Hello. I’m looking to begin hosting my own email. I’m looking at using Digital Ocean to host my linux server running MaiB. My question is:
Any additional information on the privacy aspect of MiaB would be appreciated.
Thank you
The VPS you get are as secure as any other linux box. As a general matter, random folks can’t just log into your server and start poke around looking at things. MiaB relies on that and doesn’t add more security.
Do note - this assumes the DO isn’t a malicious actor (ie they aren’t putting backdoors into the VMs they provide) and they aren’t just abusing any password recovery features…
Thanks Kelly. How long have you been using MaiB? Are you happy with it? Do you feel it’s more private then say Google, etc. What VPS are you using?
I am afraid that I need to step in and correct @kellytrinh’s comments.
ALL VPS providers have the ability to see what you are running on their services. ALL.
The question is … how much do you trust the VPS provider to not look?
Now, in general, they have no reason to look nor will they under normal circumstances HOWEVER should they get a complaint, you can bet your last dollar that they are looking.
At one time, I had a client who owned a rather controversial domain and I hosted email for that domain using MiaB. DO received a frivolous complaint directed toward that domain and stated that they did not want that domain using their services. So I was off to find a different provider. The next provider that I found ALSO requested that the domain be removed from their services as they used grep to discover the domain’s email was being hosted on their VPS. There was none of the domain’s content present on the mail server, simply the signature file which included the domain’s URL.
Moral of this story … any and every VPS provider can peek. IF you require absolute privacy, you need to host a mail server in your basement where only YOU have access. The problem is that email does not work very well when hosted in a residential setting for all the reasons you can discover elsewhere on this forum.
@wyzard also let me answer your questions that you presented to Kelly if I may to give you another perspective.
I’ve been using MiaB for going on 4 years now. I am very happy with it though there are some minor features that I wish it had like quota management and SSO. It is absolutely more private than Gmail as there is nobody actively scanning your email for marketing data which Goofle/Gmail is well known to do. I use a variety of VPS’s from several providers around the world. Digital Ocean is NOT one of them.
Not a fan of DO? Why not? What VPS would you recommend?
Thanks for the additional info Alento - I was more focused on the fact that outsiders cant get into the box but the provider can always just use any PW recovery features to get in anyway so there isn’t really any protection from the provider if any case.
From your example it sounds like the provider was inspecting what is going on in the box without actually logging into it. I suppose this is because they can just read directly off the hard disk and as MiaB doesn’t do anything ‘extra’ in securing the services - is that correct?
Well, reading my reply should have answered that … being the fact that they ran with an unsubstantiated allegation of hosting a website that they did not like, when it was clear that nothing but email was being handled. Then refusing to consider the evidence that proved that I was not in violation of their own tos by hosting this client.
If that is not enough, they have gone downhill in the past year in the support department not to mention that they do not seem overly concerned about maintaining IP reputation as MANY of their IP ranges are on blacklists.
My recommendation would be specific to your location and use case.
As far as I am aware, you are correct. The provider does not need any extra magical ability to read what is on his hardware. Keep in mind that even if full disk encryption were in use, that would be ineffective as the disk has to be unencrypted while operational.
Hi @wyzard, I have been using MiaB hosted at DO for about 3 or 4 years now.
I have had very little issues with DO and are generally happy with their service.
As far as DO snooping, they do install a resource monitoring agent or background service into the VM image by default to allow the VM statistics and monitoring to work in their console. Who knows what this is capable of? But generally speaking I trust them enough to host my business servers.
I secure my servers with SSH using a key file to access, I have disabled root login and password login. That is probably about as secure as a MiaB server on DO is gonna get. The firewall obviously only opens the ports that are necessary for it to work and you can always setup Fail2Ban to monitor potential hack attempts from the outside.
The root user of this server can’t even easily view the emails of the users on the system, unless you setup IMAP impersonation of course. But who would do that?
I hope this helps.
@wyzard perhaps worth sharing more about the speicifc threat model you are trying to protect against. As Alento said, your provider is always going to be able to get at your machine so if the Feds want court-order them to hand over your emails they cant.
That being said, they are in the business of running servers so generally don’t expect snooping unlike and tnot advertising so won’t be like google systematically going through all your emails.
DigitalOcean will not provide or open port 25 …
Unless this is a new policy instituted today, this is not accurate.
Digital Ocean blocks port 25 for new accounts. They will usually open the port upon request.
That:s not true.
They not open even upon request.
It:s their policy.
Therefore I cancelled my account there.
Then as I stated, this is a very new policy. I suspect though that they just told you that to get rid of you. They do view users from specific countries negatively. They also have different rules for different server locations. Personally, I do not find DO to be a company that I wish to deal with for this and a multitude of other reasons.
I had much the same impression but there are others that have managed to get it open so perhaps it is a ask-again-and-be-more-persistent thing