People who read this may or may not know that my job is an Email Sysadmin. I’ve had my personal Email on GMail since they introduced it and I always thought it was pretty neat. It worked great, pretty much always up and had all the cool features as well as being fast. And hey, it was Google, you could trust them – after all their motto was “Don’t Be Evil”.
And then the Snowden/Prism stuff happened.
It got me thinking, hey this is my job and my personal stuff. This is something I care about and I’m trusting it to people I don’t know. It’s not like I’m even paying them to do it, why would they have my interests at heart? In fact the only way they can afford to run the service for me is by making it easier to target ads at me and how do you think they do that?
So the only answer for me was to go back to how Email was originally intended to work. To run it for yourself, to check things yourself. Not part of some massive anonymous cloud system that exists across borders. – I fully understand why people don’t do these things for themselves, they are relatively fiddly and Gmail is **free!**
But it’s about principle.
So I went about trying to find a good place for my server to be. As I mentioned earlier, this is my job but I think it’s not a great idea to mix business with pleasure. Yes I could simply route my own mail to my Work mailbox. Job done. But if I ever left or it was frowned upon it would make things trickier, so I divested myself from it. So I thought about the people in the small part of the Internet that I know about. I used to work in one of Manchester’s largest Datacentres so I thought about those days and who I used to get on well with. Bytemark stood out. I always got on well with them, they always looked like they knew exactly what they were talking about and I thought, yeah I trust them. They have a great standing in the community and I know that if I wanted, I could go and touch the machine that my VPS was hosted on (* not actually sure if this is true but I reckon I’ve a good chance).
So onto the build of the mail server.
Bytemark’s VPSs offer a distro they’ve knocked up called Symbiosis. In reading the manual for this I thought hey that seems really simple. It works great ‘out of the box’, but I can still get to the bits I want to fiddle with, beats using a CPanel for ultra configurability.
Things can be as simple as firing up an SCP client, logging in and creating files to get mailboxes set up and configured. You can switch on spamscoring and virus checking just by creating the relevant config files (yes, just files, it’s already set up, just watching out for relevant files to enable it or not).
MySQL, Apache, Exim, Dovecot and the rest of your favourites are all already there waiting for you. So you can get going with it really quickly. It’s all preconfigured to do backups and updates. It’s really not much work, which is good for a server you just want to leave going really.
Let’s think through the DNS for a bit. It’s a good idea to have redundancy on this so if you can, basically just duplicate what you’ve done with one mailserver on the other. I haven’t, because I’m cheap. But what you could do is team up with a friend you trust who wants to do it as well and just relay mail for each other. It should happen often if you set one with a higher priority MX. I’ve not actually done this myself (a- hadn’t thought of it til now, b- not enough friends). What I’ve actually got at the moment is a fallback lower priority MX record of Google. Yeah, I know – what a hypocrite! But it’s probably temporary until I can make some friends plus it was already set up to work on my domain.
Weaning off the Big G
It was always going to be a little tricky to wean all the way off the big G because I had several mailboxes on my domain over at Google Apps that I wanted to leave there and still have mail delivered onto Gmail. All this principle and privacy is fine for me to worry about, but I’m not so sure if my wife feels the same way when it comes to putting up with SquirrelMail for a webmail interface (I’m pretty much IMAP only so I don’t care).
So what I did was set up a forwarding rule on my VPS for those mailboxes and they get sent on to a subdomain of mine that I set up in my Google Apps account as a domain alias. It’s all completely transparent to the user (no complaints yet anyway), they get another layer of spam filtering and I get lovely log files I can trawl through if needs be (don’t get those hosted at Google!).
Here’s a big conundrum. The now infamous ‘NSA Proof your email in 2 hours’ blog post is mostly about making sure the filestore is encrypted. Symbiosis does a great job of doing all the secure TLS transmission of mail, a self signed X509 cert is there for you already (feel free to add your own if you like, I’ve not bothered for £££ reasons). So things in the interwebtubes are more often than not all nicely encrypted already so you don’t have to worry too much about the NSA tapping the wires. At the moment I figure, they’ve got to get to the physical box to read my filestore. I’m the only one with root access (not even Bytemark), so they’d need to bruteforce that to get in without my knowing.
So it’s probably something I might look at again in future because I am super paranoid (**it’s not that I have something to hide, it’s that they could look without asking me). His instructions are all for postfix anyways and I like exim.
For TLS encryption testing you can verify it with this tool.
Another of my personal internet crusades is the take up of IPv6. It’s a chicken and egg problem and I really like that Bytemark are out in front on it. Your VPS comes with both 4 & 6 addresses, no extra work needed. You just make sure you add an AAAA record for your MX to point at (Along with an ‘A’ record dur, we’re not quite ready for 6 only yet!). You can use Freenet6 to test your set up.
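An added example (not from the original post) that audits the two DNS points discussed above: the order in which a fallback MX gets used, and whether the mail host has both an A and an AAAA record. The zone data is constructed; example.org, the host names and the issue labels are assumptions.

```python
# Constructed sample records; example.org and both mail hosts are placeholders.
ZONE = """\
example.org.        IN MX    10 mail.example.org.
example.org.        IN MX    20 mx.fallback-provider.example.
mail.example.org.   IN A     192.0.2.25
mail.example.org.   IN AAAA  2001:db8::25
"""

def parse_zone(text):
    """Return (mx, addrs): sorted (preference, host) pairs and host -> {'A', 'AAAA'}."""
    mx, addrs = [], {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1].upper() != "IN":
            continue  # skip blanks, comments and anything not "owner IN type rdata"
        owner, rtype, rdata = fields[0].lower(), fields[2].upper(), fields[3:]
        if rtype == "MX" and len(rdata) == 2:
            mx.append((int(rdata[0]), rdata[1].lower()))
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, set()).add(rtype)
    return sorted(mx), addrs

def delivery_order(text):
    """Hosts in the order a sending server tries them: lowest preference number first."""
    return [host for _, host in parse_zone(text)[0]]

def audit_mx(text, domain):
    """Return (host, issue) findings for the MX set of `domain`."""
    apex = domain.lower().rstrip(".") + "."
    mx, addrs = parse_zone(text)
    findings = []
    if len(mx) == 1:
        findings.append((mx[0][1], "single-mx"))  # no redundancy at all
    for _, host in mx:
        if host != apex and not host.endswith("." + apex):
            # Mail lands on this third-party host whenever the preferred MX is unreachable.
            findings.append((host, "external"))
            continue
        for rtype in ("A", "AAAA"):
            if rtype not in addrs.get(host, set()):
                findings.append((host, "no-" + rtype))
    return findings

if __name__ == "__main__":
    print(delivery_order(ZONE))
    print(audit_mx(ZONE, "example.org"))
```

The "external" finding is the case the post describes: any mail accepted by the lower-priority MX is handled, and can be logged, by whoever runs that host.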