Run Your Own Email Service, Part 4

by | May 8, 2023 | Privacy, Technology | 90 comments

In this installment, I’ll start talking about some of the parts (“infrastructure”) that you need to have in place before you can think about hosting an email service.

IP Addresses, Redux

Last time I talked about IP addresses, and said “[Internet connected] computers are identified by an IP address.” You may have heard about “IP address exhaustion,” the problem that there are so many Internet-connected devices these days that there aren’t enough addresses for all of them. This problem applies to IPv4[1] addresses, which is the sort you’ve probably seen (four numbers separated by dots, like “192.168.0.129”). To fix this scarcity[2], eggheads came up with IPv6[3], which provides for about a quadrillion-quadrillion more addresses[4]. But even with this vastly greater range of addresses, you can’t just pick a random address and expect that to work on the Internet. Recall last time I also said, “IP addresses are routable,” and for that routing to work in a tractable way, there has to be some organization to how addresses are handed out.

Whose IP Address Is It, Anyway?

Generally speaking, the ultimate authority for all the IP addresses in the world rests with the Internet Assigned Numbers Authority (IANA). In practice, all not-quite-4 billion IPv4 addresses and the gazillion IPv6 addresses are broken into blocks, and authority for each block is delegated to other entities: public or private corporations, government agencies, etc. These entities in turn break their blocks into smaller blocks and hand those out, and so on. This hierarchical delegation is what makes IP addresses routable. A central Internet router only needs to look at the first part of an address to know that it is in a block delegated to, say, the Asia-Pacific network authority. Successive routers will determine the address to be in a block delegated to China Telecom, then a smaller block allocated to ChinaNet Ningbo, then a still smaller block allocated to Fenghua Hospital, where one of the night orderlies uses their work computer to send spam emails cleverly crafted to convince the unsuspecting to click on links to micorsoft.com. By the same mechanism, the IP address on your phone or computer is assigned to you through a chain of delegations.
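The "chain of delegations" above is exactly what a router's longest-prefix match walks, and it is also what lets you look up who is responsible for an address. The following is an added example, not code from the original post: it holds a constructed delegation table (documentation prefixes from RFC 5737 and RFC 3849, with hypothetical holder names that mirror the registry-to-hospital chain in the text) and answers two questions for any IPv4 or IPv6 address: which blocks contain it, from least to most specific, and who holds the most specific one.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed delegation table for this example: (prefix, holder). The holder
# labels echo the chain in the text (regional registry -> national carrier ->
# local ISP -> customer site); the prefixes are documentation ranges
# (RFC 5737 / RFC 3849), not real allocations. Hypothetical data throughout.
DELEGATIONS: List[Tuple[str, str]] = [
    ("203.0.113.0/24",    "regional registry (constructed)"),
    ("203.0.113.0/25",    "national carrier (constructed)"),
    ("203.0.113.64/26",   "local ISP (constructed)"),
    ("203.0.113.96/28",   "customer site (constructed)"),
    ("2001:db8::/32",     "regional registry (constructed)"),
    ("2001:db8:1::/48",   "national carrier (constructed)"),
    ("2001:db8:1:2::/64", "customer site (constructed)"),
]

# Parse once and keep the table sorted most-specific first, which is how a
# forwarding table is consulted: the longest matching prefix wins.
_TABLE = sorted(
    ((ipaddress.ip_network(prefix), holder) for prefix, holder in DELEGATIONS),
    key=lambda entry: entry[0].prefixlen,
    reverse=True,
)


def delegation_chain(ip: str) -> List[Tuple[str, str]]:
    """Return every block containing `ip`, from least to most specific.

    This is the chain of delegations the text describes: each successive
    router only needs to know the block at its own level of the hierarchy.
    """
    addr = ipaddress.ip_address(ip)
    # `addr in net` is False when the IP versions differ, so IPv4 and IPv6
    # entries can share one table without extra filtering.
    matches = [(str(net), holder) for net, holder in _TABLE if addr in net]
    return list(reversed(matches))


def longest_match(ip: str) -> Optional[str]:
    """Holder of the most specific block containing `ip`, or None when the
    address falls outside every delegated block (unrouted in this toy table)."""
    chain = delegation_chain(ip)
    return chain[-1][1] if chain else None


if __name__ == "__main__":
    for sample in ("203.0.113.100", "203.0.113.10", "198.51.100.1", "2001:db8:1:2::10"):
        print(sample, "->", longest_match(sample))
        for net, holder in delegation_chain(sample):
            print("   ", net, holder)
```

Running it shows 203.0.113.100 resolving through all four constructed levels down to the customer site, while 203.0.113.10 stops at the carrier (it is outside the ISP's /26) and 198.51.100.1 matches nothing at all. The same walk, run against registry data instead of this toy table, is what abuse desks and reputation services do when they trace a spamming address back to its holder.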

Static Versus Dynamic

But how is that address assignment accomplished? Back in days of yore, every IP address was manually configured. That is, after you unboxed your shiny new DECStation and jammed a vampire tap into the 10base5 thick wire that ran under your desk, you went down to the suspender-wearing beardo and asked him[5] what address you should use. That address, then, was permanently (today, we would say “statically”) assigned to your computer. This process, elegant as it seems, has a small scalability problem. Even for a small network, it’s inconvenient and error prone. In a larger network, it’s onerous and, when addresses are scarce, it’s wasteful to permanently assign an address to devices that may be used only infrequently.

Dynamic address assignment is meant to solve all these problems[6]. Through a mechanism I won’t explain[7], when a device joins a network, an IP address is temporarily, or “dynamically,” assigned for some period of time. When the device leaves, it relinquishes the address. Or, if the time expires and the device hasn’t asked for an extension (if it’s turned off, etc.), the address is reclaimed. The IP addresses on every device in your day-to-day life (phones, tablets, etc.) are almost certainly dynamically assigned. Even something like a cable modem that does not, for the most part, move around or get turned off still has a dynamic address; it just keeps requesting extensions. Try turning it off and going on vacation for a week; you’ll have a different address when you get back.

Tinned Pork Product

A static IP address is a hard requirement for running an email server[8]. There are a few reasons for this, but mostly it has to do with our friend in Fenghua Hospital. Preventing spam email is a Sisyphean task that requires a layered strategy. The first layer is, simply, don’t accept email from mail servers that look shady, and the reddest of red flags is a mail server that is sending from a dynamic address. It’s not hard to learn the ranges of IP addresses that ISPs have reserved for dynamic allocation. There are lists compiled just for the purpose of limiting spam[9], and most big email providers will refuse to talk to mail servers with a dynamic address. There are other reasons why you want a static address, and I’ll talk about those next time.
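The "first layer" described above is, in practice, a DNS lookup against one of the blackhole lists of footnote [9]: the receiving server reverses the connecting address, queries it under the list's zone, and treats an answer in 127.0.0.0/8 as "listed". The following is an added example, not code from the original post. The zone name `dnsbl.example`, the meanings attached to the 127.0.0.x answer codes, and the stub resolver are all assumptions for the example; a real list publishes its own zone and code table, and a real server would call its DNS library where `fake_resolve_a` is used.

```python
import ipaddress
from typing import Callable, Dict, Optional

# Placeholder list zone for this example. Real blackhole lists are queried the
# same way, but under their own zone name; "dnsbl.example" is not a real list.
DNSBL_ZONE = "dnsbl.example"


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the name a DNSBL lookup queries (the RFC 5782 convention).

    IPv4: octets reversed, e.g. 192.0.2.10 -> 10.2.0.192.<zone>
    IPv6: all 32 hex nibbles reversed, one per label, under <zone>.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


# Meaning of the 127.0.0.x answer codes. Codes differ from list to list; these
# two are assumed for the example and must come from the real list's docs.
RETURN_CODE_MEANING: Dict[str, str] = {
    "127.0.0.2": "known spam source",
    "127.0.0.10": "dynamic / residential address range",
}

# Constructed stand-in for DNS: query name -> A record the list would return.
# The listed addresses are documentation ranges, not real hosts.
FAKE_ZONE_DATA: Dict[str, str] = {
    dnsbl_query_name("192.0.2.10"): "127.0.0.2",
    dnsbl_query_name("198.51.100.77"): "127.0.0.10",
    dnsbl_query_name("2001:db8::1"): "127.0.0.10",
}


def fake_resolve_a(name: str) -> Optional[str]:
    """Pretend resolver: the A record for `name`, or None for NXDOMAIN."""
    return FAKE_ZONE_DATA.get(name)


def check_sender(
    ip: str,
    resolve_a: Callable[[str], Optional[str]] = fake_resolve_a,
    zone: str = DNSBL_ZONE,
) -> Dict[str, object]:
    """Decide what the first anti-spam layer does with a connecting IP."""
    name = dnsbl_query_name(ip, zone)
    answer = resolve_a(name)
    if answer is None:
        # Not listed: this layer passes; later layers (SPF, DKIM, content
        # filtering, ...) still run.
        return {"ip": ip, "query": name, "listed": False,
                "reason": None, "action": "continue to next layer"}
    # By convention a listing answer lies inside 127.0.0.0/8. Anything else
    # usually means a dead or wildcarded zone, so fail open and alert rather
    # than reject all inbound mail on bad data.
    try:
        in_loopback = ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        in_loopback = False
    if not in_loopback:
        return {"ip": ip, "query": name, "listed": False,
                "reason": f"unexpected answer {answer}",
                "action": "treat as unlisted; alert operator"}
    reason = RETURN_CODE_MEANING.get(answer, f"listed with unknown code {answer}")
    return {"ip": ip, "query": name, "listed": True,
            "reason": reason, "action": "reject at SMTP connect"}


if __name__ == "__main__":
    for sample in ("192.0.2.10", "198.51.100.77", "203.0.113.5", "2001:db8::1"):
        print(check_sender(sample))
```

Two design points matter for a real deployment. First, the check runs at connection time, before any message data is accepted, so a listed dynamic address costs you almost nothing. Second, the fail-open branch is deliberate: DNSBL zones do get abandoned and occasionally start answering for everything, and a server that rejects all mail on that signal has turned a spam filter into an outage.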

[1] Internet Protocol version 4, first deployed in 1982-83.

[2] And to rethink some of the original design decisions, based on how people actually use the Internet.

[3] Internet Protocol version 6, duh. Design was finalized in 1998, but the standard was not ratified until 2017.

[4] IPv4 has on the order of 10^9 addresses, vs. order of 10^38 for IPv6.

[5] Theoretically possible it was a “her”, but let’s be honest here.

[6] Don’t worry about the beardo, configuring DHCP servers is complicated enough to guarantee job security.

[7] Okay, since I teased it in footnote [6], it’s Dynamic Host Configuration Protocol (DHCP).

[8] Assuming you want to be able to send email, that is.

[9] Blackhole lists, that also include other IP addresses known to generate spam.

About The Author

Grummun

Sad Brad Marchand is the best Brad Marchand.

90 Comments

  1. Penguin

    What a complex set of issues, Grummun. Way to address the topic.

    I’ll see myself out.

  2. Penguin

    Seriously, though, do they have any sort of protocol to “recycle” email address after, say, 100 years or anything? Or are they just going to wait until it’s necessary to go to IPv8 until they bother?

    • Pat

      IPv6 will last until something displaces TCP/IP for networking in all likelihood. They could kludge something to extend IPv6 in the same way we did with NAT for IPv4 as well. IP addresses are attached to hardware, not specific email addresses. One server with a single IP in a Google data farm could be hosting thousands and thousands of email accounts. And they can be reassigned after the hardware is taken offline.

      • Grummun

        IPv6 will last until something displaces TCP/IP for networking in all likelihood.

        Probably. IPv6 was designed, in part, to be a big enough space that large chunks of it will never be used. 10^38 is a very large number.

  3. Sean

    I’m tired of spam emails. Do better, Comcast.

  4. Grummun

    Email address or IP address?

    IP addresses are “recycled” all the time, even static addresses. You don’t own it, you rent it. Stop paying, the upstream provider will rent it to someone else. When I first got my static address, I had some trouble because the previous renter had apparently done some not-so-nice stuff and had gotten the address onto some blackhole lists.

    • Grummun

      Meant as a reply to Penguin.

    • Pat

      When I first got my static address, I had some trouble because the previous renter had apparently done some not-so-nice stuff and had gotten the address onto some blackhole lists.

      I hadn’t really thought about that, but that’s a shitty situation. If it’s a VPS you can get a new one easily, but if you’re running a server from home with a static IP from your ISP I imagine they would be less accommodating.

      I’m looking forward to the rest of the series. I currently use a paid subscription email service for both my personal email and to host my website email, and even with a reputable provider I had to manually configure SPF and DKIM to keep Google from shitcanning my emails to clients.

      • Grummun

        I hope you’re not disappointed. It’s a miracle that Google hasn’t blocked my chump ass yet. Email has gotten much more complicated since I started doing this 19 or so years ago.

      • cyto

        Sometime around 98 or 99 I put a Bayesian filter in front of our email server to intercept spam. After training on my personal inbox for a couple of weeks, I turned it loose.

        It blocked over 90% of incoming traffic. No false positives.

        And it still let through quite a bit of spam at that point.

        Spam really ramped up quickly back then. It was a significant portion of our internet traffic, and backing up spam was becoming quite expensive.

      • Grummun

        By the way, Pat, your privacy articles led me to convince my brothers to try Session. Working okay, although some hinkiness with group management.

      • Pat

        Very nice! If they’re open to it, Jami has introduced a few new changes as well that make group chats much better (still P2P, but they introduced what they’re calling “swarms” – it’s basically just a Git backend so that any peer in the group can pull the chat history from any other peer in the group to catch up on anything that took place while they were offline).

      • slumbrew

        If it’s a VPS you can get a new one easily

        Even then you’ll still probably be on the naughty list. Email from some random AWS instance will likely get shitcanned.

      • Grummun

        There’s something I should have mentioned in this article: even if you get a static address, your provider has to allow you to run a mail server. AWS, for example, will not, they just block port 25. There is an appeal process, but they require exceptional circumstances.

      • Grummun

        I don’t know if they block 587 (or 25, for that matter) inbound. But they certainly block 25 outbound, which is what you need to send mail. 587 outbound is only useful to relay through someone else’s mail server.

  5. Fourscore

    I’m grateful for you folks that understand this kind of thing. I can’t remember my box number at the post office.

  6. Penguin

    Grummun & Pat: Thanks. As you can tell, I am whoppingly* ignorant regarding the structure of the Internet.

    * (I am amazed that Brave accepted this as a word.)

    • Chafed

      #MeToo

  7. Gustave Lytton

    48 hour rule aside, what a fucking fess of news reporting on the TX shooter. “Army kicked him out for mental issues”: he was separated during basic under the section for physical or mental issue not rising to a disability. Aka easy out that could be nothing or big time but easier to slide him out under that.

    • cyto

      This Russian social media profile that posts a bunch of stuff from regular sites like TikTok is sus.

      Barely used, never interacted with… but this guy posts stuff from TikTok and Timcast without having any accounts at TikTok or Twitter or Facebook or…..

      Seems really sus.

      And if he doesn’t interact, how does random journo track it down?

      • Gustave Lytton

        The Russian social media was overegging the pudding. I mean cmon. Neonazi posts by some guy in TX on a Russian site? Right…

      • Not Adahn

        It wasn’t a rando, it was a Bellingcat employee.

    • one true athena

      Amazing how this magically happens as Biden’s poll numbers come out as only slightly above cratering.

      Personally I believe nothing the FBI dumps on its journo useful idiots. I don’t know what the shooter was, really, but it’s not any of that.

      • cyto

        The Biden angle is odd. Who could possibly think this guy is doing well? He makes Bush Jr look articulate, post retirement Reagan look spry, and the country is unquestionably headed to hell in a handbasket. I get “I am team D” surviving…. but Joe is doing well?

        No rational person could believe that.

      • Chafed

        Even Team Blue doesn’t believe it.

      • slumbrew

        He makes Bush Jr look articulate

        I’ll offer a minor defense of W – he was bad at giving speeches but good when speaking off the cuff.

      • Chafed

        Strategery.

      • slumbrew

        Much like “I can see Russia from my house”, not an actual gaffe but a SNL bit everyone ended up believing was true.

      • Rat on a train

        “Fake but accurate.” It’s in their SOP.

  8. kinnath

    Hello TPTB. I have submitted a short story.

    • rhywun

      I’m four very rough drafts into… something. Just knocked out part IV of at least VI, maybe more.

  9. cyto

    Back in the 90s I set up a Linux email server as a relay gateway for our corporate Exchange server. I set up a test server on an unused MX domain and relayed our department’s test Exchange server through there so we could eat our own dogfood for a while before releasing it to the company.

    Within a few minutes it got compromised. It took me 36 hours to find it.

    I got to meet some cool security folks from NYU and Israel. We lost the trail after it bounced into an Israeli military domain.

    Wipe. Start over.

    Now comes the funny.

    I was configuring the server remotely via SSL. I was editing the host files to execute a whitelist strategy. Saving after each step, to be safe. One change at a time.

    So I edited the hosts file with a default DENY ALL.

    Save.

    My shell instantly closes.

    Dammit!

    Walk of shame to the server room to log in locally and add my desktop to the hosts.allow list.

    At least I found out that it works.

      • Zwak , who will swing for the crime, in double time!

        Back in the nineties, a friend of mine was going to UCSB, and, of course, living in Isla Vista. One night we did some power drinking, and as we were still sitting on the porch finishing beers, we saw them, one by one walking by, shoes in hand, party dresses rumpled, heads hung low.

        Dawn cresting the hills. Shame written on their faces.

      • Chafed

        Zwak gets it.

    • Gustave Lytton

      Hah hah. I’ve done that myself. Turned off remote access remotely. Or an oh shit moment when the remote device fails to reboot quickly and start doubting whether it was a good idea.

    • Pat

      So I edited the hosts file with a default DENY ALL.

      Save.

      My shell instantly closes.

      Lol, I did that with my first remote box using UFW.

      • Pat

        (thankfully it was just a file server 2 rooms over in my basement)

    • slumbrew

      To err is human, but it requires automation to really screw things up.

      You haven’t lived until you’ve locked out your whole team from hundreds of servers, necessitating logging into the console on each machine, one by one.

    • rhywun

      Heh. On my first day in 1998 temping at the company which after an acquisition and a firing and a rehiring I am *still* working for, I accidentally sent a 1,000-page document to the printer. loldumb

      • cyto

        You triggered a random brainchild with that.

        Back around 2002-ish we were spending quite a bit on mailings. So I was evaluating various printing solutions to create custom mass mailings (mail merge) in house. One of the solutions I looked at was a commercial printer from some Scandinavian company. Body made from bent steel and sheet metal screws.

        Demo was running a stapled magazine through the document feeder with pages crumpled and sideways. Thing ate it alive, no problem. It was a beast. Could print and staple 50 page booklets at more than 1 a minute. Was like 100k over budget… 🙂

        He showed me material on the big one. (That wasn’t the big one). It required a full time staff to run it. The location he was showing had a dedicated warehouse bay door for the paper truck. They just loaded the printer from the truck. IIRC it was like 100k pages per hour…. they loaded paper in huge cassettes that took a whole pallet of paper. 4 cassettes in rotation.

        Something for printing books and corporate publications or some such.

        I always enjoy finding out what “the big one” really is.

        My ex taught me about that with shipping. I was complaining about getting service from UPS (we were spending like 45k per month) back in the 90s. My ex was surprised. She said they were great to her. Then she said they had 3 staff on site full time. Their own office on the loading dock….

        Wait… how much do you spend on UPS??? Oh, about $3.5 million per month.

        No wonder they didn’t give a crap about my lousy $45k.

        Like the first time you saw a Terex Titan as a kid. Finding out how big the scale goes is fun.

      • Gustave Lytton

        I have no idea how much we spend with UPS but it’s enough that the discounts to the billed rates (never mind any account level kickbacks or adjustments) are so steep that it’s practically the same cost to ship something next day air as ground. The only thing I send ground is in state where it will be delivered tomorrow anyways.

      • Zwak , who will swing for the crime, in double time!

        Back when I was an account manager in logistics, I was working for a printing company, one of those three letter internationals. We simply formed our own shipping service companies, as UPS or Fedex were too small to handle our needs.

        But, we were printing things like the NYTimes for the west coast, along with the entire catalog for Random House.

    • kinnath

      thanks

    • Scruffyy Nerfherder

      It certainly lets you know that most of the media is well trained and will help when told to.

    • Lackadaisical

      Mr. Biden, would you say the New York Post is Fake News?

      /if one were a real journalist

    • Lackadaisical

      ‘The FBI warned former Twitter executives of an alleged “hack-and-leak” operation attempting to interfere in the 2020 election by spreading disinformation about Hunter Biden.’

      weird. If one were going to make shit up, they wouldn’t need to ‘hack’ anything. See also ‘Russia collusion’.

      All this done while he really was under investigation by the FBI… or is that just code for the FBI trying to cover everything up?

    • Stinky Wizzleteats

      Lishen Jack, they’re ttacking my sonzsh good name-smarthesht person I know…
      *wanders off into crowd looking for the ten year old in the Sunday dress*

  10. Brochettaward

    Is anyone man enough, First enough, to accept my challenge of a First In The Cell match? A First-off for the ages?

  11. Brochettaward

    I know you are all looking forward to the Martin Scorsese biopic where he literally gets down on his knees and blows Roosevelt as played by Leonardo Dicaprio.

      • rhywun

        It wouldn’t surprise me.

      • Chafed

        Isn’t it the subject of your six part series?

      • rhywun

        It is not the subject of my six+ part series.

      • Chafed

        Now I’m a little disappointed. Jk

  12. LCDR_Fish

    Rhywun – saw some of your posts earlier. My area of VA is pretty nice right now with a lot of opportunities. What kind of work are you open for?

    • rhywun

      I’m laptop class, I can work anywhere. Looking at upstate NY if only for family reasons.

      • Sean

        So, not escaping communism. Sad.

      • rhywun

        lol

      • Not Adahn

        If you’re not too worried about escaping communism, have you considered Montreal? It might give you the lifestyle you prefer.

      • Not Adahn

        I’ll teach you how to shoot.

    • Gender Traitor

      Good morning, Sean, Ssccrruuffyy, Stinky, and Lack!

      So….yeah – The local YMCA system involved in this case discussed yesterday is, in fact, my local Y (though I’ve never been to that location.) I can’t seem to find a credible, unbiased answer as to whether, as the Y claims, they’re actually legally required to allow guys playing dress-up into the women’s locker rooms, but they sure seem gung ho rah rah about doing so. Therefore I’m looking into alternatives that have the fitness facilities I want (i.e., a pool as well as exercise equipment.) After work today I’m going to check out a nearby small city’s recreation center, which seems to have what I’m looking for – with the added advantage being significantly cheaper than the Y, even for a non-resident of the city.

      • Stinky Wizzleteats

        Have mercy, madness abetting madness.

      • UnCivilServant

        Do you think telling the Y why you’ve decided to leave will have any effect?

      • Gender Traitor

        I doubt it, if they actually believe they have to follow this policy or if the whole organization is so woke they’ll be glad to be rid of a “deplorable.” Maybe if I’m one of many, they’ll go back to their lawyer(s) and ask, “Are you SURE we have to do this?”

        And if they really do have to, then presumably the small city rec center would have to do so as well. If that turns out to be the case, well, I may be SOL. But at least in the meantime I might save some money.

      • Scruffyy Nerfherder

        Vote with your feet. Let the Y die.

      • Gender Traitor

        (Rereading this, it occurs to me that the problem isn’t that the guy was playing dress-up, it’s that he was playing UNdress-up. 😒)

      • UnCivilServant

        Back in the days when the first ‘bathroom bill’ was being argued, I did point out that deviants and perverts will exploit any such rule/regulation/law where someone is foolish enough to implement it.

        Of course, the response was “how dare you call these stunning and brave mentally ill people deviants and perverts!”

        At this point, I have no charity left towards the people who push such rules/regulations/laws. They deserve to be put out of our misery.

      • Shirley Knott

        Mornin’ GT, and the rest of you lot 😉

      • Gender Traitor

        Good morning, Shirley! 😃

      • Shirley Knott

        Good luck with the gym/pool search!

    • Lackadaisical

      ‘Hurst and Grant, who were housed in the same unit but not the same cell, escaped through a hole in the wall in the recreation yard, Carney said.’
      wow.

      ‘Headcounts were increased at the facility due to Hust and Grant escaping, officials noted.’
      The same headcounts they missed and resulted in no alarm? I’m guessing your headcounts don’t mean shit, and people are often missing and then turn up later.

      ‘Carney said they haven’t a breach at the facility since 2010. The correctional officer’s union entered a vote of no confidence in Carney’s leadership just last week, citing a staffing crisis which they say has risen to more than 800 vacancies.’

      That seems way too often. I wouldn’t brag about letting someone else escape a decade ago.

      • Lackadaisical

        Also, how big is this jail? 800 vacancies? my god.

      • Stinky Wizzleteats

        Got to be a typo or some kind of agency wide shortage.

      • Zwak , who will swing for the crime, in double time!

        They mean prisoners. They want more, need more, to feed the beast inside each and every guard.

    • Stinky Wizzleteats

      Hey, the second best nerd rock group after They Must Be Giants.

  13. Rat on a train

    COVID Eye

    For some pollen allergy sufferers, eye irritation at this time of year is nothing new — but with the newest strain of COVID-19 circulating, local doctors are suggesting that if you have pink eye and a fever, you should test for COVID.

    Fear will keep the local systems in line. Fear of pink eye.

    • Stinky Wizzleteats

      Or, you know, take an antihistamine and some vitamin c.

    • Zwak , who will swing for the crime, in double time!

      So, now it is the stink eye.

      • Shirley Knott

        That’s where my mind immediately went lol