It used to be possible to run your own SMTP server, inbound and outbound, from home. This was so badly abused by spam that port 25 is blocked almost everywhere.
Domestic systems tend to be in configurations that make it hard to accept inbound TCP connections. You could serve SSL on a random port and open a port using UPNP, and it will work most of the time.
It's a difficult circle to square. The most trustworthy system is one you administer yourself and manually inspect all updates, but in practice the amount of work required makes that almost impossible. If you allow the OEM to do updates they can compromise you. If you don't do updates you end up vulnerable to exploits.
Even if your home provider allows you to accept SMTP on port 25, you're going to have a hell of a hard time with outbound delivery. The big mail providers give very low reputation ranking to e-mails originating from consumer connections. Even commercial connections w/ hosting providers need to be "warmed up" for a period of time to get their sending reputation to an appropriate level where they can expect reliable delivery without automatic spam-boxing.
What I'd rather see is a company go into partnership with the big providers to certify individual senders at home. The idea is that you'd put up some kind of bond (a few hundred USD?) to help ensure that you won't be sending spam. In exchange for your bond, the company vouches for your IP to Google/Yahoo/Hotmail/etc and you're allowed to send your own email. After some period of use w/o any spam complaints, you get your bond money back.
One option is to pay for mail hosting from a "big mail provider" or hosting company and simply use it only for relaying/sending outbound mail but not for incoming. Assuming 25/TCP inbound is not blocked by your ISP, you can point the MX RR at yourself and handle incoming mail on your own.
I work for an ISP and run my own personal mail system. This (25/TCP outbound being blocked/restricted) is, as you mention, one of the biggest hurdles for an average person to be able to run their own mail system (especially on their home connection). I've debated offering up a cheap "outbound relay only" service for fellow geeks but I would have to (initially, at least) institute some pretty low rate restrictions in order to help prevent any spam issues. That's the biggest thing stopping me from doing it so far.
one thing you'd lose that way is the direct secure delivery. not that it'd matter if you send it to someone on google, but you can't trust the relay server not to tamper with the mail
unlikely, but if you are the type to run your own mailbox, probably that matters to you
Good point, although if my options were either a) handle inbound myself, rely on a third-party for outbound or b) rely on a third-party for inbound and outbound, I'd pick the latter (although not everyone would, of course).
Obviously, you'd have to trust whomever you're using for relaying not to mess with your mail.
Another option could be a VPN connection to bypass ISP-level packets filters.
It would be a nice feature add-on if Own-Mailbox users could add a special TXT record to the DNS that identifies them as Own-Mailbox users. The presence of this record would tell Own-Mailbox that it could do a direct delivery to that user and get the increased end-to-end security. For all other outbound mail, it could use the provider's SMTP relay.
> you're going to have a hell of a hard time with outbound delivery.
Been there done that. Takes a good while to build up reputation, but it's possible, even without dkim signing or anything like it. Also since it's my personal email, my policy has always been "if you can't receive it because of your mailserver, sucks to be you -- you're using that service so it's on your end."
Really? So if my email sends get stuck in a client's Gmail spam queue, sucks for me or them? Sucks for me a lot more and I'll move to a hosted service instead that can guarantee email delivery.
I mentioned it's my personal email, not really meant for work (though I did use it for that also).
But technically yes, if they choose to trust Google with delivering the email and Google doesn't deliver, it's a problem on their end. Setting up your email in a way that a particular service (in this case Google) accepts it, doesn't scale.
How do you contact family and friends who aren't savvy enough to setup their own email server? What about replying to job interviews? It would really suck if you didn't get the job because the hiring manager never received your email.
In my few years of using this, and I'm by no means an expert on email servers, I have rarely had issues beyond ending up in Hotmail's and Gmail's spambox. Never outright rejections I think. Google's spamfilter is the most annoying one, followed by Hotmail; everyone else usually works pretty much fine.
Ah, blacklists. One of the companies I work for is on the RFC-Clueless blacklist. Gmail handles the business mail, but something was screwed with the abuse@ and postmaster@ mailboxes, so RFC-Clueless listed the domain years ago. Eventually we started running into trouble with mail admins who used RFC-Clueless. I got gmail involved, escalated to third-level support, and got those two RFC addresses fixed.
I've submitted this fix to RFC-Clueless several times over the past few months, but it's abandoned. Every request times out after a few weeks. Great, we're on a blacklist whose raison d'etre is "blacklist those not following the rules", and the bastards don't even follow their own declared workflow.
man, no-one is going to jump on this bandwagon if it requires a several-hundred dollar outlay. Considering the massive volume required for spamning to be a worthwhile venture, wouldn't 50 bucks suffice?
Maybe the big mail providers need to update their strategy regarding automatic spam-boxing?
Most personal mail servers are not going to be sending mass emails. An algorithm that auto-spam-boxes mail from domains it's never seen before (or only receives a small trickle from) is ignorant.
Most personal mail servers won't, but most sources of e-mail sending un-authenticated e-mail direct to the target mail servers from consumer internet connections are spam these days because almost no consumers does that - instead most e-mail sent that way come from malware.
An algorithm that auto-spam-boxes mail from address blocks used for consumer connections or from "new" servers is not ignorant - it is taking into account years worth of evidence that it is an effective counter-measure against spam.
I'm saying that as someone who would like to run my own home mail server, and someone who is constantly battling to make sure our (100% opt in) bulk mail servers at work don't get blocked by overzealous spam filters - I wish it wasn't this way, but it is.
Do you have any data on the percentage of spam email sources (of all email sources) that send 1-10 emails per day?
I'd expect that for a spam source to be effective, it'd need to send many more messages. Some spammers may try to run many low-rate sources, but you could likely do statistical analysis on the content of the messages to differentiate the spam sources from the non-spam sources.
Further, allowing the occasional doesn't-look-like-spam-but-is-actually-spam message (if such a thing exists), isn't the end of the world. The user can mark it as spam and have the source blocked forever.
The real spam problem that needed to be addressed was mailboxes being completely flooded with unsolicited messages. So flooded that it becomes impossible to read or even find the legitimate messages.
> Do you have any data on the percentage of spam email sources (of all email sources) that send 1-10 emails per day?
Do you have any method by which all the different mailservers worldwide can successfully collaborate to determine precisely how many emails a particular mailserver sends per day?
You're proposing that mailservers with a low emails-per-day metric be trusted. How is that metric established? How does everyone agree on it? Do we have to implement a new protocol in addition to SMTP in order for this to be viable?
The most obvious response to this is "well each service provider can just count the stats internally and use that" but it's a non-starter. That means that Google with their, what, 1000 email servers (or more) now has to figure this out. And every other service provider too.
Finally, given all the service providers out there, and the total number of "consumer" internet connected computers, giving all the computers a free 1-10 email pass means that spam is back to the worst of 2000-2010 levels. Here's some math:
Let's suppose that there are 20 big players in the mail provider category, Google, Yahoo, Microsoft (hotmail, office365, etc), AOL, comcast, at&t, time warner, etc. 20 seems like a good number.
Since these systems can't be made to communicate with one another easily about the sent-count of every IP address in the world, they just do it locally. That means that the virus that infected your computer and turned it into a spam-bot gets:
10 free messages * 20 major providers * 93mm computers = 18 billion spams per day
And that's just from the computers in the US. Once you take this global, you're probably talking at least 100 major providers and 300-500 million computers. Then you're talking something like a trillion spams a day.
Seems like a reasonable idea until you look at how it would actually be implemented. Then it doesn't seem so great.
Modern spam filtering is not purely based on white/black-lists. Statistical analysis of the content is performed.
You don't need to auto-spam-box sources that are sending low volume emails to the same set of addresses, especially when the messages don't get categorized as spam by the content analysis.
You don't need the kind of global coordination you are talking about. Further, whitelists don't solve the problem. Under your scenarios, you can just as easily receive low volume spam from millions of fake accounts at the big providers. You're just relying on the provider to solve your spam problem.
Sorry, but these claims just demonstrate that you have not operated a large volume mail servers.
Yes, most of us do need to automatically block such sources because content analysis does not do a good job, and experience demonstrates that the vast majority of such messages are still spam.
> You're just relying on the provider to solve your spam problem.
Yes, we are. And you should be extremely happy they put in the effort they do, or your e-mail would be completely useless.
> Modern spam filtering is not purely based on white/black-lists. Statistical analysis of the content is performed.
Not purely, no, but content analysis is typically performed after whitelist/blacklist checks. If a host connecting to my mail servers is on a blacklist, there is no content analysis because the mail will be rejected before it gets that far.
It's assuming that they're all infected by some malware. Of course not all of them are, but realistically there are also thousands of providers, not 20.
How would my mail server know that the sender is a low volume source?
It's trivial to randomly cycle through the domains you're sending to in order to deliver at a low rate to any single domain.
> Further, allowing the occasional doesn't-look-like-spam-but-is-actually-spam message (if such a thing exists), isn't the end of the world.
It is when you allow the occasional such message from each of tens of millions of compromised machines worldwide.
Recently we had to block inbound mail from most of Ukraine because hundreds of thousands of IP addresses belonging to Ukrainian ISPs were used to spam us. I started manually blocking /24's, but couldn't keep up, so we moved to blocking /16's, and even that was going too slowly to avoid affecting our systems.
Another time recently we had to block a particularly notorious Asian ISP that basically don't care that the millions of addresses in their net bocks all gets hijacked for spamming purposes (or quite possibly they do care as a result of being paid to look the other way).
This is business as usual when you operate anything but the smallest mail servers where you might get lucky and not get detected by spammers.
We still receive spam sent from malware addressed at domains of clients we haven't hosted for half a decade, that's been picked up from peoples mail clients....
This is why a lot of people decide it's easier to just blanket block all dynamic IPs. It costs a lot of money to stay on top of spam, and a lot more if you decide to try to avoid collateral damage.
> The real spam problem that needed to be addressed was mailboxes being completely flooded with unsolicited messages. So flooded that it becomes impossible to read or even find the legitimate messages.
The practices you complain about are the reason why the spam problem is now contained sufficiently for e-mail to still be usable.
Sounds like you can map out the compromised addresses and selectively block them.
Avoiding auto-spam-boxing new domains (as opposed to IP addresses), would be helpful. Any strategy that attempts to leverage multiple machines would still need to register and maintain many domain names, making such a spam strategy costly and more technically difficult. Further, an easy check for malicious users is to examine the websites at the domains suspected of spamming. Or even just WHOIS info.
If spam detection requires human intervention, it is too slow. Domain reputation needs to converge within 3-5 minutes---even 30 minutes means you have lost the spam race.
Many ISPs add their own consumer/residential netblocks to some blacklists (such as the Spamhaus PBL [0]) in order to help prevent spam from originating from the PCs of compromised users. Obviously, it is a receiver's choice whether to use such lists or not (although many/most? large mail providers do) but rejecting mail from these netblocks does result in a very noticeable decrease in spam.
>Most personal mail servers are not going to be sending mass emails.
There's no way to tell whether a random host on some residential ISP or VPS provider is doing personal email or spam.
>An algorithm that auto-spam-boxes mail from domains it's never seen before (or only receives a small trickle from) is ignorant.
Since blacklisting is so prevalent, spammers who aren't idiots will be sending most of their spam from different IPs. They go out harvesting unpatched VPSes and Windows botnets. The latter is patched by residential ISPs blocking port 25, the former is still a problem.
>Maybe the big mail providers need to update their strategy regarding automatic spam-boxing?
Why? Almost all legitimate email is coming from one of the big mail providers or a big-corporate Exchange server. What reason do they have to let more spam into their users' inboxes?
Despite my grievance elsewhere in this thread that mail servers do not come pre-configured with sensible defaults, I would guess that no modern mail servers are pre-configured as an open-relay when installed. The concern about port 25 relaying being abused by spammers strikes me as an anachronism.
In any event, I found that mainstream ISPs are willing to unblock port 25 if you tell them you are running a personal mail server and have it properly configured to not relay for unauthenticated users.
Aside from that, you'll want one static IP to make your life easy so you don't need to use dynamic DNS.
I think matters such as availability of your server and configuration are surmountable challenges.
But I strongly agree with you about security. Although I really like the idea of this device, the first thing I noticed in the product web page is the use of PHP Roundcube for webmail. I have a fear of running PHP anywhere on my network. The track record [1] is way better than, say, Wordpress, but seeing things like Exec Code, even back in 2008, gives me pause.
Nevertheless, in my experience, ISPs will unblock port 25 for customers on request. I've only worked with a few in my years, but I've not yet encountered any resistance.
Most ISPs that I'm familiar with won't unblock common server ports (25, 80, 443) unless you are on a business account (though that's not much more these days).
Though it isn't always just inbound 25 traffic... often it's outbound as well. Also, the larger issue is hacked/pwned machines and bots, not just open relays. Which reminds me, I need to update Tomato on my router.
My ISP only blocks common ports on dynamic ip ranges. If you order a static IP, you do whatever you want with it. They even set reverse dns record for me when I asked, because some blocklists/mail servers want it that way.
Issue with running your own mail server nowadays is spam. Gmail does a decent job filtering all the crap.
Of course! And I am certain that she and colleagues always used GPG or similar when e-mailing between her personal mail server and the State Department's official mail server. Because it goes without saying they would do so, otherwise those e-mails carrying untold sensitive information would have been routed in the clear. And that obviously never happened.
What I've gathered from news reports is that her mail server was accepting SSL connections, with a certificate that was probably strong enough at the time it was installed, but that was insufficiently strong for the brute-force attacks available today. Aside from that, it wasn't too bad - especially given the physical security of her residence (i.e., Secret Service).
Note that the State Department's score on the FISMA report was significantly worse than that of the infamously hacked Office of Personnel Management, so maybe Ms. Clinton was on to something. https://www.whitehouse.gov/sites/default/files/omb/assets/eg...
I remember reading some early RFC's that suggested pre-SMTP, remote "email" was "sent" using FTP.
Perhaps it was something like a PUT command to append to a user's "mail" file on the recipient computer?
This seems to suggest email was always envisioned as something to be "received" rather that voluntarily "retrieved".
In retrospect, knowing what happened to email, the later idea (e.g., djb's proposal) makes more sense.
The funny part is that even though the "receive" idea is still the core part of the email process, that is not what email users do in practice.
Users "retrieve" their mail from some third party who receives it for them.
First there was "POP" then there was "webmail".
Back in the Stone Age when email was "invented" computers were too expensive for the users to own.
Each user shared the computer with other users.
Each had an email account, usually administered by the organization that owned the expensive computer.
Today computers are inexpensive and seemingly all users own one but they still do not have control of their email accounts.
Some organization is still receiving all their mail before they do. And keeping a copy of course. :)
Then, in more recent history, the domain name "business" (a monopoly run by an organization that derives its "authority" from nowhere), fueled by the popularity of the "www", became the gatekeeper to email.
When was the last time you sent an email to user@[ipaddr]? Originally if my memory of the old RFC's is correct that was how it worked. No domain name needed.
Today, if there is no purchased, monopoly-blessed "domain name", then according to the people who control users' email there is no "valid" email address. No pay, no play. Even if port 25 is open.
Assuming a user who has paid for access to the "internet" wants control of their own email (seems reasonable), then "email" is still an addtional fee.
Back in the 90s, I used to run my own. It was extremely frustrating when big ISPs started blocking mail from dynamic addresses. I understand why they had to do it but it was still inconvenient for people like me.
port 25 blocking is just the beginning. In most cases mail sent from a consumer facing ISP (Verizon, AT&T, RCN, etc) will not be accepted if the destination server is implementing SPF mail authorization, which most are these days.
This looks very similar to what we built one year ago at https://kinko.me. And then we even managed to solve most of the problems outlined in the comments here (Port 25 blocked, etc.) But our crowdfunding campaign failed, and I have seen other campaigns with similar topics and target audiences fail since.
Consequently I doubt that a relevant audience for that type of device really exist -- even though I wished own-mailbox would succeed.
That's because they're all getting the target audience wrong.
"Personal email server" - right there is the mistake.
If the consumer market is small, 8 times out of 10 you can bet that if you adapt the technology appropriately - change the pitch, make a few feature adjustments etc - there is an enterprise market willing to pay for the solution instead.
Yes, and that's why we didn't call it that.. We had a box that "you just plug in, reconfigure your existing email client and are ready to go." .. and still: the privacy concerned end-user audience is a hard nut to crack, because you cannot just sell a magic box - people want to know what is inside, but then they shy away from too much tech.
As for enterprise solutions: I seriously doubt that PGP is a solution there, because recipients must have a pgp based solution as well. OTOH they can easily run S/MIME and feel fine... own-mailbox, at least, seems to support a mode where the recipients does not need gpg by sending out a link which points back to the plaintext email (and I assume they would then need a password of some kind.)
I've had to use Microsoft products (Windows & Office) in an enterprise environment before and, while I'd much prefer to use Thunderbird & GnuPG, Symantec's commercial PGP products in conjunction with Outlook are a good solution for this environment. A centralized server controls configuration and policies and, once up and running, it just works(TM) and, IME/IMO anyways, was a better solution than Outlook + S/MIME.
Of course, this required both sender and receiver to have/use PGP and/or a compatible product.
How does transmitting an HTTPS link solve email encryption for people who don't have PGP? The link is sent plaintext. Does the system require users to register out-of-band somehow? That's how corporate email "encryption" systems work (the "send an HTTPS link" approach is popular with financial firms).
The underlying approach this system uses --- webmail, but on a special purpose box the user owns --- is actually sound. It seems like a pretty good refinement of Mailpile.
On the other hand, they should tone the rhetoric down. I winced at "100% secure".
There are several options, ranging from making the link one-time only to requiring a captcha or password.
From TFA:
➜Can you explain more in details how Private Link Message (PLM) works?
Private Link Message (PLM) allows you to send and receive messages from people who don't use GPG.
The link is temporary: once clicked by your correspondent it is too late to spy, the link does not work anymore.
You can also, optionaly, setup an expiration date for the link. If your correspondent did not access the message before this date, it is too late to read.
The link is filtered by a question. Depending on the level of surveillance you think you are in, the question can be a simple captcha to avoid bots, a secret question that your correspondent can answer but not the NSA, or a request for a password previously exchanged with your correspondent, or no question at all.
Your correspondent will have a web interface to answer your message privately. You can also activate a permanent HTTPS interface for anyone to send you a message privately at any time.
In practice a simple captcha will allow you to be safe from mass surveillance, since only targeted surveillance can be done by human beings. On top of that any spy will be detected, and have his IP address revealed. On our test, no PLM has ever been spyed even with no question at all.
Except for the option of a secret question (ie: a password), none of these countermeasures seem useful. The one-time link in particular; an attacker will collect the email, then spoof a replacement site containing the email to make the surveillance mostly (or entirely, depending on how well the operator of this email-in-a-box service configures TLS) transparent.
The idea that a captcha protects anyone from mass surveillance is probably unworthy of discussion.
It's certainly not a watertight solution against targeted surveillance, but why wouldn't it be effective against mass surveillance?
If someone were to open all these one-time links (and manage to fill in the captcha's automatically), people would start to notice very soon when the intended recipients complain and the Own-Mailbox interface shows that the email-URLs were opened by some dodgy IP address.
I think you missed my sketch of how the attack against single-use URLs (or, for that matter, pages that show what the last IP address to access the account was) works.
Mass surveillance can probably be turned into mass MITM. As tptacek said, intercept mail, alter link to point to attacker-owned server or account, proxy messages via the original link. An intermediate Rails developer could put it together with a couple of gems.
However that requires a compromised client, a compromised cert, or a compromised ca. While all of those are possible, they do substantially raise the bar in terms of who may have the capabilities.
It's a classic tradeoff in terms of who you care about being secure against and how badly you want it.
If the client is compromised then the mitm can be performed on the client itself. And barring that wouldn't the cert or the ca have to be compromised in order to intercept the message at all?
If the original message is delivered via SMTP, it's supposedly fairly easy to force unencrypted SMTP if you have a MITM. Then you can just rewrite the URL in the message to a domain for which you have a valid cert, or rewrite it to use http instead of https and intercept/proxy the http requests.
Also KDE that downloads an URL to determine the mime type before sending it to an application. Doesn't the HTTP spec say that GET requests have to be repeatable?
> The link is filtered by a question. Depending on the level of surveillance you think you are in, the question can be a simple captcha to avoid bots, a secret question that your correspondent can answer but not the NSA, or a request for a password previously exchanged with your correspondent, or no question at all.
> Your correspondent will have a web interface to answer your message privately. You can also activate a permanent HTTPS interface for anyone to send you a message privately at any time.
Granted, 100% secure is a bold claim, but it's not just an HTTPS link anyone can click on, at least not if you're a tiny bit clever enough to enable additional protection it offers.
I'm curious why the "just" qualifier? Is there anything that makes a pre-shared key a bad idea? (Particularly if someone follows the habit of one per private email, exchanged out of band.)
But financial companies make sure to handle mail retention/archival, as well.
As I already said last time this product came up: this is not email. As far as encryption is concerned, it's a proprietary messenger, and it deprives not only the user (who opted in), but all of his recipients of virtually every advantage, standard email has got.
The reason for SMTP servers being better off in a proper data-center is not really due to port 25 being blocked at home, it's the entire infrastructure that assures reliability, so if your power goes out or your home router decides to die or your ISP is having issues, etc, you would start losing emails right away.
EDIT: I understand SMTPs are resilient but it also depends on the type of error they get back, even then it can't be expected that all servers keep retrying for long periods of time or even handle triple bounces.
So you 'could' start losing emails right away, is a better way of saying it.
Isn't SMTP actually pretty resilient to outages? Typically sending mail servers will retry for hours (or even days) before giving up when a recipient server is down.
Yes, it is. Virtually all normal SMTP servers will re-try e-mail delivery several times spaced over at least several hours before rejecting delivery with a notification back to the sender.
I have run my own e-mail server for about 17 years, originally from my home and more recently from a data-center where I have co-located my server. Admittedly, when I had my mail server at my home, I would suffer outages long enough to miss e-mails when I needed to do something as severe as work on my home's electrical panel or move. But generally speaking, a momentary glitch in network connectivity would not result in lost e-mail. Since moving my server to a data-center, the only downtime I had was when I needed to replace a disk.
As the above paragraph suggests, I am strongly in favor of people running their own mail servers and moving away from the presently-popular centralized Internet, back toward a decentralized model. This device isn't for me, and probably isn't for several of us here, but it's precisely the kind of thing I'd like to suggest to other people who would not otherwise be comfortable running a mail server.
I know a lot of programmers who shiver at the thought of managing their own servers, and I feel that's a regretful situation for the Internet at large. It suggests two things: (a) many programmers fear servers, which I don't think is healthy and (b) insufficient R&D has gone into making infrastructure easier to manage. After all (a) is a rational fear given the state of the art in many cases. It can in fact be quite difficult to set up a mail server (although once setup, most are pretty hands-off). It should be much easier to navigate through the settings and have a nearly out-of-the-box configuration that is sane and avoids the most common pitfalls.
Aside: Incidentally, I found that even mainstream ISPs like AT&T will unblock port 25 if you call them up and explain you are running your own personal mail server. When I moved to AT&T country, they did exactly that with no questions asked.
As for programmers fearing servers: all the mail servers I've tried are almost incredibly byzantine, making them stressful to configure and hard to understand.
My brother got tired of this and wrote a functioning and mostly conformant SMTP server in less than 50 lines of bash (using djb's tcpserver and delivering to maildrop).
As far as I'm concerned, all the configuration I can ever imagine needing for a simple SMTP server could be specified with like max 3 command line switches.
So yeah, I think it is a somewhat rational fear, and I don't understand why everything seems so amazingly complex.
FWIW, OpenSMTPD is extremely simple to configure and get up and running. (I don't use it other than as an "outbound-only sender" but the configuration file is very readable and simple).
To add to that I've found OpenBSD in general to be extremely easy to administer. Most configuration is straight forward and no more complex than necessary with very clear documentation.
> many programmers fear servers, which I don't think is healthy
I fear the consequences of doing it badly or wrongly. It's like building my own car - I could probably do it and drive it around for awhile, and if nothing goes wrong nothing would go wrong - but if something does, suddenly it goes very badly indeed.
"Since moving my server to a data-center, the only downtime I had was when I needed to replace a disk."
By the way, there exist backup MX services - commercial or self-made, which would give you 100% incoming-mail uptime but without having to move or copy your server to a data center.
Some hosts are doing away with backup MX hosts (including me/work) simply because a) any sane sender will retry for a period of at least several hours and b) sending via the backup MX is a common way for spammers to (attempt to) increase the chances of their mails getting delivered (e.g., due to lack of/decreased filtering on backup MX hosts).
Thanks for the note! I'll definitely keep that in mind next time I evaluate my hosting environment. I expect to switch to a different data center eventually, and that would come in handy.
Usually they will retry for days. 4 days is conventional, and it's rare to see less than 24 hours... So you're right, it's a rare concern.
And of course if that's an issue, it doesn't take a huge amount of effort to run two - the secondary only needs to run the MTA with sufficiently longer retry intervals for passing mail on to the primary to give you whatever safety margin you'd like.
People seem to forget that e-mail started out in an environment where not all recipient hosts could even be expected to be online all the time - there's decades worth of solutions for doing store and forwards for hosts with intermittent connectivity, so dealing with failure of an MTA is easy.
My big issue with running my own mail server these days, though, isn't the inbound e-mail but deliverability of outbound e-mail. These days I'd be inclined to pass my outbound messages through somewhere like Sendgrid or Mandrill (at a cost) to let someone else deal with the deliverability problem.
I know a lot of programmers who shiver at the thought of managing their own servers...
I used to be a sysadmin; now I'm a programmer. I love to host my own webservers and the like. But email? That's just a never-ending uphill battle. Between spam, and whitelists, and botnets constantly port-scanning your server (hope I've got all the latest patches, etc..).
For me, GMail solved this. GMail solved spam, and hassle. (At the cost of all my privacy being in the hands of a for-profit corporation.)
Yes. This is correct. Once, I had misconfigured my mail server when adding another domain I had bought and it rejected an e-mail. While I was looking into it, I saw in the logs that the sending party had retried after 15 minutes so I corrected my config and waited another 15 and I got the e-mail. Of course, number of retries, if any, and time between attempts will vary between different servers and their configs.
Another story I have about e-mail is that another misconfiguration on my part caused mail from me to others to be spam filtered or outright dropped by some receivers. It wasn't until I attempted to send an e-mail to a Debian mailing list that I learned why that was. Their e-mail server was nice enough to reply with the exact reason why they would not accept my mail. I was then able to fix it. (Though I don't remember if they did so in the form of what was said over SMTP and seen by me in logs, or if they bounced the e-mail.)
This is somewhat mitigated by the fact that legitimate sending mail servers will retry delivery if the destination server is unavailable. Outbound mail from a home connection may very well have issues being marked as spam due to ip blacklists though.
I don't think so, depends on where you live and the laws that apply there. It's probably easier to seize a home server than it is to hassle a company to divulge its contents.
I think it's the other way round in the US. Conventional email hosting providers are definitely not protected by the 4th. Also for political activists, actually raiding their homes is a dead giveaway whereas leaning on companies can be done quietly.
Should be easier to just encrypt all the email.
Either by encrypting the HDD or by automatically encrypting all ingoing email with you public GPG key (Saw a perl script for this in a blog)
RFCs dictate that a mail server retry sending when the MX host is unavailable. If the sending mail server doesn't retry then it is the sender's fault if a message is returned undeliverable without retrying at least a few times.
The "de facto standard" for retrying was (is?) five days, because that's what sendmail defaulted to for years. Nowadays, many senders don't retry that long (my mail systems are set for 48 hours) simply so that a bounce/undeliverable mail is returned to the sender much sooner.
IIRC, there was a certain version of Exchange (I forget which now) that apparently didn't retry and would immediately bounce a message if it was undeliverable on the first attempt, but that was quickly fixed.
Perhaps, it very well could have been. I made an assumption since sendmail was, for the most part, the MTA in those days. Yes, others (including qmail) existed but sendmail was, by far, the most widely used. I, myself, was a sendmail fanboy for years until I eventually moved to postfix in the early/mid-2000s.
eh, it's a security vs. reliability issue. You are right that a home-hosted email is going to be less reliable. Others are right that SMTP is pretty resilient, but not infinitely so.
A home mail server, from experience and from the experiences of others, would work okay on receive. You want a static IP (or a static-IP VPN.) at a minimum, and the first thing you need is to make sure you aren't on the dialup-user lists. But that's an outgoing mail issue, not an incoming mail issue.
that's the thing, though, the outgoing mail issue, ultimately, is more difficult than the incoming mail issue.
It isn't only receiving emails that requires a connection. According to the site, anyone who doesn't use encryption (currently the vast majority of users) will receive a link to your message hosted on the device. That means that most people won't be able to read your emails if your device goes offline.
Neither does, making Dropbox itself, "trivially by getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem. From Windows or Mac, this FTP account could be accessed through built-in software." [1] :)
Obviously it needs to be a lot easier than that - the fact that it's difficult right now is the problem. It needs to easy to manage like a smart phone or tablet is.
Plus many spam blacklists have blacklisted entire IPv4 ranges as "residential IPs" (meaning even if your ISP does allow SMTP (which many do not) then your emails may still be blocked as "spam.").
Only way around all of this is to pay for a "business" internet connection (with 500% markup for the same speed, single dedicated IP, and a pretty poor SLA).
I pay about $20-25 more for my business line than residential service, for the same speed and 5 dedicated IPs. Yes, it's more, but it's not 500% more....
>with 500% markup for the same speed, single dedicated IP, and a pretty poor SLA).
This is overly cynical. There's a world of difference between your crappy Comcast line at home and my fiber line at work. Unless you're actually responsible for an infrastructure, then I don't think its easy to appreciate the difference, but yes, its worth every penny. You may not realize it but jitter, latency, routing, etc are far, far better on proper business lines. Not to mention SLA's, dedicated bandwidth, and actually having someone to yell at on the phone who can do something for you instead of being yet another anonymous schmuck on discounted service that's oversold and runs like crap.
Oh, at previous gigs we tried "business cable" which was laughable. All the downsides of Comcast but somehow even worse uptimes and incompetence.
Personally, I agree that smtp traffic originating from residential blocks should be weighed much heavier than other blocks. Wanna see my mail logs at my spam filter edge? Most Windows computer in the world has been taken over in some fashion by malware. Its worse than you think out there.
I can't give real logs because of privacy concerns but in the past 7 days we've been at 79.2% spam. Roughly 2% of that is straight up malware like cryptolocker, various botnets, trojans, etc.
I've run a personal mail server on Comcast business class for about 2 years and haven't noticed this problem. Probably the majority of my outbound mail is to Gmail. I don't remember if I've checked the RBLs before, but I probably should re-check.
I have problems with several places that firewall the Comcast IPs - Symantec (messagelabs) is the worst because I don't know who uses their services until the message queue backs up and then I have to route around the damage. Really annoying.
To make it worse, I cannot find a way to contact them and ask them politely to whitelist our email server IP address.
Most mail services give a a rejection and, when I've asked to be whitelisted, they do it with no problem (Microsoft, for instance). Symantec simply doesn't respond on port 25 and has no contact information.
The big providers are actually less of a problem when it comes to RBLs than smaller ones, as the big providers have their own filtering and/or rely on reputable RBLs. The bigger problem in my experience is companies with overzealous IT people with the authority to largely do as they please, where you get some percentage that pick their favorite set of block lists with no consideration for whether or not said block lists are properly run.
We occasionally get on block lists, and though we do get onto reputable block lists now and again after mistakes by users, they're rarely a problem and quick to get off. But now and again we get on some shady block list where there's no quality assurance, and where delisting procedures are onerous. Every now and again one of them is an outright money-making scam ("pay $99 for express delisting, or wait for X days for the regular service; oh by the way we just randomly added you with no basis")
You certainly should check. As I'm sure you are aware, some RBL's areole aggressive than others. Some are down-right draconian, and some are more like a whitelist in that they leverage grey listing so any outbound mail is given a few good points in it's total possible spam score.
I ran a medium email ( late 90's ) mail server system on a dedicated 100mb/s line, on an older dual cpu Power Mac actually, but I pulled out all the GUI and tried to run it mostly as a server using the client OS and only the CLI, making it more like running FreeBSD or openBSD I suspect.
I got a /24 IP range out of Comcast which I think helped as it was a previously never used /24, or at least not in use long enough that it had fallen out of RBL's
I'm sure you are aware of the sites that checks your IP against all 200+ or so mainstream RBL's.
There are a few RBL's that block Comcast business as well as all cellular ranges and quite a bit more. I found RBL's to be more trouble than worth.
Ideally, you are dropping the connection at the very beginning, just after the EHLO/HELO., highly efficient, perhaps marginally more efficient CPU-wise than greylisting. Fail2Ban is probably your best friend. Do it closer to the network if possible.
The above, versus pushing the message through various spam filtering, address validation, and other measures. There's heavy CPU usage post greylisting, greylisting is great, but waiting that 5-15 minutes for the retry is too long, most users don't use a password manager. Their password manager is "forgot your password". Insane, but that's how I watch all my friends do it. They learned not to re-use passwords, but now they rely on third party email to send forgot password messages. At least people can tell which are not hashing/+salting their credentials. Though I doubt most blink an eye at a raw password in an email. Clients have email me their credit card data. I tell them delete their debt message, then dived 15 minutes doing tech support to help them locate the credit card sent email.
I was far too often adding whitelist entries, making certain clients ignore greylisting or drop down to 30 seconds, for which I saw no increase in spam. It's the retry value on the server that's set too high/long. Not to mention the 10% or so of older email servers that don't support greylisting so never retry. A clear RFC violation, but these are proprietary systems and not made with greylisting in mind. You could achieve it with a proxy running greylisting or ASSP if you want a full proxy with web admin and essentially a full MTA in a proxy all in one file of many tens of thousands of perl code. No version control, crazy version numbers, and I think still on SFNet ( Source Forge )
At some point you realize you have added aol, yahoo, gmail, etc., all the big guys, they need whitelisting because their IP ranges are huge, and ever changing. Keeping on top of which IP's they are publishing as public MTA based IP's, you can build a solid whitelistable IP range, but they change often enough it's not feasible. A SAAS that checked all this would be nice but latency may be too much. Less than the 5-30 minutes of greylisting though.
AOL fully ignores greylisting last I looked. Not to mention DNS TTL's are/were ignored. Sucked to set my MX TTL to 300 seconds, wait the 8 hours for my default DNS expiry, switch my DNS, and then wait 2 weeks for DNS proposition with aol. Not to mention all the paperwork that needs filling out to get into their MTA whitelist program which kicks your sending threshold up by a percentage so it's not a true whitelist. I had to renegotiate every time we added another 5000 to our outbound, it would flag me and I could see all the aol messages stuck in my outgoing queue. Two weeks was longer than my greylisting time, messages bounced because aol saw no server at the other end. I had to keep a "gateway" running, basically I set up a secondary MX to sit there and deal with the aol 2 week DNS propagation to happen.
Finally I gave up and added an external SMTP only machine in a colo. small machine, under 100.00 a month, all it did was SMTP. Deliverability was significantly better after that but ruined the notion of securing my data at my location. But it is relatively ephemeral in that its just SMTP, the data sends instantly, unless it hits greylisting servers or other things that initiate a SMTP retry. That leaves messages and retry logs on the remote server out of my control physically.
Most don't answer postmaster@ or abuse@ which are RFC. Some even bounce meaning they don't even have those addresses available. Having a support/postmaster/abuse @ address that you certainly should check. As I'm sure you are aware, some RBL's are more aggressive than others. Some are down-right draconian, and some are more like a whitelist in that they leverage grey listing so any outbound mail is given a few good points in it's total possible span score.
I ran a medium email server system on a dedicated 100mb/s line, on an older Power Mac actually, but I Pulled out all the GUI and tried to run it mostly as a server using client OS and only the CLI, making it more like running FreeBSD or openBSD I suspect. Added 2x SATA cards and an additional CPU to speed things up. IMAP is purely I/O limited and I wanted and had everyone in IMAP. but IMAP needs a few horses behind it, I wish SSD's were where they are now back in the 90's. That would have been great. I moved my 4GB IMAP account into pure ram disc. It was pretty amazing. Millisecond loading of a mailbox with push enabled in milliseconds to load many tens of thousands of messages and attachments.
I got a /24 out of Comcast which I think helped as it was a previously never used /24, or at least not in use long enough that it had fallen out of RBL's
I'm sure you are aware of the sites that check your IP against all 200+ or so mainstream RBL's.
There are a few RBL's that block Comcast business as well as all cellular ranges and quite a bit more. I found RBL's to be more trouble than they are worth. Good in theory and a great thing to run your own local RBL as it's such a nice way to manage it, through DNS. Want to whitelist or block, just add a DNS entry after reversing the IP. Simple, immediate, understandable.
Ideally, you are dropping the connection at the very beginning just after the EHLO/HELO. Versus pushing the message through various spam filtering, address validation, and other measures. There's heavy CPU usage post greylisting, greylisting is great, but wIting that 5-15 minutes for the retry is too long, most users don't use a password manager. Their password manager is the "I forgot my password" mechanism.
I was far too often adding whitelist entries, making certain clients ignore greylisting or drop down to 30 seconds, for which I saw no increase in spam. It's the return value on the severe that's set too high/long.
Eventually I ran out of granularity per user to set things how I wanted. Setting up a server for a subset of users was asking for trouble.
At some point you realize you have added aol, yahoo, gmail, etc., all the big guys, they need whitelisting because their IP's are huge, and ever changing. Keeping on top of which IP's they are publishing as public MTA based IP's, you hBe a solid whitelist able IP, but they change often.
AOL fully ignores greylisting last I looked. Most don't answer postmaster@ or abuse@ which are RFC required for postmaster and suggested strongly for abuse@.
Oracle ended up in spamhaus, after weeks, I finally got I touch with their admin. ( grind worked there, could not email him ) He'd ( Oracle MTA Admin ) been trying to figure it out for 4 months of bounced emails. How they never had a forwarded email from a bounce that shows the 5.5.0 code is all they would have needed.
But that poses another problem. You have to whitelist abuse@ and postmaster@ or the data you send them will trigger everything, anti-spam, and bounce. But then you get tons of spam, fully unfiltered on those two accounts.
Then there's DKIM and the rest plus the rest of the DNS based pseudo AUTH mechanisms. But those too are problematic. Some can't forward without bouncing, under SPF I believe. Oracle ended up in spamhaus, after weeks, I finally got I touch with their admin. He'd been trying to figure it out for 4 months or bounced emails. How they never had a forwarded email from a bounce that shows the 5.5.0 code is all they would have needed.
But that poses another problem. You have to whitelist abuse@ and postmaster@ or the data you send them will trigger everything from anti-spam and bounce. But then you get tons of spam, fully unfiltered on those two accounts.
In the end, I'm basically tailing logs, massaging them into a SNMP walkable data point so I can graph and chart. All to find out managing a mail server really is a near full time job. Add a secondary and it's even worse as spammers will direct target your mx2 Which means filtering, whitelist, blacklist, greylisting, geographically separated, and network role separated ideally, etc., full parity on two physically disparate boxes.
I was pushing about a million messages a day across a few 10's of thousands of accounts, forwards, aliases, etc. all over Comcast business.
The upsides: 4 hour support window 24/7/365. Direct phone line that a person answers. That person is an engineer of some sort or will transfer you to someone. I've spoken to engineers that maintain DNS, mail, web, etc. you get as close to he source as possible and they know how to unpack a gzipped or tar'd log file batch if you can even get a contact address for them.
Sorry if there's duplication of content. Either something is up with HN or my phone is being my phone as usual. I apologize for the illegibility in places.
"Many ISP's" don't actually block 25/TCP outbound but simply add their residential netblocks to, e.g., the Spamhaus PBL. An end-user assigned one of these IPs can, upon request, have it removed from the PBL himself. This is, IMO, a much better way of "disallowing" outbound SMTP than simply filtering out packets.
I'm curious as to why this is better in your opinion. Doesn't adding the range to a blocklist carry the potential of being copied by other blocklists? Then an ip seeking to send mail must track down and request removal from every blocklist that it's been added to whereas the alternate approach requires the email administrator only contact a single entity, and one they are a customer of to boot.
If, as an end user, your IP address is on the Spamhaus PBL, you can have it removed yourself simply by submitting a request online.
If packet filters are used to block 25/TCP, you have to request that your ISP unblocks it, hope that they do, and then wait for them to actually do it.
What is "valid"? I've been delivering personal email for 2 years from an IP whose reverse is like 1-2-3-4-static.hfc.comcastbusiness.net, and that name does not match what I put in my MX or HELO.
Now, granted, there are probably some systems that have issues with this, and maybe I do have failed deliveries I didn't notice, but you did say no email will deliver at all.
I was under the impression that you just had to have an IP with an A record that matched the reverse DNS, even if it's not for the A record that's your email domain?
It depends on the MX you're delivering mail to. Some aren't restrictive at all, some will reject if there's an A/PTR mismatch, etc. I make use of FCrDNS on my mail systems.
In this case, this isn't necessarily needed as own-mailbox could be the MX and then transmit the data using some other protocol or even just SMTP over a different port.
Of course this means that they could read your email again, so we'd be back to square one.
But they tend to allow you to send and receive SMTP though their servers so for a thing like this there is only a potential problem with the web and IMAP part ... which can be solved with a VPN.
It's an easy anti-spam measure for sure, but there's no reason you (as the user) shouldn't have a checkbox allowing you to remove this limitation. Otherwise it's not a full internet access.
There's a good reason: The demand for it is infinitesimally tiny, and the hassle of doing so (and having to deal with monitoring whether or not you end up being a spam source) is an extra cost.
An argument that it's not "full" internet access will get you nowhere - very few consumer internet subscriptions are "full" internet access in the sense that they are totally unrestricted - most have very severe restrictions on e.g. running servers and many other things.
I'm not sure I understood you correctly. Are you saying it's a common thing for all "ISPs" in the US to block outgoing traffic on port 25 (and allow incoming traffic for Outlook et al.)? Or do you simply mean that most email providers will block incoming mails from residential IP adresses?
My provider (BellSouth or AT&T or whatever they're calling themselves this week) block incoming port 25 and block outgoing to port 25 to anywhere except their SMTP servers, because of spam.
Words mean what people use them for. Sure it's technically only 65534/65535 of an ISP, but that's not a very useful way to communicate with people about the issue.
If you are not allowed to run server, they are WSP (Web Service Provider) not ISP.
But if you are OK with ISP not providing internet, I'm sure you are fine with unlimited limited or throttled after x, 24/24 access between 9-5 and secured http page as long as there is a padlock favicon ...
> Words first mean what is written in a dictionary or encyclopedia.
Nope - this is an important difference between English and other languages. If what people say differs from what's in the dictionary, it's the dictionary that will change, not the people.
Yeah, in my particular "land of the free" (the one everybody thinks of when you say that), there are actually laws on the books in many states and local jurisdictions which make it illegal to start your own cooperative/municipal ISP. I know the brochure says nice things about this country, but it's really not as great as it sounds.
I would say "avoids" rather than "solves." The issues raised in those posts are real issues, but they mostly have to do with the question of whether or not you can trust the server. With SC4, you don't have to trust the server -- or at least you don't have to trust our server. SC4 consists entirely of static files, so it's trivial to deploy from any server, including your own. You can even run it from a FILE: URL, though that actually turns out to be less secure (SC4 takes special precautions in this case). So browser-based crypto is far from ideal, but it can be better than nothing. In particular, it can be the 80/20 solution with respect to security versus implementation effort and deployment hassle.
If you want more details I'm happy to provide them.
A couple of problems as noted already that will make this a show stopper:
> Port 25 is blocked inbound on most residential accounts - preventing you from receiving email
> Many SMTP servers are configured to automatically bounce email from residential IPs - so sending would be a problem
The point of GPG is to make sure that the only person that can read the message is the one you sent it to. Having a HTTPS site doesn't prevent the random person from viewing the link and doesn't verify the user. Now - this might be interesting if the web app that shows the email has as GPG library in Javascript requiring the user to have GPG keys.
I think a better scenario is if keys haven't been exchanged - to send an email with "Alice would like to communicate over secure email - please download and generate a set of keys" with instructions on what to do. But I have no idea how not to make it look spammy.
This is just hilarious:
> Why shouldn't I trust and use any cloud email service with JavaScript client-side encryption?
> Encryption is done in JavaScript, and therefore relies on browser's JavaScript engines, which 80% of the time [1] are proprietary software coming from Google, Microsoft, and Apple, most eminent NSA collaborators.
The author does know that Chrome is open source right (well I guess technically Chromium but I hope it's based on the same code)?
> Why not use a raspberry Pi?
> Mainly because it cannot be trusted enough for this kind of application. [...] The Raspberry pi is provided with non-free software and the hardware needs non-free driver to work.
I've used Debian Linux on it before and didn't need to install third party drivers?
"Will make this a showstopper" for whom? You can't imagine anyone having any use for this device?
You're wrong about how the device uses HTTPS links, as other people have already pointed out elsewhere.
What's hilarious about the inherent impossibility of secure closed source software? You "hope" Chrome is "based on" Chromium---what relevance does this hope have for a factual discussion? And what about Microsoft and Apple? And the many well-reasoned criticisms of browser-based encryption?
Debian's wiki page about the Raspberry Pi explains about the non-free software required to even boot the device. You were probably using Raspbian, which is a Debian derivative that includes the necessary binary blobs.
> You can't imagine anyone having any use for this device?
No home users would be able to use this - and that is who they seem to be targeting their marketing towards.
> What's hilarious about the inherent impossibility of secure closed source software?
That you can't get around using closed source software/hardware. You have to put trust into closed source software at some point - do you drive a car?
> You "hope" Chrome is "based on" Chromium---what relevance does this hope have for a factual discussion?
Like I said before - relating to security I hope certain systems like OpenSSL and CAs are not compromised. I'm a realistic person and I assume they aren't. Do you check and pin every SSL certificate you come across? How do you know that you don't have a bad CA certificate in your store right now?
I'm not saying I have irrevocable proof that Chrome's code is a fork of Chromium - but there are enough indications that suggest this[1]. I'm not saying you should or shouldn't use Chrome - go use lynx if that makes you feel better.
> And what about Microsoft and Apple?
What about them? I'm not saying they are perfect - but I'm also not totally paranoid that I'm going to refuse them on the basis that I can't see their code.
> And the many well-reasoned criticisms of browser-based encryption?
That's a loaded question if I ever saw one. Web applications like cryptocat are bad because they send the keys with Javascript. I'm no security expert - but something like this seems reasonable to me in the context of the use case of this box [2].
Chrome is in not open source by any common definition. Google claim that Chrome is Chromium with some extras. But how can you or I ever know (unless we get a job at Google...)?
Open source with binary extras all compiled together != open source.
If I remember correctly the GPU is heavily involved in booting and running code on the Raspberry Pi while the ARM CPU is more of a coprocessor, or something like that. The GPU require a proprietary binary blobs to be present on the SD card to boot. It's a pretty odd computer and not open at all.
As far as I know it's still true. Even if you're using those open source graphics drivers you still need the binary GPU blob in order to actually boot the Pi. The Pi's initial bootloader has to run on the VPU and those open source drivers don't - indeed, they're from a related chip that doesn't even have a VPU. Last time I looked there was no documentation for the VPU, no open-source version of the bootloader code, no compiler that targets the VPU, and the only assembler was based on unofficial reverse engineering.
This article makes no promises. It merely states the possibility of having some functionality. Can you find somewhere that provides a fully OSS build for Raspberry Pi?
> The author does know that Chrome is open source right (well I guess technically Chromium but I hope it's based on the same code)?
What's hilarious is that you're relying on hope for security. That's not how security works.
> Mainly because it cannot be trusted enough for this kind of application. [...] The Raspberry pi is provided with non-free software and the hardware needs non-free driver to work.
The Raspberry Pi boots from its GPU and only non-free software is currently available for the GPU, even starting the machine requires a large (2MB) blob of non-free, unsupportable software
> What's hilarious is that you're relying on hope for security.
I hope that CAs don't get compromised and sign SSL certificates they aren't supposed to. Oh wait...
I hope Debian doesn't release a version of software with a security hole in it. Oh wait...
I hope OpenSSL doesn't have any bugs in it. Oh wait...
Does this mean I completely disconnect sit in a corner and hope for the best? No - I'm realistic. Software like OpenSSL, Debian, and people who run CAs are made by humans and will make mistakes. They will fix their issues and life will go on.
> The Raspberry Pi boots from its GPU and only non-free software is currently available for the GPU, even starting the machine requires a large (2MB) blob of non-free, unsupportable software
And? Systems you use everyday use closed source non-free software. Do you use Android or iOS?
As far as encryption goes in the Linux kernel - even Linus himself said it doesn't matter if the NSA has a backdoor to the random number generator [1]. If you feel that he is wrong please contact him and post his reply.
* Reliability of ones Internet connection should not be much of an issue, because SMTP servers should retry to deliver a mail for several hours/days. Otherwise a secondary MX could be used as a backup for mails in transit.
* Policies of ones ISP are often a problem for something like this, you likely need a "business connection" for something like this.
* Dynamic DNS could be used for receiving, but you won't have much success in sending mails unless you have reverse DNS working and that requires a static IP as far as i know. Most users will only get a static IP for "business connections".
* I'd be really interested how the combine their usage of GPG with multiple client. Is there some sort of key management included? How does it work with Webmail/Roundcube? Is the same key used for desktop and mobile phones?
Compromising a page doesn't necessarily have to alter existing content. It would be easy to add a "Download Preview Build" link pointing to a trojan, add links to a fake kickstarter, etc.
You know, I've never really realized that before. It's actually a pretty huge security hole for average users, no? There should be a way to explicitly forbid non-encrypted connections on a DNS level.
That's roughly the purpose of HSTS, but you need to have visited the site at least once first (or in the case of popular sites, HSTS status of a site is shipped with the browser.)
From the front page: "Optional P2P backup, so even if your Own-Mailbox is offline temporarily you don't lose any email from your self-hosted addresses as long as you maintain 70% up ratio." and "16GB storage, possibility to extend memory or do backup via USB drive/HDD."
I'm also wondering how the P2P backup works exactly?
As an example, if it comes with 16GB storage and my mailbox is 10GB, does that mean other people's boxes would contain the full 10GB dump or just pieces/blocks a la bittorrent?
If you use an IMAP client, you have a local backup. Alternatively, even if you exclusively use Webmail, you can still maintain a remote backup (using imapsync or similar). There's also the "optional P2P backup".
To be fair the whole FAQ would need some work. I'm always surprised people spent days or months putting together this kind of project, but wouldn't take an hour or two for proper copywriting. The project being open source, I'm sure they could even find someone to do it for free.
Documentation is difficult, and most people hate doing it. There's a lack of people who want to do documentation in opensourceland, and when someone does want to do docs, they also have to really understand the product, or have a senior dev work with them. Copywriting is easy for people who can write copy, but it's difficult for most people.
Its main feature is security, which is great for paranoid people. But what happens when you are miles away from home and your internet connections to the server goes down? How are you going to check your e-mail?
If you're concerned about privacy, it seems the best method is still to cut-and-paste encrypted envelope into regular mail client to avoid possible vulnerabilities, both physical and software. The obvious problem with a self-hosted server that you order from a company is that it can be intercepted or otherwise compromised before it arrives at your home. Thus it is potentially even more vulnerable than just pasting GPG encrypted message directly into gmail client.
> What about SSL certificates and authorities for HTTPS?
> Each Own-Mailbox will generate automatically its SSL key at first setup, and send to us the public part.
> Letsencrypt Certification Authority will be used , it is free and very easy to setup, and it will be handled automatically by your Own-Mailbox. Every Own-Mailbox will automatically ask for certification for its key indepently from us.
Regarding hardware-assisted self hosting, there is http://internetcu.be which, among other things, does email (and bypasses ISPs restrictions by bundling the "box" with a VPN and providing static IPv4 and 6 addresses to each user).
It's some sort of "freedombox" [0] come true. It works out of the box, in a plug and play fashion (and it's based on free hardware [1] and free software [2]).
The funny thing that most people who obsess over encryption forget is that using tough encryption attracts attention, and all the encryption in the world won't save you from simple workarounds (https://xkcd.com/538/) and ordinary surveillance.
The solution for all of us is to make ordinary communication more expensive to break into rather than to go out on a limb with attention-getting extraordinary measures.
I'd also have to say -- no offense intended -- that what I take to be a central European accented voice-over advocating using a new security product to avoid NSA surveillance doesn't fill me with confidence. I'm pretty sure the NSA is at least well-intentioned.
I'd suggest your best pitch accent would be scandinavian or perhaps Australian (not that the Australian government isn't horrible, but it's pretty harmless).
I did not mean to offend, and apologize if offense was taken. I don't know where the accent comes from and it's certainly not anyone's fault how they speak English (and kudos for speaking English since I suck at languages). The fact is, it seemed central (or eastern) European to me, and if I were trying to sell (say) Americans or western Europeans on privacy products, anything suggesting the former eastern bloc would not fill me with confidence. Make of that what you will.
I refer to making ordinary communication more expensive to break into. (Security is a relative term; you simply make things more expensive than who-ever it is surveilling you cares to pay. Good encryption is more expensive to break than weak encryption which in turn beats no encryption.)
"The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances."
Have you got any information to suggest this is not what the NSA tries to do?
Michael Hayden's perjury in front of congress aside, I don't think people at the NSA go to work, rubbing their hands together and evilly cackling about all the civil liberties they're going to violate. Indeed, can you nominate anyone who has actually been harmed by NSA surveillance? To the extent it works, we probably won't know about it for decades. Maybe never -- there are aspects of WWII Sigint and cryptography that are still undisclosed.
Now, if you don't like the US and its allies (and there are plenty of reasons not to, I won't deny that), sure -- that might tick you off. But it's not like every other country doesn't act in its own self-interest. I believe that the people in the NSA are attempting to honestly pursue its aims -- they may differ on their opinions as to how best to do this.
The point was to show, where you get the idea is well-intentioned. Citing a text from probably from the nsa.gov website is no argument for showing the NSA is well-intentioned. Besides that, your citation show in my opinion the NSA is not well-intentioned because it uses terms like "under all circumstances". Do you think that when somebody tells you he would do SIGINT under all circumstances is well-intentioned?
"Indeed, can you nominate anyone who has actually been harmed by NSA surveillance?"
In the end we are all harmed by NSA surveillance or surveillance by other secret services, because we have to waste or life time to protect our rights.
Concrete individual example are the German chancellor and French presidents. The people of the Country are indirectly affected by such operations because it attacks the integrity of the state.
But I emphasize that we should not look on the people on the top of the state but on the common population. We are the victims of spying. Using the Internet is for most people a tool to develop their personality. If your process of developing your personality is under enduring surveillance (and you know it), it is no free development of your personality. And we have a right to develop our personality freely.
Besides indivdual effect surveillance has social effects like the chilling effect, which is subverting freedom.
It's not only about surveillance but also about other operations like PSYOPS, which has the aim to manipulate the public. Of course it's bullshit to think it is well-intentioned because there is no legitimate reason to take such influence on the public opinion.
We are also indirectly harmed because they are attacking protests groups which we support.
What do you want to tell? That the NSA doesn't kill anybody?
Asides from the fact, that NSA's collected data is used for killing people without court proceedings: Why should rogue powers kill people if they can reach their goals with other (harmful) means?
I think you are being naive. All governments spy. Governments that don't spy are doing a disservice to their citizens. And it is the job of spies to push the envelope.
It would be nice to live in the land of milk and honey in an anarcho-syndicalist commune, but in the mean time we have to be real.
Nothing Edward Snowden revealed should have surprised anyone on this forum. Nor should the fact that everyone else is doing the same kind of thing (indeed, usually with fewer protections for private citizens). The damage to U.S. Largely comes from the idiotic belief that the U.S. Is somehow exceptional in gathering intelligence by whatever means it can. We can argue at the margins about, say, whether cell phone metadata should be held by the provider or the government, but not tracking this stuff is actually impractical so it comes down to whom do you trust more: Verizon or the U.S. Government?
While it's good that Edward Snowden catalyzed awareness and debate over privacy issues, all the "damage" to (for example) US business interests is from the publicizing of NSA actions and not the actions themselves. It's not like Russia (where Snowden now resides) is in any way more transparent or less invasive than the U.S.
Firstly let us conclude that you accept that you're assumption that the NSA is well-intentioned was proven wrong.
Secondly I want to tackle your straw man arguments.
I think almost no one is doubting, that (in general) all governments spy and Russia is more transparent or less invasive than the U.S.
Besides that I want to tackle your thought, that no one should have been surprised by Snowden revelations. Surely some details should have surprised people.
Of course everybody knew that secret services are spying and compromise infrastructures in the Internet. The surprising part in my opinion is the _extent_ and we have more or less detailed evidence.
We are not talking the fact that a secret agency is spying, hacking, disrupting or not, but about the quality (and quantity) in which ways and by which means the agency is working. Not only that, we are also talking about factual goals of such agencies and weather this whole thing makes sense regarding the cost and benefits.
In my opinion you relativizing the actions of the NSA, by saying: "Hey everyone is doing the same!". Just because all secret services are spying (doing the same in an abstract way) doesn't mean there are few agencies which are actually exceptional in gathering intelligence. I'm talking about quality and quantity again.
The NSA is one of the most powerful secret services. That's a fact. It has probably the biggest budget, the most employees and the most resources in contrast to the vast majority of other secret services.
So it's not about margins, whether cell phone metadata should be held by the provider or the government. This is just a distraction from more important questions like what's the point of such organization and do we really need it to spent billions of dollars for... For what actually?
Last but not least: Is this really your argument, that the publishing of Snowden-docs, which enlightened the people (which should be the real souvereign), damaged US interests?
What's your point? That the people should have been remained dumb about the actions of their agencies, which are actually legitimated by their power?
> Surely some details should have surprised people.
Of course. I'm actually surprised they were (a) only collecting metadata, and (b) restricted themselves from collecting metadata on purely domestic calls, and (c) that they actually had judicial oversight, even if it acted as a rubber stamp.
E.g. there's far less concern about the fact that targeted drone strikes and special forces assassinations (which clearly cause people harm) seem to occur with far less oversight.
Don't assume I agree with all your assertions. You certainly haven't proven anything. E.g. even if we accept that NSA spying on foreign leaders was harmful to them, how does it make the NSA evil? I simply argue that the NSA is basically well-intentioned.
Here's my argument in a nutshell so you can "prove" me wrong more easily rather than flailing around with random "facts":
The NSA means well.
> more important questions like what's the point of such organization and do we really need it to spent billions of dollars for... For what actually?
Um, they spy on people. And they're really, really good at it. If you think we shouldn't spy on people then that's fascinating, but don't pretend you don't understand this simple point.
>> Surely some details should have surprised people.
> Of course.
Contradiction. Either it should have surprised people or not. Now what?
(a) seems also a contradiction for me. In the one hand, your're saying they spy on people and are really good at it and in the other hand you say, you're surprised they were only collecting metadata. Is your definition of spying, that no content is collected?
However the claim that the NSA is only collecting metadata is wrong. The PRISM program is one example that shows that not only metadata are affected. The latest non-Snowden revelations concerning French presidents clearly shows it's not only about collecting metadata. This is a direct disproof about your claim assuming that you are not deny the validity of the revelations. Are you denying the validity?
Regarding to (b): Isn't the NSA a foreign intelligence agency? So you assumed although it's a foreign intelligence agency that it is collecting domestic data+metadata?
What's the surprising part of (c)?
> E.g. there's far less concern about the fact that targeted drone strikes and special forces assassinations (which clearly cause people harm) seem to occur with far less oversight.
Sorry, don't get it.
> Don't assume I agree with all your assertions.
So with some assertions do you agree?
> You certainly haven't proven anything. E.g. even if we accept that NSA spying on foreign leaders was harmful to them, how does it make the NSA evil? I simply argue that the NSA is basically well-intentioned.
You can't prove the intention of someone. But you can prove what someone does or did. I showed you that the NSA is not only involved in spying, but also involved in PSYOPS, which try to influence the public opinion. Again: One agency decides to spread misinformation to destroy reputation of people or to manipulate online discourse. Are such actions covered by your understanding of freedom and democracy?
> E.g. even if we accept that NSA spying on foreign leaders was harmful to them, how does it make the NSA evil?
I argued before it is affecting the integrity of the state. In my opinion (I'm no lawyer) it also violate the right of sovereignty of state. Breaking rights is bad. I think it's better to not using religious categories like good and evil, but rather of good or bad.
Just because a person is a state leader, doesn't mean she has no right to freedom, which legitimates to surveil her.
But this is no reason, that state leaders have to expect spying from other countries.
Since I'm not talking about spying on foreign leaders, but spying on nearly everyone it is bad because it destroy fundamental freedom and democratic rights of people.
If you're not convinced of freedom and democracy there is no reason to discuss for you. In this case it would be well-intentioned for you if you're country is illegally attacking another country, just because you're country is telling you it is a defensive measure and in the interest of the country.
Just for the case, that you understand me wrong: Believing in freedom and democracy does not mean inevitably that you do not know there are rogues out there who give a fuck about laws, freedom and democracy.
> I simply argue that the NSA is basically well-intentioned.
What do you mean by "basically"? Are there cases where the NSA is not well-intentioned for you?
> Um, they spy on people. And they're really, really good at it. If you think we shouldn't spy on people then that's fascinating, but don't pretend you don't understand this simple point.
Firstly, I don't know what your problem is on perceiving that there are other operations, which haven not something to do with spying such as PSYOPS. Or are PSYOPS also spy-operations for you?
Secondly, spying is not an answer to the question. Spying is a mean. What's the end of this mean? Fighting terrorists?
> And they're really, really good at it.
At least they were not good at preventing leaks.
> If you think we shouldn't spy on people then that's fascinating, but don't pretend you don't understand this simple point.
Great that you're fascinated and you know the truth of a simple point. Tell me more about your "simple point".
Maybe I am all wrong. Maybe the NSA is an exceptional secret-service, which differs from the SIGINT-departments of services like the Stasi, Mossad or Sowjet/Russian agencies, which weren't/aren't well-intentioned.
The revelations showed me the opposite.
Maybe you can explain why you are convinced that the NSA is well-intentioned and why it's not naive to believe it? I'm open for knowledge.
How are they going to receive mail? All blocks of IP's from any provider are blocked, usually huge blocks, larger than /24 often. No one is getting to any comcast users, they as do many others publish lists of their IP ranges so you can block then in your server or use an RBL.
>If your ISP provider is filtering email ports 25 going out you will have to use a SMTP relay. If It blocks port 25 comming in you won't be able to have self-hosted email address. Note that in both cases it won't prevent you from having a fully confidential email address, and that these blockages will be automatically detected and you Own-Mailbox will only propose configurations that will work.
So from that I think that it can use the ISPs email server.
"We point out that it is possible, purely from a technical perspective, for us to see your emails, address book and calendar data, if you have not encrypted them." It would be illegal for them to view your email because of German Law but from a technical standpoint it is possible. This other device is a pre-configured mail server at your home that stores all your mail. The two things are quite different. And this one I think if the software is opensource would be more secure.
I see a small market for this: bundled with verifyable co-location space.
At home, it's simply not going to work unless they also offer a VPN service for the ports in use. SMTP on an eyeball provider IP is simply dead these days.
Meta-data are also problematic. We are working on a solution for that, but it won't be included directly in our first version.
It will probably come for free with updates. Our idea is that for every email you send, your box randomly sends ten encrypted fake-emails, at random moments, at ten random addresses. Recipients server automatically sees that it is a fake email when it decrypts it, and automatically drops it.
I've been working on this exact idea on and off for almost a year now. Very cool to see someone else working on it, they've some nice solutions for hard problems too.
I don't really like the choice for RoundCube, but without decent funding or a couple of expert web developers they'll be hard pressed to build something better.
Also nice to hear they're also from Europe, it goes to show the U.S. surveillance worries are very much alive here.
This only address the issue of government surveillance of email through service provider backdoors. Since this would as well require auto software update to be as user friendly as the video advertise, you might as well give up the same amount of security for a service that is hosted in a liberty-friendly nation and not have to deal with SMTP flagging and home power issues.
I run my own mail server even though my ISP blocks port 25 OUTBOUND. I use DynDNS's Mail relay service. Only costs about $20/yr. I never have have a problem being flagged as spam or anything else. I can receive mail on port 25 INBOUND with no issues. I set my MX RR to my home IP and add a secondary to a dynamic address, also through DynDNS. works great!
If you want to set up something like this on your own hardware (not just email, also owncloud, jabber, etc), check out sovereign
https://github.com/sovereign/sovereign
This looks like a great project. One thing I noticed about the website: There doesn't seem to be a way to dismiss the video overlay. I had to refresh the page.
I know that's how PGP usually works, unless you have a backup somewhere. It's the #1 reason I don't promote using it very much. I was hoping this team had thought about improving that part of the user experience.
I'm not saying you have to give the key to anyone you don't trust. Just set up a system where it's easy to recover the key with the help of someone you do trust.
Also, I might have the wrong term. I was thinking of dividing the key into multiple messages, say in a 2-of-3 system or something. Not just handing control of your account to a 3rd party.
There are different kinds of security. Confidentiality and availability aren't exact opposites, and I don't think you have to compromise so hard on one to get the other. A good key escrow system or at least encouraging people to keep their passphrase in their wallets or something would go a long way to reducing the users' risk.
literally no one i know uses public key encryption - so now everyone needs to clink on a link to read an email from me? don't get me wrong I think this is a cool idea, but it still doesn't address the core problem with all of the encrypted email services/clients/etc., user adoption...
> The Own-Mailbox sends a HTTPS link to your correspondent, so that he can access the message in encrypted form. He can answer you using HTTPS protection.
So anybody who can read the unencrypted mail containing the link can access and read the real mail?
Is reading a FAQ really that much to ask nowadays?
> The link is filtered by a question. Depending on the level of surveillance you think you are in, the question can be a simple captcha to avoid bots, a secret question that your correspondent can answer but not the NSA, or a request for a password previously exchanged with your correspondent, or no question at all.
> Your correspondent will have a web interface to answer your message privately. You can also activate a permanent HTTPS interface for anyone to send you a message privately at any time.
What distinction are you trying to make here? Any system for secure communications will eventually have to connect to some sort of communications network. Are you saying that secure communications with computers is simply impossible?
How come no-one broke into the Bitcoin Piñata (in the other story) then? A networked computer can be confidential. Have you tried not writing your networking code in C?
Domestic systems tend to be in configurations that make it hard to accept inbound TCP connections. You could serve SSL on a random port and open a port using UPNP, and it will work most of the time.
It's a difficult circle to square. The most trustworthy system is one you administer yourself and manually inspect all updates, but in practice the amount of work required makes that almost impossible. If you allow the OEM to do updates they can compromise you. If you don't do updates you end up vulnerable to exploits.
The "send a reference to the message not the message" technique was part of DJB's "internet mail 2000" proposal: https://en.wikipedia.org/wiki/Internet_Mail_2000