So welcome to the second day of the 21st Gulaschprogrammiernacht, to the talk "Unlimited free accounts: your own mail server in 60 minutes". We all use email every day, and now we are going to see a talk about how to set up our own email server. The speaker is Benjamin, who graduated here in Karlsruhe at the Karlsruhe Institute of Technology and is now working as a consultant.

Yes, thank you very much for the introduction. To be fair, I didn't give him much more than that; I didn't think it was relevant. Okay, thank you everyone for being here. I already told you that it will be quite a packed talk with a lot of information, and ideally there is a live coding session of about 50 minutes. But given the network issues, maybe I will just talk about it, and I will upload the code so you can do it yourself; you can download it tomorrow from my blog or from GitHub. It's actually quite easy: you just have to repeat the steps here, and I will give you the explanation for why you have to do it.

But briefly, who am I? I'm Benjamin, as my herald already said. I'm an IT consultant, I currently work at 14 G technology consulting, and I should mention that because they're nice enough to pay for me being here, which I find great. So I wear the T-shirt and I use their PowerPoint presentation slides. No, they're awesome. Also, in my free time I do a lot of blogging and I organize meetups. So if you ever have the need to get the nicest and greatest stuff from the cloud or from AI, then come to our meetup; it's AI Cloud Innovation Karlsruhe.

So why do we do this?
Actually, I don't know why you would do it, but I know that you have to be a bit weird to want to do it. I mean, it's a mail server, and there's so much stuff you have to do for it, so you really have to be a bit weird to actually want to deal with that in your free time.

For me it started out... I mean, I started off with free email accounts like everybody else, like AOL or Gmail and stuff like that, back in the day. And then I started reading the news, and that wasn't too healthy. You read stuff like: Gmail is reading your emails, they're scanning them for advertisements, there are actually persons who read your emails, they're selling the information, and stuff like that. At some point I didn't want to have my emails on Gmail or somewhere else. I mean, most email providers do this. There are some who don't, or presumably don't, but they're of course not free, and by then I was already down the path of doing it myself, and I think it's fun.

So my main reason was privacy, and of course cost. Yes, you can have free email accounts, but by now you have most of the time some kind of cost associated with it: either it's your privacy, or it's reading ads that by now are injected into your emails by some providers. I mean, that's really fucked up. And if you then want something that's not with ads, then you have to pay at least 50, 60, 70 euros per year, and this comes without all the premium features that you have to pay extra for. I don't want to do that either.

Okay, but if you decide to do it yourself, you will encounter one problem, and this is that you have to realize that you have not only one problem, but many problems. And this is just because a mail server...
...that's not one thing. A mail server is comprised of a lot of moving parts that interact together and influence each other. In the beginning you basically have no idea where to start and what to choose, and everything is configured differently; every part of that has its different way of doing it. And even when you arrive at "okay, I have to use these parts", then for every part you have 10 or 20 alternatives that you can use. For your email storage you can use a file system, you can use an IMAP server; those are two completely different ways of doing it. And then if you decide "okay, I need an IMAP server because I want to use it with Thunderbird", which IMAP server do you use? There are 10, and like eight are not maintained and two are maintained, and whatever. That's so much stuff that you have to do before you get it done.

So for me that was a big hurdle. I did that originally during my studies, so I really had time to do it. If you start without any guidance, then oh Jesus. And of course most of the documentation that you can read online is either outdated or doesn't apply to you because you want to do something else.

So what do we want to do today? I want to give you one example of how to do it, to maybe lessen the anxiety of doing it a bit and give you a starting point from where you can then migrate into what you want to do, or adapt this solution to your needs. Ideally I wanted to do it online, but apparently not, so I'm very, very sorry for that. I will just show you what to do. Actually, that was not the problem before, because I already got an IP address before.
Okay, I will retry. Okay, I got net, so... no. Let's try something else, if that also works. Yes, okay, great. All right, so we can do it online; that is a big load off my chest. Thanks to whoever fixed it.

Okay, so this will be quite a process, and it will be a bit complicated, and I can't go into a lot of detail on every step. So if you have questions, just ask them right away, because ideally this talk takes me 59 minutes, and after that there is only a limited amount of time to ask questions. So ask questions immediately when you have them, because the more questions you ask, the more understanding you build, and the closer you are to actually getting a mail server running. If I just read it out to you and you don't get anything of it, then you just wasted an hour.

Okay, by the way, why would you not do that? First of all, of course, reliability. You will set up a mail server maybe for the first time, but also if you do it for the tenth time: in big organizations that sell that service, every part of it will have at least one person who gets paid to service that part all the time. You will do it in your free time with the limited understanding that you have. Or maybe you are an expert; then that doesn't apply to you, but it certainly applies to me, because I only have limited understanding of this. If you ask me some in-depth question about "hey, why should I use that kind of service in that setting on Postfix?", I will go like: read the manual.
I don't know. And then there will be things that just happen, like you have to reboot your server because there is a downtime at your provider because he has to do some updates, or you have to do some updates, or there is a certificate issue and stuff like that. So there will be outages, and you will not save time by doing this. I mean, if you're an expert, maybe, but I would suggest you don't save time with it. So only do it if you really want to do it and if you see a lot of benefits for you that outweigh not paying for that service and doing it yourself, because of, like, privacy reasons.

Okay. And there is one thing I have to mention. When you start your own mail server, you have to put that thing on the internet, and as we all know, the internet is not the most friendly of places. So everyone and their mother will be after you. You will receive so much spam, you will receive mails from scammers, you will potentially be hacked, although the chance for that is fairly low if you're only doing it for your own purposes and if you're not running a Microsoft product. By the way, don't run a Microsoft product, I mean not unless you're paid for it really well; it's just not worth your lifetime. The last time a friend put an Exchange server on the internet, it took exactly five minutes until it was taken over by someone, and he was out of the house by then. So that thing distributed spam for hours until he could get back and shut it down by just pulling the plug.

Also, you might be... and I'm not an expert, I'm not an attorney or something,
but you might be liable for anything that that thing that just got hacked does, so be aware of that.

Okay, if you still want to do it, let's briefly go over the core components of a mail server, or at least the core components of a mail server that are important now. Because yes, every one of these components has way more detail to it. If you look at Postfix, that thing is not one thing, it's like 20 different things that all operate together. I will not go into that detail, because for now it's not really important, and I don't know it. I will just give you the most important things right now.

So if we think of what happens when a mail arrives at our server: obviously, it has to find that server, and for that we have to set up a DNS entry. We have to give it the name of our server, and we have to put an MX entry in there. Strictly speaking, you don't have to put an MX entry in there, but it's really nice to do that; I will go into that detail a bit later. But when the mail then arrives at your server, we of course need some component that will take over the email, read it and decide what to do with it, and this component is Postfix, or the mail delivery agent, as you will read in the specific literature. And yes, I know this is strictly speaking not correct, but let's leave it at that. The mail delivery agent will take over the email and decide: okay, what will I do with it?
Most likely it will first hand it over to a spam checking process, like in our case rspamd, and then decide: okay, is there a user for that on my server that I have to deliver that mail to? For that it will basically, or in our case, ask the mail storage, Dovecot: hey, can I store this mail with you? And Dovecot will either say no, and then the mail delivery agent will reject the mail, or it will say yes, and then here it is. The mail storage, in our case a binary called Dovecot, will store the email and hand it out to you via IMAP, so you can access it with Thunderbird or Apple Mail or whatever you use. And it will know that you as a user exist because it will read the information from somewhere; in our case we will use an LDAP server.

This might be a kind of controversial decision, because LDAP servers are one of the worst designed pieces of software that you can find. The protocol to use them is so old and so weird. But you can think of them as a big dictionary; that's always how I like to think of it. It's a big dictionary, and in the dictionary there are entries, and if you find something in there, there is information. So that's how I like to think about it. It's not a dictionary, but it helps.

Okay, so two other things that we will encounter over and over again in this talk are the Docker deployment, because I Dockerized all these components. That just helps me getting away from the operating system versions. Because normally, of course, you can install these things on your operating system, and then you're kind of bound to the versions that your operating system or distribution has. Yes, you can install other versions, but it's a pain, and I wanted to use the Dockerized versions. Also, if something goes wrong and I screw it up, I can just delete the container and get a new container, and I didn't mess
with the host OS.

And so therefore I did write some Docker images, specifically for ApacheDS, Dovecot, Postfix, rspamd and so on. This is actually not hard to do, and you will find all of these images on Docker Hub and on my blog. Most importantly, you will not only find the images but also the code for how to build the images, because there are a lot of images for these binaries on Docker Hub, but you will not want to use them, because they don't deliver the code. They are not official images and you don't know what's in there. I mean, it could be anything; it could be a Dovecot, or it could be something that just hands your email out to some Russian server. I don't know. So be careful what you do. Again, operating a mail server is dangerous, so be sure that your images actually are the kind of software that you want to use. Of course, for some things there are official images, and I also do use them because I kind of trust them.

All right, then. What we will do all the time during this talk is... for the images, because I will briefly go over the images: the images are always the same thing. What you do to build them is: you take a base image, you install your dependencies on it, you copy a few configuration files onto it, and then you tell it how to run. That's everything.
That's how every of these images is built They are a bit different every time but not much and the most important thing that you always have to do is you have to put some kind of configuration in there to redirect the Logging output to standard out so you can read it in the docker logs Or at least that's that's how I do it and I will not write all the Instructions of course myself now because that would take forever Now I use ansible which is a configuration management tool which is a bit more declarative in its usage So you don't say docker runs for stuff for instance, but you Hand over a file to ansible and say look ansible This is how I want it to be and then ansible goes and does it the necessary steps to make it that way and the lower Box is one example of a simple script that for instance Pulls up the Apache L app server It's a lot at first, but actually what it does is it says only hey take my image and hand out the port 389 and Save the the stuff that you that you save Somewhere where it can access it by the way to answer the question beforehand. I don't like docker volumes and I don't think it's necessary for a single server It's way easier for me me maybe only to back up that stuff if it's Bind mounted to a somewhere of the host operating system especially for dovetail and I will get into that later And all the ansible rows by the way Yeah, that I should mention that too You could now write all these Declarative instructions to one file, but it would be a lot very convoluted. 
So there is a way to partition them into reusable chunks, and these chunks are then called roles. Here is the file structure of an example role; it's the matching ApacheDS role. It just says: look, I have my LDAP role, and in this there are no files that I have to upload. Obviously, I'm not mapping any files or copying any files here, but this is my task, and this is this file. And then there are also some variables, but the file with the variables is really uninteresting because it only contains this one variable. Then I use a so-called playbook, another file, to just reference that role and say: okay, on my server, please do that.

Okay, and I will do this on the aforementioned Azure VM. I hope it's still online, because a few hours ago it wasn't, and the Azure portal was also down. I hope it's up now and I can show it to you. I pre-installed something that's not relevant to the mail server: I pre-installed Docker, which is not really interesting for the mail server itself. I put up a Docker bridge and some basic tools like Vim and htop and stuff like that. The base image is Ubuntu 20.04, which also doesn't really matter; you can use Docker on any modern Linux.

And again, I will run this mail server on my fun domain, which is molybdenformen.de. I pointed that address to this Azure VM, and also I pointed the SMTP DNS entry to the Azure VM, and I created a record for the MX entry. As we mentioned before, the MX entry is where any other server on the internet who wants to send mail to you will look first, when he asks "hey, where should I send this mail to?". It will look in this MX entry, and this MX entry
goes to smtp.molybdenformen.de.

All right, that's everything for the introduction. Now let's get started with the code. The first thing I will do is actually something that I only have to use at the end, but I will do it now because it's super convenient to have the certificate already.

Then we will start with the first thing that we will set up, and that's the LDAP server. That's actually the task that we have seen before, and that's our user directory. Now, you don't have to use an LDAP server; you can use a mail server with, for instance, the accounts on the virtual machine itself. But that doesn't scale really well, and it's also not really good for maintaining stuff, so I decided to use an LDAP server. There are basically three main LDAP servers that you can use: OpenLDAP, 389 Directory Server and ApacheDS. Of course, there is Active Directory, but that again is a Microsoft product, and I'm already happy that the virtual machine works. So, seriously.

ApacheDS has the advantage of bringing a nice GUI with it, an Eclipse-based GUI that helps you manage it, and I will use now this GUI to... Yeah, it doesn't look like the internet connection is really back. Name resolution error. Yeah, okay. In this case I will scrap it for now. Unfortunately... I'm very sorry about that, but without network there's no live demo. I will just talk about what I want to do, or what I would do.

Basically, I would now go and execute my prepared scripts. Normally you would not do that; you would just use something like this, where you put all your roles into one list and then execute that. But because I wanted to do it step by step, I put every role into one file.
So it's always the same, but with only one role; the LDAP one has only one role. Ah, yeah, I'm sorry, better... even better, like this. Okay, everybody cool with that?

All right. So the first task would be to bring up the LDAP server. I have to look for it. Where is it? Up here? Okay, so again, that's the file that we have seen before, and it just brings up the LDAP server. The next thing that we would do is we go to the configuration tool; I can only show that on a page here: the LDAP server. What we then would do is create a new partition in that. That's a bit tricky to find, actually; it's not hard to do, but it's tricky to find. Because in that dictionary, tree I would say, because if you follow the keys then you get a tree structure, I want a new branch. And to create that new root branch you have to go into the configuration, you have to right-click here and go "open configuration". When you... what, is it back? That can't be; the LDAP server is not running. Yeah, whatever. No, it's not back. Okay. Then you right-click on the configuration and then you add your new tree. That's very convenient, to save all your stuff in that tree and not use another tree that's maybe used by the internal structure or something like that.

Now LDAP in itself is a bit tricky, because you have to design that tree somehow, and it's really corporate-focused. So it will give you... and the leaves of the tree,
they have to have specific classes, which only allow specific attributes. That's quite nasty, but most of the time I just create an organization that has my family name, and then I create an organizational unit that has the name "users", and then I create all the users underneath that. If you want to look for how to create a user: I use an inetOrgPerson, which has most of the stuff that I need, mostly the common name and the user password.

Okay, once we have set that up, we continue to the next piece of software, and in my case that's the mail storage. For mail storage, again, we will use an IMAP server that can then be accessed through IMAP with your normal Thunderbird or Apple Mail or whatever. Again, the script is the same as before; as mentioned, it just copies the configuration files there and then starts the container. Maybe one thing that should be noted: yes, it of course uses again the container by me, and it also hands in the certificates that the program I started before will give you, and it mounts the mail storage to the host system. I find that convenient, because it then can access the mail files directly and can back them up directly. But honestly, everybody does backups differently.

Should I sum that up, or so? 20 minutes left? Okay, okay. Because he just held up all those papers that he had, and they say 5, 10 and 15, and I could choose. Okay. Thank you very much.

Okay. For smaller installations you will not really have performance issues with your mail server, so I think it's really handy to have all the mails in one file... sorry, not all the mails in one file: every mail in one file that you can copy and paste and recover from if something goes wrong, because something will go wrong. And yes, they're pure text files, or actually you can put this .eml ending on them and then it will be readable with Thunderbird.
I think, yeah, but I never did that. So there are other ways of storing it with Dovecot; there are more high-performance options, but again, unless you have dozens or hundreds of users, or really loads of emails, you will not run into the problem that you have performance issues.

Okay, so we have of course to hand over the configuration file for Dovecot, and this is only interesting in two or three places. We tell Dovecot: okay, we want IMAP, because that's why we install Dovecot. And also important, we have to tell Dovecot we do not only want IMAP, we also want this protocol called LMTP, which is more of a local protocol for shipping mails around, and that will later be used by our MDA, Postfix, to hand the mail over to Dovecot. We will accept two ways of login, "plain" and "login". Plain sounds dangerous, but we will of course use SSL, and SSL only. And for determining if a user can log in, if a user has a mailbox on the server, we tell Dovecot to look into the LDAP directory.
That's a separate configuration file, which I will open soon, and the rest is fairly standard. This file you will only need to see if you serve multiple domains, so don't be led astray. And again, we have to log to the console to be able to read the logs on Docker.

Now we come to the meat of the configuration file, which is these two lines, and they work in conjunction. Maybe first the lower line: it says, please save my mails to the user folder, and subfolder "Maildir" there, and do it in the format maildir. This string in the front is really important, because you can put other things there and it will use a completely different format. And by the way, don't ever change it after the fact. There are tools to convert mailboxes into other mailboxes, but you can't just change that after you once used it and saved mail there.

But you might have noticed that there is a problem: the users don't have user directories there on the server, because all our users only exist in LDAP and not on the server itself. This is why we tell Dovecot: okay, the home directories of the users are here, in /var/spool/mail/vhosts, then the domain that we use in the email, in this case molybdenformen.de, and then the username. This will be their home directory. This is also where they might drop other things like sieve scripts for filtering; this will go there. Again, the rest is fairly simple.
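Editor's added example, not part of the talk or the speaker's Ansible roles: the per-user home and Maildir layout described above, reproduced with Python's standard-library `mailbox` module so you can see what "every mail in one file" means on disk and how a single message file is recovered without Dovecot. The root path, the address `peter@molybdenformen.de` and the sample messages are constructed assumptions; the root is a temporary directory instead of the bind-mounted host path from the talk.

```python
import email
import mailbox
import os
import shutil
import tempfile
from email.message import EmailMessage

# Assumed layout after the talk's mail_home idea: <root>/vhosts/<domain>/<user>.
# In the talk <root> is a bind-mounted host directory; here it is a temp dir so
# the example runs without privileges.


def mail_home(root, address):
    """Home directory Dovecot would use for a user that exists only in LDAP."""
    user, domain = address.lower().split("@", 1)
    return os.path.join(root, "vhosts", domain, user)


def deliver(root, address, msg):
    """Store one message as one file, like mail_location = maildir:~/Maildir."""
    home = mail_home(root, address)
    os.makedirs(home, exist_ok=True)  # Maildir() only creates its own directory
    box = mailbox.Maildir(os.path.join(home, "Maildir"), create=True)
    key = box.add(msg)  # written to tmp/, then moved into new/ (one file per mail)
    box.flush()
    return key


def message_files(root, address):
    """The per-message files on disk; each one is a complete RFC 5322 message."""
    base = os.path.join(mail_home(root, address), "Maildir")
    paths = []
    for sub in ("new", "cur"):
        d = os.path.join(base, sub)
        if os.path.isdir(d):
            paths.extend(os.path.join(d, f) for f in os.listdir(d))
    return sorted(paths)


def recover(path, out_dir):
    """Copy one message file out as .eml and parse it: no IMAP server needed."""
    out = os.path.join(out_dir, os.path.basename(path).split(":")[0] + ".eml")
    shutil.copyfile(path, out)
    with open(out, "rb") as fh:
        return email.message_from_binary_file(fh)


def demo(root=None):
    """Deliver two constructed messages and recover them; returns what to check."""
    root = root or tempfile.mkdtemp(prefix="mail-")
    address = "peter@molybdenformen.de"  # assumed user, exists only in "LDAP"
    subjects = ["hello from the demo", "second message"]
    for subj in subjects:
        m = EmailMessage()
        m["From"] = "sender@example.org"  # constructed sample data
        m["To"] = address
        m["Subject"] = subj
        m.set_content("body of " + subj)
        deliver(root, address, m)
    files = message_files(root, address)
    out_dir = tempfile.mkdtemp(prefix="recover-")
    recovered = sorted(recover(p, out_dir)["Subject"] for p in files)
    return {
        "home": mail_home(root, address),
        "file_count": len(files),
        "recovered_subjects": recovered,
    }


if __name__ == "__main__":
    print(demo())
```

Backing up this layout is a plain file copy of the `vhosts` tree; restoring one mail is a copy of one file, which is the property the speaker is after.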
Of course, we will only accept SSL connections, with the certificates that we handed in before. Yeah, fairly standard. And this stuff, for if you then read the configuration files yourself later, this stuff is just for telling Dovecot that some folders are special, like your Drafts folder or your Junk folder or the Trash folder, and it makes it easier for Thunderbird or so to find that folder.

Okay, once that is started we have something to put our mails into, but we need something to accept our mail or send our mail, and this piece of software is the actual mail server: the mail transfer agent, mail delivery agent, whatever; this is all in there. This will accept mails from the internet and put them in Dovecot, or accept your mails and hand them out. Our configuration in Ansible is fairly standard: you just take again all the configuration files, put them on the server and then tell Ansible, okay, now please start the container. The interesting part, of course, is what's in the configuration files, and there are many of them, because apparently, and rather annoyingly, handing mails around is super hard. There are so many things that go on and so many rules, so I will try to simplify it a bit.

First of all, what you should do: you should kind of disregard the master configuration, because there's so much stuff in there that you actually don't need. You only need one thing for your setup, and that's most of the time this line here, the submission line, and you should uncomment that. That basically tells Postfix: okay, we open another port, that special port 587, to later accept mails from our users; not from the internet, from our own users. That's it for that file, and in most distributions just leave that file alone; most of the time you don't have to screw with it. Much more important is the main configuration.

In this configuration we have to first make one important distinction. The mail server can either serve
mail for itself, like for the smtp.molybdenformen.de domain, which is its own host name, but it also can serve mails for completely different domains. You can put, into whatever, the google.com domain, smtp.molybdenformen.de as the MX server; that's completely legal, you can do that, and many people most of the time use that. So you have to tell Postfix somehow that you are hosting mail for a completely virtual domain, not your own domain, but a virtual domain. Still, your domain in this case is molybdenformen.de and your host name is smtp.yourdomain, and this is just filled in here from there.

But we will not really accept mails for that, because we say: okay, now "mydestination" is only localhost; I will only treat localhost like that, and for everything else I will use the virtual mailbox settings. So I myself don't really accept mail, but I accept mail for all these virtual domains that I host. You have to use these three settings for that. First of all, it's the virtual mailbox domains; since it's a list, you can go and add domains to that, and of course in these domains there has to be an MX entry that points to the server. When we then receive mail for that domain, we will use the virtual transport setting to hand this over to Dovecot. Then you will have, in your mail server, files that have aliases in them that, for instance, say: okay, your user Peter is also available under Schlafketschen@molybdenformen.de. You can put that in there, and for the virtual domains that you use these are special virtual alias files, and they go into this one.

All right, I see a lot of stunned faces. Are there any questions right now? Too many? Yes, please.

(Audience question, not audible in the recording.)

Yeah, you can do it via the aliases. Yes, that's possible, but you can actually do it multiple ways. No, you shouldn't have a catch-all email, because it will catch all email, and people will try to send email to whatever username at your server. If you look at the log files later at your
server, it's just this username, that username, that username; they will constantly probe your server for usernames.

You should have two very important addresses, or three: these are postmaster, abuse and webmaster. These are recommended by the RFC, and actually even spammers don't use them. On the mail servers that I administrate I have never received spam on these three email addresses, but I always keep them available, and I don't even spam-filter them, because if someone wants to report an abuse of my email, I have to be able to react. Of course, for my personal email server I will just decline the request, because I sent the email, but maybe I misconfigured something and my server is handing out spam; then someone could use the abuse@ email address to send a request for me to delete that. Yeah, you should absolutely have these three exceptions in your files.

Other questions up to now? Okay. Yes?

Audience: If the server is down and not working, where does the mail from the outside go? Does it just disappear into the void?

No. Good question. So the mail from outside will not be sent to you in this case. When a mail server takes a mail from you, it's basically like a mail carrier: he now has a responsibility to carry that mail to its destination, and a proper mail server will try its best to do that.
So if he can't reach the destination, he will try again with a backoff, like five minutes, 15 minutes or whatever, most likely 15 minutes. And then he will try again and again and again and again until some limit is reached, but most mail servers will use very high limits and try to deliver that mail really thoroughly. Okay. Again, if you have questions, just ask.

Okay, now when we go to use Thunderbird to send mail through that mail server, that mail server also has to know whether it will accept this mail from us or not. Here we use a shortcut, because of course you could now configure Postfix to also go to the LDAP server and ask whether this user exists or not, but that's actually quite a hassle, because the format for that is again different from Dovecot's. What I do instead is use a nice feature of Dovecot: Dovecot allows to distribute that information to the mail server, so it will make a socket available where Postfix can then ask Dovecot: hey, does that user exist? And that's what we do here.

So of course we will also only allow SSL authentication, because otherwise we would send our passwords in plaintext over the internet; that's not recommended. And we will use the "high" setting for the TLS ciphers. You can screw around with that setting a lot, people like to do that; I read somewhere that "high" is a good setting, but you can specify every single cipher there if you want to. So: no anonymous mail, only use TLS, and we will ask Dovecot whether that account actually exists. And of course we have to also hand over the certificates.

Then basically now our mail server would be running, and maybe not the first mail, but certainly the second, the third and the hundredth mail would be spam that it receives. So now we have to do something about spam, and this is a really big problem, obviously, you all know. It's not an easy problem, because the spam sometimes is dumb, sometimes it's really sophisticated.
So we have to take a multi-layered approach to actually try to filter it. We will not be able to filter it completely, obviously, but we will do our best. And the first line of defense against spam is actually again Postfix, or the mail server itself, when it receives mail. It has to read the mail, and in that instance it already can try to block stuff. For instance, it can block non-fully-qualified senders: if the sender just says "hey, I'm Joe", then my mail server says "okay, go away". Or if the recipient is not fully qualified, if you say "hey, I want to send a message to Peter", then my mail server goes "okay, Peter, who? Do you know that guy? No, it's just Peter." Now, Peter is not good enough. And stuff like that it can reject. Obviously, that's an important thing: if you don't know the sender domain... if you're not responsible for accepting mail for that domain, don't accept that mail; if you don't know the recipient domain, also don't accept that mail, and stuff like that. But of course we also have to accept some mail, and the mail that we accept first is that which comes... yes? Come again? The unknown sender, this one. Yeah, if you send a mail to someone, you have to specify the domain, for instance gmail.com, and if it's like something@y.com and the mail server can't determine what that domain is, if it can't resolve that domain, then it will not accept that mail.

By the way, these conditions are evaluated in order, and that's why permit_mynetworks is up top. Now, this is actually a controversial setting, because this will permit everyone from this list to just send mail without any checks. Obviously, that's a bit problematic, but it always worked for me. And if you don't put something from the internet in there, but maybe just your local net, then yeah, okay, someone can hack something on your local network and then send unlimited mail. Yeah, okay.
Maybe I accept that risk. And also I accept SASL-authenticated people, and these are my users, who I will authenticate via the submission port that we mentioned before, and I will just accept mails from them. Maybe that's not wise, depending on the kind of users that you have, but for this server it's most likely only me. So yeah. Okay. Obviously also reject people that you don't know, and otherwise permit the stuff.

And then our second line of defense... or are there any more questions on that filter? By the way, there are other settings. So for instance you can do HELO restrictions that actually would come before, but they don't make a lot of sense, because in the implementation of Postfix it's like it will read a chunk of the email first, and when it has read that you can already do all of these checks. So you could theoretically do checks before that, but in practice you won't, so I just put that in here. Yes?

One thing, like my little attempt at doing the matching where it was always really hard, is not getting filtered as spam by other people. So you have to set up like the DMARC records in your DNS and whatever. Will you get to that, or?
Hardly, because when I designed this talk I just wanted to get it running, but yeah, I can say something about that. So this is, and what he mentions is, the other side of the equation. Of course we don't want to accept spam, but the other people don't want to accept spam either, so they will also be very thorough in checking who you are, and they will of course do the same stuff that we do, but they might do other things as well. And basically running a mail server is building up a kind of credibility, and if you have this credibility then people will accept mails from you. Or if you just are Gmail, then you have to accept mails from Gmail, because most people use Gmail. Okay, then you can't do anything even if they send spam to you. Of course you can decline it, but then you will block out like 30% of the internet, and that's not really productive. But you as a small mail server operator, you have to jump through their hoops and then build up credibility, and depending on who it is, they will use other things to determine your credibility, like this SPF record, which is another record in your DNS entry where we can determine from whom mails from this domain should be accepted. And you can use another technique, that's DMARC, where you publish a hash of a public key in your DNS entry again, and every email from that mail server now has to be signed with that public key, and when the public key matches what you have published in DNS, then that will build trust. But actually most of the spammers now use DMARC too, so it's not really good. They... five minutes? Oh, right. Okay. Are you sure? Okay, we have to speed up a bit. Okay. Yeah, so they will use other factors, like some will even require you to have a web page; they actually check then if there is a web page running on this domain, and if not, then you will drop out of their favor. And especially Microsoft is really, really dickish with accepting mail.
They will block your mail for like no reason, and they will not tell you why, and they will very rarely put you back into the whitelist; they will just do that at random, and you can do basically nothing about it. And then they will have this great "oh, I want to unlock my domain" page, and that won't work, because it's a Microsoft page. Yeah, that's actually how it works.

Okay, our second line of defense, just to mention that, and then we will skip the web interface, because we won't be able to show it anyway. And the second line of defense is rspamd. rspamd is actually a fairly modern spam checking possibility. Before that there was SpamAssassin, but that was really hard to configure. rspamd, if you just want to use it, is really easy to configure. You just use the standard configuration files and you do stuff like tell it where the antivirus container is, which is just like this line, and then of course you put the logging again on the console, and you tell it where Redis is. So really, really basic stuff. The only thing where you have to think for a moment is: if you want to just use one process for rspamd, then you have to put this line in, because rspamd can be scaled to very high loads, but you won't have those loads, hopefully. Then you can use just one process, and then you disable the normal worker and use the proxy worker to just scan the mail. So that's the most important line here. And of course the socket where you put it in, but that's the standard socket.
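The single-process rspamd setup the speaker describes (antivirus container, console logging, Redis, normal worker disabled, proxy worker scanning in self-scan mode), as an added configuration example written from rspamd's documented options rather than copied from the speaker's files. The file names follow rspamd's `local.d/` override convention; the container host names `clamav` and `redis` and the ClamAV port are assumptions:

```ucl
# local.d/antivirus.conf  (tell rspamd where the antivirus container is)
clamav {
    type = "clamav";
    servers = "clamav:3310";     # assumed container name and ClamAV's default port
    action = "reject";           # a detected virus rejects the mail outright
}

# local.d/logging.inc  (log to the console, useful inside a container)
type = "console";

# local.d/redis.conf  (shared Redis backend for statistics, greylisting, etc.)
servers = "redis:6379";          # assumed container name

# local.d/worker-normal.inc  (no separate scanner processes: one process does everything)
enabled = false;

# local.d/worker-proxy.inc  (the proxy worker talks milter to Postfix and scans itself)
bind_socket = "localhost:11332"; # rspamd's standard proxy socket
milter = yes;
upstream "local" {
    default = yes;
    self_scan = yes;             # scan in the proxy rather than forwarding to a normal worker
}
```

On the Postfix side the matching lines are `smtpd_milters = inet:localhost:11332` and, so that an unreachable rspamd does not silently drop mail, `milter_default_action = accept`; both are standard Postfix milter settings, not taken from the speaker's slides.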
I just copied everything else. Okay, and then Postfix will send the emails to rspamd, and that will check them for viruses and check them for spam, and if it is confident enough that this is spam, then it will actually reject the email. You can configure that, and I like to immediately reject the mail, to keep the connection from the client that wants to send me the mail open, because an email guru, Peter Heinlein, once said in one of his talks that it is advantageous for legal reasons to immediately reject email, because then it's like you haven't accepted it. No way of knowing if that's true, but he said it, and he makes his money by administering mail servers. By the way, there's a really good book on Postfix and Dovecot from him. I'm not affiliated or anything, he doesn't even know I exist, but these books are really good. Okay, then we will skip the SOGo part, because that would be showing it and I can't show it, obviously, and go directly to the questions. Yes, please?

How resource intensive would you say running a mail server is? Let's say on a tiny computer, even the Raspberry?

Yeah, you can do that if you only use a basic Postfix and Dovecot. It can run on very, very little. The resource intensive things are more like spam filtering, rspamd, ClamAV obviously, the virus checker, but Postfix and Dovecot are super optimized. Other questions? Yeah?

Is SOGo a webmail interface?

Yeah. So SOGo is actually groupware; there are many groupwares out there, but I like SOGo. It brings CardDAV and CalDAV sync possibilities, it has contacts and calendar built in, it has a material design interface. It has not all the perks of, let's say... what's the file sharing thing called? Come again? Nextcloud.
Yeah, Nextcloud. But actually I hate Nextcloud for its mail client; that thing just doesn't work, and SOGo is built for mail, and I use that. It's just a personal choice. You can do whatever you want, because when the rest runs, SOGo is just plugging in, pointing into the mail server, like your Thunderbird client. It basically does the same thing. Yes?

I've been running my own mail server for about 10 years. I can confirm the most difficult part is to get other people to accept your mail. Like Telekom, T-Online, has a dedicated email address you can write to; that's a huge advantage. As you told, there's no way to contact Microsoft. Yeah, and I don't know on which spam list you're listed by the previous owner of the IP address. I mean, I don't want to suggest that Microsoft makes a business out of rejecting your mail because then you need a Microsoft account, but it's something you should probably think about.

Yeah. I will show... oh, I have to say that there's a great tool called mail checker; there you can send the email to them and it checks if all people will accept it. Just to make it easier for other people here, there is also MXToolbox or something like that, it's called, where there is a collection of tools that you can use also to verify SSL, verify spam checking and stuff like that. I think he was first, sorry.

I've been running my own mail server for about two years and I'm using a really amazing project called Simple NixOS Mailserver. Yeah, have you heard of it?

Yeah, I've heard of it. I haven't used it. By the way, my solution runs on Docker and on my Docker images, because I'd like to use them and I'd like to fiddle with it. If you want that solution a bit more refined and a bit more maintained, there is Mailcow, which basically does the same but better. I don't want to diss myself, but this is also, for me, it's fun.
I know I'm weird, but yeah, if you don't want to invest so much time, just use Mailcow. And another solution is Mailu, that's even runnable on containers, Kubernetes. Okay. Yeah, okay, I don't have a Kubernetes server, unfortunately. All right. No, I get gold. Thank you anyway.
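The Postfix restriction list the talk walks through (permit_mynetworks up top, SASL-authenticated users next, then the sender and recipient sanity checks, then rejecting destinations you are not responsible for), modelled as an added example that is not the speaker's code and not Postfix itself. It keeps the "evaluated in order, first PERMIT or REJECT wins" behaviour the speaker points out, replaces real DNS with a constructed lookup table, and uses constructed addresses and networks so it runs offline; the FQDN test is deliberately simplified to "the domain part contains a dot":

```python
"""Toy model of Postfix smtpd_recipient_restrictions evaluation order (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the real server's settings.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.168.1.0/24")]
MYDESTINATION = {"example.org"}                          # domains we deliver locally
KNOWN_DOMAINS = {"example.org", "gmail.com", "y.com"}    # replaces DNS resolution

# The order from the talk: trusted sources first, then checks, then anti-relay, then permit.
RESTRICTIONS = [
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject_non_fqdn_sender",
    "reject_non_fqdn_recipient",
    "reject_unknown_sender_domain",
    "reject_unknown_recipient_domain",
    "reject_unauth_destination",
    "permit",
]


@dataclass
class Envelope:
    client_ip: str
    sasl_authenticated: bool
    sender: str       # MAIL FROM address
    recipient: str    # RCPT TO address


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _is_fqdn(addr: str) -> bool:
    # Simplification: Postfix checks for a proper fully-qualified domain; a dot is enough here.
    return "." in _domain(addr)


def evaluate(env: Envelope, restrictions=RESTRICTIONS):
    """Walk the list in order; the first rule that says PERMIT or REJECT decides.
    Rules that do not match fall through (Postfix calls that DUNNO)."""
    ip = ip_address(env.client_ip)
    for rule in restrictions:
        if rule == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            return "PERMIT", rule          # no further checks at all for trusted networks
        if rule == "permit_sasl_authenticated" and env.sasl_authenticated:
            return "PERMIT", rule          # likewise for users who logged in on submission
        if rule == "reject_non_fqdn_sender" and not _is_fqdn(env.sender):
            return "REJECT", rule          # "hey, I'm Joe" -> go away
        if rule == "reject_non_fqdn_recipient" and not _is_fqdn(env.recipient):
            return "REJECT", rule          # "send to Peter" -> Peter who?
        if rule == "reject_unknown_sender_domain" and _domain(env.sender) not in KNOWN_DOMAINS:
            return "REJECT", rule          # sender domain does not resolve
        if rule == "reject_unknown_recipient_domain" and _domain(env.recipient) not in KNOWN_DOMAINS:
            return "REJECT", rule
        if rule == "reject_unauth_destination" and _domain(env.recipient) not in MYDESTINATION:
            return "REJECT", rule          # we are not responsible for that domain: no relaying
        if rule == "permit":
            return "PERMIT", rule
    return "PERMIT", "default"             # Postfix permits when the list is exhausted


def main_cf_snippet(restrictions=RESTRICTIONS) -> str:
    """Render the same list in main.cf syntax."""
    return "smtpd_recipient_restrictions =\n" + ",\n".join("    " + r for r in restrictions) + "\n"


if __name__ == "__main__":
    # Constructed envelopes; 203.0.113.5 is a documentation address outside MYNETWORKS.
    cases = {
        "lan, bare names": Envelope("192.168.1.20", False, "joe", "peter"),
        "authenticated, bare sender": Envelope("203.0.113.5", True, "joe", "alice@example.org"),
        "stranger, bare sender": Envelope("203.0.113.5", False, "joe", "alice@example.org"),
        "stranger, unknown sender domain": Envelope("203.0.113.5", False, "x@nonexistent.invalid", "alice@example.org"),
        "stranger, relay attempt": Envelope("203.0.113.5", False, "bob@gmail.com", "carol@gmail.com"),
        "stranger, mail for us": Envelope("203.0.113.5", False, "bob@gmail.com", "alice@example.org"),
    }
    for name, env in cases.items():
        print(f"{name:32s} -> {evaluate(env)}")
    print(main_cf_snippet())
```

The first case is the controversial one from the talk: a host on the local network gets PERMIT from permit_mynetworks before any sender or recipient check runs, so whatever it sends goes out. Moving the reject rules above permit_mynetworks (pass a reordered list to `evaluate`) makes the same envelope fail on the bare sender, which is what "evaluated in order" buys or costs you.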