I've been getting increasingly fed up with gmail, but not quite to the point of making me set up exim. Does anybody know of a mail server I can throw on ec2 and forget about?
As we converge on a handful of major email providers, are we really much better off? Would you be singing the same song of Hotmail a decade ago, or is it just because Google seems to be the Monopoly with a Heart of Gold?
If hotmail gave better service than your typical bigcorp's email servers (which is subjective) I'd be saying the same thing. I'm not too worried about a monopoly on email hosting, just because there's very little lock-in; it's trivial to set up as a new email hosting company, and almost as trivial for companies to migrate.
It doesn't really matter if it's "a smart idea", it already happens and you have no control over it. A simple search for setting up your own mail-server is just a search for people who have done that saying "don't ever setup a personal mail server because it's guaranteed to be blacklisted".
Spam has lead email to basically become this closed ecosystem. If you don't use one of the already established major email providers, ISP's or domain name registrars the reliability of email hits the floor.
While I understand your sentiment, I respectfully disagree that it does not matter if it's a smart idea. Because if it is not a smart idea then that means we can do better. One of the projects I'm working on solves the "closed ecosystem" problem. The use of the term "closed ecosystem" is ironic because it seems to me that the "open" nature of email receiving (not sending) is what leads to the spam problem. In other words, I do not see the problem as the fact that people can send mass quantities of junk email. I see the problem as the fact that daemons accept and deliver mail from anyone. (And then resort to blacklisting.) What if the system was "closed" by default and instead a sender would contact the receiving SMTP daemon directly (no internediary) and would first need either a means of authentication (i.e. he has been pre-approved) or a way to have his sending address revieved and then receive permission to send. Right now you can see someting like this within a domain. For example, one gmail user might be able to send to another gmail user, directly, as they are both able to authenticate. They both have accounts (private accounts, not some RBL, DKIM or other scheme managed by an interloper) and these accounts can be checked. But if one gmail user wants to send to some non-gmail address, the non-gmail recipient has no knowledge of the sender in the form of an account against which he can authenticate. There's no privity between sender and receiver. Instead third party schemes are used. Such as blocklists for sending.
Consider the idea of running a mailserver than only accepts mail from a predetermined set of sending addresses. What would be the chances of receiving junk mail?
"Consider the idea of running a mailserver than only accepts mail from a predetermined set of sending addresses."
How is this functionally any different then blacklists? That's just a whitelist instead. So instead of new mail severs "quite likely" being on a blacklist, they are definitely not going to be on a whitelist.
And no, it doesn't matter if isn't a smart idea when you aren't in a position to change anything. Even if you have a perfect technical solution to the problem, you still have to convince every existing major provider to adopt a solution that isn't even a direct problem for them.
If Alice and Bob agree to run their own SMTP daemons, closed to the public and not necessarily on port 25, and they each agree to put the other on their "whitelist", how is this functionally different from the current third party controlled system? Answer: 1. Immediate delivery, assuming Bob and Alice keep their machines online. 2. No spam. 3. No third parties exerting control over their mail. No idiosyncratic delivery policies.
I'm afraid there's no need to convince any provider of anything. At this point, Alice and Bob are sending and receiving email without the need for any third party "email provider".
Functionally blacklists and whitelists are the same. They both have the same goal. But they are not the same in their effect. Blacklisting an entire netblock to stop one bad IP address affects many IP addresses who do not need to be blocked. Whitelisting a single known IP address does not have that side effect. For Alice and Bob, handling their own messages may be a desired option. Of course, not everyone may follow Alice and Bob's example. But who cares? The population using email is enormous and diverse. The point is that if someone wants a better solution than what "email providers" offer, she can get it.
Your proposed solution isn't really email though. What you are describing has already been solved by instant messaging/jabber/twitter/facebook PM etc. Some of the solutions that already exist need a third part provider, others don't.
The problem to solve is how do you have a fixed address where anyone can contact you, spam doesn't get though and you don't have to maintain personal black/white lists. This is what email currently provides. Granted, the spam part varies depending on the provider.
Yes, you defined the problem in the opening sentence of your second paragraph. But I disagree that you should not have to maintain a whitelist. What are your email contacts i.e. what is your email address book? You already maintain a list of people you correspond with, whether you think of it that way or not. And when you want to correspond with someone new, you have to give them your email address. As it stands, there is no _reliable_ way for them to look it up. There is no worldwide directory of email addresses. In fact, what do we do? We try to hide lists of email addresses.
If everyone had a fixed address with a mail server running, "lookup" i.e. simple MX lookup, might be possible, e.g. if your IP address is 1.2.3.4, anyone could send mail to inquiries@[1.2.3.4] or something like that. But I'm not sure that alone really solves the problem.
Email still works without a worldwide directory. People exchange email addresses and they keep lists of them known as address books.
It's starts closed and it is opened by invitation. Yep. That is exactly how it works.
If you cannot understand that approach, then that just means it's not how you think. It does not mean that the approach makes no sense or has zero utility.
Maybe a stupid analogy can be made if we pretend "Facebook" is the internet (of course it's not, but it does present a messaging system so play along for a moment). On the one hand you could make every Facebook user your "friend" and thus able them to send you messages, and then when people abused that privilege - and we know from experience some would - you could block them. On the other hand, you could only make a select number of people who you know and trust your "friends" and thus only give a select number of people the privilege to send you messages. Chances are, they won't try to sell you Viagra.
On the one hand there are times you may want to enable the entire network to be able to send you messages. On the other, there are times you may only want to allow a small subset to send you messages. Not sure about you, but I don't receive important email from all that many different people.
People's social circles are only so big. There is a certain carrying capacity beyond which it becomes unmanageable.
Your posts contain a baffling mix of incompatible ideas.
You argue against block listing, but then suggest blocking the entire Internet except the few people you want to send you email.
You say that only people who you have given your email address to should be able to send you email, and then you say there should be a lookup system to get email addresses. (But what's the point of the email directory system if you can't send email to someone because they haven't white listed you yet?)
> but I don't receive important email from all that many different people.
Eh, depending what you mean by "important" I do receive a lot of important email from lots of different people. My email addresses have been used on the public Internet for many years, and I've had a lot of communication to those email addresses, and those communications have brought me great joy. And I also have a variety of people who email me about work related stuff - I won't have prior knowledge of those people.
I think I'm missing something about your system. Please, is it something that you already have well planed out? (Even if not in a state that can be deployed yet) Or is this something that you've just started thinking about?
So long as you're not suggesting Challenge Response we can have a discussion about it.
I never said there should be a lookup system. Where are you seeing that? I said there isn't one and people still manage to get by. The other commenter was suggesting looking up addresses was some sort of problem. I'm saying it's a non-issue. If not having a public name-to-email lookup was a show stopper, then we would not be having this discussion because email would not be popular. People get by just fine without lookup. They exchange addresses and store addresses on their own.
Discussion is great. But you have to read carefully to understand what's being said. (If I am not being clear, then I apologize.) But if your mind is closed then there's no point reading what I'm typing because I am not regurgitating the usual ideas on email.
Anwyay, discussion is irrelevent when juxtaposed against running code. I'm interested in stuff that works more than getting approval from people in online forums.
This is not some new thing. Anyone can use email this way now. We all have good connections and bandwidth. There is no need for store and forward. What has stood in the way of using email as direct communication is people who can only see email being used one way: daemons that accept commands from any connection, spoofed IP's and all, and email as a service run by someone else, not a small program on the client's machine. If it was impossible to authenticate connections based on any other means besides real-time challenge-response, or DNS run by someone else, then how would people manage to run ssh daemons without the same problems as email?
Blacklists are run by anti-spam zealots who really don't care about what is fair or a smart idea.
For example my employer's mail server--which has been sending legitimate person-to-person emails for years (no bulk)--has ended up on blacklists several times because some blacklist operator decided to black-hole an entire netblock at our ISP.
From the blacklist operator's perspective, the broad effect of the block is intended to cause headaches for a ISP as a form of punishment for allowing outbound spam. Our deliverability (and many others) was just cannon fodder for that fight.
I wish we could get these anti-spam zealots to apply the same effort to stopping junk postal mail. The history of direct mail is interesting and perhaps instructive. It has been kept alive by those who do the delivery (cf. those who do the sending). I have sometimes wondered if the same might be true for email.
If your emplyer knows its recipients (e.g. business partners) and can coordinate with them to run an SMTP service for recieving and sending messages on a different port, would that solve the problem?
This is not a workable solution because the problem is not based on what port SMTP is running on. Organizations and ISPs voluntarily subscribe to email blacklists because they are desperate for any help in reducing spam volumes. They would filter email coming from blacklisted IPs regardless of what port it came in on.
You're basically proposing a whitelist solution, which has many known problems: it does not scale well; it does not handle new or unexpected email partners; it relies on the simultaneous cooperation of all parties; etc. In this particular case it also relies on spammers remaining ignorant of the new port for SMTP--which seems unlikely.
The problem is the open internet. There are ways to establish connections to a peer-to-peer overlay that take this out of the equation. The ISP is unlikely to block UDP traffic on some high port. Throttle perhaps, but not block.
That gets us around the port issue. Once you log on to the overlay, the ISP only sees one port.
Then we are free to do our SMTP of other messaging as we desire. Each connected machine can choose what ports it wants to listen on, if any.
And what if this does not need to scale? What if it's only being used for a small group of people? What if all the people know each other? A very specific but very common use case. Not everyone is a celebrity with a gazillion "friends". Nor is everyone constantly conversing with new acquaintances. Some people have old friends and family. So I've heard.
Is it worth the spammer's time to try to find an SMTP daemon for each indivdual email address? Under the current system, things are centralized enough that a spammer can spam hundreds, thousands or even hundreds of thousands of recipients via sending to a single SMTP daemon.
Spammers have to send enormous amounts of spam to be successful. Having to do extra work to find an SMTP daemon just to send email to one recipient, and have to do this repeatedly, seems like it would not be worth a spammer's time. At least, not when it's so easy to just spam people that are using email the usual way: allowing some third party to handle their mail.
If his employer knows the recipient the employer can ask the recipient to either stop using the block list, or to poke a whole in it and whitelist their email.
> For example my employer's mail server--which has been sending legitimate person-to-person emails for years (no bulk)--has ended up on blacklists several times because some blacklist operator decided to black-hole an entire netblock at our ISP.
You replied:
> If your emplyer knows its recipients (e.g. business partners) and can coordinate with them to run an SMTP service for recieving and sending messages on a different port, would that solve the problem?
That solution introduces a bunch of problems: you're running more software that's open to the Internet and thus introducing insecurity; you're asking people (who might not be technical) to install and run software and use a different mechanism when they want to communicate with a subset of users.
The other solution is to just ask the people that you're sending email to, but who are using a whitelist / block list to add you to the white list or exclude you from the block list.
You're making assumptions. About how things would work and about users and what they can and cannot do. Typical online discussion. Lots and lots of assumptions.
I do not understand your last sentence. Didn't he say his ISP is blocking outgoing mail? The recipients are powerless to unilaterally change that situation.
Think about this for a moment. Forget the corporate example. Imagine one user has a daemon listening for mail (no setup, it's all been set up for him:- it's "built-in" to his OS). Imagine there is an authentication method e.g. a shared secret and perhaps even some obfuscation like port knocking to hide the open port. Even assuming a determined spammer can get past this, is it worth his time? He will reach a grand total of one user.
We can even use a small overlay, where the IP addresses are private, not routable on the internet. The spammer needs to get into the overlay network first, again defeating things like shared secrets or perhaps private keys to identify machines before he can even get a shot a access to a listening mail daemon. That's not easy to do if the users stay logged in. And again, if the network is small, with a few hundred users or less, maybe only a handful, is it worth his time?
> It would seem to degrade the usefulness of EC2 for anyone wanting to run their own mailserver.
People chose whether or not to use a block list. Thus your problem isn't really with the person creating the list, but with the mail admin choosing to use that list to filter email. That person feels it works for them.
Very few people should run their own mail server. Email is, now, toxic. Spammers pretty much destroyed email; especially the ability for people to run their own servers for sending.
For a history of a (perhaps overly vigorous block list) look at SPEWS - spam prevention early warning system - which had a few honeypots and which happily blocked large ranges. The Usegroup news.admin.net-abuse.email has very many threads from innocent blocked users and wingnuts screaming "change your ISP!!"
Spammers destroyed an open email system that relies on a centrally controlled DNS. Probably because they were among the only ones who learned how email works. We never made the effort to teach the population at large, preferring instead to let email be centralized via "email providers". And now, after decades of spam, we still have people who argue it is the best, or even the only, way to do things.
Spammers did not destroy the protocol or well-designed email servers and clients.
"Very few people should run their own email server"
That mindset is why we have a problem, in my opinion. We have actively tried to prevent people from learning.
The history of block lists is a history of the failure of the "email provider" (i.e. "very few people should run email servers") idea. Of course, anti-spam is a career for some people, so "failure" is relative. They've succeeded in trying to exert control over a common internet capability, for profit.
The internet began as peer-to-peer. There was no "DNS". And there were no "email providers". Everyone had a responsibility to learn how to use the network and the basic services it could provide e.g. messaging. Then some people got some bright ideas about how to make money. "Spammers" were not the first ones.
Enjoy that spam in you inbox. It is the product of ignorance.
But if you're doing it legitimately, and not bulk emailing, EC2 has proper SMTP forwarders you can use. And if you ARE bulk emailing, they have a service (plus you're not using Gmail for that anyway).
SMTP doesn't just drop messages if the destination server is unavailable. It'll either get held back at an intermediary server until your server comes up again, or else it will be bounced back to the sender.
That's not true. It should either send the email to the recipient or return it to sender. But it should never just drop the message (except for bounces which can be dropped since there is nowhere to send them if delivery fails).
I think you and the parent are using different meanings of "guarantee."
Yes, everything in the protocol leads to the fact that nothing should drop an email unless it has passed responsibility of it to another server which has accepted the message.
Yes, one misconfigured server between source and destination can "eat" email and you'll never be the wiser. Doesn't happen often, but it can and the protocol does not detect it.
An SMTP daemon will try to send the message a certain number of times, at a certain interval, then, eventually, it will stop ("bounce"). You can configure these settings if you run your own SMTP service.
I risk new messages getting bounced, but all of my email is backed up on my computer. And I'd archive everything to s3 (which has never lost data to my knowledge) in case both my ec2 instance and my laptop disappeared.
You can set up a different mail server with a lower priority. I run my own server on a VPS, but have Google Apps' SMTP server as backup for those cases, and it's been working fine for months.
Assuming your ISP is not blocking port 25 and your internet address is not on some blacklist you can send mail directly from your machine. No need to use intermediary SMTP servers.
Is it possible that someone people might like to use their native SMTP capability for low volume noncommercial email? Does every person who sends email have some overwhelming urge to send spam? Such that we must place pseudo control over sending email, any email whether commercial or noncommercial, in the hands of "email providers"?
My ISP doesn't block port 25, but since my IP address is technically dynamic, it's on Spamhaus' Policy Black List. That said, my ISP offers SMTP servers for proxying outgoing messages, so I used that for a while. I switched to a VPS because my home server died.
Well, yes, because my ISP only offers static IPs for business contracts, which are more expensive overall, and my VPS only costs $2.3/month (and it doubles as a web server, hosting my personal landing page and an instance of Tiny Tiny RSS).
"Spammers use cheap dynamic IP's therefore anyone with a cheap dynamic IP that sends an email is a spammer."
That's not what they're saying.
"Very many spam emails come from people running an email server on a dynamic IP. Some companies were happy to host spam sending companies, and would put them in dynamic ranges so they could continue to get money from those spam sending companies and keep changing the IP address. The ratio of good email servers to bad email servers on dynamic IPs is so poor that blocking all dynamic IPs is, unfortunately, the only reasonably solution".
You can be on a dynamic IP and send email. Just don't send that email from a server on a dynamic IP.
What they're doing is making a very dodgey assumption. They might stop a few hundred potential spammers but they also stop millions of people who could potentially be using email more effiently and reliably (and Spam Free) by sending and/or receiving mail directly between their machines.
Email could be even more decentralized than it already is in practice. This could potentially make spam far more difficult.
Reading that quote (from SpamHaus?) two things come to mind:
1. We are entrusting the rules on our mail delivery to someone who begins sentences with "Very many" and lacks the attention to detail to spell "reasonable" correctly. Make of that what you will.
2. The "problem" is not the existence of "bad email servers" on dynamic IP's, it is the lack of "good email servers" on dynamic IP's. Why the heck aren't the millions of people on dynamic IP's using this capability? Answer: They do not know it exists.
To "replace email", we do not necessarily need to fundamentally change anything about how email works. What we need to do, perhaps, is replace the people controlling it and instruct "good" people how it works. As it stands, in general, the only folks who understand how email works are a. email providers (e.g. ISP's), b. spammers and c. spam fighters.
If the vast majority of email sent directly to recipients from dynamic IP's was low volume and noncommercial, the "bad apples" would be overshadowed by the good ones. And so would the anti-spam zealots be overshadowed by reasonable people who just want to communicate with each other (not necessarily trying to sell ED treatments to the whole of humanity).
Education is the way forward. People arguing against any sort of consumer education on something so basic as internet messaging are an interesting spectacle to behold. Their attitude should fuel the fire of anyone working on this "dangerous idea" of "replacing email". You know who you are.
It's not a quote from spamhaus. It's me re-wording your text.
> Why the heck aren't the millions of people on dynamic IP's using this capability? Answer: They do not know it exists.
No. Millions of people have no interest in running their own email server. What benefit do most people get from running their own server? (Where most people are those who have one or two email addresses, which they use for a couple of hundred contacts.) What benefit do small businesses get from running their own email server, rather than paying someone else to host the server?
> If the vast majority of email sent directly to recipients from dynamic IP's was low volume and noncommercial, the "bad apples" would be overshadowed by the good ones.
You clearly have no idea just how many spam emails were being sent. Something like 90% - 95% of all email was UBE. Much of this was sent from botnetted machines, and many of those would have been on dynamic IPs.
> anti-spam zealots
Conversation is fruitless if you attack the people who have the same aims as you.
> People arguing against any sort of consumer education on something so basic as internet messaging are an interesting spectacle to behold
But you're not suggesting to educate people on internet messaging. You're suggesting that people are educated on installing and maintaining a mail server.
Installing and maintaining a mail server. What OS doe you use? I'll bet there a whole host of dameons or services running and you never pay much attention to them. Someone else installed and configured them for you. And they just run all the time and you don't even pay attention to them.
What is an "mail server"? At its essence it's just a program that listens on a port for an incoming or outgoing message. Then you have programs for storing, delivering, forwarding, etc. And maybe you have perceived issues of being able to handle lots of messages. But you don't necessarily need all that if you are not providing email for other people. What if you're just a casual user who wants to send or receive a message to/from your friend? If I have an email daemon (or a "service" in Microsoft parlance) listening on a local port, I can type some text and "hit send" (or whatever method I choose to send the text to the daemon) and the mail is sent. No email provider needed. If the recipient has her email daemon listening for messages from my IP address (and only my IP address), she gets the message "immediately". There is no third party email provider. This is how email works.
There is also no spam if we do it that way. Her daemon is not open to the whole internet. It's only open to me. Why is this so baffling?
Neither third party email providers nor some rule that "no one wants to run an email server" or "no one should run their own email server" are a part of the email protocol. Those are your observations of what people have done so far and your opinions. They do not set limits on what can and cannot be done. Are we in the business of startups and trying new things or are we here to preserve status quo?
Email is internet messaging, one of the oldest forms of it. Email is a message sent in a specified format* over the internet. What could be more simple?
*Granted the format is rather rigid, but it's not too difficult for anyone to learn. It's like writing a business letter.
Millions of people have an interest in sending messages to each other over the internet. And millions of people have no interest in sending bulk email for commercial purposes. That's all I need to know. A project is born.
There is a need for an "email replacement" as many others have voiced and as pg identified in his list, but I'm afraid it's not going to come from anti-spam zealots. I appreciate what they try to do, but I do not appreciate their mindless, blunt-force methods and ideas about "good guys" and "bad guys".
There is an enormous amount of bulk email sent every minute of everyday. Just because it is "opt-out" doesn't make it any less impersonal and unwanted (or any less of a huge drain on the world's computing resources). Can we accept that some people have little interest in receiving bulk email, and that there may be a market (besides you) for email inboxes that are not open to marketers, but only to known contacts? Alas, that's not what the anti-spam zealots aim to address. They do not want to curb bulk email. They just want to stop certain senders.
This does not really move me toward my vision of email. It's just the same old thing. An inbox full of garbage.
