Yeah, my solution for low-volume self-hosted email is to relay my outgoing SMTP traffic through Amazon SES. I get good delivery to all the big players, but still control all the parts of the email stack that I care about. (Plus at low volume, SES is basically free...)
I have had very few troubles sending outbound email directly, however there was one email provider that always rejected me because they were blocking all of DigitalOcean's IP space. This provider was quite niche, but it still bothered me.
My solution was to set up SMTP relaying based on the recipient ___domain. So nearly all my email can still be sent direct, but I have a list of domains that get routed through mailgun.com (or you could use SES or whatever).
I've also blocked tens of thousands of IPs from DO and AWS on several web sites.
Mostly for attempts at logging into WordPress admin accounts; some were spammers I'm guessing were using VPNs that sometimes go through them.
Those and tens of thousands from Brazil and several other countries.
There was a time when I looked at sending in reports,
and a time when I asked someone in the WP plugin directory who had a detector-like plugin to have it spit out a chunk of fields that would be ready to fill in the Amazon complaint form and to do a CIDR lookup to port over to iptables, but that never got made.
This was all made worse when MaxMind went registration-required and ruined the most effective security plugin for WordPress I'd been depending on for years.
I've noticed an increase in the Microsoft IPs I'm blocking these days too.
For now I don't mind doing an IP lookup when I can block 64,000 IPs or more at a time; I find it's a solid win.
Is there anything I can do to get whitelisted? How can I contact you?
Not a huge deal if not, I've implemented the workaround already. But to be whitelisted after a chance meeting on HN would be a nice way to finish this story.
I always wondered why there isn't a config option in MTAs that tries to route an email over different other MTAs' submission port and tries until delivered. I mean an automated setup, not static rules like you mention. This would make self-hosted setups so much easier. The chance that someone blocked your cloud server's IP address 4 years ago and never bothered removing it is high.
When you send an e-mail, as soon as it leaves your mail server it's out of your control and you have no say in where it goes before it ends up at the recipient. There's no such thing as self hosted sent e-mail.
Chances are you're already compromised either way; most mail servers interact with you over STARTTLS, which means any middleman/ISP can strip your TLS encryption on your emails midway while you're reading them over IMAP. (ISPs worldwide have been caught doing this before.)
Most providers do not mandate a strong SSL-only IMAP system.
Along with other similar caveats, do not depend on your mail system to keep your emails private.
If you want privacy, encrypt your emails yourself.
Also, most people who self-host their email usually do not encrypt data at rest, as it's not the default norm. As such, anyone having access to your disk can compromise you at any time too (especially likely if you're using a VPS).
So, unless you're encrypting your emails yourself E2E, assume you have no privacy.
If you're doing E2E, AWS cannot decrypt your mails anyway.
The odds of the emails going through AWS, GCE, or Azure infrastructure in one form or another are probably pretty damn high even if you host your own SMTP service.
Sure, then you can use whatever SMTP option that is best for you. Some people are fine with using American cloud providers and some are not. If they are technical enough to host their own email server, they are more than likely to understand what choices they are making.
If you run your own incoming mail, nobody but you has a copy of your entire mail archive and you are self-hosting that data. It can't be handed over to the government, it can't be sold, it can't be analyzed by Gmail, etc. That's where the big win is. If you send e-mail using SES, that's one untrusted hop out in front of an unknown number of untrusted hops that you can't opt into or out of; there's little practical difference. The privacy win comes from hosting your own data, not your own SMTP server with a carefully curated reputation that you spend hundreds of hours a year working on.
That is _your_ definition of self-hosting. Do you rely on an entity for your internet connection? At some point, you _will_ need to rely on someone else's infrastructure.
Do you run into any issues with your outgoing mail being marked as spam by the recipient? Particularly with GMail’s aggressive filtering?
I imagine 99% of outgoing Amazon SES traffic is transactional or marketing email for various online services. I worry this could make my personal emails look more like spam to the big providers. Or maybe it works out fine.
FWIW, running a service whose job is to send email, I have found that Gmail is one of the best providers to send to. They strongly value ___domain reputation and are popular enough that it was quick to build up a basic reputation. Now my messages are rarely flagged as spam even coming from a Digital Ocean IP address. I just rely on DKIM.
This is in contrast to Microsoft which seems to rely mostly on IP reputation and trying to send from a new server is incredibly difficult as they (reasonably) treat unknown Digital Ocean IPs as likely spam but (unreasonably) don't allow a good ___domain reputation to override that.
I have set up the same thing for myself and have been using it for several years now, so I'll join in.
AWS SES has this offer where for a few thousand emails per month, email sending is free.
The steps are this:
1- Sign up for AWS SES; once you do that they'll put you in a sandbox environment
2- After that they'll ask you a few questions on why you need it, just tell them it's because you're a growing startup who expects to send thousands of emails per month (make sure to say this, they don't crosscheck later; if you don't say something along the lines of this, they usually reject your application to avoid having to serve small customers who might not scale their business later.)
3- After you're approved, they provide you with a mail relay API key; just take that API key and attach it to your Postfix or other smtpd installation
I use docker-mailserver[0] which packages everything I need for my mailserver into a small container and was good to go, it consumes minimal resources too.
For me, I just had to add the SES relay API key to the config file of my docker-mailserver install and it was all set up.
However, you can do the same with any provider that gives you an option to act as your email relay. I remember both AWS SES and SendGrid provide this service, but I'm sure there are more niche businesses providing this too.
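Added example, not code from any commenter in this thread: a Postfix configuration that implements the per-recipient-___domain relay described earlier in the thread (direct delivery by default, a listed ___domain routed through SES) with the relay hop pinned to verified TLS so a STARTTLS-stripping middlebox cannot downgrade it. The SES region endpoint, the relay ___domain name, the credential values and the CA bundle path are assumptions/placeholders.

```conf
# /etc/postfix/main.cf (settings to add)
# Only recipient domains listed in the transport table use the relay;
# everything else is still delivered directly.
transport_maps = hash:/etc/postfix/transport

# SASL login to the relay. SES SMTP credentials come from the SES console
# (the password is derived from an IAM secret key, not the secret itself).
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

# Opportunistic TLS for direct deliveries, mandatory verified TLS for the
# relay hop via the per-destination policy table below.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# CA bundle path is the Debian/Ubuntu default (assumption).
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# /etc/postfix/transport
# Region endpoint is an assumption; use the region your SES identity is in.
# The ".___domain" entry is needed because transport_maps does not match
# subdomains by default.
niche-provider.example     smtp:[email-smtp.us-east-1.amazonaws.com]:587
.niche-provider.example    smtp:[email-smtp.us-east-1.amazonaws.com]:587

# /etc/postfix/sasl_passwd (root-owned, chmod 600; placeholder credentials)
[email-smtp.us-east-1.amazonaws.com]:587 SES_SMTP_USERNAME:SES_SMTP_PASSWORD

# /etc/postfix/tls_policy
# The key must equal the transport next-hop verbatim, brackets and port
# included; "secure" verifies the certificate against the next-hop name.
[email-smtp.us-east-1.amazonaws.com]:587 secure

# Then, as root:
#   postmap /etc/postfix/transport /etc/postfix/sasl_passwd /etc/postfix/tls_policy
#   postfix reload
```

A quick check after reloading is to send one message to an address at the listed ___domain and confirm in the mail log that the delivery went to the SES endpoint with a "Verified TLS connection" line, while a message to any other ___domain still shows direct delivery to that ___domain's MX.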
>2- After that they'll ask you a few questions on why you need it, just tell them it's because you're a growing startup who expects to send thousands of emails per month (make sure to say this, they don't crosscheck later; if you don't say something along the lines of this, they usually reject your application to avoid having to serve small customers who might not scale their business later.)
I have the same setup as you, relaying outbound mails through SES. I told them exactly how I was going to use it and was accepted promptly. Maybe I just got lucky.
As others have mentioned, setting up SES is straightforward (as much as anything AWS) and for the rest of my setup I just use mailu.io containers. The config for setting up the relay is here: https://mailu.io/1.8/configuration.html?highlight=relay#mail...