Like the title says, I’m new to self hosting world. 😀 while I was researching, I found out that many people dissuaded me to self host email server. Just too complicated and hard to manage. What other services that you think we should just go use the currently available providers in the market and why? 🙂thank you

  • Vogete@alien.topB
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    A password manager because if anything goes wrong, you’ll be completely screwed.

    What you SHOULD absolutely self host though is a password manager, so you can be in control of your most sensitive data.

    Regarding email, I think everyone should absolutely self host it, but it’s less and less viable in this google/Microsoft duopoly world. But ideally everyone would self host it. The reason why people advise against it really comes down to lack of real competition, and the two tech giants dictating how we violate every RFC possible.

    • pogky_thunder@alien.topB
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      A password manager because if anything goes wrong, you’ll be completely screwed.

      What you SHOULD absolutely self host though is a password manager, so you can be in control of your most sensitive data.

      Wot?

  • bulletproofkoala@alien.topB
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Okay I understand that email hosting is bad for SENDING email , but what about only RECEIVING email , isn’t it a good idea to keep my stuff private ? I rarely send personal emails, and like to avoid my data being used for marketing purposes Is that bad to have smtp imap open on dynamic ip address ? Just asking your opinion

    • shrugal@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      I’m doing exactly that, and it works like a charm. Get a DynDNS, backup mx and SMTP relay and you’re good, or get a domain provider like strato.de that already includes all three with the domain.

      Spam is also manageable. I get maybe 1-2 per day that make it past the filter, and I do have to add some custom keyword filters from time to time, but that’s about it. Fetching updated filter lists and self-learning from past errors keeps the filter up to date and is completely automated.

    • nekapsule@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Self hosted doesn’t mean hosted on your home connection. Even with a static IP I would recommend against hosting your mail server at home because any outage means no mail (been there, done that). I have hosted my own imap/smtp server for decades and couldn’t be happier with it, but yes, the smtp part is tricky to evade blocks, especially from MSFT who would just block entire networks without a real reason (Linode for example)

  • No-Needleworker-9890@alien.topB
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Passwords:
    -> You want to have immediat access to them, even if your house burns down

    Notes:
    -> You want to be able to read the documentation how to fix your selfhosted service, even when your selfhosted services are down

    Public Reverse proxy:
    -> A reverse proxy is only as safe as the applications behind. And NO, most selfhosted-applications are not hardened or had security audits
    (reverse proxy with a forward authentication proxy is something different)

  • SwingingTheLamp@midwest.social
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    In my opinion, cloud storage for (zero knowledge) backup. Your backup strategy should include a diversity of physical locations. I had a house fire a few years ago. Luckily, my data drives survived, but if they hadn’t, my cloud backup would’ve been invaluable.

    • KN4MKB@alien.topB
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Meh, been doing it for 5 years now with minimal issues. Had one issue come up where my domain was flagged as malicious, but was solved in a few days and some emails to security vendors.

      I think it’s important that those who can, and are educated enough to keep it running properly do host their own. Hosting your own email should be encouraged if capable because it helps reduce the monopoly, and keep a little bit of power for those who want to retain email privacy.

      • rad2018@alien.topB
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        I agree with KN4MKB. I’ve been hosting my own mail server for decades. Not one issue. I use that in lieu of a mail service provider (Google immediately comes to mind), as their EULA service agreement will tell you that - since you’re using their service, on their servers - anything goes. Read the fine print on Gmail, and you’ll see. 😉

      • AdmiralPoopyDiaper@alien.topB
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I did for years quite successfully. Ultimately blocklists did me in however - I don’t have the knowledge to resolve those timely and it became a headache I couldn’t tolerate at that time.

    • Zoenboen@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      They are not hard to setup, easy to keep running (once going they pretty much just work). If you follow the right steps you can avoid being undeliverable and keep people from abusing your sending server (as a relay).

      https://workaround.org/

    • Im1Random@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I did it anyway some time ago and I’m really happy with it. I’m using my own email addresses for absolutely anything by now.

  • shrugal@lemm.ee
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    People saying email, look into using external SMTP servers as relays. Your domain most likely comes with at least one email account with SMTP access. You can use that as a relay to send personal/business emails from your server using the provider’s reputable IP addresses.

  • rgnissen202@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I’d say backups. At least it shouldn’t be only local. I follow the rule of threes: two local copies and one off site with backblaze. Yeah, it ties up a not insignificant amount of disk space I could use for other things, but dammit, I’m not loosing my wedding photos, important system configurations, etc.

  • GolemancerVekk@alien.topB
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Don’t self-host email SMTP or public DNS. They’re hard to set up properly, hard to maintain, easy to compromise and end up used in internet attacks.

    Don’t expose anything directly to the internet if you’re not willing to constantly monitor the vulnerability announcements, update to new releases as soon as they come out, monitor the container for intrusions and shenanigans, take the risk that the constant updates will break something etc. If you must expose a service use a VPN (Tailscale is very easy to set up and use.)

    Don’t self-host anything with important data that takes uber-geek skills to maintain and access. Ask yourself, if you were to die suddenly, how screwed would your non-tech-savvy family be, who can’t tell a Linux server from a hot plate? Would they be able to keep functioning (calendar, photos, documents etc.) without constant maintenance? Can they still retrieve their files (docs, pics) with only basic computing skills? Can they migrate somewhere else when the server runs down?

    • vkapadia@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      What is wrong with that? Don’t they still need correct credentials to connect?

      • Korlus@alien.topB
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        The service itself is insecure. You need to hide it behind a more secure setup if you want to expose it to the internet. It’s been a long while since I tried, but I have some foggy memories of an RDP Server that would encapsulate the connection in an SSL tunnel and forward the connection to the remote machine rather than exposing the RDP client itself to the internet.

        Definitely do your research on how to do it securely before you just set it up and open it to the wild.

          • Korlus@alien.topB
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Oh sure, VPN is definitely the preferred way if you already have the infrastructure in place. My experience with the front-end RDP server was years ago as the sysadmin for a company. My experience is likely very out of date, and was very corporate-focused, rather than for an enthusiast.

            Nowadays I try not to touch Windows, and haven’t used RDP in years.

            • teem@alien.topB
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              These days there are so many bots scanning that you have to be so careful.

    • linkthepirate@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Psa for you guys that rdp over the net, turn that off, and use a VPN like wire guard or tail scale, or use something like apache guacamole.

    • HashtagMOMD@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I have a load balancer on my network that has opened one port on my home network. The load balancer is connected over the cloud flare and is encrypted on both sides. Is that okay?

      • kon_dev@alien.topB
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Why you chose to open a port, if you use cloudflare? Couldn’t you use cloudflare tunnel in that case?

    • teem@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Lol, I work at an attack surface scanning company. Every freaking company I talk to, with very few exceptions, has at least one of these. If not a whole infrastructure. Then they cry, “how did we get ransomware?”

    • SpongederpSquarefap@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Don’t try to be clever and change the port from 3389 to something else either

      Scanners can fingerprint traffic and just blast the other ports instead

      I (foolishly) did this a few years ago and luckily I had account lockout enabled

      Constant attempts all day long - they were even able to enumerate local users and try to log in as them (fortunately they never could cause the passwords were random keepass ones)

      Don’t do it, seriously

    • FlockSystem@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      What do you mean by “clearly”. Open RDP without password protection?

      I often use RDP to access my desktop Windows 10.

        • FlockSystem@alien.topB
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Those vulnerabilites come from humans clicking on files they’re not supposed to click on. NO way of communication is secure against that. Not even the magic of Tailscale. RDP offers 2FA and has an encrypted connection. It’s fine!

          • FabianN@alien.topB
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Even Microsoft recommends against opening rdp to the web and to use a VPN instead.

            You’re playing with fire here.

            • FlockSystem@alien.topB
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              Microsoft recommends against opening rdp to the web

              As far as a few google searches got me: No, they don’t.

    • Tivin-i@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Any public facing service that other (services) depend on should not be running on a public IP (especially ones that translate addresses, and ones you have to manually update).

      You could run an authoritative NS “hidden” where only your secondary NS can reach out to for zone transfers. You could also escape having a public IP if you configure rsync or scripts to update secodary host files on every IP change.

  • Server22@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Email. I always recommend AWS SES. Use it at as an SMTP relay and any internal services gets restricted access through IAM.

  • zfa@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I don’t self host anything where it would impact me unduly if it went down while I was on holiday to the point where I’d have to break state and go fix stuff.

    I don’t want to have to leave my beer or beach and head off to fix things like an email server, restore a password manager db etc. so anything like that which is critical to the point where an outage would prob have me do so means I pay someone else.

  • Sensitive-Farmer7084@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I think there’s a hangup on the term “self-host” where some people are assuming it’s going to be exposed to the Internet.

    I self-host a ton of stuff that is only available inside my home network or through my VPN, which is not publicly discoverable. I would never open a TCP port to the world from my home network. That’s how you end up on shodan.

    So yeah, if it has to accept inbound connections from arbitrary other systems on the dirty internet (email, mastodon, etc), it’s not happening on my network, and probably not at all because it’s a pain in the ass to stay patched.