Hi everyone, I’ve been considering hosting my email from home to have full peace of mind that no one else is storing it, however I’m not confidant in my own knowledge about the risks involved, I understand the threat of someone breaching my account login (which is a threat regardless of what email service I use, be it my own or a third arty). but I don’t know the possibility of someone finding a vulnerability in the actual email server program and being able to bypass account authorisation altogether. is the risk really there? or is it as uncommon as someone big like gmail or microsoft’s hosting having a vulnerability? thanks.
I have heard from various reputable podcasts that you shouldn’t self host email because of several critical issues involving uptime and spam (among other things).
There is always a risk associated with it. Big companies are more likely to get targeted by bad actors but also have more resources to defend themselves. It is unlikely that someone out there will randomly choose your server and put in the time and resources to hack it. However, there is no shortage of automated bots trying to guess your account passwords and scanning your server for vulnerabilities.
From a security standpoint, servers need maintenance. It’s not just a setup once and forget kind of thing. You need to regularly check that your packages are up to date, make backups of your data, read access logs for unusual activities, etc.
I recommend you read through the Infosec-Handbook’s guide on web server security.
thank you for your info
I wouldn’t recommend it, personally.
- Corporations storing your emails is apparently your biggest concern, but the majority of people you send emails to will use, say, Gmail. You may be saving yourself from having Google associate that email with your Google account, but it’s still going to be saved.
- Self-hosted SMTP is overwhelmingly used for spam. You’d be lucky to have any email service worth its salt not chuck your emails into the spam folder.
- Echoing others, the internet is constantly being scanned automatically by hackers for vulnerable services. SMTP is particularly picked on.
By personal bias for openBSD, I’d suggest
smtpd as your best bet.
thanks for that, I also should’ve mentioned in the post it’s not my sending of emails I want to keep confidential, it’s the emails I’m being sent by automated systems such as government notifications, financial statements, I don’t really want some big company going through that, I rarely send or receive emails from other people
Lets say you are about to receive a subpoena/court order via email. If your email server is down at the exact wrong moment, you could not be receiving critical correspondence.
Also there is this push in the security community to always update, Update, UPDATE! But updates do break systems frequently if you update too fast and you leave yourself vulnerable if you update too slow. If you dont know how fast you should update, you should probably not be self hosting email.