Why is self-hosting frowned upon? Lots of legacy reasons, some well intended, but many outdated, just like their 5mb file attachment limit policy. Or not unlike your grandmother used to cook a huge ham but her recipe called for cutting in half before baking, but your mom still does it that way, not knowing because grandma’s oven was too short for the whole ham to fit in, and still does the same - cutting it in two before baking.
People are also just “determined to be right” which probably influences their ability to communicate.
Long ago, it used to be that running an email server “properly” would often mean not letting it become a spam relay, not getting hacked through Sendmail (or OS), which meant hardening everything to sufficient levels in both the OS and Sendmail/postfix/exim etc. And along with that meant DNS had to be setup in a way that worked with the Email server, didn’t open up more security holes in terms of DNS tunnels, spoof attacks, and empower anyone to exploit holes in DNS binaries themselves.
Couple this with a lack of… good tooling, strong security features, good support, human-readable documentation, experience on the beginner and/or knowledge from even the more experienced IT guys on how to set up and make it all work, made the whole challenge quite difficult.
Also the attitude of many companies towards their IT guys, kinda sucked in many organisations, particularly towards Email & likewise choose often for some piss poor products. Early generations of Exchange - which was most common in most orgs still today - couldn’t scale well, had horrible UI’s for administration, and were always on the short end of the security stick in terms of features.
Toss in that the Email protocol itself sucks too.
And all these problems still exist today, along with the attitudes everyone has. But the tools have matured and gotten better. Two examples are Postfix and Sendmail. Unix Sendmail was crazy powerful…if you were good in writing in ‘m4’. But a badly setup Sendmail server was a service / security nightmare, and often mail admins would ignore it, or not be aware till major problems were no longer ignorable. Postfix was the answer to Sendmail & did everything so much better. But there were lots of corporates who stuck with Sendmail because Sendmail was what was “supported by the vendor” and swapping out Postfix was not supported. The situation was even worse tho with Microsoft shops based on Exchange - I used to beg so many customers to even drop in a “postfix gateway” for security reasons in front of their Exchange servers, but the vendor of their “supported solution” wouldn’t have it, unless crazy fees on his side were paid, if it was an option at all.
All of this created some very negative attitudes / stereotypes about people / companies that self host email. Marketing teams at cloud hosting companies (including Microsoft, Google, etc) still leverage these attitudes today towards their own interests.
But also what’s changed is the core technology, and a lot of people I think have noticed these changes, but aren’t fully paying attention to what they mean. Cloud providers are using legalise to claim rights to read, even own, cloud hosted email solutions. GDPR and the upcoming Article 13 will force more of that into the hands of the cloud providers responsibility to do so in the name of artists rights. Which means theoretically at least, less privacy.
On a different note, but related to core technology changes - the miniaturisation of PC’s, Servers and Infrastructure marches forward. The first signs of this could be seen most publicly by the companies and hosting providers who switching to running Mac Mini’s in the corporate / data centres as servers.
SOHO server installs are happening more and more on NUC like computers too. I’m running my mailinabox on such an installation with dual (DSL/Cable) uplinks to it. And it’s running 7 VM’s concurrently @ 10% cpu average load overall. No fans, only 11 watts and just a few hundred Euros to buy.
Mailinabox is one of those products, like Postfix, that back in the early days, solved a lot of problems, but still not a lot of people have experience with it (yet). A brilliant tool that does pretty well on solving a lot of the common gripes most still have about running their own Email server & DNS.
In fact, as someone who’s done crazy amount of installs & repairs (of others mistakes) on Sendmail, Postfix, Exchange, Lotus Notes, CC:Mail & yeap…UUCP… Mailinabox is a pretty damn fine project. I’ve only been using it for a few months now, but I remain stunned how well it works & impressed by the work the contributors and founders all have achieved.
I know GSM Operators and ISP’s who still don’t have their DNSes running properly or their Email servers configured correctly after decades of running them, a few I know have been running DNSSEC projects for 4+ years now, and still don’t have it realised (but that’s related to some past rollout choices, sometimes “worst practices” have been realized, in their own DNS that complicates it all. Because now it’s hard to change their legacy apps around a re-rollout of DNS). Honestly, we think because Email goes to Google or Microsoft, they some how have “magic skills” and “magic budgets” and “magical email wizards”. Nope, their people just like us. With similar time and budget constraints we often find ourselves in. And it’ll get worse for them too.
As I mentioned above, the products required to run your own infra are becoming cheaper and cheaper, basically becoming commodity products. Sure, if you want to have a server with 198 Cores, it’s going to be a large 19 inch rack you’re going to need, and those are expensive. And then you’ll have to purchase backups for redundancy and availability.
But a 1-50 person company won’t need an Email server with so many cores. They could probably dedicate that to a 2, 4 or 8 core box. One that’s Celeron based and that runs postfix under a VM along with a few other VM’s. Running emailinabox or some other turn-key variant solves a lot of the former problems associated with running one’s own Email server. And if all one needs is a couple of NUC like servers running a VM host, Virtualized DMZeds in which to run Emailinabox - Electrical costs would be in the neighbourhood of a RaspberryPi or 4 on your network for such a server. It all lowers the bar which cloud hosting can compete with. Less profit margins, less the Google / Microsoft / [insert cloud hosting name here] have to spend on administrating customer’s Email.
Further, these cloud companies never tell you if someone’s trying to hack your account, brute force your password, reveal statistics from Network Intrusion Detection, and Application Intrusion Detection. They’ll only tell you something happened, when it’s so public they can’t avoid it and/or legally required to do so. They’ll leave you in the complete dark - security speaking - until that point, pretty much. The security astute company will want visibility on this, where as the one that is not very security aware, will be cool with “making that someone else problems” and paying a small fee for that convenience (read: ignorance).
For some companies making the decision to host on premises vs cloud hosting of email solutions, in some cases it might always make sense to cloud host. It’s a business decision based on financial numbers, really. But there is a fad-like trend to move everything to the cloud, despite the fact many cloud providers are single points of failure, despite the fact that Office365 Professional is the single most attacked cloud service on the Internet today, despite the fact that security breaches in the cloud are a lot more common place than the original marketers promised us they would be. And people will make these decisions assuming their chosen vendor’s mail administration team has a good team culture, always hits their performance targets, etc. Like bad team / company cultures and bad politics never ever happen among the Homo Businessapian species.
To the company / admins who actually have noticed Article 13 and the GDPR and thought “this could affect our customer privacy” in relation to cloud hosting, it may always make sense to host on premises. I know one German International company who’s very strict about always having “total control” of their critical business assets, including Email. Like those who will always choose for the cloud, these types will always choose their way.
Myself (and fuller disclosure) I’ve run my own Email and DNS (plus contact / cal / web / other) servers since 1996. And since 2000 that has been running across some sort of fixed-IP xDSL connection just fine. And I’ve had Emailinabox running since August of this year, and it’s the first all-in best practices turn-key solution I’ve ever built & I was amazed at how well it has performed until now.
And I also laugh when I hear comments like you say, myself (just last week, btw) when a fellow security colleague said to me “oh dear, I’d never run my own Email server, that’s dangerous. To easy to get the config wrong, so I’ve always been too scared to run one myself” Of course, he didn’t know about Mailinabox at all either. But since he’s not called me back or updated me about his progress after telling him about it (and there was a WTF is this moment in that call…an expression of amazement on his end) I’m figuring he’s still playing with it, checking it out.
For myself, I’ll continue to run my own Email server on premises because financially it doesn’t make sense for me to host in a cloud. The size box I’d want for this and my other VM’s doesn’t compete financially compared to hosting on some inexpensive NUCs. I don’t have it on a raid config, just yet, but have space for two SSD’s if I want them. Live whole disk image backups and snapshots make Disaster Recovery (from SSD failure or box failure) a breeze, and for my own purposes, if it was down for a few hours even, I shouldn’t drop a single Email. Since I started off on a 100GB SSD and later migrated my VM host to a 500GB SSD (because NextCloud is gonna get some use too now), that upgrade took only 30 minutes, and I used those DA disk images to spin it all backup again.