Cloudron as mailserver

jadudm

Hi all,

I once, long ago, ran an exim mailserver with a colleague. At some point, we got zero-day'd, and I decided that running a mailserver was less fun than I thought. I've never looked back.

I maintain a domain on an external provider almost entirely for the email forwarding. That is, I have a domain and addresses that I only forward on to other email hosts (e.g. Gmail).

I could move that domain to my Cloudron. At that point, I would be putting all of my personal infrastructure on a box in my basement, and be relying on it for my most important piece of comms infrastructure. And, I know I'd need to actually test my backup and restore process at that point, because I really couldn't afford to have an outage take out my family's email for (say) days.

Do people use Cloudron for production mail? (I mean, I assume they must.) Are there any concerns? Gotchas? Are there other paths people have walked? I've tried experimenting with Cloudflare's email forwarding solution, but was unable to get it to work reliably (a number of months ago).

Many thanks,
Matt

luckow

@jadudm Yep, do it. All my domains (personal and business) rely on Cloudron as their mail server infrastructure. On a side note, my entire infrastructure is based on servers in data centers. I have no real experience with mail infrastructures in my basement

Kubernetes

@jadudm I use Cloudron since over 12 months for all of my private e-mail without any issues. Uptime is great, no outages. I just cancelled the subscription for another e-mail provider that I used before cloudron.

fbartels

Receiving and storing mails is not the main concern here. Mailservers will retry delivering mails in case your server is not available at the time of the first delivery. The challenge (even more so if you are on a residential connection) is sending mail. For this nowadays its best to sign up for an external relay.

Dave Swift

Which VPS providers are you folks using? Many block port 25 or don't allow marketing emails.

I'm currently using Cloudron for email, but use SES as an outbound relay.

BrutalBirdie

@Dave-Swift
I use Hetzner, Netcup, DigitalOcean, hosting.de and others.
Many block port 25 by default but allow it after requesting it.
But a strict ban is a criterion for me to not use that provider at all.

jadudm

This is all good.

@luckow , @Kubernetes , thanks for the context. The... difference between a data center is mostly immaterial, I think. I mean, unless you consider that there is no power infrastructure in my basement, the ethernet cables are tacked to the ceiling, and there's no redundancy... OK. So, it's a little different. That's a separate issue, though, from the question of "Cloudron as my mail solution." So, thank you for the +1s.

@fbartels , @Dave-Swift , and @BrutalBirdie , I think you've all raised good questions.

• How will I send mail out? Do I relay? If so, what service?
• Will my ISP allow port 25 all the way down? I don't know. I know they're letting :80 and :443 in, because I'm hosting Cloudron at the end of my fiber connection. But, that doesn't mean they're not blocking :25.

Many thanks all. Good considerations.

jadudm

Fascinating.

So, I already had SendGrid already for outbound. I have sent one email in the last month. (Or, my.cloudron has.) This part was already done.

I wiped out my Cloudflare email forwarding experiments, picked a domain to test with, and set up email.

Nothing worked for a while (meaning "why are these messages I'm sending from over there not ending up over here?"), but then I read the documentation. Turns out I had to open port :25 to receive email. Documentation is so silly sometimes.

Email routed through. "Step 3: profit," as the cool kids say.

This is slightly terrifying to me, for what it is worth. My concerns are... at least a decade old here, but is there any reason I need to be concerned about my Cloudron becoming an open relay? Given that I'm using SendGrid, could I close my outbound 25 as a precaution? (Would it matter?) Or, is that what my DKIM and other DNS records are for? (Eh... kinda, to answer my own question. Documentation rears its head again!)

I went ahead and expanded my DNSBL zonelist:

zen.spamhaus.org
spamcop.org
uribl.com
nixspam.org

because I could.

Thank you all again for the responses.

andreasdueren

@jadudm said in Cloudron as mailserver:

Hi all,

I once, long ago, ran an exim mailserver with a colleague. At some point, we got zero-day'd, and I decided that running a mailserver was less fun than I thought. I've never looked back.

I maintain a domain on an external provider almost entirely for the email forwarding. That is, I have a domain and addresses that I only forward on to other email hosts (e.g. Gmail).

I could move that domain to my Cloudron. At that point, I would be putting all of my personal infrastructure on a box in my basement, and be relying on it for my most important piece of comms infrastructure. And, I know I'd need to actually test my backup and restore process at that point, because I really couldn't afford to have an outage take out my family's email for (say) days.

Do people use Cloudron for production mail? (I mean, I assume they must.) Are there any concerns? Gotchas? Are there other paths people have walked? I've tried experimenting with Cloudflare's email forwarding solution, but was unable to get it to work reliably (a number of months ago).

Many thanks,
Matt

Works without any problems whatsoever

necrevistonnezr

@jadudm said in Cloudron as mailserver:

This is slightly terrifying to me, for what it is worth. My concerns are... at least a decade old here, but is there any reason I need to be concerned about my Cloudron becoming an open relay? Given that I'm using SendGrid, could I close my outbound 25 as a precaution? (Would it matter?) Or, is that what my DKIM and other DNS records are for? (Eh... kinda, to answer my own question. Documentation rears its head again!)

I believe port 25 needs to stay open, @girish ?

I went ahead and expanded my DNSBL zonelist:

zen.spamhaus.org
spamcop.org
uribl.com
nixspam.org

because I could.

I recommend updating your firewall regularly with an antispam-list, https://forum.cloudron.io/topic/3795/firewall-spamassassin-automatic-list-update?page=3
Also the ruleset by @d19dotca is really helpful: https://forum.cloudron.io/topic/4770/sharing-custom-spamassassin-rules

girish

If you set up a relay, outbound 25 can be blocked. Incoming port 25 still needs to be open to receive mail. Note that atleast in the US/Comcast, port 25 inbound and outbound is blocked for all residential connections. (so, one cannot run a mail server at home).

necrevistonnezr

@girish said in Cloudron as mailserver:

If you set up a relay, outbound 25 can be blocked. Incoming port 25 still needs to be open to receive mail.

It's a shame you can't differentiate between incoming / outgoing block in Fritz!Boxes....

jadudm

@necrevistonnezr Thank you. Absolutely good advice.

My firewall pulls dynamically, twice a week? (I'd have to check---might be weekly) from what I've been able to identify as a "good" set of lists. I think have 6-7 different on the firewall. I could go further, but these seem like the "big ones" from my research. Could be good for me to revisit them.

jadudm

@girish Thank you. I am running a relay. I will check if I'm blocking 25 outbound (I probably am not). My ISP does not seem to block 25 inbound, because once I opened 25 inbound (I now route 80, 443, and 25 to my.cloudron), mail started to arrive.

I'm confident OpnSense will let me open it in one direction for NAT traversal, and block it in the other.

AmbroiseUnly

@BrutalBirdie DigitalOcean blocks port 25, and didn't open it when I asked, even insisted.

BrutalBirdie

@AmbroiseUnly
https://docs.digitalocean.com/support/why-is-smtp-blocked/

SMTP port 25 is blocked on all Droplets for new accounts to prevent spam and other abuses of our platform.

Dedicated email deliverability platforms are better at handling deliverability factors like IP reputation. To send mail from DigitalOcean, we recommend using SendGrid:

Is your account new?

rodsilva

I've been using Cloudron Mail for a long time with 3 different providers (Linode, OnetSolutions and Hostinger). I never had an issue on sending and receiving e-mails.

What bugs me a lot is the search. It doesn't work well even with full-text search enabled...

Another issue is the lack of good webmail software to use with Cloudron Mail server. Any other mail provider (Gmail, Proton etc) have a much better UX than what is available on Cloudron. I used for some time SOGo but now I use Nextcloud Mail and Snappymail's Nextcloud app as a fallback. From now and then I ask Mozilla to develop a Thunderbird Web