
Ask Slashdot: Self-Hosted Gmail Alternatives?

Posted by timothy
from the that-is-one-tall-order dept.
linkedlinked writes "I'm tired of building my sandcastles on Google's beachfront. I've moved off Docs, Plus, and Analytics, so now it's time to host my own email servers. What are the best self-host open-source email solutions available? I'm looking for 'the full stack' — including a Gmail-competitive web GUI — and don't mind getting my hands dirty to set it up. I leverage most of Gmail's features, including multi-domain support, and fetching from remote POP/IMAP servers. Bonus points: Since I'm a hobbyist, not a sysadmin, and I normally outsource my mail servers, what new security considerations do I need to make in managing these services?"

  • by Anonymous Coward on Sunday August 07, 2011 @11:43AM (#37014384)

    Especially with email, I like the fact that I'm not going to accidentally break something, miss an email and lose my job.

    I also like that I'm not updating everything all the time with security updates. Google does all that for me.

    I also like the integration between all the services.

    I also like the two-factor authentication. (Good luck getting that set up on a self-hosted system, I suppose you could use X.509 on a USB drive or something).

    Don't fix what ain't broke.

  • Try Zimbra! (Score:3, Insightful)

    by i_want_you_to_throw_ (559379) on Sunday August 07, 2011 @11:47AM (#37014418) Homepage Journal
    My company uses Zimbra. It works pretty well for us.
  • Re:SquirrelMail? (Score:5, Insightful)

    by wolrahnaes (632574) <.sean. .at.> on Sunday August 07, 2011 @11:49AM (#37014434) Homepage Journal

    You have to be blind if you consider Squirrelmail anywhere close to comparable to a modern interface like Gmail. It pretty much embodies the visual style of '90s Perl scripts, and that's certainly not a good thing.

  • why? (Score:5, Insightful)

    by mr.dreadful (758768) on Sunday August 07, 2011 @11:51AM (#37014450)
    As a guy who ran email servers for a small organization, let me say enjoy it while you can, because email admin is a never-ending pain in the butt. The spam management, the 24x7x365 server monitoring for security issues, the blacklisting and DNS issues, and that people get really bitchy when their email service is disturbed in any way.

    That being said, I hear nice things about Zimbra.
  • That's funny (Score:5, Insightful)

    by WindBourne (631190) on Sunday August 07, 2011 @12:00PM (#37014526) Journal
    For over 15 years, I spent my time doing my own servers. Figured out that I was spending too much time doing server admin and not enough building sand castles. Now, I am on Google.
  • by cshark (673578) on Sunday August 07, 2011 @12:04PM (#37014576) Homepage

    The whole beauty of Gmail isn't that you get a lot of neat features. It's the fact that your email almost always gets from point A to point B. This is because you have the luxury of being on a "big" mail server. Smaller mail servers, like one that you or I would set up, do not get special treatment. The whole system right now is stacked against small mail servers. The minute you hit operation, you'll find that you might already be on spam lists, and that you have to fight to get yourself off of them. The minute you find that you're off the lists, you'll probably end up back on them because someone three IP addresses away has been sending welcome emails from his web site, and someone forgot that they asked for one.

    If none of that scares you, the following list will get you close to what Gmail can do.

    So here is what you need first and foremost:

    1. A dedicated server just for Zimbra with Domain Keys installed
    2. A block of 24-32 IP numbers. (49 IP numbers would be ideal, but it's harder to buy odd blocks like that.) Put your mail server as close to the middle of that range as possible. It sounds like a lot, but most colocation facilities can hook you up with this for 300-500 USD a month.
    3. Proactive attention to getting your IP block removed from all spam lists (especially Barracuda, their list is the most annoying for the high number of false positives) before the fact. Just let them know you exist.
    4. Pray that all of the hundreds of moving pieces you've just put in place don't break, that bad hackers don't brute force their way into your server. Strong passwords don't really help as much as people tell you they do either. That's now something you have to worry about too.

    So there you go.
    It doesn't make sense to me that you would try to do this for something that only you would use.
    The expense is too high, and the benefit just isn't there.

    Over the last few years, I've been offloading my email to the social networks and blogs. Facebook, LinkedIn, personal Drupal installations, Twitter, etc.

    They don't have a lot of the core problems that email has, and pretty much everyone I communicate with will use one or multiples of those.

    For everything else, I use Gmail for domains because, even if I end up upgrading and paying per account... it's still less of a headache than the Dante inspired hell that is managing my own email server.

    I hate running fucking email servers.
    Hate them.

    There. I feel better now.

  • Why #2? (Score:5, Insightful)

    by theNAM666 (179776) on Sunday August 07, 2011 @12:04PM (#37014578)

    The previous "why" poster has it right. It's like you're complaining about success. You are never going to do it 50 percent as well as Google -- don't try. Rolling your own is an academic exercise. Zimbra is ok -- if you can live in the 90s. Google is it. Just back up your data.

  • by DrgnDancer (137700) on Sunday August 07, 2011 @12:36PM (#37014852) Homepage

    I've been a sysadmin for about 15 years now. I used to host all my own e-mail, my own website, all that stuff. I had a webmail interface (Squirrelmail), spam filtering, IMAP, blah, blah blah. Then about 6 years ago I got deployed to Iraq. I couldn't use SSH from the DoD network, so updates became a big issue, spam became an issue as I couldn't maintain my filters easily. After a couple of months I went hosted on my domain. Web based admin tools meant I could maintain stuff without SSH, they had a much less "hands on" backup procedure (at the time mine involved CDs), the service was down less often than my DSL used to be... Honestly at this point I can't see the value in maintaining all this stuff for myself. I pay less for hosting than I would have to pay for a "business class" DSL or cable line for the static IP, they handle most of the hard work, and what they don't handle, I manage from a web based dashboard.

    There are tradeoffs and disadvantages, but for 80-90% of personal use cases I can't see why you'd want to personally maintain a server these days. If you simply enjoy doing it, that's one thing. If you have a business of any size, again, there's a good argument for self hosting. For most people though, just pay someone to take care of the grunt work for you. You'll have less downtime, and spend a lot less of your free time fiddling with it.

  • by bickerdyke (670000) on Sunday August 07, 2011 @12:39PM (#37014878)

    But Google has a whole team to counter any security threats.

    Good luck finding that for your one-person hobby server.

  • Re:That's funny (Score:0, Insightful)

    by Anonymous Coward on Sunday August 07, 2011 @01:34PM (#37015348)

    If you're doing your email so wrong that you can move it to Google's marketing database and run around in public claiming it's a good thing, you should surrender your geek card, and just stop using email. Abdicating all responsibility to Google isn't geek nor smart nor particularly useful.

  • Re:Spam filtering (Score:5, Insightful)

    by wagnerrp (1305589) on Sunday August 07, 2011 @01:57PM (#37015526)
    The C.R.M. 114 was a radio transmission discriminator in the movie Dr. Strangelove. The spam filter was named as a reference to that movie. The discriminator would only allow radio transmission prefixed by a three character code phrase dialed into the unit. It was intended to prevent unauthorized messages from being received by nuclear bombers on their terminal attack. In the movie, the passcode used was 'POE', standing for Purity Of Essence, a phrase repeated by a base commander who drank only rainwater and grain alcohol, afraid the Russians were attacking by poisoning the drinking water and contaminating our natural bodily fluids.
  • by Requiem18th (742389) on Sunday August 07, 2011 @02:06PM (#37015604)

    Even before opening this article I knew it would be overflowing with cries to drop this self-dependency stupidity and just surrender to the corporate gods.

    What the fuck?

    What is the purpose of free software if you are not supposed to use your freedom? You can build your system using open standards, install an open source OS with an open source mail server. But you will get blocked because you are not a business? Moreover, what is the purpose of freedom when you are not supposed to exercise it? It really has come to the point where "freedom" means "freedom to work for the system".

    It should not be like this, it doesn't have to be like this. There's plenty of solutions, something like WoT can be built to prevent spam much better than a simple "block everything not from gmail yahoo or hotmail" that's just business whoring.

  • Re:Spam filtering (Score:5, Insightful)

    by baptiste (256004) <mike.baptiste@us> on Sunday August 07, 2011 @02:18PM (#37015682) Homepage Journal
    I think the whole exercise is short sighted. I've been there, done that. The amount of effort to keep everything running, updated, configured, etc is a PITA. Setting up a solid spam filter is a huge undertaking because it's a multi layered approach. SA or equiv, various milters, and more and you still won't come close to GMail. When I finally gave in and decided to switch to Google Apps I was floored by the improvement in Spam filtering. Are there quirks with Google's stuff? Sure. But they are improving it. I finally today got most of my stuff tied to my personal account migrated to my Apps account. The family enjoy using their apps accounts too compared to what we used to have. We've used IMP, Squirrel Mail, Roundcube, and others. Roundcube is the best in that group interface wise, but is still very buggy. Was Horde fun to play with way back before Google's services existed? Yup - because they were something not easily done elsewhere. But now? So good luck - it certainly can be done, but to be done right requires a lot of effort that's only worth it if you have nothing better to do or are an internet services admin at work and like to tinker at home. And even then... I can spend all that time spent screwing with my internet 'stack' and apply it to better things now that Google just handles the day to day stuff. Am I concerned about them 'owning' me - maybe a little. But so far, they've not done evil to me. Plus even if I wanted to migrate all my stuff back to a personal server again, Google Voice is the deal breaker for me. Can't live without it.
  • Re:That's funny (Score:4, Insightful)

    by MojoRilla (591502) on Sunday August 07, 2011 @03:20PM (#37016166)
    So you offer two factor identification? SSL webmail?

    Gmail does.

    Security through being small isn't security.
  • Re:SquirrelMail? (Score:4, Insightful)

    by wish bot (265150) on Sunday August 07, 2011 @03:32PM (#37016264)

    Isn't Squirrel just an interface? He's going to need something a little more than that - Postfix is the thing you need.

    Now, having done exactly this for a long time (and having also moved everything over to Gmail for domains) I have a few observations:

    - running your own email server gives you a warm inner glow and feeling of independence, but that's about it.
    - check your logs daily, intrusion attempts happen constantly.
    - dedicate the box to email only, that is - close down every port you don't need.
    - don't run anything you don't need on that box.
    - for the love of god don't run php (which might cut out squirrel mail).
    - you'll need a set of good spam handlers. There's some good suggestions in posts below.

    Personally, if you were really going to do this, I'd get a Mac mini. It comes with everything you need in terms of unix tools by default. It runs low power, it runs quiet. And there's slightly less chance of you getting owned. Always keep your patches up to date.

    I eventually moved away from this because I got tired of being a paranoid sys-admin at home. Dealing with uptime issues also made me rethink what I was doing when email started to become critical to my finances - you'd be surprised how unreliable home dsl and power systems are when you really, really need them.

  • by cgenman (325138) on Sunday August 07, 2011 @06:21PM (#37017372) Homepage

    The guy is "a hobbyist, not a sysadmin" and is looking for a self-hosted alternative webmail. The thing is, unlike a lot of other parts of life, mail hosting is basically a sewer of pain. Potholes and pitfalls are absolutely everywhere. To make a bad analogy, the guy basically posted "I'd like to be more independent. So I've decided to learn to fix my car, start growing some vegetables in my backyard. And, oh yes, have a baby. Are babies hard?" All of those are valid goals, that people everywhere should aspire to. But, as the Germans say, he needs to be aware of the commitment and Kindersheisse of maintaining a mail server.

    And I've been on both sides of the "black-hole everyone's mail" problem. If a server is sending out spam, a single server can easily be sending out hundreds of pieces of spam to each and every one of your users per day. Chances are, that "server" is a hacked Windows XP box someone in their IP block left online (there really isn't anything other than hacked Windows XP boxes online these days). Or a server with inadequate protections that is being maliciously harnessed. Or someone put the address into a blacklist wrong. Either way, without these blacklists e-mail service as we know it would be over. And, unfortunately, there are people profiting from spam, fighting every bit as hard as the legitimate users to get off of the blacklists.

    And that's without taking into account the basic technological issues, like needing redundancy and response significantly higher than take-it-or-leave-it services. If your docs server is down, you have to wait a bit to access your documentation. If your mail server is down for long enough, you lose all of those messages. Also, all of your clients get messages that your system is down, but you don't. You get hit constantly by volumes of spam, leading to waves of DDOSing. People don't back any mail up, but require it to be available forever. And, this may just be personal perception, but I swear that all mail servers are coded to be suicidal.

    So yes, the effort put out to host one's own mail server is disproportional to the payoff in terms of personal information security. Because it's not building a server. It's committing to hosting an ongoing part of the mail ecosystem.

  • Re:Repeat after me (Score:4, Insightful)

    by Firehed (942385) on Sunday August 07, 2011 @09:45PM (#37018474) Homepage

    Do you know my password? No? Security by obscurity.

    Almost all security* is based on someone not knowing something. Very very often, that something is either a password or very large random number. Or the physical pattern on a key. Or door/alarm code. Or something read via RFID. Or the algorithm that determines the number on my RSA fob. More commonly when making that claim, it's just a nonstandard port for a service, hidden URL, or combination of several.

    If an attacker has the exact same set of information that I have, then that attacker has access to the same systems I do. The amount of information they need (or the level of obscurity, if you will) determines the level of security. Something where you need to be on my VPN to get access to a whitelisted IP and then SSH in to the system where password-only auth is disabled is going to be a hell of a lot harder than something where you just need to know to hit port 8080 instead. But ultimately, my passwords and private keys are just very obscure information.

    And in terms of end results, not being a target absolutely makes me more secure than an equivalent system that is a target.

    * As far as authentication and encryption are concerned, at least. SQL injection and XSS protection being the two best examples where it comes down to actual implementation details.

  • by RoFLKOPTr (1294290) on Monday August 08, 2011 @12:13AM (#37019152)

    How many teams of for-profit hackers will be targeting your personal server?

    Thousands. Have you ever run a server and looked at access logs? There are thousands of bots running automated attempts to exploit any vulnerability they can find. There are no automated vuln bots that will ever make it into Google's servers. And skilled for-profit hackers don't even bother trying... there are better, smaller, more vulnerable fish that can be fried in much less time.
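
Added example, not part of any comment in this thread: wish bot's advice to check your logs daily and RoFLKOPTr's point about automated attempts showing up in access logs, as a short Python script that tallies failed logins per source address. The log lines are constructed samples in the usual sshd, Postfix and Dovecot syslog shapes (exact wording varies by version); the names `failed_auth_by_source` and `report` and the threshold of 3 are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines (not from a real host); addresses are taken from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Aug  7 03:12:01 mail sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Aug  7 03:12:04 mail sshd[2201]: Failed password for root from 203.0.113.5 port 40113 ssh2
Aug  7 03:12:09 mail postfix/smtpd[2310]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Aug  7 03:15:30 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Aug  7 03:16:02 mail sshd[2250]: Accepted publickey for alice from 192.0.2.44 port 51514 ssh2
Aug  7 03:20:11 mail postfix/smtpd[2333]: connect from mx.example.org[198.51.100.20]
Aug  7 03:21:40 mail sshd[2290]: Failed password for alice from 192.0.2.44 port 51600 ssh2
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# One pattern per service. Each captures the source address as "ip"; the
# Dovecot pattern also captures the attempt count it reports as "n".
PATTERNS = [
    ("sshd", re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + IP)),
    ("smtp", re.compile(r"postfix/smtpd\[\d+\]: warning: \S*\[" + IP + r"\]: SASL \S+ authentication failed")),
    ("imap", re.compile(r"dovecot: \S+-login: .*auth failed, (?P<n>\d+) attempts.*rip=" + IP)),
]


def failed_auth_by_source(log_text):
    """Return {ip: Counter({service: failures})} for every failed login seen."""
    result = {}
    for line in log_text.splitlines():
        for service, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                # Dovecot logs several attempts on one line; the others log one.
                n = int(m.groupdict().get("n") or 1)
                result.setdefault(m.group("ip"), Counter())[service] += n
                break
    return result


def report(log_text, threshold=3):
    """Return (ip, total_failures) pairs at or above threshold, worst first."""
    totals = {ip: sum(c.values()) for ip, c in failed_auth_by_source(log_text).items()}
    return sorted(((ip, n) for ip, n in totals.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for ip, n in report(SAMPLE_LOG):
        print(f"{ip}: {n} failed logins")
```

Counting across services matters here: the first address never reaches the threshold on sshd or SMTP alone, only when both are added together.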
