Fast forward to July 15, 2016 (there’s that lab journal again,) when, after receiving an email from Google asking me to indicate how exactly I would like them to use my data to customise adverts around the web, and after thinking for a bit about what kind of machine learning tricks I would be able to pull on you with 12 years of your email, I decided that I really had to make alternative plans for my little email empire.
Somehow FastMail came up and in one of those impulsive LET’S WASTE SOME TIME manoeuvres, I pressed the big red MIGRATE button!
The rest of this post is my mini-review of the FastMail service after almost 3 weeks of intensive use.
I’m pretty sure at least some of you are contemplating a similar migration, away from companies like Google, Microsoft, and Apple, to something else.
Unless you cut off all communication with people who do use the big services, you’re only fooling yourself if you think they won’t still get data on you.
That doesn’t mean that you should give carte blanche to Google to mine your life?!
Gmail is the only thing that connects me right now to Google. I don’t use G+, Google search. I don’t log in to any Google services (YouTube) and I filter nearly all Google domains in my web browser.
But as long as I keep using Gmail it’s bloody easy for Google. It seems Fastmail is quite nice, I really like their plain English privacy policy too:
https://www.fastmail.com/about/privacy.html
Maybe I should fork out 40 dollars and give it a try. Seems it’s easily worth the price.
Long-time Fastmail user here. I think using Fastmail to avoid Google is doing it wrong. You still access it through Chrome or Android, and anybody you communicate with who has an @gmail.com address would be giving the entire conversation away to Google’s scans.
The best features are one-time logins for untrusted computers, Sieve filters, multiple aliases, and actual product support. Maybe GMail has these features, maybe not. I’m ignorant to what’s available with GMail anymore, but it was the lack of support (long story that I’m not going to repeat here due to probably forgetting half of it and then everybody going to try to nit pick the story like they were there) that led to me going to Fastmail exclusively.
TL;DR – use Fastmail for its own merits, not because you hate Google.
joekiser,
They don’t want to spend any money on service, and it shows. That’s google’s business model. No seriously, making it extremely difficult to get service is by design.
Interesting, I might try Fastmail.
I have been using namecheap’s email service (privateemail.com). I know it’s not very private being in the US, but still I was tired of having everything in gmail. It took me a few months to complete the transition, but I like it a lot. It’s based on openxchange, so I get EAS on my phone (so I can use Nine in Android, the best client I’ve seen on a phone). On my desktop I use Thunderbird with IMAP. In the rare event I need to use the web interface, it’s actually very pleasant to use.
I just wish they had stuff like 2FA.
You know what I was just thinking? I would gladly pay a monthly fee to have on-demand support for Google products and to get rid of all the tracking and advertisements. I already pay something like $10/month for the ad-free Youtube thing.
Maybe $20/month, no ads on my cell phone or in the browser, no scanning my emails/Google Drive docs or selling my info to trusted partners, and a number that I can dial for any support issues. Just a quick search revealed that they did an invite-only demo of this back in 2014; no idea if that is still available now.
Google, please tell us what the break even price for such a service would have to be.
Speak for yourself. I may not have finished my preparations to self-host my e-mail yet (I have a specialized milter I want to write), but I run Firefox on both my desktop and my OpenPandora palmtop (which runs a custom variant of Ångstrom linux).
That’s what I’ve almost always done. I migrated off Internet Explorer to pre-1.0 Mozilla Suite, followed it through to Firefox (switching to Linux along the way), spent a little time on Chrome around Firefox 2.0 era when it finally came to Linux, and then switched back to Firefox because the extension API was too crippled. Since then, Chromium has only been present on my machine for testing websites I develop.
Edited 2016-08-09 05:09 UTC
A long time making the effort to stay out of The Fields, ssokolow.
Started with 0.X Opera, old Opera. Attached to an ancient UK magazine.
If people are serious about leaving gmail over privacy, I think indy hosting should be on the list. Unlike most new services coming out, I’m thankful that email is federated. Admittedly it takes some effort to set up and get everything working correctly, but once it’s up and running it doesn’t need much maintenance and you can’t beat it for privacy.
Zentyal comes with a *.zentyal.me domain and complete groupware suite. I’ve been using the Zimbra suite for a few years, takes a little more work than Zentyal
https://www.zimbra.com/open-source-email-overview/
http://www.zentyal.org/server/
Another option if you really care about privacy is to run your own mail server.
Advantages:
1. Emails between family stay private (it’s on your mail server) With TLS enabled, you and your family can communicate privately without spying eyes.
2. You can tune spam filtering to your tastes
3. Your little server isn’t as juicy a target as Gmail, etc.
4. unlimited disk space (up to what you can afford) I had 20GB of email way before Gmail
5. Works with mailing list software. This can be useful for many things.
6. Your email address never needs to change. Providers like hotmail, gmail and so on aren’t guaranteed to last forever. You may lose your email address. If you buy your own domain, it’s yours. I’ve had the same address since 1998.
Disadvantages:
1. Large providers are colluding to block mail from small mail servers thinking it’s all spam.
2. Lots of sys admin time to set it up and periodic work to maintain spam filtering at acceptable levels.
3. Blacklists – sometimes you get flagged because someone marked something junk in one of the big providers. Bad security can cause this too
4. Security patches need to be kept up to date and you have to watch for malicious activity.
5. Network traffic is a lot more than you think it’s going to be with all the spam sent. Even if you reject it or filter it, it’s still traffic.
If you REALLY cared that much about privacy, why use a communication medium (email) that is inherently insecure in the first place? I mean, it’s plain text, for christ’s sake.
WorknMan,
I’d be interested in hearing other people’s opinions about binary versus text protocols, but that in and of itself doesn’t imply something is secure or not. The SMTP protocol is text, so is HTTP, both can use crypto with certificates. Email can use GPG on the client to keep message contents private even from the server admin. The problem isn’t that these aren’t available, it’s that they’re not default and not enough people use them.
If anything I think this move toward web apps makes security much more challenging because HTTPS only protects the transport between you and the server, virtually nothing is kept secret from the service provider.
Edited 2016-08-09 00:45 UTC
It’s OT, but this just reminded me, that one of our business partners actually has a setup where they reject GPG-signed (not even encrypted, just signed) e-mails. I only send signed work-related e-mails for many many years now, and it’s sad that not everyone does the same, but this was my first time that I actually ran into someone actively blocking it :[ A cure for stupidity might be more important than for cancer…
No. Email-traffic between any properly-configured servers is protected by SSL/TLS these days, just like HTTPS is HTTP protected by SSL/TLS. Sure, if the destination-servers you’re sending email to don’t support SSL/TLS then the protocol falls back to plain-text, but many/all of the big ones, like Google, Microsoft and Apple, do support it, and many smaller ones do it these days, too.
I mostly just use my email for receiving mail, but I haven’t seen a server in ages now that didn’t support SSL/TLS.
Because plain text sent to my locally hosted server is completely secure. No one is trying to intercept my email as a man in the middle attack.
I have tried to setup my own mail server a couple of times but never got very far (and I am quite technical).
Do you know any good guide that also guides you through firewalls, setup with sqlite rather than mysql/postgres and how to handle MX records, host files etc?
I remember looking at an Ubuntu guide and scratching my head on the first couple of lines.
It said to name my server something like mail.wcool.org. Does that clash with wcool.org if I want to run a webserver on the same server? It doesn’t describe the consequences, just the steps.
Also how reliable has your mail server been?
Would really love to do this though.
Edited 2016-08-09 10:55 UTC
Wondercool,
I’d be willing to help if you want.
Edited 2016-08-09 12:45 UTC
Thanks for that Alfman
I hope I can make some time in the coming weekends to give it another go and if I am stuck I will contact you.
I’ve had a few problems with mail delivery to specific servers over the years because of the address space (use comcast business and run it from home on static ips). Most people would probably just get a virtual private server or aws ec2 or something and that would be fine.
I’m at a loss with the mysql vs sqlite comments. While some mail servers and web mail programs require storing settings or data in a database, it’s not required for most SMTP/IMAP setups.
Here are the parts you need:
1. DNS. This can be something like BIND or you can use a hosted DNS solution like amazon’s route 53 which is web based. A mail server needs an A record and a MX record. The MX record announces where to deliver mail and that’s about it. I read DNS & BIND which is a good book and covers MX records well.
2. SMTP software. I used sendmail because it was considered good at the time. Now most people setup with postfix. There are many guides on this subject and postfix is a bit easier to configure than sendmail. There are also tons of books on this.
3. IMAP or POP software. Personally, I always like IMAP and that’s what you get by default with Google. I recommend Dovecot for IMAP or POP3 software. It’s reasonably easy to configure. It works with all common SMTP servers too.
4. Optional: spam filtering. I use spam assassin which is a perl program. It can be complex to setup but once it’s working it’s ok. This can use a database or files for configuration. I did it with files.
5. Optional: Web mail. This allows you to check your email from a browser. If you do this, please use a SSL/TLS certificate with it. For simple mail setups, I use squirrelmail. Roundcube is a good choice for a more modern web mail interface, but it requires a database. Both need php.
6. Optional: antivirus. I have clamav setup with a milter (plugin) in sendmail. There are other ways to use it and depending on OS, you may have commercial AV available too.
7. Optional but recommended: TLS/SSL certificates for dovecot and your SMTP server. These can be generated with openssl or you can buy one. Many people just generate a self signed cert and they work ok with most email clients. If you use Macs, you have to get it to trust your cert so you don’t get prompted all the time in Mail. The certificate should be configured for the mail server domain name, e.g. mail.foo.com. It’s a good idea to name the box the name that you publish for your MX record. It also does not have to be named mail.
8. Optional: greylist milter or similar. There are many add-ons for mail servers that can do different filtering. greylist delays accepting mail to stop spammers. It makes any domain wait. The problem is that if a service uses a lot of servers, it won’t come in. Facebook is a problem for instance. It will cut spam a lot but at a cost of mail you may want.
You’re right there is a lot to learn, but you don’t have to do all of it at once. It’s also much easier now with services like amazon web services and azure. You can actually get a server running half the software, and setup dns from a browser.
You need the DNS, SMTP and IMAP to get started. Everything else is an add on and you can do it over time.
affer1,
IMHO this technique isn’t very good because the costs outweigh the benefits. In theory it’s argued that spammers will give up on slow connections, but I don’t know if that assumption carries any weight. On my servers I’ve never seen additional delays cause disconnects, spammers or otherwise. Now this might be simply because other blacklists preemptively filtered these guys out, but regardless it doesn’t seem to be useful and it can hurt legitimate but inefficient SMTP servers that fork per connection far more than spammers with software optimized for spamming.
Consider that the cost of keeping a socket open and idle in custom spam software is negligible. With a few dozen bytes you can park an idle socket using epoll with almost no overhead under a modern linux kernel. A spammer using efficient software is not going to flinch at the delays.
Another technique I’ve seen is for some SMTP servers (google in particular) to abort email sessions and wait for the email to get resent automatically. I think this is more likely to be effective against spammers than a simple delay because they might not be programmed to retry the way a legitimate SMTP daemon would. Although a competent spammer should be able to handle this case as well, in which case you’ve added a lot of overhead for yourself without stopping the spam.
IP based blacklisting is pretty effective and spam is kept to a minimum that way, but I really wonder about the feasibility of blacklisting in the future with ipv6 where the address space would technically allow for a new IP for every email.
Edited 2016-08-09 15:01 UTC
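An added example, not taken from any commenter's setup: a minimal greylisting model for the trade-off raised in the two comments above (affer1's item 8 and Alfman's reply). It keys on the (client IP, sender, recipient) triplet and shows why a sender that retries from a rotating pool of servers is delayed or lost, and what keying on the /24 (a common mitigation, assumed here and not mentioned in the thread) changes. The 300-second delay, the retry schedule and all addresses are constructed.

```python
import ipaddress

RETRY_MIN = 300  # seconds a new triplet must wait before acceptance (constructed value)


class Greylist:
    """Temp-fail the first attempt of each (client, sender, recipient) triplet."""

    def __init__(self, by_subnet=False):
        self.by_subnet = by_subnet
        self.first_seen = {}  # triplet -> time of its first delivery attempt

    def _client_key(self, ip):
        if not self.by_subnet:
            return ip
        # Assumption: group IPv4 by /24 and IPv6 by /64 so one sending pool shares a key.
        prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def check(self, ip, sender, rcpt, now):
        key = (self._client_key(ip), sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(key, now)
        if now - first >= RETRY_MIN:
            return "250 accepted"
        return "451 greylisted, try again later"


def deliver(greylist, pool, sender, rcpt, retry_every=600, max_attempts=5):
    """Simulate a sender that retries from a rotating pool of outbound IPs.

    Returns seconds until the message is accepted, or None if the sender gave up.
    """
    for attempt in range(max_attempts):
        now = attempt * retry_every
        ip = pool[attempt % len(pool)]
        if greylist.check(ip, sender, rcpt, now).startswith("250"):
            return now
    return None


# Constructed addresses from the documentation ranges.
ONE_SERVER = ["198.51.100.7"]
POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
ARGS = ("notify@social.example", "me@home.example")

if __name__ == "__main__":
    print("one server, retries:   ", deliver(Greylist(), ONE_SERVER, *ARGS))
    print("one server, no retry:  ", deliver(Greylist(), ONE_SERVER, *ARGS, max_attempts=1))
    print("pool of 4, 4 attempts: ", deliver(Greylist(), POOL, *ARGS, max_attempts=4))
    print("pool of 4, 5 attempts: ", deliver(Greylist(), POOL, *ARGS, max_attempts=5))
    print("pool of 4, /24 keying: ", deliver(Greylist(by_subnet=True), POOL, *ARGS))
```

With exact-IP keying the four-server pool needs a fifth attempt before any triplet repeats, which is the "it won't come in" case from item 8; a client that never retries is blocked in every configuration.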
The approach I’m planning to self-host to enable is a setup where I dedicate an entire subdomain to myself and then assign each sender a specific incoming alias to act as a revokable API key, restricted to their SPF-verified From address.
(eg. That way, I can bounce any mail resulting from eBay sellers adding PayPal or eBay addresses to their mailing lists without asking.)
Much more deterministic than traditional spam filtering and, if I implement it properly, it should ALSO have greater accuracy.
Edited 2016-08-09 20:08 UTC
I went that route initially with per-sender aliases. It becomes a bit of a bitch to maintain, as it’s just one more step to do when e.g. signing up for a service, or especially if providing an email address in person for something (at a doctor’s office or whatever). In those cases, I basically have to ensure I set up the alias when I get home before they might actually email me.
I bailed on that and just used plus-addressing now by default. It’s not a true alias, but at least enough of a deviation to be able to filter on. Sure: senders could get wise to it and write parsers to strip plus-addressing out and hit the bare local part, but plus-addressing is such a tiny minority on the web that I doubt the likelihood of that.
The annoying part of that is web devs that use braindead JS libraries for email address validation and tell you that an address with a ‘+’ in it is invalid. Read the damned RFCs, lazy punk! And get off my lawn!
I currently use SpamGourmet for my unimportant stuff and a paid MX-level forwarding service for my important stuff, so I know how much friction is dependent on UI design.
My plan is to whip up a quick Firefox extension analogous to a password manager where “Create new alias for this site and paste” is added to the context menu for text fields.
The alias would then be in a sort of “training mode” for the first 48 hours or so where, if the first message which arrives isn’t from the expected domain, the system will assume the site is using a secondary domain for mail exchange and update its records.
Edited 2016-08-13 09:32 UTC
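An added sketch of the per-sender alias scheme described in the comments above (revocable aliases bound to an SPF-verified sender, with a 48-hour training mode); it is not the commenter's code. Assumptions: the MTA or milter supplies the SPF result for the envelope sender as `spf_pass`, subdomains of the bound domain count as the same sender, and every alias, domain and timestamp is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TRAINING_WINDOW = timedelta(hours=48)  # "the first 48 hours or so" in the comment


@dataclass
class Alias:
    expected_domain: str   # domain the alias was handed to
    created: datetime
    trained: bool = False  # True once a first SPF-passing message fixed the domain
    revoked: bool = False


def same_org(domain, expected):
    # Assumption: subdomains of the expected domain count as the same sender.
    return domain == expected or domain.endswith("." + expected)


class AliasGate:
    def __init__(self):
        self.aliases = {}

    def create(self, local_part, site_domain, now):
        self.aliases[local_part.lower()] = Alias(site_domain.lower(), now)

    def revoke(self, local_part):
        self.aliases[local_part.lower()].revoked = True

    def check(self, rcpt_local, mail_from, spf_pass, now):
        """Return (accept, reason) for one message addressed to an alias."""
        alias = self.aliases.get(rcpt_local.lower())
        if alias is None:
            return False, "unknown alias"
        if alias.revoked:
            return False, "alias revoked"
        if not spf_pass:
            return False, "SPF did not pass"
        domain = mail_from.rsplit("@", 1)[-1].lower()
        if same_org(domain, alias.expected_domain):
            alias.trained = True
            return True, "sender matches alias"
        if not alias.trained and now - alias.created <= TRAINING_WINDOW:
            # Training mode: the site mails from a secondary domain, so re-bind.
            alias.expected_domain, alias.trained = domain, True
            return True, "training: alias re-bound to " + domain
        return False, "sender not bound to this alias"


def demo():
    t0 = datetime(2016, 8, 13, 9, 0, tzinfo=timezone.utc)  # constructed timeline
    h = timedelta(hours=1)
    gate = AliasGate()
    gate.create("ebay-7f3a", "ebay.example", t0)
    gate.create("shop-c21d", "shop.example", t0)
    gate.create("late-90be", "late.example", t0)
    results = [
        gate.check("ebay-7f3a", "orders@reply.ebay.example", True, t0 + h),
        gate.check("ebay-7f3a", "promo@paypal.example", True, t0 + 2 * h),   # list sharing
        gate.check("shop-c21d", "noreply@shopmail.example", True, t0 + h),   # re-bound
        gate.check("late-90be", "x@other.example", True, t0 + 72 * h),       # window over
        gate.check("ebay-7f3a", "orders@ebay.example", False, t0 + 3 * h),   # SPF fail
    ]
    gate.revoke("ebay-7f3a")
    results.append(gate.check("ebay-7f3a", "orders@ebay.example", True, t0 + 4 * h))
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "REJECT", "-", reason)
```

Training mode binds the alias to whichever SPF-passing domain writes first, so the window should stay short and the alias local part should not be guessable.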
Personally I think we need less centralization and to make this more accessible. I think it’s a bit of an uphill battle, but a more decentralized set of federated protocols is good for the Internet as a whole.
Also:
There is TLS wherever feasible (though I still need to get to DNSSEC, TLSA and DANE), DKIM in place, and I sign every email I send with PGP using a published key unless there is some recipient-side issue preventing it. Does that mean people actually send me encrypted email? Very rarely, but we do what we can
The original author replied to me; they’ve moved the content to:
http://verchick.com/mecham/public_html/spam/ or more specifically to http://verchick.com/mecham/public_html/spam/spamfilter20110303.html
justanothersysadmin,
It’s nice to hear from others who do this too.
Wholly agree. Less centralization is important to the survival of the internet as a democratic medium (ie in the hands of people and not just powerful corporations). Federated protocols are ripe with innovative potential, even for commercial use. But the trouble is that every significant internet shaper is shaping the internet towards centralized services to reinforce their business models. Consequently federated protocols are stagnating. I feel like I’m losing out both as a consumer and as an admin.
Privacy conspiromaniacs will be happy to make the switch
When I tell people using “secure mail” the following obvious fact, their head turns green.
Fact: Every mail you have in your secure mailbox also resides in at least one more place (the recipient or sender), but usually three more places (your and your peer’s accounts on some mail provider’s server, typically replicated across the world).
Spam, downtime, getting my mail blocked because I’m too small.
I host quite a lot of services for myself but I never hosted my email myself. Should I ? If so, what is a good guide with best practices (I use Debian, have my own domain and a public IP address) ?
Above at http://www.osnews.com/permalink?633061
Unless you have a sysadmin background and experience running a mail server, dealing with DNS, etc., you may want to take a pass, though. I heavily support a greater number of smaller servers than a select few clusters of Internet giants, but mail is a bit of a special animal.
Likely you won’t have issues receiving email, but unless PTR records, SPF, DKIM etc. are acronyms in your vernacular, you may have a hard time with having your email be reliably accepted.
Does anyone here use ProtonMail for secure communication? I was wondering how their service is, and how it works with people not using Proton Mail.
… to my own VPS + Postfix + Dovecot setup. It took quite some time to configure Spamassassin (I got very surprised at the amount of spam I am getting, after all those years in GMail where that’s not a problem!), get my IP off some blacklists, SPF, DKIM, set up a Web client (RoundCube), but now everything is working nicely
Remaining problem: I still need to have 1 GMail account hanging around because I have uploaded quite a few videos to Youtube (AFAIK I need a GMail account to host videos in Youtube?).
I would like to completely nuke my connections to Google including Youtube. Question: what do you guys recommend instead?
Edited 2016-08-09 16:36 UTC
Utumn0,
Youtube seems to get the lion’s share of visitors, but here are some others. Who knows, they might become more popular if the popular channels on go behind the youtube red curtain later this year. Apparently the motivation for that is to counteract all the adblocking users.
http://www.freemake.com/blog/top-7-free-video-sharing-sites/
I am debating myself if I should continue to host my own solution for ages. We are a small local wi-fi ISP (cca 800 clients) and of course we had to provide our own smtp server.
Man, what a journey it was. Endless times on the black list, because of the wrong settings, clients nervous, myself having headaches. So here we go …
I always wanted to have some kind of ISP panel, so that more ppl from the company of my brother (after all, it is not a paid job for me) could admin new users, change settings.
Hence I tried ClarkConnect, which later on became ClearOS. Divorced with them, as those guys are crazy enough to claim, that if I want multi-domain setup, I should run multiple virtual servers. No, thank you. The other one, was/is a Zentyal. I really easily set-up, what I’ve needed. Well, those guys (or their investors) have changed the business plan – they started to remove module by module – FTP, Webserver, making it absolutely unacceptable for old-timers. It was like snap in the face. Instead they do provide MS like server, based upon Openchange, or something like that.
Well, we still run (on the older) Zentyal, using Thunderbirds or Roundcube webmail. No blacklist for few years (as we run on separate IP, implemented SPF records, etc.). I am still NOT a Linux/email expert. Proper email rules are a very sophisticated discipline, which should be treated with a respect.
Because of low volume we need, I am thinking to move my small server to Synology – it can host websites, including php, postfix, Roundcube is there, you’ve got it on a raid setup and have some home media server too.
But – when I am consulting some even small business clients, I warn them – you either have a proper IT guy/company knowing the email related stuff, or you can get burned! Clients want more nowadays – they want their calendar, share office files and want it being mostly failure free and reliable. I don’t hesitate to suggest big guys – Google, Office 365. And the privacy factor? Come on 😉
Sorry for the long post …
-pekr-,
Hey I’m always looking for paying clients, I can do hosting and I can custom build you whatever you want /plug
Thanks for the reply. You know – Synology is here for long. Not sure how stable their modules are, but … Zentyal have changed in 2 years completely, ruining everything many ppl planned.
I simply don’t believe in anything long term. Maybe to go with some Ubuntu LTS and hand tuning everything.
But then I am missing some GUI toolkit above it. I looked into the ISP panel for eg., but it seems kind of complicated – doing something in GUI, I always looked into configs, what did the GUI do underneath.
Maybe I should write those few of dialogs for my colleagues in some simple GUI creation language like Red for e.g 🙂
Many, many years ago Suse Linux had an e-mail specialized distro. Full stack. They used to take care of a lot of the nuances, like Spam lists.
e-mail has all of the characteristics to become the best battle front to define the future, at the Individual-Privacy|State-Security issue.
It is THE exemplar, by excellency.