Owning Your Data — Replacing Gmail

Posted on Sat 29 March 2014 in Tech

Gmail isn't secure or private; Google have admitted as much. You simply cannot expect privacy from any service you don't control. Thankfully your email doesn't have to be tied to a mail service like Gmail, Yahoo or Microsoft. You can roll your own email server on your own domain name and easily create an (admittedly minimalist) Gmail equivalent.

Before you start

If you think this guide is too complex, that's totally understandable. Running your own mail server requires a reasonable amount of technical experience. If you're interested in getting away from a service like Gmail and want a good alternative, check out https://mykolab.com/. It costs around 10 bucks a month for 2GB of storage, which isn't too bad. If you think that isn't enough space, you could either pay for more or have a mail client like Thunderbird move all non-essential email offline to your desktop.

What you're not getting

This is a very minimal email setup. You won't be getting a web-accessible email client. If you want your email accessible everywhere, this simply isn't the guide for you. If you do want a web-accessible email setup you could use something like iRedMail to do all of your configuration for you. I find that because iRedMail configures everything automatically, I'm less in control of how my server works. Plus the extra requirements iRedMail needs reduce the security of my server, which I'm not too happy about. This guide is to get the bare minimum for email to work. Also, to decrease the amount of time my emails sit on my server, I store all of my emails on my local machine and back that machine up locally. This is simply to minimise data leakage should my server become compromised. So you will need to point a mail client (Thunderbird, K-9 for Android etc.) at the server to download your email locally for search indexing. Sadly, there are a few usability prices to pay to stay out of another company's pocket.

Requirements

  • Ensure you have a server set up with Salt. See here.
  • A domain name you wish to send email from. So instead of you@gmail.com it's you@mynewdomain.com. I use Namecheap. They accept Bitcoin and will allow you to buy WhoisGuard for your domain name. So fake all the details on here and make sure you buy WhoisGuard just to keep things quiet.
  • Once you have bought your domain name, you will need to point your domain's mail records to your new server. Namecheap has a guide here. Generally, I create an A record on my domain, mx.mynewdomain.com, pointing to the IP of my server. I then set up multiple MX records that point to mx.mynewdomain.com. I also use backup DNS suppliers for my low-priority MX records (say priority 40/50); take a look at https://freedns.afraid.org/ to get yourself some free domain names.
  • Install git:

apt-get install git

  • Set up a user on the server who you wish to send/receive email as. So adduser jim and enter the password you wish to authenticate with on your mail client.

Setting up the server

The first thing you're going to need to do is, using Salt, grab my salty-mailer setup. This leverages SaltStack and will install everything you need to get your mail server up and running. You don't need to worry too much about what git does; it simply downloads the required files from GitHub. Copy and paste this line into the terminal and it should get things started.

sudo mkdir /srv/salt/mail && sudo git clone https://github.com/shano/salty-mailer /srv/salt/mail

Now you'll need to configure a few files, with your own settings.

  • In /srv/salt/mail/init.sls change all entries from to the username you wish to send email as. So for example change it from to jim.
  • In /srv/salt/mail/postfix/main.cf you need to change <domain.com> to mynewdomain.com.

  • Under /srv/salt/top.sls ensure you have lines that look like this (note the plain hyphen before mail, which is YAML list syntax):

base:
    '*':
        - mail

Done? Great, you've finished configuration and you're ready to install everything. This command tells Salt to read these configuration files and install enough to get a basic mail server up and running.

sudo salt-call -l debug state.highstate

This should produce a ton of output, but as long as there are no errors, you're good to go.

Testing your mail-server

You should now be able to configure your email client to talk to your email server. So fire up your preferred mail client and use these settings to connect.

Inbound:

Server type: IMAP
Username: jim
Password:

Outbound:

Server type: SMTP
Password:

Now try connecting your email client to your server and see what happens. If you have trouble connecting, try running sudo tail -f /var/log/mail.log and reconnecting, and see if anything appears in the output. If there is something wrong, check out Google (duh) or try out The Comms Room on ServerFault and see if someone can point you in the right direction. Or of course add something in the comments here.
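As an added example (not part of the original post or the salty-mailer project), here is a small Python script that reads lines in the style of the Postfix and Dovecot entries you would see in /var/log/mail.log, separates successful logins from failed authentication attempts, and flags any source IP that racks up repeated failures. The sample log lines are constructed for this example, and the exact log formats are assumed from typical Postfix/Dovecot syslog output rather than taken from the post; adjust the patterns if your versions log differently.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Dovecot (IMAP) and Postfix (SMTP)
# syslog entries. They are made up for this example, not copied from a real server.
SAMPLE_LOG = """\
Mar 29 10:01:12 mx dovecot: imap-login: Login: user=<jim>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.7, mpid=2201, TLS, session=<a1>
Mar 29 10:02:40 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<jim>, method=PLAIN, rip=198.51.100.23, lip=198.51.100.7, TLS, session=<a2>
Mar 29 10:02:55 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<admin>, method=PLAIN, rip=198.51.100.23, lip=198.51.100.7, TLS, session=<a3>
Mar 29 10:03:10 mx postfix/smtpd[3120]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 29 10:03:30 mx postfix/smtpd[3121]: connect from unknown[203.0.113.5]
Mar 29 10:03:31 mx postfix/smtpd[3121]: 7B1C2: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=jim
"""

# Assumed log formats (typical for Dovecot and Postfix; verify against your own logs).
DOVECOT_OK = re.compile(r"dovecot: imap-login: Login: user=<([^>]*)>.*?rip=([\d.]+)")
DOVECOT_FAIL = re.compile(
    r"dovecot: imap-login: Disconnected \(auth failed, (\d+) attempts[^)]*\): "
    r"user=<([^>]*)>.*?rip=([\d.]+)"
)
POSTFIX_FAIL = re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[([\d.]+)\]: SASL \w+ authentication failed")
POSTFIX_OK = re.compile(r"postfix/smtpd\[\d+\]: \w+: client=\S+\[([\d.]+)\], sasl_method=\w+, sasl_username=(\S+)")


def parse_line(line):
    """Classify one mail.log line; returns None for lines that are not auth events."""
    m = DOVECOT_OK.search(line)
    if m:
        return {"event": "login_ok", "service": "imap", "user": m.group(1), "ip": m.group(2), "attempts": 1}
    m = DOVECOT_FAIL.search(line)
    if m:
        # Dovecot reports the number of failed attempts for the whole session.
        return {"event": "auth_fail", "service": "imap", "user": m.group(2), "ip": m.group(3), "attempts": int(m.group(1))}
    m = POSTFIX_FAIL.search(line)
    if m:
        return {"event": "auth_fail", "service": "smtp", "user": None, "ip": m.group(1), "attempts": 1}
    m = POSTFIX_OK.search(line)
    if m:
        return {"event": "login_ok", "service": "smtp", "user": m.group(2), "ip": m.group(1), "attempts": 1}
    return None


def summarize(log_text, fail_threshold=3):
    """Count failed attempts per source IP and successful logins per (user, ip, service).

    Any IP with at least fail_threshold failures is listed as suspicious so you can
    decide whether to block it (e.g. with fail2ban or a firewall rule)."""
    failures = Counter()
    logins = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "auth_fail":
            failures[ev["ip"]] += ev["attempts"]
        else:
            logins[(ev["user"], ev["ip"], ev["service"])] += 1
    suspicious = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return {"failures_by_ip": failures, "logins": logins, "suspicious_ips": suspicious}


if __name__ == "__main__":
    # To run over a real log: python thisfile.py < /var/log/mail.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    report = summarize(text)
    for ip, n in report["failures_by_ip"].most_common():
        print(f"{ip}: {n} failed attempts")
    print("suspicious:", report["suspicious_ips"])
```

The threshold is deliberately low because a single user on a personal server rarely mistypes a password more than a couple of times; an IP trying a username that doesn't exist on the box (like admin above) is a clearer signal than the raw count.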

Make your emails more reliable

Now that you have your mail server up and running, you're going to need to ensure the major email providers are willing to accept your email. People suggest adding SPF and DKIM records to your DNS but personally I haven't found either much use. The best thing for you to do is to add yourself to a legitimate whitelist. Fill in this form; the guys there will come back to you if they find any issues with your server that would prevent them adding you to their whitelist. Once accepted, presto! You look like a legitimate email user on the interwebs!
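As an added example, not from the post, the following Python shows what a receiving mail server does with an SPF record when it decides whether mail claiming to come from your domain was sent by a host you authorised. It uses constructed DNS data that mirrors the layout described in the requirements (an A record for mx.mynewdomain.com and MX records pointing at it) in place of real lookups; the evaluator is simplified to the ip4/ip6, a, mx and all mechanisms, leaving out include, redirect, exists and macros.

```python
import ipaddress

# Constructed DNS data for the post's example domain. These are made-up records
# standing in for real lookups; the SPF record says "hosts listed in our MX records
# or the A record of mx.mynewdomain.com may send mail, everyone else fails".
FAKE_DNS = {
    ("mynewdomain.com", "TXT"): ["v=spf1 mx a:mx.mynewdomain.com -all"],
    ("mynewdomain.com", "MX"): [(10, "mx.mynewdomain.com"), (20, "mx.mynewdomain.com")],
    ("mx.mynewdomain.com", "A"): ["198.51.100.7"],
    ("mynewdomain.com", "A"): ["198.51.100.7"],
}

# Qualifier prefixes defined by RFC 7208; a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns=FAKE_DNS):
    """Stand-in resolver: returns the records of the given type for a name, or []."""
    return dns.get((name, rtype), [])


def check_spf(domain, sender_ip, dns=FAKE_DNS):
    """Simplified SPF evaluation for a connecting sender_ip claiming mail from domain.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    Supported mechanisms: ip4, ip6, a, mx, all (no include/redirect/exists/macros)."""
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in lookup(domain, "TXT", dns) if r.startswith("v=spf1 ")]
    if not records:
        return "none"          # domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"     # more than one SPF record is a configuration error
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(arg or domain, "A", dns)
        elif mech == "mx":
            hosts = [host for _, host in lookup(arg or domain, "MX", dns)]
            matched = any(str(ip) in lookup(host, "A", dns) for host in hosts)
        else:
            return "permerror"  # unsupported or unknown mechanism
        if matched:
            return QUALIFIERS[qual]   # first matching mechanism decides
    return "neutral"               # no mechanism matched and no "all" term


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.99"):
        print(ip, "->", check_spf("mynewdomain.com", ip))
```

The first address is the server from the constructed records and passes; the second is a stranger and hits the trailing -all, which is the result a receiver uses to reject or score the message. Whether or not you publish SPF, this is the check the big providers run against your domain, which is worth knowing when you are diagnosing why mail from your new server is being bounced or junked.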

What's next?

Now that you've done all that work, here's the kicker. Email isn't secure. It was never meant to be the centre of our digital lives, so back when it was invented security really wasn't a big concern. But here we are. With everything in plain text all over the place, you'd be wise to reduce your use of email as much as possible. If you wish to improve the security of any email communications you do make, take a look at using GPG. I use Enigmail with Thunderbird.