Julien Vehent on 8 Jul 2012 12:47:35 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] So, That's it for Thunderbird

On 2012-07-08 14:33, David Coulson wrote:
On 7/8/12 12:22 PM, Julien Vehent wrote:

Certainly not what a Linux Geek would do.
I'm a Linux geek, but I gave up running my own MX environment about five
years ago. Wasn't worth the time/hassle, and gmail/google apps has superior spam filter and functionality than I care to support. Plus it's free, so that makes it even more appealing. I think I've had maybe an hour or two of outages
in the last five years, if that.

Disclaimer: I may get a little passionate when it comes to this. Nothing personal, not judging anyone's choices.

My personal opinion on this: if you're not paying for it, you're not the customer, you're the product.

SMTP , XMPP, SIP, DNS and most of the communications protocols of the internet are designed to work in a decentralized fashion. SMTP works so well that it hasn't been replaced or barely edited over the last 30 years. Gmail changes that completely. They want you to use their infrastructure for everything. Screw decentralization. If everybody uses gmail, then google becomes the Internet itself and there's no need to interconnect services anymore. There are a few other companies in that race (facebook, linkedin, ...), and all dream to become the biggest player, to pass 1 billion users, so they can switch your privacy setting to "open wide" overnight without you being able to complain about it, or switch service.

But it's a tricky game for them. Sometime people get offended. It's annoying for those big corps, because it slows them down. So they give you something in exchange. "Hey, we build green datacenters". "Hey, we're making cars that drive by themselves". "Hey, we're realizing that amazing machine learning technology. Ok, we use it to read your emails, but see it's really cool stuff". Oh, ok, that's cool, Google is a nice company, I'll give them my emails then.

I'm against that. I want to keep control over my emails for the next 100+ years. I want my grandchildren to read emails from 2005 and make fun of it. Like we did when we were kids in grandpa's attic. I also want to be able to email health related information, bank statement, family stories, anything to my wife and my family without thinking "Hey, maybe I shouldn't put that in an email. What if google/facebook/yahoo/the NSA reads it ?".

And that's not going to happen if gmail or facebook or the next web3.0 startup is in charge of them.

Once again, I'm not judging everyone's choices. My wife uses gmail, and that why I don't email her some stuff. But I also set up a backup of all of her mailboxes into our server. Just in case.

Think more along the line of DIY postfix + dovecot. Some antispam (dspam is great, postscreen too). Any MUA (roundcube, mutt, thunderbird). And a MX record that points to your machine.
Presumably you are paying for a machine/VM/whatever somewhere with a
static-ish IP address and inbound port 25 open?

I do have a small atom box in a datacenter in Paris, with a static IP. I use it only for sending and receiving emails. The reputation of the static IP is good, better than what I would have on a residential DSL. But I don't store anything there, it's all relayed back to an in-house storage that has 3*1TB drives in soft raid 5. Before that, I was hosting everything in my tiny appartment. And my other appartment before that, and so on... Emails follow me, not the other way around.

Nothing hard. And definitely better than letting google (and others) read your emails.

You know email is unencrypted right? Unless you are using PGP/GPG or some
other encryption tool, just assume everyone is reading it anyway.

I do security for a living. Crypto, pentest, firewalls and so on. Email security has always been a lot of fun to me. There are ways to secure your email correspondence. StartTLS is available almost everywhere, so your SMTP can talk to the recipient's SMTP over an encrypted connection. It's not really enforced anywhere though. Then it's up to the storage layer to make sure that it doesn't leak emails in the wild. But in any case, I still find it better than knowingly authorizing gmail to run big-data-machine-learning-what-not-algorithm on my data. Authentication is also almost fixed with DKIM. That requires having strong authentication between the MUA and the MTA, which is the job of your email server, then the MTA signs the email, and the recipient verifies it blablabla... I said "almost fixed" because DNSSEC isn't fully deployed yet so one can still spoof DNS records and hijack you auth process. Or you can use S/MIME, PGP or any other system that fails to scale because key management is hard and nobody managed to fix it.

The engineering side of maintaining your email server manually is extremely exciting. I'm not giving that up for whatever fancy feature gmail has to offer. And, honestly, I feel like I've been keeping up just fine. I got to implement (and, incidentally, write articles on) very cool projects like DKIMproxy, DSPAM, Postscreen or Roundcube. Brought up a fully resilient hosting infrastructure with 1 LDAP master and 2 slaves, 1 Bind DNS master and 2 slaves, 2 Postfix servers, Haproxy + Nginx + php/fastcgi for roundcube, DSPAM + Postgres for the antispam. Only Cyrus-imap isn't distributed, but I plan to replace it with Dovecot some time soon and make it master/slave.

Yes, it's time consuming. It's also extremely rewarding. It's all a matter of how much one is ready to invest into it.

- Julien

Julien Vehent - http://1nw.eu/!j
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug