One of the things that I’ve been asked about since the Snowden leaks, and especially since last night when two major “secure” email services shut down, is how do I host my email?
I host my email on my Mac mini server, and it’s quite a bit easier than you probably think, but likely not as secure as you think, and most certainly as much money as you think.
Let’s address these items separately so that you can get a good idea of whether or not you are still interested.
I have, and you can, most certainly host email on almost any web server that you get to host a blog. That, however, is not the server we are looking at, instead we are looking at hosting email on a Mac of some sort (which pretty much means a Mac mini) and this Mac not being in your home (you want a more stable internet/power connection than your home internet for hosting email). For that there are two companies that I can recommend: Macminicolo.net (my choice) and Macminivault.com (the choice of someone whom I respect).
To use either you need a Mac mini and can expect to spend about $50/month to have your Mac mini with either company. Both do rentals, but Macminicolo.net doesn’t offer rentals all the time (you need to catch them when they are promoting a special) and Macminivault.com looks like they rent year round.
Bottom line: if you want to use a Mac mini to host your email, in a professional data center, you are either coming out of pocket $700 plus $50/mo, or (roughly) $100/mo if you are renting. The smarter option is to buy a mini, but even I didn’t follow that advice.
2: Ease of Operation
Assuming the price hasn’t scared you off, the next thing to talk about is just how easy it is to setup a mini for hosting email. Once you install OS X Server, it is surprisingly easy — truly. In the most basic sense all you have to do is:
- Enable the mail service in the Server app, and add your domain.
- You go to your registrar/DNS provider and setup an MX record to point to your server.
- You setup your email clients.
All of that was in an app, not the terminal, with the trickiest part being the DNS record — but if you use a domain with any site you likely know how to do that bit. Again, that’s just a basic look, but it is truly not a complicated process for basic email hosting.
Thanks to the help of Rusty Ross, I know a few more tricks that you should do. Those include:
- Have your host setup a reverse DNS that points from the server IP to the domain that you are using for the server.
- Setup an SPF record with your DNS provider (Microsoft, of all companies, has a nice tool for that.)
- Purchase and install an SSL certificate. While you can self-sign one, you will get dialogs bitching about it unless you buy one.
- Tweak the SPAM settings in the Server app.
- Install Roundcube for pretty webmail (otherwise you won’t have webmail).
There’s a lot of other options 1 , but I think that’s a good jumping off point. Everything except Roundcube can be done in the Server app, or Safari windows. There’s nothing massively complicated.
3: Operations / How well does it work?
If you like the price, and the setup doesn’t scare you, then you probably want to know about the operation — how stable is it, SPAM, etc… I’ve been running it now for long enough, and with enough different email addresses, to say that it is really stable, works far better than Google Apps, or any other IMAP system I have setup, and has less SPAM. In fact, I get more false positives with this setup than I have before — which is both good and bad.
My email address is not only published on this site, but is also a link. It should get a lot of SPAM, but the server catches most of it. My iCloud email address? That gets the most SPAM.
Mac OS X Server stable, easy, and good with catching SPAM. In other words, it works quite well.
Ok, now we get to the downside: security.
There are a few things to consider:
- The security of the transmission.
- The security of the storage of the email.
- The physical security of the server.
You can easily have the mini run over SSL, which is about as good as it gets for IMAP based email. Additionally, Roundcube can be connected to over SSL — so there’s no concern here (well there is concern about SSL, but there’s no greater option that is easily implemented).
Since the email is being stored on your server, and assuming you use secure passwords, you can rest assured there’s no random employee of an email company prying into your mail database.
The server is also sitting in a data center, which is high security, but whomever is providing service to you, certainly has direct physical access to your server (and knows which one is yours).
The last bit is the toughest part.
Of course with a Mac, you can use FileVault 2 for entire disk encryption — but as anyone who has used FileVault 2 knows — if you restart your Mac you have to enter a password before the Mac will even boot OS X. That means you cannot enter the password via VNC or other services — which is potentially horrible.
I’ve never had my mini restart on it’s own, nor have I ever needed to power cycle the machine to restart it — all have been reboots that I have requested, which means that this little tidbit about
authrestart is very helpful.
Authrestart is a command line tool that allows you a one-at-a-time restart of a Mac using FileVault 2. You run the command, enter your password, and the Mac starts back up and into OS X without prompting for the initial password. This is great 99% of the time, but what about if trouble strikes and you need to reboot without using that command?
For that scenario I asked Brian Stucki, of Macminicolo.net, what in the world you can do, he responded via email:
If your machine were to crash and need rebooting then there is no way to do it remotely. The options here are either 1) you can send over your password and we can log in for you so the startup process can finish. Or two, we have a KVM over IP that customers can control but it needs to be manually connected to your machine and you would need to have java on your computer. (Related: The KVM over IP market could definitely use some updating)
Either way, there will be a wait to get the machine back up and running. Stucki also mentioned to me that he knows of people keeping their email databases in encrypted disk images — thus the server can be remotely managed as normal, but the database is still encrypted. I personally have no experience with that, but would imagine it is a bit of a pain in the ass setup.
Hosting Your Own Email
While getting email up and running on a Mac using OS X Server is pretty easy, it bears a large upfront and/or monthly cost to operate, and offers little extra physical security over email services, unless you are willing to wrestle with your mini.
(I am damned happy with my Mac mini email setup, but I plan on looking into storing email data in an encrypted disk image.)
The bottom line for most people is: just find a better email host. If you use a server already (say for your blog) I really do think it is worth getting a Mac mini server — I wish I had done it years ago — and at that point, why not host your own email?2
UPDATE: Some really good information in this App.net thread on the matter.