Email is pervasive these days. Everyone expects you to have an email address, the guy at AutoZone asks for an email address at check out. It’s not hard to get email service. There are plenty of companies that offer email service, many of them “for free”. If you have a smartphone or home Internet service, you can probably get email service through those providers. This is not strictly free, since it’s part of a package you’re paying for, even if you don’t use it. But the point is that anyone can get email service, at little or no additional out of pocket cost. So what’s the problem?
Well, free email is not really free, of course. Those companies have to put kibble in the bowl somehow. They monetize your use of their service either by selling ads they hope you’ll look at, or by selling your data, whether they admit it or not[3]. Even if you are paying for the service, most email providers have no principled regard for your privacy. They’ll cough up your entire mail history at the first casual interest from any law-enforcement agency, with or without troubling to involve a judge[4]. And in the current environment, some of them will cut you off from your account with no recourse, if you happen to make yourself a high-enough-profile enemy of the mob. This taken-for-granted, commodity service actually has some serious drawbacks. In fairness, there is at least one[5] email service provider that seems serious about privacy (maybe more, I honestly haven’t looked). But I decided a long time ago[6] to choose a different path: operate my own email service.
You may be thinking, that seems unnecessarily complicated. Complicated, yes. Unnecessarily… is subjective. For me, “the right way” is frequently synonymous with “the hard way.” In my defense, when I started this it was still common to get email through your ISP. Your address was tied to the ISP, so if you changed ISP, you changed your address. Gmail was just going into beta. Yahoo Mail was a thing, and I did for a time keep a Yahoo account as backup mail service. But I was an early adopter of not trusting “Big Tech”[7]. And, if I’m honest, it was interesting as a technical problem and appealing as a vanity project. My email address can be whatever I want it to be[8]. I don’t have to be joe.blow87@spymail.com, just because 86 Joe Blows have come before me.
So I propose to discuss the process of setting up your own email service from the ground up. I will note that, despite (or because of?[9]) my day job in computational research, I am not completely on top of the latest developments in the relevant technology. It’s probably closer to the truth to say I’m an idiot who knows just enough to be dangerous. There are plenty of Glibs in IT, so I’m sure there will be plenty of comments on what could or should be done differently or better. But I will say this: what I’m doing has, after some initial pains, worked for me. I’ve operated my email service, using the same email address, for 17 years, albeit with a few outages. I know where my mail is stored, and I know what security measures protect it. No one will subpoena my email without my knowledge[10]. To the extent possible, I completely control my email.
There are downsides. It is complicated; there are a lot of moving parts. When, not if, something breaks, it will be on you to fix it. There are capital and operational expenses that have to be weighed against any perceived benefit. Most people, even those with IT experience[11], will decide against the cost and effort. For my part, however, I’m satisfied with how it has worked out for me.
What You’ll Need
- A computer to run the email software, and store emails.
- A reliable Internet connection.
- A static IP address, so computers on the internet can find you.
- A domain name, so people on the internet can find you.
- An operating system.
- Mail Transfer Agent software, to exchange email with other mail servers.
- Mail Delivery Agent software, to deliver mail to where you can find it to read it.
- Mail User Agent software, to read your emails.[12]
I’ll discuss all this stuff in more detail in further posts, assuming there’s any interest.
[1] That’s a lie, it’s not fun.
[2] Or profitable.
[3] Google has totally stopped trawling through your email. Pinky swear.
[4] National Security Letter, my ass.
[5] https://protonmail.com
[6] 2004, according to the oldest emails in my Sent folder. Hording FTW.
[7] Trust-in-authority issues is my thing.
[8] Unnnnless someone else already registered your super witty domain name. Sad trombone.
[9] In a lot of ways, enterprise computing best practices crash with innovative computational research. Ask our Risk people.
[10] Like anyone gives two shits about what’s in my email, but it’s the principle.
[11] Especially those in IT.
[12] MUA software is not strictly part of operating the email service, but I bring it up because I will expressly not be deploying a webmail interface.
Know any good spam filtering/virus scanning software you can put on your in house mailserver?
Spam Assassin is still going strong, I believe.
It’s been a while since I ran mail infrastructure, but it was reasonably effective at the time.
Oh, and ClamAV for antivirus.
I believe my host uses that too. And yeah, it’s been forever since I tweaked it. I don’t get any spam so it must be working.
I used to have some issues with it, but I haven’t run my own mail server in a decade, so it might be improved now. It worked really well for me, but some of my clients still had a lot of spam get through.
If it’s strictly private use, we’re very fond of XEAMS. Works well with Clam AV. Commercially, licenses are inexpensive, but not free.
I trust the good people at google to handle my mail needs.
You realize that there is a shortage of good people at google, right?
nonsense. I even get a monthly email telling me everywhere I went that month in case I forgot.
Nobody whose motto is “don’t be evil” could be evil.
That was almost the first thing they dropped when the new CEO took over.
Any time an organization adopts a rule, it’s because they have a problem.
Any organization that adopts the rule “don’t be evil”, has an evil problem.
Also the footnote links did not work properly at first but now they seem to work. weird.
Ditto. Though a host provider runs the mail server for me and I have no idea how easily they’ll cough up my secrets to the Man.
Sadly, that technically means your data is in 3rd party hands and you have no intrinsic interest in the security thereof from either corporate or government snooping.
Unless you’re encrypting your mail at the client, you may safely assume your data is in 3rd party hands.
It seems like that would negate the use of a VPN.
Just for the mail server – your client can still use a VPN
I have saved e-mails from 01/2001. I might be a hoarder.
In the previous thread, Ownbestenemy on March 5, 2021 at 9:53 am asked:
Loudon’s Good Ship Venus is a bawdy classic. Maybe put the headphones on for that song. ;^)
https://www.youtube.com/watch?v=kHEX9EpIL7o
My kids watch youtube…so it’s probably the least mildly thing they will hear
Not Adahn, what do you think of TSMCs new 3nm chips? Do y think they’ll make the fall 2021 deadline?
I’m sure they’ve already produced yielding dice, though exactly what their actual product yield is I have no way of knowing. They really are good.
I wonder if I can get Hillary’s guy to set up a server in a spare bathroom.
The bathroom is a terrible place for a server. You want someplace less humid.
Can I make another joke about fecal bacteria, or have I wrung that …uh… dry?
You just need to wipe the server down to clean it up.
I look forward to the posts. I’ve wanted to setup an email server.
*Sings*
Celebrate good times…
*/sings*
*ahem*
The Google Mail pilot program is complete, and we’re going back!
The static IP is going to be the difficult part, and by ‘difficult’ I mean, ‘completely fucking impossible.’ Residential ISPs simply won’t give you one, so you’ll have to set up a business ISP circuit and pay through the nose for it. You can’t run a mail server on a dynamically assigned IP, as it will trip every spam filter written in the past twenty years.
IPv6 might be a usable technique, but you’d have to ask someone who’s actually competent with IPv6 routing.
The other possibility would be to host your virtual mail server in Azure or AWS. That might not provide you with the level of privacy and/or security that want.
Or you can use the mail hosting package that comes with your domain name.
can you get one on starlink?
No, you cannot, as it uses CG NAT. But I had already transitioned to AT&T LTE, which was already CG NAT.
So you need a fixed IP out at a cloud provider ( Vultr $5/month) and then you route that back to your internal network via any number of VPN solutions.
So I have my own email, web remote VPN, with dual ISP links (Starlink for speed, and LTE for backup)
SpamAssassin is barely up to the job. ASSP seems to do a better job if you are willing to go through the effort, but it must monitor all inbound and outbound.
Spam is the only reason running your own system is hard… and I was very glad when the corporate email backbone went to another group in the early 200X’s.. Keeping away spammers and hackers is a thankless task.
There was a service for dynamic DNS that allowed for your IP to change due to DCHP lease expiry.
Also when I manually managed DNS pointing to a residential IP, the lease doesn’t expire and end up with a new IP that often if you’re always connected. You’re virtually static without any additional cost/effort.
I thought about DNS forwarding, but it wouldn’t work. You’d still be sending your mail from a dynamically assigned IP, and everybody knows what routable IP ranges are dynamic.
The recipient’s spam filters will block your mail in a heartbeat. It’s assumed that any mail sent from a dynamic IP is spam coming out of some schlub’s compromised desktop.
send? who sends email these days?
/end snark.
Every online vendor I’ve ever patronized. Multiple times per day.
“I said ‘Unsubscribe’ dammit!”
Sorry, we didn’t get that e-mail from you.
Yes. Email from an IP that has been tagged as “dynamic” is probably going to get scrubbed.
Don’t feel bad UCS, I was thinking the same thing. Then realized that would work for inbound, but you’d need an outbound relay that was static if you wanted anyone to get your e-mails.
I have Verizon. My IP rarely changes. It appears to happen when they make some hardware changes at the CO. I’ve had my current IP for a year. You can use a dynamic DNS service to keep DNS updated.
the key bit it will trip every spam filter written in the past twenty years.
Some mail servers will refuse to even attempt delivery to home IPs
You can use a virtual private host (dreamhost/digital ocean/host gator/etc.) if you want to avoid Azure & AWS.
Yeah, any of those would work. I’m not a huge cloud computing advocate, but the more I think about it the more that it seems like the way to go.
I was going to say that using a $5/mo vm from Digital Ocean might be the best way to get a static IP and not have to worry about hardware.
The static IP is going to be the difficult part
Indeed, for many people this will be a dealbreaker. I’m lucky in that my ISP offers a static IP for a modest monthly surcharge.
I have a rare last name, so my web site is (mylastname).com, and my email is kevin@(mylastname).com. Every once in a while I find someone who notices and thinks it’s cool. I’ve paid someone else to host for at least a decade. I would consider hosting my own, but for me the expense of a static IP and the maintenance on a server are too much trouble. For now.
Kevin Ilyich Ulyanov?
Kevin Laquisha Tomika Washington?
Man… you guys went in a completely different direction.
I’m really looking forward to meeting Kevin Pronhubbe.
That’s where I tapped out.
I’ve had the same ‘Free’ web based e-mail since at least ot 1. Last I saw they were bought by square space. I’m not worried about people reading my emails, it’s more mundane than the things I post here. I get neither intrusive ads nor a limit on inbox space, so I assume they have amassed a lot of data on me that amounts to…I made a cartoon on glibs?
I’m too lacking technically to figure all the stuff out. If I’ve got nothing to hide… Hey, why do I have to wear pants in public?
OT: Waco shirt
Gee, a little early for the 30th anniversary.
“John McAfee Indicted Over Alleged Cryptocurrency Fraud”
https://www.zerohedge.com/political/john-mcafee-indicted-over-alleged-cryptocurrency-fraud
Well damn…
I got a business card from a contractor who went to the trouble of putting together gift bags with branded tchotchkes for the whole office. He has a .com website and an AOL email address.
I cringe every time I see some construction guy with a @aol.com address painted on their truck.
Authentic Oak Lumber?
Light Wood Laminate?
Eh…if it works, why have the trouble to move all your contacts to a new email address? Sometimes, you just go with it especially if your clientele knows your email address.
Bah. Someday it’s going to be so old it’s retro.
I LIKE having my aol.com address which is older than some of my coworkers.
Vanity domains are like tattoos. In jokes and cuteness give way to regret and loathing over time.
I do not regret owning .com
whoops – that’s my_last_name.com
I mean owning a TLD would probably be lucrative.
Is your last name Amazon?
I have lots and lots of domains. I’m doing better about getting rid of them, but I still love having the ability to throw up a quick site on a funny domain name.
The other great thing about having your own domain is you can set up a catchall account and then when asked you can give them email addresses that make it easy to figure out who sold your contact info.
What is your email address?
“autozone@jimbo.church”
“tor@jimbo.church”
“lafitness@jimbo.church”
Then when you get spam you can see who they sent it to and go yell at the assholes who sold you out. On the plus side, you can really impress people with your tech wizardry when you give them an email like @jimbo.church. The guy at LA Fitness didn’t believe it would work and when I got his confirmation he was in awe.
I used to do that but the catchall can end up being such a spam headache.
I’m a heavy user of [address]+[whatever]@[domain].com, for similar tracking purposes.
lafitness@jimbo.church
I do something very similar, for the same reason. When the spam starts to roll in, you just delete the alias.
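The attribution the thread describes, as an added example (not code from the original post): given a mailbox of messages, work out which per-vendor alias each one arrived at, for both the catch-all scheme (vendor@jimbo.church) and the +tag scheme, and flag aliases receiving mail from senders they were never given to. The sample messages and the `KNOWN_SENDERS` map are constructed for the demo.

```python
"""Attribute inbound mail to the tracking alias that received it, so a
burst of spam points at the contact that leaked or sold the address.
Added example, not from the post. Covers both schemes mentioned in the
thread: a catch-all domain (vendor@jimbo.church) and plus-addressing
(me+vendor@example.com)."""
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (only the headers matter here).
SAMPLE_MESSAGES = [
    "Delivered-To: lafitness@jimbo.church\nFrom: LA Fitness <news@lafitness.example>\nSubject: Your membership\n\nHi\n",
    "Delivered-To: autozone@jimbo.church\nFrom: deals@cheap-parts.example\nSubject: Unbeatable offer\n\nBuy now\n",
    "Delivered-To: autozone@jimbo.church\nFrom: \"Warranty Dept\" <noreply@car-warranty.example>\nSubject: Final notice\n\nCall us\n",
    "Delivered-To: me+newsletter@example.com\nFrom: airdrop@free-coins.example\nSubject: Claim tokens\n\nClick\n",
    "Delivered-To: me@example.com\nFrom: friend@personal.example\nSubject: lunch?\n\nTomorrow?\n",
]
CATCHALL_DOMAINS = {"jimbo.church"}
# Which sender domains each alias was actually handed to (constructed).
KNOWN_SENDERS = {
    "lafitness": {"lafitness.example"},
    "autozone": {"autozone.example"},
    "newsletter": {"news.example"},
}


def alias_of(address, catchall_domains):
    """Return the tracking label for a recipient address, or None if it is
    the bare mailbox (no +tag and not on a catch-all domain)."""
    _, addr = parseaddr(address)
    m = re.match(r"^([^@+]+)(?:\+([^@]+))?@(.+)$", addr.lower())
    if not m:
        return None
    local, tag, domain = m.groups()
    if tag:                           # plus-addressing: the tag is the label
        return tag
    if domain in catchall_domains:    # catch-all: the local part is the label
        return local
    return None


def attribute_leaks(messages, catchall_domains, known_senders):
    """Count, per alias, messages whose sender domain is not the one the
    alias was handed to. A non-zero count is evidence the address leaked."""
    leaks = Counter()
    for raw in messages:
        msg = message_from_string(raw)
        label = alias_of(msg.get("Delivered-To", ""), catchall_domains)
        if label is None:
            continue
        _, sender = parseaddr(msg.get("From", ""))
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        if sender_domain not in known_senders.get(label, set()):
            leaks[label] += 1
    return leaks


def aliases_to_retire(leaks, threshold=2):
    """Aliases that have collected at least `threshold` unexpected senders;
    these are the ones to delete (or reject at the MTA) rather than filter."""
    return sorted(label for label, n in leaks.items() if n >= threshold)


if __name__ == "__main__":
    leaks = attribute_leaks(SAMPLE_MESSAGES, CATCHALL_DOMAINS, KNOWN_SENDERS)
    for label, n in leaks.most_common():
        print(f"{label}: {n} message(s) from senders it was never given to")
    print("retire:", aliases_to_retire(leaks))
```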
*ponders RC@BigDick.com*
Yeah, I see your point.
You are a fan of that fine Caribbean rum?
I paid for a domain name through Network Solutions 15+ years ago.
They are pretty aggressive about filtering spam (too aggressive in fact).
I assume that ever email will be in the hands of the feds within minutes of the first request. I behave accordingly.
I can’t stand supporting email servers!
The problem is that there is fantastic money in it. 99% of the time you don’t have to do anything except send the bill at the end of the month to your client. The problem is that 1%. Crack heads go easier on their dealers when they aren’t holding than frustrated email users.
E-commerce site down? High level of concern from clients. IoT platform down and no remote readings are being processed? Yeah, that isn’t good, let me know when it is working again. Email down? Every 10 minutes you will get a text or a call demanding an ETA on when email will be back up.
The other problem with email servers is constantly making sure bad people haven’t gotten in and turned your server into an open relay to send spam.
I sort of enjoyed running the mail infrastructure, though that was a long time ago at a much smaller company.
I’m still tangentially involved at my large company – our mail is now fully run by an Exchange guy but the relays are still Linux. He’s a dyed-in-the-wool Windows dude and instead of learning anything about this important component of the mail system, he ignores it until something goes wrong and then comes begging for help.
His plan seems to be to ignore the Linux hosts until he can figure out how to replace them with Windows components. To the point that he’s planning on running Majordomo on Windows. Which sounds like a horrible idea.
Good times.
I was not familiar with that software so I did a little digging. Running a Pearl script on Windows sounds like a major PITA. Of course, I am a member of the Linux Master Race so, I consider people that are Windows-only guys to be Untermensch.
Pearl script
Python fan boi exposed! Denigrating perl the best scripting language EVAH! I’m guessing you are also a emacs user.
And Linux? Pulllleeeeeze. If you didn’t cut your teeth on real unix (or even better Sun Solaris) you are a n00b.
🙂
*cough* Sun Solaris….most of our ATC automation equipment is ran on that…
Ran?
We’re still using it.
running? run? Yes we still use it.
Sun Solaris has been certified by the US Govt as “secure”.
Last time I checked, no linux variant had yet achieved that certification (3 years ago?). It was part of due diligence research into a software package we were looking at potentially buying.
I thought SE-linux would have been, especially since it was developed by the NSA.
Interesting because we are moving away from it. Red Hat is used a lot in some of our systems and then we have one that is Windows with all Java based programming that is…interesting.
Sun Solaris has been certified by the US Govt as “secure”.
So the NSA backdoor has been tested and verified.
I may or may not have first-hand information that said agency used Sun until ~2005 and went to XP.
Avaya CMS ran on Sun as well.
Of course, most phone systems run on their own in house coded systems, some of which have been ported over to Windows in a fugly, haphazard, “well it works” matter.
My first gig was voice response software on Interactive Unix, and later Solaris x86.
I did start out on Sun Solaris thin clients doing various flavors of shell scripting in the ’90s and early oughts. Never did much in Pearl though.
perl was originally pearl, but the a got dropped very early on. Maybe OBJ Frankelson is Larry Wall?
If so, Hi Larry.
Perhaps that has been my problem all along!?
#!/bin/pearl didn’t work! XD
Solaris? Child, please. I started on Sun OS. And SCO 4(?) *shudders*
As a guy who can probably claim legit Perl expertise, I don’t miss it. The significant whitespace in Python still irks me a bit, but I’m generally happier.
I like Ruby a ton, but I ended up being the lone Rubyist – at least with Python I have co-workers who can (theoretically) contribute.
Of course, I’ll be back on a lonely island if/when I start doing more in Go (though there’s plenty of Go folks company-wide, just not in my group).
Some of us just weren’t born early enough to join in the fun on the previous unices.
I think we’re the same age? I just stumbled into early adopters (financial services).
Our weather integration systems uses that also.
Come to an FAA facility to see everything from 70s on in terms of computing and OSs
Isn’t the banking sector still using FORTRAN or some such?
I wouldn’t doubt it. If it does the job why change?
Still a fair amount of COBOL and FORTRAN in use.
Indeed shows 750 FORTRAN jobs and 1500 COBOL job listings.
Granted, there are 75,000 Java job listings and 90,000 python job listings on the same site.
Lawson software still has a huge amount of code that is COBOL.
When I was airing my grievances at having to support such a clunky software package it was pointed out to me that:
a) a lot of the CFO’s got their start using Lawson, they understand it and don’t want new things that will make them feel old when talking to the young bean counters
b) The Lawson code has been running a long time and been audited/vetted for decades. Rewriting it is only going to risk screwing something up.
SUNW is my personal bulls make money, bears make money, hogs get slaughtered story. Technically, I made money on it, but at its peak I was up over $100k over my final selling point.
The back end of Epic (a popular and expensive electronic medical record system) is a bunch of Perl scripts with a DB2 database. Or so I’ve been told by the guy that runs the AIX clusters.
People that have used Epic may not regard that as any kind of bragging point for Perl.
bunch of Perl scripts with a DB2 database
*starts twitching*
(sotto voce: I think they’re lesser than us as well)
I haven’t run Windows in any fashion, not even as a client, in something like two decades.
I still bear a grudge against MS for funding the SCO lawsuit, to the point that I have a low-level discontent that we’re using Azure.
We are using Azure, I want to say something about trusting big tech with your infrastructure, but I am still a new guy here.
The only time I have wanted to short a stock. SCOX at $18 would have been a sweet profit.
Ah the joys of an Exchange server. King of Catch-22 support.
The worst was when a disk would fill up and the server would crash. Can’t bring it up and delete stuff because the disk is full. Also almost 100% guaranteed that when the disk filled up and crashed that the Exchange db would have corruptions and the only way to fix would be to run a command line tool over and over until things were fixed.
Why are you storing them on the root disk? Come on man.
Back in the day the drive was a Dell RAID array, so you couldn’t even just add another big disk and go from there.
I really disliked having to do the hardware/firmware/OS type support back in our startup days.
Doing red team stuff in the past, we loved open relays. If we hadn’t already popped the DC and Email server, that is.
Can hardly wait until the next part! (no sarc)
You might have this on your desk (google fucking hates me):
pKa for various acids in isopropanol?
I’ve got something neutralizing after HCl but before HAc. If it’s carbonic, I can give up and go home. If it’s not, I’ve just earned a nice bonus for 2021 already.
Is in in the CRC handbook? Always the first place I look…
Also, you might find it in this paper: https://doi.org/10.1021/ac50037a039
This seems like something I learned back in school.
Like Swiss and a mass narrow gaze, Hyperbole is no where to be found to provide a mass NERDS!
Good stuff and look forward to the next part!
*EF GRANTS WISH*
Don’t need more compliments and validation from Hyperbole.
Besides, nerd envy is a terrible thing.
The problem with email is kind of like the problem with the phone system…the creators didnt think thru all the possible issues and technology has caused problems. However, in the case of email, the solution existed right at the point where it was still just possible to switch over as the number of email users was still small.
With phones, the problem is spoofing. With email, it is spam (and spoofing, and phishing, and and and). Neph will have to tell you what should have been done to prevent the phone issues, for email it was public/private key signing of all emails. When Zimmerman won vs the US and PGP was no longer a munition, if everyone had adopted it and all email systems had integrated it in, lots and lots of problems would be prevented.
How would encryption do anything about spam if you still need to be able to get mail from arbitrary new contacts and thus your public key is, well, public? And if you don’t publish it, how do you handle the key exchange between new contacts in such a way that nontechnical users can do it and it does anything about spam?
I mean each new spam contact would have a valid key for their not quite the same name. it’s the same whack a mole problem, just with more processor overhead.
Not sure on all of that, but I can think of some ways, maybe. I am sure holes can be drilled, since I have given it 13 seconds of thought.
Public keys stored on a “trusted” site. that “verifies” identity. Obviously a spam connected key would quickly be marked as spam and not trusted anymore.
While typing that I can see a few holes to be picked, but I think the idea generally works.
There is a mechanism to use a combination of public/private keys and DNS TXT records to at least authenticate that the mail server sending the email is actually an authorized server for the purported origination domain of the email. But even without that, you can cut way down on spam just by insisting that remote servers have a basic level of correctly configured DNS.
DKIM is cool tech – I was chuffed when the Podesta e-mails leaked & the DKIM signatures proved they were legit.
I’ve got about 18 DNS entries concerning DKIM and other verification solutions.
It takes a while to get set up properly.
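The DKIM mechanism the two comments above describe, as an added example (not code from the original thread): parse a DKIM-Signature header, recompute the body hash with the canonicalization the header names, derive the selector record name a verifier looks up in DNS, and sanity-check the TXT record. The message, header and selector record are constructed; the final RSA check of the b= tag needs the real public key and an RSA library and is left out.

```python
"""Check the pieces of a DKIM signature that can be verified offline:
parse the DKIM-Signature header, recompute the body hash (bh=) with
the canonicalization the header names, build the selector lookup name,
and sanity-check the selector TXT record. Added example, not from the
original post. The final RSA check of b= needs the public key and an
RSA library, so it is deliberately left out here."""
import base64
import hashlib
import re


def parse_tags(value):
    """Split a 'k=v; k2=v2' tag list (used by both the header and the TXT
    record). Whitespace inside values is folding whitespace, not data."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def canonicalize_body(body, mode="relaxed"):
    """RFC 6376 body canonicalization. 'relaxed' collapses runs of WSP to one
    space and strips trailing WSP; both modes drop trailing empty lines and
    end a non-empty body with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body, mode="relaxed", algorithm="rsa-sha256"):
    """Return the base64 body hash exactly as it appears in the bh= tag."""
    digest = hashlib.sha1 if algorithm.endswith("sha1") else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body(body, mode)).digest()).decode()


def selector_record_name(sig):
    """DNS name a verifier queries for the key: <selector>._domainkey.<domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def check_signature(sig, from_domain, body, txt_record):
    """Return a list of problems found; an empty list means the offline checks passed."""
    problems = []
    if sig.get("v") != "1":
        problems.append("unsupported DKIM version")
    canon = sig.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    if sig.get("bh") != body_hash(body, body_mode, sig.get("a", "rsa-sha256")):
        problems.append("body hash mismatch: the body was altered after signing")
    signed_headers = [h.lower() for h in sig.get("h", "").split(":")]
    if "from" not in signed_headers:
        problems.append("From header is not covered by h= (RFC 6376 requires it)")
    d = sig.get("d", "").lower()
    fd = from_domain.lower()
    if not d or not (fd == d or fd.endswith("." + d)):
        problems.append(f"d={d!r} does not align with From domain {from_domain!r}")
    record = parse_tags(txt_record)
    if record.get("v", "DKIM1") != "DKIM1":
        problems.append("selector record is not a DKIM1 record")
    if not record.get("p"):
        problems.append("selector record has an empty p= tag: key revoked")
    if record.get("k", "rsa") != sig.get("a", "rsa-sha256").split("-")[0]:
        problems.append("key type k= does not match the a= algorithm")
    return problems


# Constructed sample, not a real message or a real selector record.
SAMPLE_BODY = "Your order has shipped.  \r\n\r\nThanks,\r\nExample Shop\r\n\r\n"
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2021;"
    " h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + ";"
    " b=PLACEHOLDER_SIGNATURE"
)
SAMPLE_TXT = "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"  # real records carry a base64 RSA key


if __name__ == "__main__":
    sig = parse_tags(SAMPLE_HEADER)
    print("lookup:", selector_record_name(sig))
    print("intact:", check_signature(sig, "example.com", SAMPLE_BODY, SAMPLE_TXT))
    tampered = SAMPLE_BODY + "P.S. see attachment\r\n"
    print("tampered:", check_signature(sig, "example.com", tampered, SAMPLE_TXT))
```

The body-hash mismatch on the tampered copy is the same failure a receiving MTA reports when a message is modified in transit, which is why list software that rewrites bodies breaks DKIM.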
The good old days of the mid ’90s and the fun we had sending fake emails by telnetting to port 25 of some email server and spoofing an email.
I have had so much fun sending fake emails to my buddies who are not very technically sophisticated. The best was the time I sent an email to a friend that looked like it had come from his HR dept and was asking for a meeting to review his browser history. He called me almost immediately to ask for advice on what they could find in his browser history and how he could get rid of it. It was pretty funny. It was a week before I could truly convince him that I had sent that email and I wasn’t trying to talk him out of a real meeting with HR.
Now it’s 587. And I think there’s some sort of ssl cert running around.
587 is the submission port, 25 is still the default for mail. Can be TLS on connect or STARTTLS.
Something like http://www.jetmore.org/john/code/swaks/ is a lot of fun to poke at mail servers.
It’s been a while since my servers needed to receive mail. Not since we decommissioned the listserv. Now I just need to make sure notifications go out.
I got in trouble for doing that on a secure system. I sent an email that looked like it came from another guy and they thought I hacked his account. Once they understood that it was run-of-the-mill shenanigans they grudgingly let me go about my day with a stern talking to.
We had a guy confuse whitehouse.gov with whitehouse.com back when that was not good.
Hahahahahaha good times those were
“confuse”… likely story.
They had a firewall block on the domain. It still sent an alert that resulted in a visit to your desk.
My favorite was when a coworker got a visit for having some long running communication on ports security didn’t recognize. It was for software the government made him use for development.
Tub-Girling somebody’s wallpaper was fun too.
Before X authentication, you could remote in to computers and run graphic output on their screen. The common programs were the watching eyes or snow storm.
If they left their computer unlocked, you opened up their work terminal and changed the text color to match the background color. Also donuts.
zip up their entire home directory and move it to /tmp.
I liked to make their wallpaper a screenshot of the desktop with some sort of catastrophic sounding error message. Or changing their mouse to left-handed.
robc, the filesystem still had permission controls. But like OBJ states you could spoof a screen. Among other reasons for adding authentication to X is you could spoof a screensaver unlock screen and capture the password entered.
Sorry robc. I thought you were referring to a remote connection.
Bash command aliasing was also popular for unlocked computers.
AFAICR, xauth was always available but people found it confusing, so it was always just 'xhost +'
alias alias='echo "alias"'
Always fun to run "touch '*'" in their home directory.
Funny when they run “rm *” without thinking. Even funnier if they think about it a second and then ask, “hey how do you get rid of file named *?” because you can say “just add the -rf flags to your rm command” and really laugh.
“Run the read markup editor with the really fast options.”
I can neither confirm nor deny that this actually happened. Oh wait, yes I can confirm it.
*whispers to self about doing that (for non-nefarious purposes) earlier this year at my F500 tech company*
Just because they should know better doesn’t mean IT does know better.
That is kind of my point above. Telnet had obvious security holes so telnet basically went away. Use ssh to connect and firewall off anyone trying to connect with telnet.
The obvious security holes of email remain.
As it always is with new tech, security is secondary to getting the dang thing to work. Cell phones were broadcasting in the clear up until the mid-nineties, IIRC. With the early AMPS system, a technically competent individual could steal the authentication information and basically clone your phone.
Yes, but it got fixed. Email is older than cell phones but didn’t get fixed in the mid 90s.
Then again, I thought we would all have switched entirely to IPv6 by about 15 years ago.
I’m convinced IPv6 is never going to be used. We’ll just have more NAT gateways.
IPv4 forevah! They will always have to support it, I think. I once heard tell that there are packets traveling around the internet since before TTL was implemented.
They’ll get there someday.
I’m convinced IPv6 is never going to be used.
It’ll get there, just slower than planned. Developing countries pretty much can’t get IPv4 blocks anymore.
https://www.akamai.com/us/en/resources/our-thinking/state-of-the-internet-report/state-of-the-internet-ipv6-adoption-visualization.jsp
Sure they can. Just buy from someone who has spares.
There is a secondary market for IPv4 address blocks, and they get more expensive every year.
It’s not economically viable for a large provider in India to get enough IPv4 blocks; so IPv6 will continue to grow.
And most people asking for addresses don’t need to be universally publically addressable.
And most people asking for addresses don’t need to be universally publically addressable.
In that case, people can and should just use RFC1918 space.
I’m trying to think of a case where you can’t use RFC1918 addresses but you don’t need the addresses to be routable. I’m sure I could come up with something, but it’s not going to be common.
And most people asking for addresses don’t need to be universally publically addressable.
Setting aside the various private and reserved IP address spaces (RFC 1918, multicast, blocks like 7.0.0.0/8 owned by DoD, etc), you have about 3.4 billion public addresses. Setting aside the reserved and registered ports, you have about 16,000 free TCP ports for dynamic allocation. With NAT, that means you can have about 54 trillion simultaneous connections. Considering that routers have to maintain entries in state tables to make all this work, that’s about how many new connections you can create in a 10-minute window. That’s only 90 billion new connections per second, which is somewhere between 2 and 9 per Internet-connected device. Using smaller windows of time or larger numbers of ports, you can up the numbers but not by as much as you might hope. Taking more generous estimates (routers need keep the state table entry for only 1 minute, all ports except 1-1024 are available), you could get as high as 180 new connections per second per Internet connected device. But the number of Internet connected devices doubles every 10 years, so you’re still on borrowed time.
Of course, you can implement ever more complex solutions to this problem. Connection pooling, carrier-grade proxy servers, multi-layer TLS, etc. could further alleviate the contention. But it just gets more absurd over time. The next stage of the Internet is more likely to be isolated IPv4 islands connected by IPv6 tunneling than for IPv4 to be directly usable across the Internet forever.
Yep. I still have an email one of my friends sent to me that looks like it came from Ronald Reagan (this was after Ronny was dead)
Shit. I did that to point out some weak security at a job just over a decade ago. They were running in house e-mail, and still had all the telnet ports open.
I remember the early days of the internet when Windows had the messenger service (not MS Messenger) on by default, and people would get random messages from early scammers.
PGP and S/MIME are ivory tower solutions that, while they work in controlled situations, never really worked well on the web on their own. You’d have to bolt a lot on top of PGP or S/MIME to make them viable at web scale. Of course, this is more or less exactly what has happened with TLS-PKI; what’s written down in RFCs is a fraction of what’s necessary to really make it work at scale. Not to put too fine a point on it, if they had spent less time fiddling over supported ciphers and the ASN.1 representation and more time working out how human beings would actually use this shit, it would have seen wider adoption. Of course, part of the problem was a lack of attention in those days.
See also: DNSSEC
There are more problems than just spoofing with phones. The problem is that the costs for security would have priced phones and phone service out of the market of the regular users (and the AT&T monopoly for years didn’t help). It’s at the point where right now, the real fix is to go to whitelist-only for inbound calls. Which unfortunately doesn’t work for businesses or support numbers.
The problem with email is HTML and top-posting.
You’re half right, the problem is HTML.
But you’re wrong about the top posting. I shouldn’t have to scroll three miles down to see the newest update.
Then the problem is not snipping extraneous material.
Incorrect, there is no such thing as extraneous material.
So you want emails with multiple embedded levels of
?
I’ve been on groups where I get eight or nine levels of this shit because people just hit reply and add a few words to the top, not bothering to delete all that quoted shit.
There’s your real problem.
Then the problem is not snipping extraneous material.
When did we start talking about mohalim?
Pranksters Social experiment artists are posting fake eBay listings for 3000-series Nvidia cards in order to trick scalper bots
I bet eBay takes it down, or refunds the scalper and penalizes the seller.
I like that he even faked the NVLink bridge.
Zotac gaming geforce rtx 3090 trinity 24gb photoGraphy card
A steal starting at only $500.
I posted here a few weeks back some site had the newest 3000 series for like 280 bucks… total scam of course but yeah
It better be a NFT.
I remember similar scams for game consoles. In the fine print you were only getting the box it came in.
https://www.youtube.com/watch?v=7a_sx3ozoXI
Ha! I had my teens watch that just last week..college just won’t be the same for them.
I mean… the nerd basically raped the hottie, unwarranted photography and videography of their dorm while naked and staying up all night drinking beer.
They absolutely loved it.
It’s a classic. Yet another one I’m gonna need to get on physical media.
So incredibly unwoke.
I feel sad for you Tundra.
Thanks, Scruff. Shitlordin’ ain’t easy.
A shitlord’s netflix queue isn’t like a square’s queue…..
Grumman – Obviously we need MOAR ON THIS.
Greenwald doing his best to debunk the INSURRECTION! narrative:
He eviscerates the “armed insurrection” mantra, and shows just exactly how much bullshit they’re peddling.
https://greenwald.substack.com/p/as-the-insurrection-narrative-crumbles?token=eyJ1c2VyX2lkIjoyNDcyMDg5NCwicG9zdF9pZCI6MzMzMjA4NDYsIl8iOiJuQWFUcyIsImlhdCI6MTYxNDk3MTgxMiwiZXhwIjoxNjE0OTc1NDEyLCJpc3MiOiJwdWItMTI4NjYyIiwic3ViIjoicG9zdC1yZWFjdGlvbiJ9.XqH6FdthocXIzONZ2z1la4sKTqEuFaFBwsFHpwchsr8
“Assistant Director of FBI Counterterrorism Division Jill Sanborn”
For a second there, I thought Pelosi got actually good plastic surgery.
For some reason, I expected this to drop on March 11th, so I’ve completely missed all the comments up to this point. I’ll try to catch up a bit.
Thanks for putting this together. Looking forward to the next installment!
Grumman, thanks for this – I will attempt not to start shouting “WRONG!” in the comments in the future installments.
I’ll note that, after spending my late 20’s/early 30’s running my own mail host, I just pay Protonmail now (and have a grandfathered-in Google Apps account – gotta figure out if I can get mom using Proton mail so I can switch that domain over).
I expect a lot of “WRONG!” not least because I’m sure I am doing some stuff wrong. On the high side, maybe I’ll learn something useful.
Does protonmail handle custom domains? One giant downside to this scheme is that no one I know* could take over the work if I got hit by a bus. My entire userbase (my wife) would be hosed. So at some point, I do need to think about migrating the service to something with a better business continuity plan.
*that I know and like and trust, and likes me well enough, and is capable.
They do handle custom domains, but they are fairly pricey.
$5/mo. isn’t _that_ bad.
It’s even better for the Visionary plan (basically a family plan for us). For $20/mo you can get 300 email addresses across 6 users plus 10 VPN connections.
That’s what I have for the family.
Yep, custom domain support comes at the lowest paid level.
No catch all account at that level if I remember correctly. I tried moving one domain over a few years ago and didn’t like it. Can’t remember all the reasons, but I think most of them were because I’m cheap and didn’t want to spring for higher levels of their service.
I do have a individual @protonmail.com and like it a lot.
Thanks for the post! I’ve been tempted to do this a few times, but haven’t. Yet.
“GlibMail”
Nah.
misanthropes.com or recalcitrantbastards.com
If I could make a suggestion. There are a number of hosting services out there that provide custom email hosting at very reasonable prices.
Scalahosting is one of them. And you get spam filtering, which is an invaluable service given how expensive and complicated it is to set that up.
Thanks for the post. Velly intellesting.
I have my own domains and use my webhost’s email. I am actually more interested in my own home cloud than I am my own email server. What I’d ultimately love is my own hosting servers with all the bells and whistles, but there is no way I’m ever going to be that IT sophisticated, with Apache and whatnot. I never even got around to setting up a Linux box.
I’m considering getting some Raspberry Pis to create a physical cluster to play with. Currently I’m using lxd on a server.
As someone who has had racks of servers running in his basement during pre-historic working from home times, no you don’t want to run your own stuff in your house.
Just the extra electricity you will use makes cloud stuff seem reasonable. Not only running your servers, but you will need to run HVAC to keep things cool.
VMs from places like Digital Ocean are a godsend. Let them manage all that crap for you.
Home clouds don’t really need to be powerful for basic photo, document, and calendar syncing.
Pretty sure most residential NAS devices will run OwnCloud/NextCloud
Alternately a PI3/4 or old laptop with SSDs to keep the power consumption down to a bare minimum.
And if you want external access OpenVPN.
I have a MyCloud.
Of course I ALSO have Carbonite.
If you are just experimenting, a Pi can run off PoE, so no more than 15 W each.
I have a rack with firewall, switch, server, NAS and a few PoE devices. The whole thing pulls about 110 W unless I’m doing something intensive. Activity ramps it so the utility room is warmer than the rest of the basement, but I haven’t needed cooling.
When we sold our startup, one of my drop dead requirements was that we could continue working downtown and not have to move way the fuck south of the Mall of America. Purchaser agreed.
Fast forward a year and the Twins started building their new stadium right across the street from our previously scummy building. Now scummy building was a hot property and they started fucking with leases. Our new corporate overlords said fuck it, move down here.
I flipped out and asked them what they didn’t understand about me not wanting to change a 15-20min commute to a 45+min commute (1-way times). Told them if they are serious, I’m quitting. Since I was the only developer left who understood things, they caved and said I could work out of my house.
So I had a rack and a half of Dell and Compaq servers that were our old dev environments from the original office. Probably ended up with 8 or so Dells and 5 Compaq servers.
I wasn’t so worried about the cost of running it because I got a monthly bump from the corporate overlords to cover it.
I’ve downsized the home system to a Synology NAS. Storage, reasonable software, updates and low power.
I ran an Xserve for years until Apple made it perfectly clear that they didn’t want you to run enterprise software on their platform. (2 years of OS security support is also too short)
If the hardware isn’t under your control, it isn’t secure…. Perhaps it still isn’t secure, but if you don’t control it you know it isn’t secure.
I finally sprang for a Synology myself about 2 years back. Quite happy with it.
I’m doing periodic backups with restic to Backblaze, which seems to be working well, though I haven’t had to do any restores yet.
That said, I fear there’s zero chance my wife could figure this all out if I die – need to get a better solution for certain key bits, like the wedding photos.
I do encrypted backups to Google Drive… Can’t really get the workflow right for AWS Glacier. But nobody else is going to be able to retrieve those, even if copies of the keys and passwords are in the fire safe.
I would suggest to just have a 4GB USB drive that you mirror to every 6 months or so… that will allow others to get at family archives. And/or keep it remote for fire safety.
And yes, test at least one part of the restore a year. If you don’t restore, you don’t really have a backup. And it doesn’t help when step #1 is “buy another Synology”.
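One way to make the “test your restore” advice above mechanical, as an added example that is not part of any comment here: record a manifest of SHA-256 digests when the backup is taken, then after a restore drill compare the restored tree against that manifest and report anything missing, corrupt or extra. The `restore_drill` function builds a constructed toy tree in a temp directory and simulates both a clean restore and a damaged one; the “backup” there is just a directory copy standing in for whatever tool (restic, Synology Hyper Backup, rsync) actually produced it.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (as a POSIX relative path) to its SHA-256 hex digest.
    Store this alongside the backup when it is taken; it is the thing a restore is checked against."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(expected: dict, restored_root: Path) -> list:
    """Compare a restored tree to the manifest. Returns a list of problem strings;
    an empty list means every file came back with the right content and nothing extra appeared."""
    actual = build_manifest(restored_root)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupt: {rel}")
    for rel in sorted(actual.keys() - expected.keys()):
        problems.append(f"unexpected: {rel}")
    return problems


def restore_drill() -> tuple:
    """Constructed demonstration: take a manifest of a small tree, 'restore' it by copying,
    verify the clean copy, then damage the copy and verify again.
    Returns (problems_for_clean_restore, problems_for_damaged_restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "photos"
        (src / "2019").mkdir(parents=True)
        (src / "2019" / "wedding.jpg").write_bytes(b"\xff\xd8constructed-fake-jpeg-bytes")
        (src / "notes.txt").write_text("where the keys live\n")
        manifest = build_manifest(src)

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)          # stands in for the real restore step
        clean = verify_restore(manifest, restored)

        # Simulate bit rot, a file the restore skipped, and a stray file that should not be there.
        (restored / "2019" / "wedding.jpg").write_bytes(b"bitrot")
        (restored / "notes.txt").unlink()
        (restored / "extra.txt").write_text("not in the backup\n")
        damaged = verify_restore(manifest, restored)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = restore_drill()
    print("clean restore problems:  ", clean)
    print("damaged restore problems:", damaged)
```

For a real drill, run `build_manifest` against the live data when the backup job runs and keep the resulting dict (JSON is fine) somewhere the restore procedure can reach without the NAS; then restore a sample subtree to scratch space and feed it to `verify_restore`. The manifest is also the piece of paper a less technical family member can be handed along with the restore instructions.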
Switched to a Synology RS1219+ a couple years ago. Runs Plex, backup both linux and windows, stores photos and documents. I love it.
I also need to write a manual for how to get things off the NAS in case of bus factor 0.
That’s a big sucker – I’ve “just” got a DS918+, doing pretty much the same thing as you (sub “Macs” for “Windows”).
Honestly, the 4x4TB drives is way more space than I’m using or probably need, though I did just buy a BluRay drive for my Mac so I can start ripping my physical media.
It’s big, but I like to run RAID 10. I have two volumes of 3 drives each with a smaller SSD cache drive for each volume. With films, music, photos, backups and all I’m using half of the 11 TB available.
BTW, Synology needs to improve the model numbers. RS1219+ has 8 bays expandable with external hardware to 12. DS918+ 4 bays expandable to 9?
I’m tempted to try to build a Pi-based NAS. It shouldn’t be hard, if you’re satisfied with USB3 speed. This guy did it with a PCIe SATA card and a custom kernel. Have to use mdadm RAID, but that’s okay. Nice for a home storage server, lower power consumption, small footprint.
How custom was the kernel? Was it just “make menuconfig” custom, FUSE modules, or actual coding?
Depending on how far back in prehistory you’re talking, the power differential could be substantial. One Dell PowerEdge 2950 III server from ca. 2008 sucked up 300W doing absolutely nothing in my basement. Whereas today, my entire set up (3 Celeron NUCs, 2 desktop-grade machines, an RPi or two) doesn’t even use half of that.
Though it hardly explains the massive difference in idle power consumption, it is worth noting that none of those machines in my current setup (except maybe the RPis, since they’re custom SoCs; I haven’t checked) have ECC RAM. You can build a low-power desktop/server with ECC RAM but it will cost more than one with non-ECC RAM, and obviously it would be purpose built (whereas my desktops-turned-servers are all just old desktops repurposed). Apparently with the increase in memory density and bus speed, bit errors are surprisingly common nowadays, so a long-running machine without ECC isn’t the best idea for genuinely important stuff.
Long term storage is where I am most concerned. It is why I am using btrfs and 3 drive mirroring on the NAS.
The thing I don’t care for about host-your-own email is that the domain is affirmatively tied to your identity.
Same thing with paid providers.
As scummy as they are/can be, freebie providers do allow you to have an email address completely disconnected from your identity, though you will need to take steps to keep it that way (VPN, Tor, avoiding browser/device fingerprinting).
I’ll note that ProtonMail has a free level
Your domain registrar needs to know who you are, but most (all?) will let you hide some of your private info so it’s not visible in the domain contact records. Instead, the registrar’s contact info is shown.
You can hide it from casual scrutiny yes, but the registrar will of course do like email providers and tell Gov everything they know about you.
In the vein of trying to maintain anonymity and keeping every service identified with a unique email address, your domain being so unique would connect you between services.
If you don’t mind associating with unpersons, lookup who is willing to register the unpersoned sites. They are unlikely to tell the government much without a warrant.
Honestly I’m not actually disciplined enough to ever be anonymous.
Just more thinking out loud
I have a bag of sweet mini peppers that I’m thinking of stuffing. The pepper I tested only holds less than a tablespoon of filling. So I’m not sure what to make to put in them.
I have ground pork, onion, anchovy, cream cheese, sour cream, sauerkraut, and mozzarella cheese as candidates for part of the filling. All together will not work, but some subset might.
Soft goat cheese.
I don’t have that.
There are grocers in this universe.
LIEZ.
I’m not going to start raising goats.
More seriously, I’m trying to use ingredients I have on hand because of the hassle of dealing with the New York rules and petty tyrants at the grocery stores.
You have anchovies?
On purpose??
Every so often I buy experimental ingredients to see what I can do with them. I haven’t opened the jar yet.
I’d be inclined to use everything you listed but the anchovies and the sauerkraut.
Stuffing tiny peppers that aren’t jalapenos seems pointless to me. Plus you have no bacon to wrap around them…
Dice ’em up with the onions. Brown the ground pork, seasoning to taste, then add the peppers & onions, & top with shredded moz.
you clearly haven’t had stuffed peppadews
https://www.errenskitchen.com/wp-content/uploads/2016/10/Garlic-Herb-Cream-Cheese-Stuffed-Peppadews3.jpg
Beats stuffed pewdiepie
Actually, I do have bacon.
I’m not going to dice the peppers, I bought them to stuff. If I were going to dice, I could have just bought regular bell peppers.
Bacon wrapped peppers stuffed with cream cheese and onions.
“Seasoning”
Remember whom you’re talking to.
You could halve them and then you can get more filling into them. I made those a lot this summer. Cream cheese, shredded cheese, cooked bacon, garlic and onion powder.
If these are poppable, the obvious answer is cheese and meat, batter and deep fry.
Since the capacity is only about a tablespoon, they probably count as poppable, but I don’t have enough oil (or the inclination to clean it up afterwards) to deep fry.
Stuff with cheese, surround with meat, and make them into Scotch “eggs.”
Don’t those still need to be fried?
No, they can be baked or pan-fried.
I may have gone overboard with the sale at the winery:
https://imgur.com/a/l6nFH8E
15% ABV? Ouch.
The big boxes are a case of pinot at 14%, 6 sangiovese at 14% and 6 rosés at 13%.
I like their wines but I do wish they’d throttle it back a bit sometimes.
Thanks for all the positive comments, folks.
CZ97 owners:
Do you have carbon fiber grips? Why the hell not?
I’m now up to half a dozen e-mails trying to explain to someone who should understand it why a timezone offset bug on a job expiration datetime would cause scheduled jobs (that are being offset correctly for the timezone) to not run.
More annoying is that it took over 6 months for the company that made the software that has the bug to find and acknowledge the issue. The past two examples they dragged their feet, and then pointed at another company after the logs that other company would need to troubleshoot the issue would have been overwritten.
ProtonMail does take security seriously. And they and their servers are in Switzerland, beyond the reach of US laws and government pressure. Their free accounts are perfectly adequate for intermittent use. I have a paid account because I have several addresses – one for libertarian activism, one for local activism, and a burner account. They have bigger plans which allow you to set up and manage accounts for others.