 
return ICMP errors, much like nolisting probably does.

I will have to give Nolisting more thought and mess with it.



-- 
Grant. . . .
unix || die



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-21  4:45         ` Robert Brockway
@ 2017-09-21  4:58           ` Dave Horsfall
  2017-09-21  5:34             ` Grant Taylor
  0 siblings, 1 reply; 54+ messages in thread
From: Dave Horsfall @ 2017-09-21  4:58 UTC (permalink / raw)


On Thu, 21 Sep 2017, Robert Brockway wrote:

> As an aside I just saw this in my mail queue:
>
> # mailq
> -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
> 2182087EA      1618 Thu Sep 21 10:41:07  robert at timetraveller.org
> (host aneurin.horsfall.org[110.141.193.233] said: 550 5.7.1 
> <dave at horsfall.org>... No reporting address for linode.com; see RFC 2142 (in 
> reply to RCPT TO command))
>                                         dave at horsfall.org
>
>
> That is aggressive standards compliance ;)

Ah yes...  I get a fair amount of spam from linode.com, yet they have
no "abuse" reporting address, so I blocked the entire network; I do that
with any ISP not having it when I try and report spam.

I've since whitelisted you :-)

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."



* [TUHS] Who is running their own mail server and what do you run?
       [not found]       ` <20170921042528.E12C5156E523@mail.bitblocks.com>
@ 2017-09-21  4:45         ` Robert Brockway
  2017-09-21  4:58           ` Dave Horsfall
  0 siblings, 1 reply; 54+ messages in thread
From: Robert Brockway @ 2017-09-21  4:45 UTC (permalink / raw)


I received a private request for info on my Postfix config.  I'm happy to 
post to list.

This is the interesting bit:

https://pastebin.com/tNceD6zM

Running under Debian 8, soon to be upgraded to Debian 9.

Postgrey is listening on TCP/10023.

As an aside I just saw this in my mail queue:

# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
2182087EA      1618 Thu Sep 21 10:41:07  robert at timetraveller.org
(host aneurin.horsfall.org[110.141.193.233] said: 550 5.7.1 
<dave at horsfall.org>... No reporting address for linode.com; see RFC 2142 
(in reply to RCPT TO command))
                                          dave at horsfall.org


That is aggressive standards compliance ;)

Rob



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-21  1:52             ` Grant Taylor
@ 2017-09-21  4:14               ` Dave Horsfall
  2017-09-21  5:30                 ` Grant Taylor
  0 siblings, 1 reply; 54+ messages in thread
From: Dave Horsfall @ 2017-09-21  4:14 UTC (permalink / raw)


On Wed, 20 Sep 2017, Grant Taylor wrote:

Didn't I just see you somewhere else? :-)

> I've never thought about a long, multi-line banner.

Yep; as I recall, the RFC line length is no more than 254 chars (I think), 
with no limit on the number of continuation lines.  Try connecting to my 
server at horsfall.org (I'll make you wait around 10 seconds), then check 
out my RFC-compliant banner...  I'll keep an eye out for you in my logs 
:-)

> I agree with the first two, and I'd like to know more about the 
> effectiveness of the third.

Check out www.horsfall.org/spamlog.pdf for a nice pretty graph; the 
rejects on "banner" is the purple one on the top; the "reject" line is the 
red one, and the "spam" line (stuff that gets through) is pink (for SPAM, 
geddit?).

Note that many of the "banner" violations are from woodpeckers i.e. they 
keep trying until they either give up or I notice (and firewall them).

The tools behind this are still a work in progress, so I don't currently 
log the number of "wait" violations etc (it was implemented fairly 
recently).

(And yes, my HTML programming sucks.)

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-21  1:57           ` Grant Taylor
@ 2017-09-21  3:04             ` Robert Brockway
  2017-09-21  5:20               ` Grant Taylor
  0 siblings, 1 reply; 54+ messages in thread
From: Robert Brockway @ 2017-09-21  3:04 UTC (permalink / raw)


On Wed, 20 Sep 2017, Grant Taylor wrote:

> On 09/20/2017 07:30 PM, Lawrence Stewart wrote:
>> We have 3 MX records with weights 10 50 100, but only the second one has an 
>> SMTP server behind it.  This tends to discourage spammers.
>
> Do the first and third MX actually resolve to an IP?  Are they pingable?
>
> Are you sending TCP resets?

This is a well established technique known as Nolisting.  I believe the 
safest option is for the port to be unbound and thus for a TCP RST to be 
sent.

en.wikipedia.org/wiki/Nolisting

Rob




* [TUHS] Who is running their own mail server and what do you run?
  2017-09-21  1:30         ` Lawrence Stewart
@ 2017-09-21  1:57           ` Grant Taylor
  2017-09-21  3:04             ` Robert Brockway
  0 siblings, 1 reply; 54+ messages in thread
From: Grant Taylor @ 2017-09-21  1:57 UTC (permalink / raw)


On 09/20/2017 07:30 PM, Lawrence Stewart wrote:
> We have 3 MX records with weights 10 50 100, but only the second one 
> has an SMTP server behind it.  This tends to discourage spammers.

Do the first and third MX actually resolve to an IP?  Are they pingable?

Are you sending TCP resets?



-- 
Grant. . . .
unix || die



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-21  0:55           ` Dave Horsfall
@ 2017-09-21  1:52             ` Grant Taylor
  2017-09-21  4:14               ` Dave Horsfall
  0 siblings, 1 reply; 54+ messages in thread
From: Grant Taylor @ 2017-09-21  1:52 UTC (permalink / raw)


On 09/20/2017 06:55 PM, Dave Horsfall wrote:
> Dunno, as I've never used it, but there are some clever tricks that can 
> be used to enforce RFC-compliancy (a lot of spamware is written by 
> idiots who don't understand the finer points of SMTP):

Some of the ones that I've seen make me understand SMTP at all, or if 
they are using a library to abstract it.

>      Enforce proper DNS configuration e.g. must resolve etc, and must
>      actually exist.
> 
>      Make 'em wait a few seconds before sending your own banner, and drop
>      the connection if they send beforehand.

I do both of those.

>      Set up an enormous greeting banner (many long lines); there is nothing
>      in the RFC that says it has to be a single short line.

I've never thought about a long, multi-line banner.

> These simple measures alone cut out most of the crap; the rest are 
> handled by various DNSBLs and my private access list.

I agree with the first two, and I'd like to know more about the 
effectiveness of the third.



-- 
Grant. . . .
unix || die



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-21  0:00       ` Dave Horsfall
  2017-09-21  0:08         ` Grant Taylor
  2017-09-21  0:38         ` Robert Brockway
@ 2017-09-21  1:30         ` Lawrence Stewart
  2017-09-21  1:57           ` Grant Taylor
  2 siblings, 1 reply; 54+ messages in thread
From: Lawrence Stewart @ 2017-09-21  1:30 UTC (permalink / raw)


On Thu, 21 Sep 2017, Robert Brockway wrote:

> I do some additional tricks like requiring the sending MTA to hold the connection open for (IIRC) 10 seconds before I will accept traffic. This drives up spammers' costs (and everyone else's :( ) but definitely helps.



We have 3 MX records with weights 10 50 100, but only the second one has an SMTP server behind it.  This tends to discourage spammers.

(Postfix, Ubuntu, on a Rackspace instance)

-L




* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 22:54   ` Steve Simon
  2017-09-20 23:31     ` Grant Taylor
  2017-09-20 23:57     ` Bakul Shah
@ 2017-09-21  1:08     ` Ian Zimmerman
  2017-09-21 12:36       ` Steve Simon
  2 siblings, 1 reply; 54+ messages in thread
From: Ian Zimmerman @ 2017-09-21  1:08 UTC (permalink / raw)


On 2017-09-20 23:54, Steve Simon wrote:

> I also have a list of regexps which match the reverse dns
> addresses of adsl blocks which catch many spam bots.
> 
> The regexps sound like a lot of work but I have some scripts to
> analyse my logs and suggest patterns, so it's just a click or two.
> I can block something like:
> 
> 	dhcp.[0-9]+.[0-9]+.[0-9]+.[0-9]+.adsl.nasty-isp.net

Doesn't pbl.spamhaus.org do this better for you, and maybe other similar
RBLs ?

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-21  0:08         ` Grant Taylor
@ 2017-09-21  0:55           ` Dave Horsfall
  2017-09-21  1:52             ` Grant Taylor
  0 siblings, 1 reply; 54+ messages in thread
From: Dave Horsfall @ 2017-09-21  0:55 UTC (permalink / raw)


On Wed, 20 Sep 2017, Grant Taylor wrote:

> I thought I had heard reports that tar pitting, for the purpose of 
> slowing spammers down, didn't achieve much.

Dunno, as I've never used it, but there are some clever tricks that can be 
used to enforce RFC-compliancy (a lot of spamware is written by idiots who 
don't understand the finer points of SMTP):

     Enforce proper DNS configuration e.g. must resolve etc, and must
     actually exist.

     Make 'em wait a few seconds before sending your own banner, and drop
     the connection if they send beforehand.

     Set up an enormous greeting banner (many long lines); there is nothing
     in the RFC that says it has to be a single short line.

These simple measures alone cut out most of the crap; the rest are handled 
by various DNSBLs and my private access list.

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."


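An added example (not Dave Horsfall's code) of the second and third tricks in the post above: a multi-line 220 greeting, and a greet pause that drops any client that speaks before the final banner line. It is exercised over a socketpair so it runs offline; the hostname, banner text and reply codes are assumptions.

```python
import select
import socket

# Added example, not the post's own server.  build_banner() produces the
# multi-line greeting; greet() sends the first line, waits, and only finishes
# the greeting if the client has stayed quiet.  Hostname, banner text and
# reply codes are assumptions.

MAX_REPLY_LINE = 512   # RFC 5321 4.5.3.1.5: a reply line incl. code and CRLF


def build_banner(hostname, extra_lines):
    """Multi-line greeting: every line but the last is '220-', the last '220 '.

    RFC 5321 caps each reply line at 512 octets but places no limit on the
    number of lines, which is what makes the 'enormous banner' trick legal.
    """
    texts = [f"{hostname} ESMTP"] + list(extra_lines)
    if len(texts) < 2:
        raise ValueError("need a continuation line before the final 220 line")
    out = []
    for i, text in enumerate(texts):
        sep = " " if i == len(texts) - 1 else "-"
        line = f"220{sep}{text}\r\n".encode("ascii")
        if len(line) > MAX_REPLY_LINE:
            raise ValueError("reply line exceeds the RFC 5321 limit")
        out.append(line)
    return b"".join(out)


def greet(conn, banner, pause=5.0):
    """Send the first banner line, pause, then finish the greeting.

    A client that sends anything (or disconnects) before the final '220 '
    line is an early talker: it gets a 5xx and the connection is closed.
    Returns True if the greeting completed, False if the client was dropped.
    """
    lines = banner.split(b"\r\n")[:-1]
    conn.sendall(lines[0] + b"\r\n")
    readable, _, _ = select.select([conn], [], [], pause)
    if readable:
        conn.recv(4096)    # drain what arrived so the close is orderly
        conn.sendall(b"554 5.5.0 Talk after the greeting, not before it\r\n")
        conn.close()
        return False
    for line in lines[1:]:
        conn.sendall(line + b"\r\n")
    return True


DEMO_BANNER = build_banner("mail.example.net", [
    "Pre-greeting traffic is rejected",
    "Wait for the line that begins with 220 and a space",
])


def simulate(early_talker, pause=0.2):
    """Run greet() over a socketpair; return (accepted, bytes the client saw)."""
    server, client = socket.socketpair()
    try:
        if early_talker:
            client.sendall(b"EHLO spambot\r\n")   # speaks before 220 is complete
        accepted = greet(server, DEMO_BANNER, pause=pause)
        server.close()   # a real server would now read HELO; end the session here
        seen = []
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            seen.append(chunk)
        return accepted, b"".join(seen)
    finally:
        client.close()


if __name__ == "__main__":
    print(simulate(True))
    print(simulate(False))
```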

* [TUHS] Who is running their own mail server and what do you run?
  2017-09-21  0:00       ` Dave Horsfall
  2017-09-21  0:08         ` Grant Taylor
@ 2017-09-21  0:38         ` Robert Brockway
  2017-09-21  1:30         ` Lawrence Stewart
  2 siblings, 0 replies; 54+ messages in thread
From: Robert Brockway @ 2017-09-21  0:38 UTC (permalink / raw)


On Thu, 21 Sep 2017, Dave Horsfall wrote:

> On Thu, 21 Sep 2017, Robert Brockway wrote:
>
>> I do some additional tricks like requiring the sending MTA to hold the 
>> connection open for (IIRC) 10 seconds before I will accept traffic. This 
>> drives up spammers' costs (and everyone else's :( ) but definitely helps.
>
> Err, it's not the spammer who's paying for it these days...
>
> Or are you talking about greet pause, and not tarpitting?  Either way, both 
> are effective.

I'm doing greet pause.  Just checked, it's currently set to 15s.

Rob



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-21  0:00       ` Dave Horsfall
@ 2017-09-21  0:08         ` Grant Taylor
  2017-09-21  0:55           ` Dave Horsfall
  2017-09-21  0:38         ` Robert Brockway
  2017-09-21  1:30         ` Lawrence Stewart
  2 siblings, 1 reply; 54+ messages in thread
From: Grant Taylor @ 2017-09-21  0:08 UTC (permalink / raw)



On 09/20/2017 06:00 PM, Dave Horsfall wrote:
> Or are you talking about greet pause, and not tarpitting?  Either way, 
> both are effective.

I thought I had heard reports that tar pitting, for the purpose of 
slowing spammers down, didn't achieve much.

I wonder if I can find any of my old Sendmail hacks to bad recipient 
throttle that sent a longer and longer multi-line error message for when 
you exceeded the number of allowed bad recipients.  }:-)



-- 
Grant. . . .
unix || die




* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 23:57     ` Bakul Shah
@ 2017-09-21  0:02       ` Larry McVoy
  0 siblings, 0 replies; 54+ messages in thread
From: Larry McVoy @ 2017-09-21  0:02 UTC (permalink / raw)


On Wed, Sep 20, 2017 at 04:57:13PM -0700, Bakul Shah wrote:
> What is needed  is an SMTP "Brita" filter!
> 
>   crud+legit email => smtp filter => legit email
> 
> This then goes to your usual MTA. Steve, this may be
> the killer app for plan9!

I'd run plan9 (or *BSD or even SmartOS) if I could grab an install image
and change host/IP, add some users, aliases, and it just worked.

In fact, I'd pay for that.  If it actually worked I'd pay $500 for the
install image and $100/year for updates to the spam filter.

Corey, what do you charge for your email service?  All I need is inbound
spam filtering, I've got a working linux box that can receive and send
mail but my MX is rackspace.



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 23:17     ` Robert Brockway
@ 2017-09-21  0:00       ` Dave Horsfall
  2017-09-21  0:08         ` Grant Taylor
                           ` (2 more replies)
       [not found]       ` <20170921042528.E12C5156E523@mail.bitblocks.com>
  1 sibling, 3 replies; 54+ messages in thread
From: Dave Horsfall @ 2017-09-21  0:00 UTC (permalink / raw)


On Thu, 21 Sep 2017, Robert Brockway wrote:

> I do some additional tricks like requiring the sending MTA to hold the 
> connection open for (IIRC) 10 seconds before I will accept traffic. 
> This drives up spammers' costs (and everyone else's :( ) but definitely 
> helps.

Err, it's not the spammer who's paying for it these days...

Or are you talking about greet pause, and not tarpitting?  Either way, 
both are effective.

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 22:54   ` Steve Simon
  2017-09-20 23:31     ` Grant Taylor
@ 2017-09-20 23:57     ` Bakul Shah
  2017-09-21  0:02       ` Larry McVoy
  2017-09-21  1:08     ` Ian Zimmerman
  2 siblings, 1 reply; 54+ messages in thread
From: Bakul Shah @ 2017-09-20 23:57 UTC (permalink / raw)


What is needed  is an SMTP "Brita" filter!

  crud+legit email => smtp filter => legit email

This then goes to your usual MTA. Steve, this may be
the killer app for plan9!

On Wed, 20 Sep 2017 23:54:34 +0100 "Steve Simon" <steve at quintile.net> wrote:
> My spam filtering is all plan9 based but the ideals are all portable.
> 
> Greylisting and delaying a few secs before starting the SMTP
> conversation are my most successful filters. After this comes
> SPF and using spamhaus to validate the sender's IP.
> 
> I reject some silly domains like localhost.com and usernames like
> user and test.
> 
> I also have a list of regexps which match the reverse dns
> addresses of adsl blocks which catch many spam bots.
> 
> The regexps sound like a lot of work but I have some scripts to
> analyse my logs and suggest patterns, so it's just a click or two.
> I can block something like:
> 
> 	dhcp.[0-9]+.[0-9]+.[0-9]+.[0-9]+.adsl.nasty-isp.net
> 
> -Steve



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 18:15   ` Arthur Krewat
@ 2017-09-20 23:45     ` Dave Horsfall
  0 siblings, 0 replies; 54+ messages in thread
From: Dave Horsfall @ 2017-09-20 23:45 UTC (permalink / raw)


On Wed, 20 Sep 2017, Arthur Krewat wrote:

> I've built an extensive list of whitelisted email sources and 
> destinations (TUHS for example). Anything that doesn't match that 
> automatically goes into my SPAM folder.

Not having a go at you personally, but I keep seeing this: "SPAM" is a 
trademark of Hormel (makers of that wonderful pink stuff), whereas "spam" 
is the junk stuff.

Hormel might not like having their trademark diluted...

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 22:54   ` Steve Simon
@ 2017-09-20 23:31     ` Grant Taylor
  2017-09-20 23:57     ` Bakul Shah
  2017-09-21  1:08     ` Ian Zimmerman
  2 siblings, 0 replies; 54+ messages in thread
From: Grant Taylor @ 2017-09-20 23:31 UTC (permalink / raw)


On 09/20/2017 04:54 PM, Steve Simon wrote:
> My spam filtering is all plan9 based but the ideals are all portable.

I would love to hear more about how (and why) you're using Plan9.  I'm 
naively curious.

> Greylisting and delaying a few secs before starting the SMTP
> conversation are my most successful filters. After this comes
> SPF and using spamhaus to validate the sender's IP.

I forgot about pre-greeting delay.  I also use that.  It's amazing how 
much difference even 1 second makes.

I think it's also amazing how many spam bots try tricks to get around 
spam filtering, like connecting to a high order MX that hypothetically 
has less spam filtering.  -  JunkEmailFilter's Project Tarbaby does 
phenomenal work with that.  Plus, it feeds their RBL which I use as a 
data signal for SpamAssassin.  }:-)

> I reject some silly domains like localhost.com and usernames like
> user and test.

Are you referring to the purported sender?  Or something in your domain?

Are you referring to SMTP Authentication or email addresses?

I have disabled SMTP Authentication on my main MTA and only allow it on 
my MSA.

> I also have a list of regexps which match the reverse dns
> addresses of adsl blocks which catch many spam bots.

Thankfully I've not had to deal with those.  (At least not that I'm 
aware of.)

> The regexps sound like a lot of work but I have some scripts to
> analyse my logs and suggest patterns, so it's just a click or two.
> I can block something like:
> 
> 	dhcp.[0-9]+.[0-9]+.[0-9]+.[0-9]+.adsl.nasty-isp.net

Nice.



-- 
Grant. . . .
unix || die




* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 17:57 ` Ian Zimmerman
  2017-09-20 18:22   ` William Pechter
  2017-09-20 19:09   ` Grant Taylor
@ 2017-09-20 23:26   ` Michael Parson
  2 siblings, 0 replies; 54+ messages in thread
From: Michael Parson @ 2017-09-20 23:26 UTC (permalink / raw)


On Wed, 20 Sep 2017, Ian Zimmerman wrote:
> On 2017-09-20 09:25, Larry McVoy wrote:
>
>> I tried running my own server on mcvoy.com but eventually gave up, the
>> spam filtering was a non-ending task.
>
> exim on a VPS.  Currently it is a linode running debian but I will have
> to find an outlet that supports BSD before systemd becomes unavoidable
> on debian, which I'm afraid is only a matter of time.

I run NetBSD on my Linode hosted VPS.  It took a little work, but it
does work.

I also use sendmail + 5s greet pause + greylisting + regex milter +
spamassassin.  I also don't accept mail from IPs that don't resolve.  I
have also wholesale blocked several IP blocks from China and Korea via
ipf that have been problematic.

Before taking those measures 12-15 years ago, spam was eating my inbox,
since then, my spam volume has been quite low, but I do see some IPs
connect and never say anything, probably scripts hung up on the greet
pause?  Dunno.  If I'm watching the logs while one of those is going on,
I'll just 'sudo route add -host badip gw 127.0.0.1' and forget about
them.

The stuff that makes it through all gets delivered through procmail
which sorts list mail into folders, stuff marked as spam into a spam
folder, and everything else gets delivered to my inbox and forwarded
to a second account which I point my phone at for reading inbox stuff,
generally, maybe 10-15 messages a day wind up in my inbox.  Spam mail
varies from day to day.  Some days it seems like I get tons, other days
it's just a few.

Mail is read either via alpine directly on the host, via roundcube
webmail on the host, or from my Android phone using the K-9 mail app.
All connect over imap/s provided by dovecot and Let's Encrypt SSL certs.

> spam is a problem but also a challenge ;-)
>
> I'll never switch to gmail as my primary address.  The day when it's the
> only way is the day the Net dies, as I see it, and the day when I look
> for a different line of work (which maybe I should have done a while ago).

Yeah, I thought about switching to google-hosted email, and I do have a
gmail account (more than one, actually), but those are not what I give
out as 'my' email address.  One is my 'android' account that is the
default account for my phone, one is used for signing up on websites
and other stuff I care less about.  Any real communication with me will
probably come through this address (mparson at bl.org).

I just don't like the idea of google reading my email, which is why I
don't even use their mail app on my phone, even to read mail sent to the
gmail accounts.  I do use their web interface for the gmail accounts,
but I also have alpine pointed at them, which is how I read most of my
mail.

-- 
Michael Parson
Pflugerville, TX
KF5LGQ
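The greet pause that Michael Parson, Grant Taylor and Rob all mention, as an added example that is not code from any poster's setup: a toy SMTP front end that withholds the 220 banner for a configurable pause and rejects any client that sends a command before the banner arrives, which is what sendmail's greet_pause and the equivalent "talking too early" check in other MTAs do. The 0.5 s pause (posters above use 1 s, 5 s and 15 s in production), the banner hostname and the two loopback clients are assumptions for the demonstration; everything runs on 127.0.0.1 with no external network.

```python
import socket
import threading

GREET_PAUSE = 0.5   # seconds; posters above run 1s, 5s and 15s in production (assumed value here)
BANNER = b"220 mx.example.test ESMTP greet-pause demo\r\n"   # hypothetical hostname


def greet_pause_verdict(conn, pause=GREET_PAUSE):
    """Hold the 220 banner for `pause` seconds. RFC 5321 requires the client to
    wait for the banner, so any bytes that arrive during the pause come from
    software that pipelines blindly (a spam bot): reject it and never greet."""
    conn.settimeout(pause)
    try:
        early = conn.recv(1024)
    except socket.timeout:
        early = b""
    if early:
        conn.sendall(b"554 5.7.0 command sent before greeting; closing\r\n")
        return "rejected"
    conn.sendall(BANNER)
    return "accepted"


def serve(listener, verdicts, n_clients):
    """Accept n_clients connections one at a time and record each verdict."""
    for _ in range(n_clients):
        conn, _ = listener.accept()
        with conn:
            verdicts.append(greet_pause_verdict(conn))
            conn.settimeout(2.0)
            try:
                while conn.recv(1024):   # drain until the client hangs up
                    pass
            except (socket.timeout, OSError):
                pass


def connect_client(port, talk_early):
    """A client that either blurts EHLO at once (bot-like) or waits for the banner."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        if talk_early:
            s.sendall(b"EHLO spambot.example\r\n")   # sent before any banner: the bot's tell
        reply = s.recv(1024)
        return reply.split(b" ", 1)[0].decode()    # "220" or "554"


def demo():
    """Run the server and two clients on loopback; return the reply code each
    client saw and the server-side verdicts, in order."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))    # ephemeral port
    listener.listen(5)
    port = listener.getsockname()[1]
    verdicts = []
    t = threading.Thread(target=serve, args=(listener, verdicts, 2), daemon=True)
    t.start()
    replies = {
        "early_talker": connect_client(port, talk_early=True),
        "patient_mta": connect_client(port, talk_early=False),
    }
    t.join(timeout=10)
    listener.close()
    return replies, verdicts


if __name__ == "__main__":
    print(demo())   # ({'early_talker': '554', 'patient_mta': '220'}, ['rejected', 'accepted'])
```

The "IPs that connect and never say anything" Michael sees in his logs are the other half of this: a bot that does wait for the banner but whose timeout is shorter than the pause simply drops the connection, which costs the receiver one idle socket and nothing else.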



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 19:59   ` Bakul Shah
  2017-09-20 21:26     ` Jon Steinhart
@ 2017-09-20 23:17     ` Robert Brockway
  2017-09-21  0:00       ` Dave Horsfall
       [not found]       ` <20170921042528.E12C5156E523@mail.bitblocks.com>
  1 sibling, 2 replies; 54+ messages in thread
From: Robert Brockway @ 2017-09-20 23:17 UTC (permalink / raw)


On Wed, 20 Sep 2017, Bakul Shah wrote:

Hi all.  I've lurked here for a long time but hardly posted.  I've only 
used *nix for 25 years which makes me a n00b in these parts.

I run my own mail server and use trusted RBLs, Greylisting (GL) and 
SpamAssassin (SA) in that order as I did many years ago.

I do some additional tricks like requiring the sending MTA to hold the 
connection open for (IIRC) 10 seconds before I will accept traffic.  This 
drives up spammers' costs (and everyone else's :( ) but definitely helps.

> I use postfix + postgrey. But greylisting doesn't seem to work
> any more. I detect spam using various scripts. As you put it,

I'd suggest GL works but not for the same reason it originally 
worked.

GL is great in combination with an RBL.  GL gives the RBLs time to get 
updated so that by the time they get around to resending there is a better 
chance the RBL will block the incoming spam.  It's really the combination 
of greylisting and the RBLs which helps.

Perhaps not surprisingly the nature of spam has changed over the 20 years 
that I've run my own MTAs (Sendmail and then Postfix).  IMHO spam was most 
difficult to deal with perhaps 5-10 years ago.  It seems to me that the 
enforcement against organised crime online in recent years has reduced 
spam a lot.  IIRC I read that in recent years most spam was coming from 
only 7 or 8 organisations.  When one of those was shutdown some years ago 
I believe I saw a sudden drop in spam.

SA is probably of limited value today but it still catches some spam for 
me.  I never really bothered using a Bayesian filter inside SA or 
standalone.

FWIW I spend virtually no time maintaining my MTA.  I've been using the 
same approach for about 10 years and if anything I get far less spam than 
I did in 2007.

Cheers,

Rob
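The combination Rob describes, greylisting buying time for the RBL to catch up, as an added example that is none of the posters' code: a minimal triplet greylister, a stand-in for a DNS block list (the query-name construction is how DNSBLs are really queried, but no network is used) and a scenario played out on a simulated clock. The addresses come from the documentation ranges, the sender names are invented, and the 300 s delay and 4 h retry window are values chosen for this demonstration rather than any particular implementation's defaults.

```python
GREYLIST_DELAY = 300         # seconds a first-seen triplet must wait before a retry is accepted
GREYLIST_WINDOW = 4 * 3600   # a pending triplet is forgotten if no retry arrives within this window


def rbl_query_name(ip, zone="zen.spamhaus.org"):
    """The DNS name an MTA resolves to ask a DNSBL about an IPv4 address:
    octets reversed, then the list's zone. A listing answers with 127.0.0.x."""
    return ".".join(reversed(ip.split("."))) + "." + zone


class SimulatedRbl:
    """Stand-in for a real DNSBL (no network): listings appear at a chosen time."""

    def __init__(self):
        self.listed_at = {}   # query name -> time the listing was published

    def list_ip(self, ip, when):
        self.listed_at[rbl_query_name(ip)] = when

    def is_listed(self, ip, now):
        published = self.listed_at.get(rbl_query_name(ip))
        return published is not None and published <= now


class Greylist:
    """Classic triplet greylisting keyed on (client IP, sender, recipient)."""

    def __init__(self, delay=GREYLIST_DELAY, window=GREYLIST_WINDOW):
        self.delay, self.window = delay, window
        self.pending = {}   # triplet -> first-seen time
        self.known = {}     # triplet -> last-accepted time

    def check(self, ip, sender, rcpt, now):
        triplet = (ip, sender.lower(), rcpt.lower())
        if triplet in self.known:
            self.known[triplet] = now
            return 250
        first = self.pending.get(triplet)
        if first is None or now - first > self.window:
            self.pending[triplet] = now   # (re)start the clock for this triplet
            return 451
        if now - first < self.delay:
            return 451                    # retried too soon: still a temporary failure
        del self.pending[triplet]
        self.known[triplet] = now
        return 250


def smtp_policy(rbl, greylist, ip, sender, rcpt, now):
    """RBL first, then greylisting (the order Rob uses). Returns the SMTP reply code."""
    if rbl.is_listed(ip, now):
        return 554
    return greylist.check(ip, sender, rcpt, now)


def scenario():
    """Constructed timeline showing why greylisting plus an RBL beats either alone."""
    rbl, gl, log = SimulatedRbl(), Greylist(), []
    rcpt = "rob@example.net"

    def attempt(now, ip, sender):
        log.append((now, ip, smtp_policy(rbl, gl, ip, sender, rcpt, now)))

    # t=0: three first-time senders, none listed yet; all three get 451.
    attempt(0, "203.0.113.7", "promo@spam.example")      # bot that never retries
    attempt(0, "198.51.100.9", "offer@spam.example")     # bot that does retry
    attempt(0, "192.0.2.25", "alice@friend.example")     # legitimate MTA
    rbl.list_ip("198.51.100.9", when=120)                # the RBL catches up two minutes later
    attempt(60, "192.0.2.25", "alice@friend.example")    # retried too early: 451 again
    attempt(600, "198.51.100.9", "offer@spam.example")   # retry now hits the RBL: 554
    attempt(600, "192.0.2.25", "alice@friend.example")   # retry after the delay: 250
    attempt(7200, "192.0.2.25", "alice@friend.example")  # known triplet: 250 at once
    return log


if __name__ == "__main__":
    for entry in scenario():
        print(entry)
```

The second bot is the case Rob is pointing at: at its first attempt it was not yet listed and only greylisting stood in the way; by the time it retried, the RBL had the listing and the message never reached SpamAssassin at all.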



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 16:25 Larry McVoy
                   ` (9 preceding siblings ...)
  2017-09-20 20:13 ` jason-tuhs
@ 2017-09-20 23:06 ` Dave Horsfall
  2017-09-21 12:40 ` Ben Greenfield
  2017-09-23  9:12 ` Dario Niedermann
  12 siblings, 0 replies; 54+ messages in thread
From: Dave Horsfall @ 2017-09-20 23:06 UTC (permalink / raw)


On Wed, 20 Sep 2017, Larry McVoy wrote:

> I tried running my own server on mcvoy.com but eventually gave up, the 
> spam filtering was a non-ending task.

I've been a Sendmail bigot for years; I don't like the way that Postfix 
works.

> If someone has a plug and chug setup for MX I'd love to try it.

My setup is highly customised for anti-spam controls, so may not suit 
everyone...  And yes, until the last spammer's head is on a pike (I'm
serious), it is indeed a non-ending task.  I simply won't outsource my
filtering to a third party.

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 17:10 ` Arthur Krewat
  2017-09-20 17:14   ` Jon Steinhart
  2017-09-20 18:15   ` Arthur Krewat
@ 2017-09-20 22:54   ` Steve Simon
  2017-09-20 23:31     ` Grant Taylor
                       ` (2 more replies)
  2 siblings, 3 replies; 54+ messages in thread
From: Steve Simon @ 2017-09-20 22:54 UTC (permalink / raw)


My spam filtering is all plan9 based but the ideals are all portable.

Greylisting and delaying a few secs before starting the SMTP
conversation are my most successful filters. After this comes
SPF and using spamhaus to validate the sender's IP.

I reject some silly domains like localhost.com and usernames like
user and test.

I also have a list of regexps which match the reverse dns
addresses of adsl blocks which catch many spam bots.

The regexps sound like a lot of work but I have some scripts to
analyse my logs and suggest patterns, so it's just a click or two.
I can block something like:

	dhcp.[0-9]+.[0-9]+.[0-9]+.[0-9]+.adsl.nasty-isp.net

-Steve
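Steve's reverse-DNS pattern list and Michael Parson's rule of refusing IPs that do not resolve, combined into one added example that is not code from either poster's setup: a connect-time policy that takes the client IP, requires a PTR record, requires the name to resolve back to the same address (forward-confirmed rDNS) and only then matches the name against dynamic-pool patterns. The resolver is a constructed in-memory table so the code runs offline; the ISP names and addresses are invented, and the patterns escape the dots that Steve's example leaves unescaped (an unescaped `.` matches any character, which is harmless here but sloppy). The last function is a small version of the "suggest patterns from the logs" step.

```python
import re

# Patterns for names that ordinary mail relays never carry: the generic PTR
# names ISPs assign to dynamic/residential pools. Steve's example with the dots
# escaped, plus two more shapes such pools commonly use (invented ISP names).
DYNAMIC_POOL_PATTERNS = [
    re.compile(r"^dhcp\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.adsl\.nasty-isp\.net$", re.I),
    re.compile(r"^(?:\d{1,3}-){3}\d{1,3}\.dyn\.example-cable\.example$", re.I),
    re.compile(r"^(?:pool|ppp|dialup|dyn)[-.]", re.I),
]

# Constructed stand-in for the resolver: PTR for the IP, A for the name.
PTR = {
    "203.0.113.7": "dhcp.203.0.113.7.adsl.nasty-isp.net",
    "198.51.100.9": "198-51-100-9.dyn.example-cable.example",
    "192.0.2.25": "mx1.friend.example",
    "192.0.2.26": "mail.forged.example",      # name does not point back: FCrDNS fails
    "192.0.2.27": "pool-192-0-2-27.isp.example",
    # 192.0.2.28 deliberately has no PTR at all
}
A = {
    "mx1.friend.example": ["192.0.2.25"],
    "mail.forged.example": ["192.0.2.99"],
    "dhcp.203.0.113.7.adsl.nasty-isp.net": ["203.0.113.7"],
    "198-51-100-9.dyn.example-cable.example": ["198.51.100.9"],
    "pool-192-0-2-27.isp.example": ["192.0.2.27"],
}


def lookup_ptr(ip):
    return PTR.get(ip)


def lookup_a(name):
    return A.get(name, [])


def client_verdict(ip):
    """Return ('accept', hostname) or ('reject', reason) for a connecting address.
    Checks run cheapest-first: no PTR, then FCrDNS mismatch, then the pattern list."""
    name = lookup_ptr(ip)
    if name is None:
        return "reject", "no PTR record"
    if ip not in lookup_a(name):
        return "reject", f"PTR {name} does not resolve back to {ip}"
    for pat in DYNAMIC_POOL_PATTERNS:
        if pat.search(name):
            return "reject", f"dynamic-pool hostname {name} matches {pat.pattern}"
    return "accept", name


def suggest_pattern(hostname):
    """Generalise a PTR name seen in the logs into an anchored regex the way
    Steve's scripts do: runs of digits become [0-9]+, everything else is escaped."""
    return re.compile("^" + re.sub(r"\d+", "[0-9]+", re.escape(hostname)) + "$", re.I)


if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.26", "192.0.2.27", "192.0.2.28", "203.0.113.7", "198.51.100.9"):
        print(ip, client_verdict(ip))
    print(suggest_pattern("dhcp.203.0.113.7.adsl.nasty-isp.net").pattern)
```

Rejecting at connect time on the PTR alone is cheap and catches the botnet traffic these posters describe, but it will also refuse legitimate mail from the occasional small site whose provider never set up reverse DNS, so the reject text should tell the sender why.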



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 16:46 ` Warner Losh
  2017-09-20 17:01   ` Steve Nickolas
  2017-09-20 17:39   ` Henry Bent
@ 2017-09-20 22:54   ` Greg 'groggy' Lehey
  2 siblings, 0 replies; 54+ messages in thread
From: Greg 'groggy' Lehey @ 2017-09-20 22:54 UTC (permalink / raw)


On Wednesday, 20 September 2017 at 10:46:19 -0600, Warner Losh wrote:
>
> I ran my own server for bsdimp.com and village.org from the early
> 90s until 2009 or so.

I've been running my own server since 1992, first sendmail, then
postfix.  And yes, the only issue is spam.

> I switched to gmail when I was seriously looking at dropping $10k
> for a server that had enough horse power to filter the 50k-75k spam
> I was getting a month at that time.

My issue with spam filtering wasn't horsepower, which was only a
fraction of what you mention, but accuracy.  Spam was continually
getting through, legitimate messages were being marked as spam.  None
of the conventional methods, such as header analysis, were accurate
enough, and they required continual tweaking.  In addition, it seems
that Spamassassin passed its use-by date some years back.  See
http://www.lemis.com/grog/diary-jan2010.php#D1-10 : on 1 January 2010
I received a bounce with the message:

 3.2 FH_DATE_PAST_20XX      The date is grossly in the future.

That was fixed, of course, but it remained a pain.

> Switching to google was easier and I didn't have to spend the $10k
> nor the 4 hours a week on the care and feeding of the black lists,
> etc.

I felt very embarrassed, but I did something similar.  I now use gmail
as a spam filter, while retaining my own mail server.  Clearly
maintaining spam filtering is enough work that it should be left to
people who do it for a job.  But at least my headers show that the
mail comes from a lemis.com mail server.

Greg
--
Sent from my desktop computer.
Finger grog at lemis.com for PGP public key.
See complete headers for address and phone numbers.
This message is digitally signed.  If your Microsoft mail program
reports problems, please read http://lemis.com/broken-MUA



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 20:13 ` jason-tuhs
@ 2017-09-20 22:25   ` Theodore Ts'o
  0 siblings, 0 replies; 54+ messages in thread
From: Theodore Ts'o @ 2017-09-20 22:25 UTC (permalink / raw)


On Wed, Sep 20, 2017 at 01:13:57PM -0700, jason-tuhs at shalott.net wrote:
> I run my own mail.  Linux and FreeBSD servers, running qmail (plus lots of
> patches) and dovecot (and local, direct maildir access on the servers, for
> users who want to run alpine or mutt).

I run my own e-mail as well.  I use Debian Stable on Linode, using
dovecot, exim, and spamassassin.

> The real challenge in hosting your own mail seems to be on the outbound
> side.  Google seems to be pretty distrustful of small, hobbyist systems,
> even though none of my IPs has ever been used for spamming, and I took the
> time to setup stuff like SPF.  I haven't heard too many complaints lately,
> but for a while, I had a number of users complaining that their emails were
> always being marked as spam for gmail users...

The big thing is to use SPF and DKIM (I use opendkim), and to make
sure your IP address (or IPv6 address block) is clean.  If it is not,
you might have to ask your hosting provider to give you a clean IP
address.

					- Ted
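For the outbound side Ted recommends, an added example (not from Ted's or any other poster's setup) of what a receiving MTA does with the SPF record a small site publishes: it fetches the TXT record for the envelope-sender domain and evaluates its mechanisms, left to right, against the connecting IP. This evaluator handles the ip4, ip6 and all mechanisms with the four qualifiers, which is enough for the usual "list my relay, fail everything else" record; include, a, mx, exists and redirect need live DNS and are reported as "unsupported" rather than guessed. The records and addresses are constructed. DKIM is not shown because signing needs a private key and header canonicalisation, not something a few lines can demonstrate honestly.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records for three sending domains (stand-in for DNS).
SPF_RECORDS = {
    "home-mx.example": "v=spf1 ip4:192.0.2.25 ip6:2001:db8::25 -all",   # one relay, hard fail
    "sloppy.example": "v=spf1 ip4:198.51.100.0/24 ~all",                # a /24, soft fail
    "nospf.example": "",                                                # publishes nothing
}


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record against the connecting IP (an RFC 7208 subset).
    Returns pass / fail / softfail / neutral / none / permerror / unsupported."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "permerror"
    for term in terms[1:]:
        qualifier, mech = "+", term        # a mechanism with no qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # "all" matches everything: terminal
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed record: receiver treats as error
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include:, a, mx, exists:, redirect= all require DNS queries; refuse to guess.
        return "unsupported"
    return "neutral"                       # nothing matched and no "all" term


def check_sender(domain, client_ip):
    """What the receiver does on MAIL FROM: look up the domain's record and evaluate."""
    return evaluate_spf(SPF_RECORDS.get(domain, ""), client_ip)


if __name__ == "__main__":
    for domain, ip in (("home-mx.example", "192.0.2.25"), ("home-mx.example", "203.0.113.7"),
                       ("sloppy.example", "203.0.113.7"), ("nospf.example", "203.0.113.7")):
        print(domain, ip, check_sender(domain, ip))
```

Publishing the matching DKIM key is a second TXT record at `<selector>._domainkey.<domain>`, and it is the combination, SPF aligned with the envelope sender and DKIM aligned with the From: header, that the large providers' reputation systems look for; a correct SPF record alone does not guarantee the inbox, which is consistent with Jason's experience above.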



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 19:59   ` Bakul Shah
@ 2017-09-20 21:26     ` Jon Steinhart
  2017-09-20 23:17     ` Robert Brockway
  1 sibling, 0 replies; 54+ messages in thread
From: Jon Steinhart @ 2017-09-20 21:26 UTC (permalink / raw)


Bakul Shah writes:
> 
> 
> > On Sep 20, 2017, at 9:39 AM, Jon Steinhart <jon at fourwinds.com> wrote:
> > 
> > I run my own server using sendmail.  Part of what makes it work is an accretion
> > of crud that I have hooked to it over the years which I wouldn't particularly
> > suggest to anyone else.
> > 
> > So yes, spam is a big problem.  I manage it in a crude but effective way.  I
> > have a milter (mail filter) that I cobbled together that is invoked by sendmail.
> > I also have a separate "spam" user.  What the milter does is to take anything
> > that it considers to be spam and rewrites the address so that it goes to the
> > spam user.  I have permissions set up so that I can easily check on spam when I
> > have time.  Oh yeah, another of my curmudgeon credentials is that I use nmh for
> > my MUA (I'm a maintainer).
> 
> I use postfix + postgrey. But greylisting doesn't seem to work
> any more. I detect spam using various scripts. As you put it,
> "accretion of crud"!  I block spammer IP addrs via pf.
> Probably not the right thing to do.  Should look into various
> anti-spamming mail filters again. It is trivial to manually
> detect spam so probably should experiment with NN code for
> this.
> 
> I too use nmh (and MH before then). But since my last upgrade
> repl, comp, forw seem to bring up a blank X-MH-Attachment in
> vi.  Used to bring ~/Mail/drafts/<number> file, initialized
> with interpreted contents of "components" or "replcomps" file.
> Haven't gotten around to  looking into this. [This is a
> problem with many "maintained" software packages.  Things
> evolve and if you update only sporadically, you just may miss
> a crucial update or two!]

Um, well, while I am a maintainer I have been too busy to pay attention
to it in the last couple of years.  I am the person who invented/wrote the
attachment code for nmh.  I asked and asked for feedback on the design
before implementing it and received none.  Things were fine for about a
decade and then all of a sudden folks had a myriad of complaints and made
a bunch of changes.  My suggestion is that you mention this on their
mailing list after making sure that you have the latest stuff installed.
I do recall that a few changes were made some years back which broke stuff
if one had customized the components files for their own installation.

Jon



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 16:25 Larry McVoy
                   ` (8 preceding siblings ...)
  2017-09-20 18:51 ` Corey Lindsly
@ 2017-09-20 20:13 ` jason-tuhs
  2017-09-20 22:25   ` Theodore Ts'o
  2017-09-20 23:06 ` Dave Horsfall
                   ` (2 subsequent siblings)
  12 siblings, 1 reply; 54+ messages in thread
From: jason-tuhs @ 2017-09-20 20:13 UTC (permalink / raw)



> I tried running my own server on mcvoy.com but eventually gave up, the 
> spam filtering was a non-ending task.
>
> If someone has a plug and chug setup for MX I'd love to try it.

I run my own mail.  Linux and FreeBSD servers, running qmail (plus lots of 
patches) and dovecot (and local, direct maildir access on the servers, for 
users who want to run alpine or mutt).

The stackable filters concept in qmail (and other DJB software) makes it 
ridiculously easy to write plugins using the language/toolkit of your 
choice, so you can easily pass all mail through spamassassin, clamav, 
defer-first/gray-listing setups, RBLs, etc.  I spent some time on this 
setup years ago, and haven't really touched it since, yet it still seems 
to keep the spam down to manageable levels.

The real challenge in hosting your own mail seems to be on the outbound 
side.  Google seems to be pretty distrustful of small, hobbyist systems, 
even though none of my IPs has ever been used for spamming, and I took the 
time to setup stuff like SPF.  I haven't heard too many complaints lately, 
but for a while, I had a number of users complaining that their emails 
were always being marked as spam for gmail users...


  -Jason




* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 16:39 ` Jon Steinhart
@ 2017-09-20 19:59   ` Bakul Shah
  2017-09-20 21:26     ` Jon Steinhart
  2017-09-20 23:17     ` Robert Brockway
  0 siblings, 2 replies; 54+ messages in thread
From: Bakul Shah @ 2017-09-20 19:59 UTC (permalink / raw)



> On Sep 20, 2017, at 9:39 AM, Jon Steinhart <jon at fourwinds.com> wrote:
> 
> I run my own server using sendmail.  Part of what makes it work is an accretion
> of crud that I have hooked to it over the years which I wouldn't particularly
> suggest to anyone else.
> 
> So yes, spam is a big problem.  I manage it in a crude but effective way.  I
> have a milter (mail filter) that I cobbled together that is invoked by sendmail.
> I also have a separate "spam" user.  What the milter does is to take anything
> that it considers to be spam and rewrites the address so that it goes to the
> spam user.  I have permissions set up so that I can easily check on spam when I
> have time.  Oh yeah, another of my curmudgeon credentials is that I use nmh for
> my MUA (I'm a maintainer).

I use postfix + postgrey. But greylisting doesn't seem to work
any more. I detect spam using various scripts. As you put it,
"accretion of crud"!  I block spammer IP addrs via pf.
Probably not the right thing to do.  Should look into various
anti-spamming mail filters again. It is trivial to manually
detect spam so probably should experiment with NN code for
this.

I too use nmh (and MH before then). But since my last upgrade
repl, comp, forw seem to bring up a blank X-MH-Attachment in
vi.  Used to bring ~/Mail/drafts/<number> file, initialized
with interpreted contents of "components" or "replcomps" file.
Haven't gotten around to  looking into this. [This is a
problem with many "maintained" software packages.  Things
evolve and if you update only sporadically, you just may miss
a crucial update or two!]



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 19:25     ` Ian Zimmerman
@ 2017-09-20 19:54       ` William Pechter
  0 siblings, 0 replies; 54+ messages in thread
From: William Pechter @ 2017-09-20 19:54 UTC (permalink / raw)


Never used their support.  I keep nothing 
important on the server. 

I back up my stuff to my house over SSH with rsync. 

They have zfs snapshots and a remote console over web browser, so if I break it I fix it or reinstall.

If I get into too much trouble they do have support.  I am running from the bootable install they supplied and I used freebsd-update to go from 10.3 to 11.1 IIRC.

Bill

-----Original Message-----
From: Ian Zimmerman <itz@very.loosely.org>
To: tuhs at minnie.tuhs.org
Sent: Wed, 20 Sep 2017 15:26
Subject: Re: [TUHS] Who is running their own mail server and what do you run?

On 2017-09-20 14:22, William Pechter wrote:

>> exim on a VPS.  Currently it is a linode running debian but I will
>> have to find an outlet that supports BSD before systemd becomes
>> unavoidable on debian, which I'm afraid is only a matter of time.

> Digital Ocean does FreeBSD  for me.  My mail hosting costs me $5 per
> month.  Using postfix and zfs...

I try to choose my words carefully, and here I wrote "supports" on
purpose even though it is a much overused word.

Linode will let me run FreeBSD, no problem, but they will not support
it.  That means, for example, no backups.

So when you write that DO "does" FreeBSD, how far do they go on the
support scale?

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 18:22   ` William Pechter
  2017-09-20 19:11     ` Grant Taylor
@ 2017-09-20 19:25     ` Ian Zimmerman
  2017-09-20 19:54       ` William Pechter
  1 sibling, 1 reply; 54+ messages in thread
From: Ian Zimmerman @ 2017-09-20 19:25 UTC (permalink / raw)


On 2017-09-20 14:22, William Pechter wrote:

>> exim on a VPS.  Currently it is a linode running debian but I will
>> have to find an outlet that supports BSD before systemd becomes
>> unavoidable on debian, which I'm afraid is only a matter of time.

> Digital Ocean does FreeBSD  for me.  My mail hosting costs me $5 per
> month.  Using postfix and zfs...

I try to choose my words carefully, and here I wrote "supports" on
purpose even though it is a much overused word.

Linode will let me run FreeBSD, no problem, but they will not support
it.  That means, for example, no backups.

So when you write that DO "does" FreeBSD, how far do they go on the
support scale?

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 18:22   ` William Pechter
@ 2017-09-20 19:11     ` Grant Taylor
  2017-09-20 19:25     ` Ian Zimmerman
  1 sibling, 0 replies; 54+ messages in thread
From: Grant Taylor @ 2017-09-20 19:11 UTC (permalink / raw)


On 09/20/2017 12:22 PM, William Pechter wrote:
> Digital Ocean does FreeBSD  for me.  My mail hosting costs me $5 per 
> month.  Using postfix and zfs...

Digital Ocean has piqued my interest a few times.  I just did some 
looking, for a spam filtering test that I just did, and decided to stick 
with Linode.  But Digital Ocean has earned my respect in their 
interactions on Twitter too.



-- 
Grant. . . .
unix || die




* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 17:57 ` Ian Zimmerman
  2017-09-20 18:22   ` William Pechter
@ 2017-09-20 19:09   ` Grant Taylor
  2017-09-20 23:26   ` Michael Parson
  2 siblings, 0 replies; 54+ messages in thread
From: Grant Taylor @ 2017-09-20 19:09 UTC (permalink / raw)


On 09/20/2017 11:57 AM, Ian Zimmerman wrote:
> exim on a VPS.  Currently it is a linode running debian but I will have
> to find an outlet that supports BSD before systemd becomes unavoidable
> on debian, which I'm afraid is only a matter of time.

Hi Ian,

I'd strongly encourage you to reach out to Linode support (I've found 
them very responsive and helpful) and ask about BSD.

I believe you can do a micro install of something on one vDisk and then 
use that to boot strap install something else, possibly anything else.

I think I've even heard that you could get Windows installed via their 
GUI web console.  -  So I expect that BSD should be fairly easy to do.

I personally am planning on resizing a couple of VMs to a larger size w/ 
more CPU & disk to do a Gentoo install from my old CentOS.  Then I'll 
switch the boot disk, and ultimately remove CentOS & shrink back to the 
current size.

So, don't give up on Linode yet.  I bet you that they have a way for you 
to run BSD.

> spam is a problem but also a challenge ;-)

Agreed.  }:-)

> I'll never switch to gmail as my primary address.  The day when it's the
> only way is the day the Net dies, as I see it, and the day when I look
> for a different line of work (which maybe I should have done a while ago).

*salute*



-- 
Grant. . . .
unix || die




* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 16:25 Larry McVoy
                   ` (7 preceding siblings ...)
  2017-09-20 18:21 ` Grant Taylor
@ 2017-09-20 18:51 ` Corey Lindsly
  2017-09-20 20:13 ` jason-tuhs
                   ` (3 subsequent siblings)
  12 siblings, 0 replies; 54+ messages in thread
From: Corey Lindsly @ 2017-09-20 18:51 UTC (permalink / raw)



> 
> I tried running my own server on mcvoy.com but eventually gave up, the
> spam filtering was a non-ending task.
> 
> If someone has a plug and chug setup for MX I'd love to try it.
> 
> Thanks,
> 
> --lm
> 

We provide email service for a few hundred (mostly legacy) customers. The 
essential elements of the system are:

Linux (HA pair)
Postfix
SpamAssassin
ClamAV
RBLs (Spamhaus)
MySQL database
Maia Mailguard

I spend maybe five minutes a week maintaining the system. The most 
important part is Maia Mailguard. Incoming email is scored by SpamAssassin 
(higher = more likely to be spam). Above some threshold, which can be 
tuned up or down by the user, the mail is tossed into their spam 
quarantine. The user is able to browse this quarantine. False positives 
can be freed-up and delivered as usual and the sender is whitelisted. 
True positives are confirmed and contribute to training the filter. After 
a little while the system gets pretty good at automatically 
distinguishing between spam and ham.

The important point of this system is that it puts the user in control. 
Too much spam? Turn the spam threshold setting down a little lower. Too 
many false positives? Turn that knob a bit higher. Expecting an important 
email? Whitelist the sender or check your spam quarantine. As a mail 
admin, my goal is to give the users the tools to manage their own email 
effectively according to their requirements. I don't want my phone 
ringing every time some user wants to complain that he gets too much spam.

The system has been a success. Complaints from the users have dropped to 
nearly zero. I spend very little time thinking about or dealing with the 
mail system. Stats follow.


As of: 2017-09-20 11:38:53 PDT

  Efficiency      99.35%
  False Positive   0.50%
  False Negative   0.15%
  Sensitivity     99.84%
  PPV             99.45%
  Specificity     94.00%
  NPV             98.16%


--corey


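The threshold knob Corey describes, as an added example that is not part of his post and not Maia Mailguard's code: a constructed set of scored messages is evaluated at several thresholds, and the same statistics his report lists (efficiency, false-positive and false-negative fractions, sensitivity, specificity, PPV, NPV) are computed from the resulting confusion matrix. The scores and labels, the domain-free sample, and the convention that efficiency and the FP/FN figures are fractions of all mail are assumptions of this example, not taken from the post.

```python
"""Threshold tuning for a score-based spam filter, on constructed data (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample of (filter score, really_spam) pairs. Higher score means
# more spam-like, as with SpamAssassin. Made-up numbers, not real traffic,
# chosen so that the two classes overlap between roughly 2 and 7.
SAMPLE: List[Tuple[float, bool]] = [
    (12.4, True), (9.8, True), (7.1, True), (6.2, True), (5.5, True),
    (4.9, True), (3.8, True), (2.1, True),
    (0.3, False), (1.2, False), (2.6, False), (3.9, False), (4.4, False),
    (6.8, False),
]


def _ratio(num: int, den: int) -> float:
    return num / den if den else 0.0


@dataclass(frozen=True)
class Stats:
    """Confusion-matrix counts for one threshold setting."""
    tp: int  # spam that was quarantined
    tn: int  # ham that was delivered
    fp: int  # ham wrongly quarantined
    fn: int  # spam wrongly delivered

    @property
    def total(self) -> int:
        return self.tp + self.tn + self.fp + self.fn

    # Assumed convention: efficiency and the FP/FN figures are fractions of all mail.
    @property
    def efficiency(self) -> float:
        return _ratio(self.tp + self.tn, self.total)

    @property
    def false_positive(self) -> float:
        return _ratio(self.fp, self.total)

    @property
    def false_negative(self) -> float:
        return _ratio(self.fn, self.total)

    @property
    def sensitivity(self) -> float:   # share of spam that was caught
        return _ratio(self.tp, self.tp + self.fn)

    @property
    def specificity(self) -> float:   # share of ham that got through
        return _ratio(self.tn, self.tn + self.fp)

    @property
    def ppv(self) -> float:           # quarantined mail that really is spam
        return _ratio(self.tp, self.tp + self.fp)

    @property
    def npv(self) -> float:           # delivered mail that really is ham
        return _ratio(self.tn, self.tn + self.fn)


def is_quarantined(score: float, threshold: float) -> bool:
    """Quarantine rule: at or above the (per-user) threshold the message is held."""
    return score >= threshold


def evaluate(sample: Iterable[Tuple[float, bool]], threshold: float) -> Stats:
    tp = tn = fp = fn = 0
    for score, is_spam in sample:
        held = is_quarantined(score, threshold)
        if is_spam and held:
            tp += 1
        elif is_spam:
            fn += 1
        elif held:
            fp += 1
        else:
            tn += 1
    return Stats(tp, tn, fp, fn)


def sweep(sample: List[Tuple[float, bool]], thresholds: Iterable[float]) -> List[Tuple[float, Stats]]:
    """The knob: a lower threshold catches more spam and holds more ham."""
    return sorted(((t, evaluate(sample, t)) for t in thresholds), key=lambda p: p[0])


def lowest_safe_threshold(sample: List[Tuple[float, bool]], thresholds: Iterable[float],
                          max_false_positive: float) -> Optional[float]:
    """Most aggressive threshold whose false-positive fraction stays within budget."""
    for t, st in sweep(sample, thresholds):
        if st.false_positive <= max_false_positive:
            return t
    return None


if __name__ == "__main__":
    for t, st in sweep(SAMPLE, [3.0, 5.0, 7.0]):
        print(f"threshold {t:4.1f}: sensitivity {st.sensitivity:6.2%} "
              f"specificity {st.specificity:6.2%} FP {st.false_positive:5.2%} "
              f"FN {st.false_negative:5.2%}")
```

Running the sweep shows the trade-off a user is adjusting: on this sample, dropping the threshold from 5.0 to 3.0 lifts sensitivity from 62.5% to 87.5% while specificity falls from 83.3% to 50%. lowest_safe_threshold picks the most aggressive setting that still keeps wrongly held mail under a budget, which is the automated version of "turn that knob a bit higher".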

* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 17:57 ` Ian Zimmerman
@ 2017-09-20 18:22   ` William Pechter
  2017-09-20 19:11     ` Grant Taylor
  2017-09-20 19:25     ` Ian Zimmerman
  2017-09-20 19:09   ` Grant Taylor
  2017-09-20 23:26   ` Michael Parson
  2 siblings, 2 replies; 54+ messages in thread
From: William Pechter @ 2017-09-20 18:22 UTC (permalink / raw)


Digital Ocean does FreeBSD for me. My mail hosting costs me $5 per month, using Postfix and ZFS...

Bill

-----Original Message-----
From: Ian Zimmerman <itz@very.loosely.org>
To: tuhs at minnie.tuhs.org
Sent: Wed, 20 Sep 2017 13:57
Subject: Re: [TUHS] Who is running their own mail server and what do you run?

On 2017-09-20 09:25, Larry McVoy wrote:

> I tried running my own server on mcvoy.com but eventually gave up, the
> spam filtering was a non-ending task.

exim on a VPS.  Currently it is a linode running debian but I will have
to find an outlet that supports BSD before systemd becomes unavoidable
on debian, which I'm afraid is only a matter of time.

spam is a problem but also a challenge ;-)

I'll never switch to gmail as my primary address.  The day when it's the
only way is the day the Net dies, as I see it, and the day when I look
for a different line of work (which maybe I should have done a while ago).

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 16:25 Larry McVoy
                   ` (6 preceding siblings ...)
  2017-09-20 17:57 ` Ian Zimmerman
@ 2017-09-20 18:21 ` Grant Taylor
  2017-09-20 18:51 ` Corey Lindsly
                   ` (4 subsequent siblings)
  12 siblings, 0 replies; 54+ messages in thread
From: Grant Taylor @ 2017-09-20 18:21 UTC (permalink / raw)


I'm running Sendmail (the 800 lb gorilla that I know) on multiple Linode 
VPSs.  (I can highly recommend Linode.)

My email stack is fairly straightforward:

  - Sendmail + milters
     - ClamAV       - can reject email at SMTP time
     - OpenARC      - adds headers for SpamAssassin
     - OpenDKIM     - adds headers for SpamAssassin
     - OpenDMARC    - adds headers for SpamAssassin
     - SpamAssassin - can reject email at SMTP time
     - SPFmilter    - can reject email at SMTP time
  - JunkEmailFilter Project Tarbaby as a high order / low priority MX
  - Reverse Path IP filtering
     - Team Cymru Bogons
        - Full IPv4
        - Full IPv6
     - Spamhaus
        - Drop v4
        - eDrop v4
        - Drop v6
     - DShield

I also do the following, but they don't strictly impact inbound email 
filtering.

  - I publish DNS records for
     - SPF w/ -all
     - DKIM
     - DMARC w/ strict rejections on all messages
  - DNSSEC signed zones & published DS records.
  - I recently added Sender Rewrite Scheme to my mail server.
     - I now host email for a friend that he wants forwarded (unmodified) 
       to Gmail.

On 09/20/2017 10:25 AM, Larry McVoy wrote:
> I tried running my own server on mcvoy.com but eventually gave up, the 
> spam filtering was a non-ending task.

I may end up regretting saying this, but I don't think my spam problem 
is nearly as bad as other people seem to have it.

> If someone has a plug and chug setup for MX I'd love to try it.

I've found my solution to be mostly maintenance free.

I do dabble, by choice, and recently wrote a proto MTA in Perl to 
experiment with gray listing.

I also have > 2k lines of procmail recipes, but that's almost all for 
filtering different addresses into the multiple hundreds of folders I 
have in my personal email account.

Ask if you want any more details.



-- 
Grant. . . .
unix || die

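How the Sender Rewrite Scheme Grant mentions keeps forwarded mail from failing the destination's SPF check, as an added example in Python that is neither Grant's configuration nor a real SRS implementation (Mail::SRS, postsrsd have their own format details): the forwarder rewrites the envelope sender to an SRS0 address in its own domain, so the receiving side's SPF check is against the forwarder, and a bounce that later comes back to that address is unwrapped only if the keyed hash verifies and the timestamp is recent, so the forwarder cannot be used as an open bounce relay. The secret, the domains, the day counter and the choice of truncated HMAC-SHA256 are assumptions of the example.

```python
"""Sender Rewriting Scheme (SRS0) forward and reverse rewriting (added example)."""
import base64
import hashlib
import hmac
from typing import Optional

BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # alphabet used for the 2-char timestamp
SECRET = b"forwarder-srs-secret-rotate-me"     # assumption: per-host secret, never published
MAX_AGE_DAYS = 21                              # bounces older than this are refused
HASH_LEN = 4                                   # truncated keyed hash, as in SRS0


def encode_day(day: int) -> str:
    """Two base32 characters carrying the day number mod 1024."""
    return BASE32[(day >> 5) & 31] + BASE32[day & 31]


def decode_day(ts: str) -> int:
    return (BASE32.index(ts[0].upper()) << 5) | BASE32.index(ts[1].upper())


def _hash(ts: str, domain: str, local: str, secret: bytes) -> str:
    """Keyed hash binding timestamp, original domain and local part together.
    HMAC-SHA256 cut to 4 base64 chars is this example's choice, not the
    algorithm or input layout of any particular SRS implementation."""
    data = (ts + domain + local).lower().encode()
    digest = hmac.new(secret, data, hashlib.sha256).digest()
    return base64.b64encode(digest)[:HASH_LEN].decode()


def srs_forward(sender: str, forwarder: str, day: int, secret: bytes = SECRET) -> str:
    """Rewrite the envelope sender so that SPF at the next hop checks the forwarder.
    Senders that are already SRS0/SRS1 addresses are not handled here."""
    local, domain = sender.rsplit("@", 1)
    ts = encode_day(day)
    return f"SRS0={_hash(ts, domain, local, secret)}={ts}={domain}={local}@{forwarder}"


def srs_reverse(address: str, today: int, secret: bytes = SECRET) -> Optional[str]:
    """Recover the original sender from a bounce addressed to an SRS0 address.
    Returns None when the address is not SRS0, the hash does not verify, or the
    timestamp is older than MAX_AGE_DAYS (or lies in the future)."""
    local_part, _, _ = address.rpartition("@")
    parts = local_part.split("=", 4)          # original local part may itself contain '='
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        return None
    _, h, ts, domain, orig_local = parts
    if len(ts) != 2 or any(c.upper() not in BASE32 for c in ts) or not h.isascii():
        return None
    expected = _hash(ts, domain, orig_local, secret)
    # Case-insensitive, constant-time compare: intermediate MTAs may fold case.
    if not hmac.compare_digest(h.lower(), expected.lower()):
        return None
    if (today - decode_day(ts)) % 1024 > MAX_AGE_DAYS:
        return None
    return f"{orig_local}@{domain}"


if __name__ == "__main__":
    rewritten = srs_forward("alice@example.org", "forwarder.example", 100)
    print("MAIL FROM:<%s>" % rewritten)
    print("bounce unwraps to:", srs_reverse(rewritten, 105))
    print("stale bounce:", srs_reverse(rewritten, 130))
```

The reverse path is where the security lives: without the hash and the timestamp, anyone could send mail to SRS0=xxxx=xx=victim.example=user@forwarder.example and have the forwarder relay it to the victim with the forwarder's reputation attached. SRS only repairs SPF; the DKIM signature of the original message still has to survive the forward unmodified, which is why Grant forwards "(unmodified)".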

* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 17:10 ` Arthur Krewat
  2017-09-20 17:14   ` Jon Steinhart
@ 2017-09-20 18:15   ` Arthur Krewat
  2017-09-20 23:45     ` Dave Horsfall
  2017-09-20 22:54   ` Steve Simon
  2 siblings, 1 reply; 54+ messages in thread
From: Arthur Krewat @ 2017-09-20 18:15 UTC (permalink / raw)


Side note on my own post:

I use Thunderbird to read all my personal/professional email except 
where I'm forced to use Outlook.

I've built an extensive list of whitelisted email sources and 
destinations (TUHS for example). Anything that doesn't match that 
automatically goes into my SPAM folder.

So even if I turned off all SPAM filtering upstream, I still wouldn't 
get anything in my Inbox that I didn't want to see. My SPAM folder would 
be huge though ;)

On 9/20/2017 1:10 PM, Arthur Krewat wrote:
> Sendmail.
>
> Since I got a business-class fiber connection from Verizon FIOS last 
> year, I've been tempted to really "roll my own" receiving mail server, 
> but haven't because of the SPAM issue.
>
> Most of my main inbound email goes through Godaddy because I have an 
> unlimited (almost) hosting account with them. They filter 99% of the 
> SPAM and I'm happy with that. Let them deal with the updates and such.
>
> I use fetchmail to pull down email from various other places - gmail 
> (I'm a subcontractor to someone), Godaddy, outlook.com, etc.
>
> Outbound I push it through Godaddy again. Verizon recently cut their 
> mail service outbound for email outside of their root domain. Can't 
> blame them, they were probably being used to spam by customers' 
> machines that had been compromised.
>
>
>
> On 9/20/2017 12:25 PM, Larry McVoy wrote:
>> I tried running my own server on mcvoy.com but eventually gave up, the
>> spam filtering was a non-ending task.
>>
>> If someone has a plug and chug setup for MX I'd love to try it.
>>
>> Thanks,
>>
>> --lm
>>
>
>




* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 16:25 Larry McVoy
                   ` (5 preceding siblings ...)
  2017-09-20 17:54 ` Rico Pajarola
@ 2017-09-20 17:57 ` Ian Zimmerman
  2017-09-20 18:22   ` William Pechter
                     ` (2 more replies)
  2017-09-20 18:21 ` Grant Taylor
                   ` (5 subsequent siblings)
  12 siblings, 3 replies; 54+ messages in thread
From: Ian Zimmerman @ 2017-09-20 17:57 UTC (permalink / raw)


On 2017-09-20 09:25, Larry McVoy wrote:

> I tried running my own server on mcvoy.com but eventually gave up, the
> spam filtering was a non-ending task.

exim on a VPS.  Currently it is a linode running debian but I will have
to find an outlet that supports BSD before systemd becomes unavoidable
on debian, which I'm afraid is only a matter of time.

spam is a problem but also a challenge ;-)

I'll never switch to gmail as my primary address.  The day when it's the
only way is the day the Net dies, as I see it, and the day when I look
for a different line of work (which maybe I should have done a while ago).

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
Do obvious transformation on domain to reply privately _only_ on Usenet.



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 16:25 Larry McVoy
                   ` (4 preceding siblings ...)
  2017-09-20 17:47 ` Clem Cole
@ 2017-09-20 17:54 ` Rico Pajarola
  2017-09-20 17:57 ` Ian Zimmerman
                   ` (6 subsequent siblings)
  12 siblings, 0 replies; 54+ messages in thread
From: Rico Pajarola @ 2017-09-20 17:54 UTC (permalink / raw)


I was running my own Postfix server with spamassassin until I got
frustrated (that was when I was working for Google on Gmail spam/abuse and
realized just how much better a job you can do with more resources, and that
there's no way I could come even close to that quality of filtering with my
homegrown solution). Nowadays I run everything through Google. Sadly (?)
this also saves me a ton of time and money (I sometimes miss tinkering with
my mail setup).

On Wed, Sep 20, 2017 at 6:25 PM, Larry McVoy <lm at mcvoy.com> wrote:

> I tried running my own server on mcvoy.com but eventually gave up, the
> spam filtering was a non-ending task.
>
> If someone has a plug and chug setup for MX I'd love to try it.
>
> Thanks,
>
> --lm
>

* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 16:25 Larry McVoy
                   ` (3 preceding siblings ...)
  2017-09-20 17:10 ` Arthur Krewat
@ 2017-09-20 17:47 ` Clem Cole
  2017-09-20 17:54 ` Rico Pajarola
                   ` (7 subsequent siblings)
  12 siblings, 0 replies; 54+ messages in thread
From: Clem Cole @ 2017-09-20 17:47 UTC (permalink / raw)



On Wed, Sep 20, 2017 at 12:25 PM, Larry McVoy <lm at mcvoy.com> wrote:

> I tried running my own server on mcvoy.com but eventually gave up, the
> spam filtering was a non-ending task.


For ccc.com, a 40-year-old domain and a three-letter one at that, spam
was never ending.  I gave up when Google asked me to beta test Google Apps
for Business.   Now the cost of having them do it for me is so cheap that I
really cannot justify running it myself.  Same for my DNS for my class C:
I moved it all upstream to easyDNS in Canada (great bunch BTW, and pricing
is super).

Now I live downstream of a 1G fiber.   The firewall is fairly hot because
of my domain, so many nut cases tap on it; but my logs show it's been stable
for a long time since I have it locked down pretty tight.    At one time, I
had some of Ches's mapping stuff running that gave me a pseudo-real-time
map of where the attacks were coming from each day (mostly script kiddies).  But
we had a flood in the basement and that system got decommissioned since I got
bored looking at it.  I fear those bits are rotted.

Anyway, moving mail and DNS upstream did clean up spam, and while it did not
get rid of the attacks, it certainly let the primary defense be done at
places better set up to handle them than me personally, and I bought back much of
my day.


* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 16:46 ` Warner Losh
  2017-09-20 17:01   ` Steve Nickolas
@ 2017-09-20 17:39   ` Henry Bent
  2017-09-20 22:54   ` Greg 'groggy' Lehey
  2 siblings, 0 replies; 54+ messages in thread
From: Henry Bent @ 2017-09-20 17:39 UTC (permalink / raw)


On 20 September 2017 at 12:46, Warner Losh <imp at bsdimp.com> wrote:

>
>
> On Wed, Sep 20, 2017 at 10:25 AM, Larry McVoy <lm at mcvoy.com> wrote:
>
>> I tried running my own server on mcvoy.com but eventually gave up, the
>> spam filtering was a non-ending task.
>>
>
> I ran my own server for bsdimp.com and village.org from the early 90s
> until 2009 or so. I switched to gmail when I was seriously looking at
> dropping $10k for a server that had enough horse power to filter the
> 50k-75k spam I was getting a month at that time. Switching to google was
> easier and I didn't have to spend the $10k nor the 4 hours a week on the
> care and feeding of the black lists, etc.
>

This is essentially what happened when I was working at Oberlin College.
Around 2005-2006 we bought a dedicated appliance to handle spam (with
around 5000 active email addresses at any given time, it was a lot of spam)
but within less than a year it became completely overwhelmed and we needed
to upgrade to a much more powerful and expensive machine.  We switched to
Google Apps very shortly afterward and it saved countless hours on the back
end and provided a better experience to our users.  Initially I wasn't
particularly happy about the fact that we were no longer directly in
control of our mail, but the benefits far outweighed the drawbacks.

-Henry

* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 17:10 ` Arthur Krewat
@ 2017-09-20 17:14   ` Jon Steinhart
  2017-09-20 18:15   ` Arthur Krewat
  2017-09-20 22:54   ` Steve Simon
  2 siblings, 0 replies; 54+ messages in thread
From: Jon Steinhart @ 2017-09-20 17:14 UTC (permalink / raw)


BTW, another reason that I like to run my own mail servers is so that I can
see "spam" in case it isn't.  While I'm sure that filtering tools have gotten
better, I recall an issue some years ago while using a client's email address
where the message included a register layout like 0 1 1 X X X 0 1; the message
vanished because of the X X X.



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 16:25 Larry McVoy
                   ` (2 preceding siblings ...)
  2017-09-20 16:59 ` Kurt H Maier
@ 2017-09-20 17:10 ` Arthur Krewat
  2017-09-20 17:14   ` Jon Steinhart
                     ` (2 more replies)
  2017-09-20 17:47 ` Clem Cole
                   ` (8 subsequent siblings)
  12 siblings, 3 replies; 54+ messages in thread
From: Arthur Krewat @ 2017-09-20 17:10 UTC (permalink / raw)


Sendmail.

Since I got a business-class fiber connection from Verizon FIOS last 
year, I've been tempted to really "roll my own" receiving mail server, 
but haven't because of the SPAM issue.

Most of my main inbound email goes through Godaddy because I have an 
unlimited (almost) hosting account with them. They filter 99% of the 
SPAM and I'm happy with that. Let them deal with the updates and such.

I use fetchmail to pull down email from various other places - gmail 
(I'm a subcontractor to someone), Godaddy, outlook.com, etc.

Outbound I push it through Godaddy again. Verizon recently cut their 
mail service outbound for email outside of their root domain. Can't 
blame them, they were probably being used to spam by customers' machines 
that had been compromised.



On 9/20/2017 12:25 PM, Larry McVoy wrote:
> I tried running my own server on mcvoy.com but eventually gave up, the
> spam filtering was a non-ending task.
>
> If someone has a plug and chug setup for MX I'd love to try it.
>
> Thanks,
>
> --lm
>




* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 16:46 ` Warner Losh
@ 2017-09-20 17:01   ` Steve Nickolas
  2017-09-20 17:39   ` Henry Bent
  2017-09-20 22:54   ` Greg 'groggy' Lehey
  2 siblings, 0 replies; 54+ messages in thread
From: Steve Nickolas @ 2017-09-20 17:01 UTC (permalink / raw)


On Wed, 20 Sep 2017, Warner Losh wrote:

> On Wed, Sep 20, 2017 at 10:25 AM, Larry McVoy <lm at mcvoy.com> wrote:
>
>> I tried running my own server on mcvoy.com but eventually gave up, the
>> spam filtering was a non-ending task.
>>
>
> I ran my own server for bsdimp.com and village.org from the early 90s until
> 2009 or so. I switched to gmail when I was seriously looking at dropping
> $10k for a server that had enough horse power to filter the 50k-75k spam I
> was getting a month at that time. Switching to google was easier and I
> didn't have to spend the $10k nor the 4 hours a week on the care and
> feeding of the black lists, etc.
>
> Warner
>

I've run my own server for over a decade.  I don't get an unmanageable 
amount of spam, though if there's a way I can make it easier to filter the 
crud out using the tools (postfix, alpine) I have, ...sure

-uso.



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 16:25 Larry McVoy
  2017-09-20 16:39 ` Jon Steinhart
  2017-09-20 16:46 ` Warner Losh
@ 2017-09-20 16:59 ` Kurt H Maier
  2017-09-20 17:10 ` Arthur Krewat
                   ` (9 subsequent siblings)
  12 siblings, 0 replies; 54+ messages in thread
From: Kurt H Maier @ 2017-09-20 16:59 UTC (permalink / raw)


On Wed, Sep 20, 2017 at 09:25:02AM -0700, Larry McVoy wrote:
> I tried running my own server on mcvoy.com but eventually gave up, the
> spam filtering was a non-ending task.

I still run qmail, using a patch to pass everything through
SpamAssassin.  Remote IMAP is provided by courier-imap.  This setup has
been in place long enough that I can no longer remember originally
configuring it.

I experimented with moving to OpenSMTPD, but at the time it wasn't
flexible enough to manage spam filtering in a sane way.  I've read
matters have improved, and based on current descriptions it might be
worth revisiting.

Another relative newcomer is rspamd, which can take a lot of the pain
out of spam filtering.  Getting it integrated with my creaky old qmail
setup has been on my TODO for quite a while now.

> If someone has a plug and chug setup for MX I'd love to try it.

Sadly, while my setup has been rock-solid and I have no complaints,
there's nothing plug and chug about it.  The ability to quickly deploy a
new server is one of the things that originally got me looking at
OpenSMTPD, but filtering and user-controlled address creation a la
.qmail-files were showstoppers for me.

khm



* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 16:25 Larry McVoy
  2017-09-20 16:39 ` Jon Steinhart
@ 2017-09-20 16:46 ` Warner Losh
  2017-09-20 17:01   ` Steve Nickolas
                     ` (2 more replies)
  2017-09-20 16:59 ` Kurt H Maier
                   ` (10 subsequent siblings)
  12 siblings, 3 replies; 54+ messages in thread
From: Warner Losh @ 2017-09-20 16:46 UTC (permalink / raw)


On Wed, Sep 20, 2017 at 10:25 AM, Larry McVoy <lm at mcvoy.com> wrote:

> I tried running my own server on mcvoy.com but eventually gave up, the
> spam filtering was a non-ending task.
>

I ran my own server for bsdimp.com and village.org from the early 90s until
2009 or so. I switched to gmail when I was seriously looking at dropping
$10k for a server that had enough horse power to filter the 50k-75k spam I
was getting a month at that time. Switching to google was easier and I
didn't have to spend the $10k nor the 4 hours a week on the care and
feeding of the black lists, etc.

Warner

* [TUHS] Who is running their own mail server and what do you run?
  2017-09-20 16:25 Larry McVoy
@ 2017-09-20 16:39 ` Jon Steinhart
  2017-09-20 19:59   ` Bakul Shah
  2017-09-20 16:46 ` Warner Losh
                   ` (11 subsequent siblings)
  12 siblings, 1 reply; 54+ messages in thread
From: Jon Steinhart @ 2017-09-20 16:39 UTC (permalink / raw)


Larry McVoy writes:
> I tried running my own server on mcvoy.com but eventually gave up, the
> spam filtering was a non-ending task.
> 
> If someone has a plug and chug setup for MX I'd love to try it.
> 
> Thanks,
> 
> --lm

I run my own server using sendmail.  Part of what makes it work is an accretion
of crud that I have hooked to it over the years which I wouldn't particularly
suggest to anyone else.

So yes, spam is a big problem.  I manage it in a crude but effective way.  I
have a milter (mail filter) that I cobbled together that is invoked by sendmail.
I also have a separate "spam" user.  What the milter does is to take anything
that it considers to be spam and rewrites the address so that it goes to the
spam user.  I have permissions set up so that I can easily check on spam when I
have time.  Oh yeah, another of my curmudgeon credentials is that I use nmh for
my MUA (I'm a maintainer).

The big question is, what is spam?  To me, it's any message for which one of
the following holds:

 1.  It's spam if the sender is in my blacklist.  This rarely gets used.

 2.  It's spam if it's sent to more than one recipient at my domain and any of
     the recipients are nonexistent users.

 3.  It's spam if the message is malformed.

 4.  It's spam if the message has a forged address or a non-resolvable host.

 5.  Finally, it's spam if it's not text/plain and not in my whitelist.

My big issue with spam is not the spam itself, it's the interruptions.  So I
scan the spam folder every once in a while and if I see something from someone
that I want then I add them to my whitelist.  Works for me.

I also run fail2ban which at least keeps my log file size down.  Biggest issue
for me is that, living out in the country I am limited to a very expensive T1.
Every once in a while I have to call Verizon customer service which coincidentally
is the phone number for the Oregon Department of Justice and get them to block
mainly Chinese IP addresses at their end because getting hit with thousands of
spam attempts per minute is effectively a DDOS attack.

Jon


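Jon's five tests written out as the decision a milter could apply at delivery time, as an added example that is not Jon's milter or any code from his server. The domain, the user list, the blacklist and whitelist, and the offline stand-in for DNS resolution are assumptions of the example; a real milter would call libmilter and query DNS. "Forged address or non-resolvable host" is taken here to mean a From: header that does not parse as an address or whose domain does not resolve, which is one reading of the rule, not necessarily Jon's.

```python
"""Rule-based spam routing of the kind a sendmail milter could apply (added example)."""
import email
from email import policy
from email.utils import parseaddr
from typing import Callable, Iterable, List, Optional, Tuple

# Assumptions for the example: the domain this server accepts mail for, its
# real users, and the sender lists the rules consult.
MY_DOMAIN = "example.net"
LOCAL_USERS = {"jon", "postmaster"}
BLACKLIST = {"spammer@bad.example"}
WHITELIST = {"friend@example.org"}      # senders allowed to send non-text/plain
SPAM_USER = "spam@" + MY_DOMAIN         # the separate "spam" mailbox

Resolver = Callable[[str], bool]        # domain -> does it resolve?


def _sender_of(msg) -> Tuple[str, str]:
    """(local, domain) from the From: header, lower-cased; ('', '') if unparsable."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return "", ""
    local, domain = addr.rsplit("@", 1)
    return local.lower(), domain.lower()


def classify(raw: bytes, rcpts: Iterable[str], resolves: Resolver, *,
             my_domain: str = MY_DOMAIN, local_users=LOCAL_USERS,
             blacklist=BLACKLIST, whitelist=WHITELIST) -> Optional[str]:
    """Name of the first rule that fires, or None if the message is not spam."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    local, domain = _sender_of(msg)
    sender = f"{local}@{domain}" if domain else ""

    # 1. Sender is blacklisted.
    if sender in blacklist:
        return "blacklist"

    # 2. More than one recipient at my domain, and at least one does not exist.
    mine = [r.lower() for r in rcpts if r.lower().endswith("@" + my_domain)]
    if len(mine) > 1 and any(r.split("@", 1)[0] not in local_users for r in mine):
        return "nonexistent-recipient"

    # 3. Malformed: parser defects, or the RFC 5322 mandatory From:/Date: are absent.
    if msg.defects or not msg.get("From") or not msg.get("Date"):
        return "malformed"

    # 4. Forged address or unresolvable host: From: must parse and its domain resolve.
    if not domain or not resolves(domain):
        return "unresolvable-sender"

    # 5. Anything that is not text/plain needs a whitelisted sender.
    if msg.get_content_type() != "text/plain" and sender not in whitelist:
        return "not-plain-text"

    return None


def route(raw: bytes, rcpts: List[str], resolves: Resolver, **kw) -> List[str]:
    """Recipient list after the milter's rewrite: spam goes to the spam user."""
    return [SPAM_USER] if classify(raw, rcpts, resolves, **kw) else list(rcpts)


# --- constructed test inputs (not real traffic) ---------------------------
KNOWN_DOMAINS = {"example.org", "example.net"}


def fake_resolver(domain: str) -> bool:
    """Offline stand-in for a DNS lookup (a real milter would query DNS)."""
    return domain in KNOWN_DOMAINS


def make_message(sender: str, content_type: str = "text/plain",
                 date: Optional[str] = "Wed, 20 Sep 2017 10:25:00 -0700") -> bytes:
    lines = [f"From: {sender}", f"To: jon@{MY_DOMAIN}", "Subject: test"]
    if date:
        lines.append(f"Date: {date}")
    lines += [f"Content-Type: {content_type}", "", "body", ""]
    return "\n".join(lines).encode()


if __name__ == "__main__":
    for who, ctype in [("friend@example.org", "text/html"),
                       ("stranger@example.org", "text/html"),
                       ("x@nonexistent.invalid", "text/plain")]:
        verdict = classify(make_message(who, ctype), ["jon@example.net"], fake_resolver)
        print(who, ctype, "->", verdict)
```

Rule order matters: the cheap checks that need no network run first, and the DNS lookup in rule 4 is only reached for mail that has already passed the structural tests, which keeps a flood of junk from turning the filter itself into a source of resolver load.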

* [TUHS] Who is running their own mail server and what do you run?
@ 2017-09-20 16:25 Larry McVoy
  2017-09-20 16:39 ` Jon Steinhart
                   ` (12 more replies)
  0 siblings, 13 replies; 54+ messages in thread
From: Larry McVoy @ 2017-09-20 16:25 UTC (permalink / raw)


I tried running my own server on mcvoy.com but eventually gave up, the
spam filtering was a non-ending task.

If someone has a plug and chug setup for MX I'd love to try it.

Thanks,

--lm



end of thread, other threads:[~2017-09-23  9:12 UTC | newest]

Thread overview: 54+ messages
2017-09-21 20:05 [TUHS] Who is running their own mail server and what do you run? Norman Wilson
2017-09-21 21:02 ` Grant Taylor
  -- strict thread matches above, loose matches on Subject: below --
2017-09-20 16:25 Larry McVoy
2017-09-20 16:39 ` Jon Steinhart
2017-09-20 19:59   ` Bakul Shah
2017-09-20 21:26     ` Jon Steinhart
2017-09-20 23:17     ` Robert Brockway
2017-09-21  0:00       ` Dave Horsfall
2017-09-21  0:08         ` Grant Taylor
2017-09-21  0:55           ` Dave Horsfall
2017-09-21  1:52             ` Grant Taylor
2017-09-21  4:14               ` Dave Horsfall
2017-09-21  5:30                 ` Grant Taylor
2017-09-21 15:43                   ` Ian Zimmerman
2017-09-21  0:38         ` Robert Brockway
2017-09-21  1:30         ` Lawrence Stewart
2017-09-21  1:57           ` Grant Taylor
2017-09-21  3:04             ` Robert Brockway
2017-09-21  5:20               ` Grant Taylor
     [not found]       ` <20170921042528.E12C5156E523@mail.bitblocks.com>
2017-09-21  4:45         ` Robert Brockway
2017-09-21  4:58           ` Dave Horsfall
2017-09-21  5:34             ` Grant Taylor
2017-09-21 15:49               ` Ian Zimmerman
2017-09-20 16:46 ` Warner Losh
2017-09-20 17:01   ` Steve Nickolas
2017-09-20 17:39   ` Henry Bent
2017-09-20 22:54   ` Greg 'groggy' Lehey
2017-09-20 16:59 ` Kurt H Maier
2017-09-20 17:10 ` Arthur Krewat
2017-09-20 17:14   ` Jon Steinhart
2017-09-20 18:15   ` Arthur Krewat
2017-09-20 23:45     ` Dave Horsfall
2017-09-20 22:54   ` Steve Simon
2017-09-20 23:31     ` Grant Taylor
2017-09-20 23:57     ` Bakul Shah
2017-09-21  0:02       ` Larry McVoy
2017-09-21  1:08     ` Ian Zimmerman
2017-09-21 12:36       ` Steve Simon
2017-09-20 17:47 ` Clem Cole
2017-09-20 17:54 ` Rico Pajarola
2017-09-20 17:57 ` Ian Zimmerman
2017-09-20 18:22   ` William Pechter
2017-09-20 19:11     ` Grant Taylor
2017-09-20 19:25     ` Ian Zimmerman
2017-09-20 19:54       ` William Pechter
2017-09-20 19:09   ` Grant Taylor
2017-09-20 23:26   ` Michael Parson
2017-09-20 18:21 ` Grant Taylor
2017-09-20 18:51 ` Corey Lindsly
2017-09-20 20:13 ` jason-tuhs
2017-09-20 22:25   ` Theodore Ts'o
2017-09-20 23:06 ` Dave Horsfall
2017-09-21 12:40 ` Ben Greenfield
2017-09-23  9:12 ` Dario Niedermann
