Why is self hosting mail server frowned upon such as this topic I found on Reddit: https://old.reddit.com/r/sysadmin/comments/9ejw5x/mail_server_setup_for_500_users/
They rather recommend using services such as Google and O365.
Security, maintenance and costs considered. Which is more preferable to use?
I was wondering the same question for a while too. I have a couple of business-friends/mentors, and if you couldnât care less about privacy or control and find the price of a paid solution to fit your needs, then you go for a paid solution.
To anyone else outside of that bubble (the good kind of people, in my opinion) will want to self-host or self-administrate (sort-of, hosting on places like Digital Ocean are just as good). I personally think $5/user/mo is WAY to expensive. $5/user/mo could get me a whole server PER USER!
Anyway, I spoke with a guy who owns a medium size business, as well as the president at A-Team Systems, and my impression is the physical maintenance, redundancy and upkeep of mail servers. My impression is that if you do it right (which Mail In A Box configures your box right, right out of the box, from my understanding), you donât need to administrate your boxâthatâs not the big issue.
So if you self-host the physical server, you have a whole lot of crap you have to deal with. What happens if your hard drive fails? Those will need to be replaced. If you forgot to create a RAID setup, youâre screwed. If the whole server fails at once, youâre also screwed. If the power goes out, well, I guess everyone in the office will do nothing until the server it back up. If the Internet (external) goes down, all those emails will either be delayed by a whole day (if youâre lucky and the other person has their mail server configured correctly), or will be totally gone. If these are business-critical emails from customers, this is not a good idea.
However, if you get something like a VPS or rent someone elseâs dedicated server, itâs not your problem to swap out the hard drives or keep the network active. All you have to do is not screw up as an administrator, which if you actually set things up correctly, shouldnât be a problem. If the network goes down, you will have someone ELSE running around, scrambling to find the solution NOT you. However, that is less likely to happen, as a VPS/dedicated server farm will be in a location for edge-provider Internet (much much faster, reliable Internet connections), redundancy beyond reasonable measuresâpower and network redundancy, and physical security beyond what the average Joe can afford.
I feel like a lot of whatâs online is a misconception people believe because it is what big email provider companies want people to believe, because that means more bottom line. To be honest, I think it is a bunch of crap to go from saying âdonât physically host your own mail on your own physical device at your own physical locationâ to âjust donât host anything that is not from a big company like Google or Microsoftâ.
I am in no way an expert, but itâs what I could gather from bits and pieces here and there from experts. I think a lot of people, from like 10 years ago, physically hosted their own mailboxes. When it became a problem they didnât feel like going through the hassle of moving it to a VPS/dedicated, because if they were going to move, they wanted Google and Microsoft to magically answer their problems. Also, Google and Microsoft give a lot more features than mail, so they were able to reap the benefits from switching to the Big Companies.
Why is self-hosting frowned upon? Lots of legacy reasons, some well intended, but many outdated, just like their 5mb file attachment limit policy. Or not unlike your grandmother used to cook a huge ham but her recipe called for cutting in half before baking, but your mom still does it that way, not knowing because grandmaâs oven was too short for the whole ham to fit in, and still does the same - cutting it in two before baking.
People are also just âdetermined to be rightâ which probably influences their ability to communicate. 
Long ago, it used to be that running an email server âproperlyâ would often mean not letting it become a spam relay, not getting hacked through Sendmail (or OS), which meant hardening everything to sufficient levels in both the OS and Sendmail/postfix/exim etc. And along with that meant DNS had to be setup in a way that worked with the Email server, didnât open up more security holes in terms of DNS tunnels, spoof attacks, and empower anyone to exploit holes in DNS binaries themselves.
Couple this with a lack of⌠good tooling, strong security features, good support, human-readable documentation, experience on the beginner and/or knowledge from even the more experienced IT guys on how to set up and make it all work, made the whole challenge quite difficult.
Also the attitude of many companies towards their IT guys, kinda sucked in many organisations, particularly towards Email & likewise choose often for some piss poor products. Early generations of Exchange - which was most common in most orgs still today - couldnât scale well, had horrible UIâs for administration, and were always on the short end of the security stick in terms of features.
Toss in that the Email protocol itself sucks too.
And all these problems still exist today, along with the attitudes everyone has. But the tools have matured and gotten better. Two examples are Postfix and Sendmail. Unix Sendmail was crazy powerfulâŚif you were good in writing in âm4â. But a badly setup Sendmail server was a service / security nightmare, and often mail admins would ignore it, or not be aware till major problems were no longer ignorable. Postfix was the answer to Sendmail & did everything so much better. But there were lots of corporates who stuck with Sendmail because Sendmail was what was âsupported by the vendorâ and swapping out Postfix was not supported. The situation was even worse tho with Microsoft shops based on Exchange - I used to beg so many customers to even drop in a âpostfix gatewayâ for security reasons in front of their Exchange servers, but the vendor of their âsupported solutionâ wouldnât have it, unless crazy fees on his side were paid, if it was an option at all.
All of this created some very negative attitudes / stereotypes about people / companies that self host email. Marketing teams at cloud hosting companies (including Microsoft, Google, etc) still leverage these attitudes today towards their own interests.
But also whatâs changed is the core technology, and a lot of people I think have noticed these changes, but arenât fully paying attention to what they mean. Cloud providers are using legalise to claim rights to read, even own, cloud hosted email solutions. GDPR and the upcoming Article 13 will force more of that into the hands of the cloud providers responsibility to do so in the name of artists rights. Which means theoretically at least, less privacy.
On a different note, but related to core technology changes - the miniaturisation of PCâs, Servers and Infrastructure marches forward. The first signs of this could be seen most publicly by the companies and hosting providers who switching to running Mac Miniâs in the corporate / data centres as servers.
SOHO server installs are happening more and more on NUC like computers too. Iâm running my mailinabox on such an installation with dual (DSL/Cable) uplinks to it. And itâs running 7 VMâs concurrently @ 10% cpu average load overall. No fans, only 11 watts and just a few hundred Euros to buy.
Mailinabox is one of those products, like Postfix, that back in the early days, solved a lot of problems, but still not a lot of people have experience with it (yet). A brilliant tool that does pretty well on solving a lot of the common gripes most still have about running their own Email server & DNS.
In fact, as someone whoâs done crazy amount of installs & repairs (of others mistakes) on Sendmail, Postfix, Exchange, Lotus Notes, CC:Mail & yeapâŚUUCP⌠Mailinabox is a pretty damn fine project. Iâve only been using it for a few months now, but I remain stunned how well it works & impressed by the work the contributors and founders all have achieved.
I know GSM Operators and ISPâs who still donât have their DNSes running properly or their Email servers configured correctly after decades of running them, a few I know have been running DNSSEC projects for 4+ years now, and still donât have it realised (but thatâs related to some past rollout choices, sometimes âworst practicesâ have been realized, in their own DNS that complicates it all. Because now itâs hard to change their legacy apps around a re-rollout of DNS). Honestly, we think because Email goes to Google or Microsoft, they some how have âmagic skillsâ and âmagic budgetsâ and âmagical email wizardsâ. Nope, their people just like us. With similar time and budget constraints we often find ourselves in. And itâll get worse for them too.
Hereâs why.
As I mentioned above, the products required to run your own infra are becoming cheaper and cheaper, basically becoming commodity products. Sure, if you want to have a server with 198 Cores, itâs going to be a large 19 inch rack youâre going to need, and those are expensive. And then youâll have to purchase backups for redundancy and availability.
But a 1-50 person company wonât need an Email server with so many cores. They could probably dedicate that to a 2, 4 or 8 core box. One thatâs Celeron based and that runs postfix under a VM along with a few other VMâs. Running emailinabox or some other turn-key variant solves a lot of the former problems associated with running oneâs own Email server. And if all one needs is a couple of NUC like servers running a VM host, Virtualized DMZeds in which to run Emailinabox - Electrical costs would be in the neighbourhood of a RaspberryPi or 4 on your network for such a server. It all lowers the bar which cloud hosting can compete with. Less profit margins, less the Google / Microsoft / [insert cloud hosting name here] have to spend on administrating customerâs Email.
Further, these cloud companies never tell you if someoneâs trying to hack your account, brute force your password, reveal statistics from Network Intrusion Detection, and Application Intrusion Detection. Theyâll only tell you something happened, when itâs so public they canât avoid it and/or legally required to do so. Theyâll leave you in the complete dark - security speaking - until that point, pretty much. The security astute company will want visibility on this, where as the one that is not very security aware, will be cool with âmaking that someone else problemsâ and paying a small fee for that convenience (read: ignorance).
For some companies making the decision to host on premises vs cloud hosting of email solutions, in some cases it might always make sense to cloud host. Itâs a business decision based on financial numbers, really. But there is a fad-like trend to move everything to the cloud, despite the fact many cloud providers are single points of failure, despite the fact that Office365 Professional is the single most attacked cloud service on the Internet today, despite the fact that security breaches in the cloud are a lot more common place than the original marketers promised us they would be. And people will make these decisions assuming their chosen vendorâs mail administration team has a good team culture, always hits their performance targets, etc. Like bad team / company cultures and bad politics never ever happen among the Homo Businessapian species.
To the company / admins who actually have noticed Article 13 and the GDPR and thought âthis could affect our customer privacyâ in relation to cloud hosting, it may always make sense to host on premises. I know one German International company whoâs very strict about always having âtotal controlâ of their critical business assets, including Email. Like those who will always choose for the cloud, these types will always choose their way.
Myself (and fuller disclosure) Iâve run my own Email and DNS (plus contact / cal / web / other) servers since 1996. And since 2000 that has been running across some sort of fixed-IP xDSL connection just fine. And Iâve had Emailinabox running since August of this year, and itâs the first all-in best practices turn-key solution Iâve ever built & I was amazed at how well it has performed until now.
And I also laugh when I hear comments like you say, myself (just last week, btw) when a fellow security colleague said to me âoh dear, Iâd never run my own Email server, thatâs dangerous. To easy to get the config wrong, so Iâve always been too scared to run one myselfâ Of course, he didnât know about Mailinabox at all either. But since heâs not called me back or updated me about his progress after telling him about it (and there was a WTF is this moment in that callâŚan expression of amazement on his end) Iâm figuring heâs still playing with it, checking it out. 
For myself, Iâll continue to run my own Email server on premises because financially it doesnât make sense for me to host in a cloud. The size box Iâd want for this and my other VMâs doesnât compete financially compared to hosting on some inexpensive NUCs. I donât have it on a raid config, just yet, but have space for two SSDâs if I want them. Live whole disk image backups and snapshots make Disaster Recovery (from SSD failure or box failure) a breeze, and for my own purposes, if it was down for a few hours even, I shouldnât drop a single Email. Since I started off on a 100GB SSD and later migrated my VM host to a 500GB SSD (because NextCloud is gonna get some use too now), that upgrade took only 30 minutes, and I used those DA disk images to spin it all backup again.
If you donât care that your email is handled (received, filtered, stored, examined) by companies that potentially use the contents of that mail to their advantage, you donât mind spending a (no doubt slowly increasing) couple of dollars per mail address every month until eternity and you are the kind or person who calls roadside assistance to change a flat tire, I would go for Google or O365 or, why not, the mail service of your friendly local ISP.
OTOH, if you want your mail fully under your own control and residing on your own premises, your ISP lets you run a mail server and you donât mind investing a basic amount of TLC, MIAB is a very nice solution to realize just that. Frowned upon? IMO it makes more sense to frown upon people who, without a second thought, blindly trust their entire correspondence to virtual companies on continents far far away that promise the world but are completely beyond their control when they fail to deliver.
I run MIAB for 2 years now, on a dedicated, âŹ190,- PCEngines APU2 server with an SSD, connected to the same VDSL line that serves my data, tv and telephone. The server is on 24/7 and takes 5 watts when active. Maintenance took me maybe 16 hours in that period, mostly spent in figuring out why my Lets Encrypt certificates one day were no longer updated. Which turned out to be an IPV4/IPV6 thingy at their side. Downtime was once, for 6 hours, due to a failed DSL connection. A DSLAM was replaced and no mail was lost, only delayed.
As I said before, all our mileage vary, but I am really content with this MIAB solution 
BTW, just have to add this ⌠if cloud service providers canât secure their own online services they built from the ground up, what makes us think they can better secure basic Internet services they didnât develop themselves, like Email?
âIf people would just move all their data to a centralised single point of failure service in the cloud, all of these security problems would just go away. Oh waitâŚdonât look there, weâre shutting that down.â â Mad Men @ Google
@Woody : re: " the mail service of your friendly local ISP." Yes, this. Having worked for Cloud providers, GSM Operators and ISPs in the past, Iâd bet my money on hosting at a locally owned and operated ISP. The chances are better that one will find passionate people who care for technology and their customers & who will go the distance for servicing local customers, over a large cloud provider who just seeâs âSubscribers as a pure numbers gameâ.
For me I see both upsides and downsides to hosting my own email.
Upsides
Downsides
Iâm sure thereâs others as well. Personally while I find MIAB a good solution, I find itâs SPF, DMARC and DKIM setup a bit too simplistic. Iâd like to be able to customise the SPF and DMARC records to suit my needs and Iâd also like the choice of being able to turn SPF checking on or off. I do understand some of the issues that SPF can cause but DMARC itself uses an either or algorithm to determine whether or not to pass a mail anyway.
e.g. SPF fail DKIM pass - mail passes.
SPF pass DKIM fail - mail passes
SPF pass DKIM pass - mail passes
SPF fail DKIM fail - mail fails.
I understand Joshâs motivations mind you, but that doesnât stop me wishing.
I think if people are competent enough to host their own mail server, then it shouldnât be discouraged, I agree with the thoughts that for the big providers, thereâs certainly a lot to be gained by discouraging the use of private mail servers and instead driving customers to your business. For some it can be a better experience if theyâre not technically competent as the big companies often have experts on hand 24/7 and an interest in making sure their servers are up and running with minimum downtime.
experts on hand 24/7
those are totally experts. reminds me when I transferred my domain away from a large provider (daddy) and it took almost a week and numerous interventions until they had figured out that they must delete the zonefile.
a project like MiaB will keep Big Data honest. Getting ripped-off is a high risk these days, so one better rolls oneâs own. 