A new self-hosted email system.

I decommissioned my email on Proton and migrated everything to self-hosted docker-mailserver The makers describe it as a, “Production-ready fullstack but simple mail server (SMTP, IMAP, LDAP, Antispam, Antivirus, etc.) running inside a container.”

Now, like me, if your understanding of a proper container is an image that runs one process, you should look away now. This is more of a operating system image that runs:

• Postfix as the Mail Transfer Agent.
• Dovecot as the Mail Delivery Agent.
• ClamAV and Freshclam for virus scanning.
• Rspamd or Spamassassin for spam detection.
• Postgrey, Amavis, and more.

It even has cron running things and supervisord controlling it all. But don’t let any of that put you off! I am super happy with it all!

I started with the same Terraform / OpenTofu setup that my webserver uses.

It’s the same t3.medium instance, but instead of running on a Spot instance, I chose an on-demand one with an EC2 Instance Savings Plan. In the Europe (London) region, for a 1 year term and nothing upfront, that should cost me around $22 a month (plus storage) instead of $35 (plus storage).

So now it’s all back under my control. It’s fast. And best of all - I don’t need to deal with Proton’s absurdly poor systems.

A firewall using NFTABLES instead of IPTABLES.

Since I run Debian Sid on both my webserver and the new mail server, I’m using the very latest tooling in Linux. I noticed that fail2ban on both machines were using something called nftables instead of iptables and I my usual Geo-blocking scripts didn’t work.

So, I got down to work figuring out the new way to build these things and came up with this script, to block Russia, China, Vietnam, and Taiwan. I’ve popped it online as open source. It should work alongside any built-in firewall on new versions of Linux.

HTTP/3, QUIC, And more firewalling for UDP.

On my webserver, I enabled shiny brand new HTTP/3 and the accompanying QUIC protocol. The interesting bit of this work is that, where the older HTTP/1.1, and 2 using TCP to ports 80 and 443 - QUIC uses UDP to port 80 and 443. So, in addition to lots of NGINX work, I had to open up security groups and do yet more poking of firewalls.

HTTP/3 can handle more traffic and deliver content faster, especially on slower or unreliable networks. It does this by having multiple steams in the same connection, less handshakes, and of course by using UDP transport rather than TCP.

It’s also, in theory, a better security model as it uses TLS 1.3.

DNSSEC for cloudcauldron.io and funderburg.me.

For no particular reason aside from security, and that I could, I setup DNSSEC on both my larger domains. This mostly involved clicking a few buttons in Route53 in AWS to create the signing keys, then adding those details back into the appropriate registrars for the domain. Surprisingly easy work!

Whist I was in Route53, I also moved funderburg.me’s DNS into a new Route53 zone from my DNS provider. They didn’t allow more “exotic” record creations which I’ll talk about below.

An OpenTofu Run for IPv6 on Odin.

It’s been a few months so I re-ran my OpenTofu project for odin (the webserver) and the newish freyja (my mailserver) - mostly just to pick up a fresh base image of Debian Sid.

But also, it was a chance to enable ipv6 across my VPC and both the ec2 instances. Back into Route53 and added a shiny AAAA record for chris.funderburg.me that points to 2a05:d01c:eb9:2c00:11b5:6c38:49f4:92 - and the job’s a good one.

Still trying to get my head around IPv6 and I’m not sure if that address will change if I reboot - or re-create the machine. I should probably check that! If not, it should be easy enough to use OpenTofu to dynamically update the route53 record.

Enabled the legendarily dangerous HSTS and lots of edge-case security things.

I tried setting up HSTS years ago at work, not quite understanding what I was doing - and its lucky I didn’t get sacked! HSTS very violently enforces HTTPS only connections by leaving an entry in anyone’s browser who visits. This entry tells the browser to NEVER try to connect unencrypted. It also usually says, “and also do this with all my subdomains”. That last one can break casual websites where you forgot to add a certificate.

These days however, I encrypt everything everywhere using Letsencrypt. So, less chance of blowing sites up or having to walk people through scrubbing their browser data. I set it up on funderburg.me and cloudcauldron withing an hour and used the recommended settings of setting it’s timeout first for 10 minutes, now a week. And next week I’ll change it to a month, and the month after, 2 years! In this way I have time to see if I’ve forgotten anything.

And finally, for security’s sake:

• A Certification Authority Authorization (CAA) record, which notes that my web certificates should only come from letsencrypt.org.

This poor person on Github is about to learn an unhappy fact. Email has no guarantee of being encrypted as it moves across the internet. And there’s no good solution for that at all.

Come away, O human child!
To the waters and the wild
With a faery, hand in hand,
For the world’s more full of weeping than you can understand.
– W. B. Yeats

I cancelled my gym membership yesterday and I feel terribly guilty about it! If you were standing right here in front of me, I’d tell you how oversubscribed the gym was, how it was filled with groups of teenagers hogging machines for ages, how the place was unusable at any convenient time unless you went past 10pm.

But that’s not why my daughter and I stopped going and have now cancelled our membership. It’s because it just became too hard and we lost motivation.

And that’s the last thing I need. Not to gain muscle as I could care less. And certainly not to lose weight. Over the last 8ish years I’ve lost 33.7kg / 74.3 lbs / 5.3 stone. I’ve gone from size 38 trousers down to 34 and from XXL shirts down to just Large. If BMI’s are really any indication of health, I’ve gone from “obese”, down through simply “overweight” range, and I’m within touching distance (8k) of what it thinks is a healthy weight. That’s mostly down to just improving my eating habits.

The main reason I need the gym, is what I’ve touched on before. At 51, I feel my health slipping away a lot. I have no energy. Things hurt that shouldn’t. And I’m getting the occasional brief moments of dizziness from silly actions like walking up stairs or carrying heavy stuff, and I feel some just basic exercise might hold that off.

No idea what I’m gonna do now though. Exercise at home could be an option but that comes with it’s own motivational issues. There IS a new gym opening that’s a bit more expensive, and is “contract”, so it might be a bit less packed. I’ll gonna think about it over the next few days, see what my daughter plans to do, and make a decision.

Interesting Posts Read

• Digital Decluttering - Topical! Because of link-rot and websites that vanish, I’ve been keeping an archive of internet things I want to keep for nearly 20 years now - which I’ll surely be sued for someday no doubt - but I’ve got decades (gigabytes) of photos and old MP3 files that I really need to clean up. I should make a plan.

Druid / Charity Stuff

At The Druid Network this week I leaned in hard to make some progress in building a new members-only forum with Discourse. I’ve had it installed in a containerised environment in AWS for ages, but over the last week I’ve:

• Updated it.
• Stripped it all out, wiped all the data, and reinstalled it with each piece (Postgresql, Redis, etc) protected by passwords.
• Enabled SSL/TLS Encryption.
• Got the email working via AWS SES - which is what the rest of our charity systems currently use. This reminds me that I’ve never really discussed the thorny topic of email with my fellow trustees. There’s no large email service provider that isn’t without ethical issues. Google. Microsoft. Amazon. All a bit evil in one way or another.
• Searched for and tested a few themes, and enabled a dark/light button.
• Had a play with creating a public category within the overall private forum. This didn’t go so well.

With some luck and motivation, I’ll invite some of the other charity trustees to play with it in the next few weeks. This whole thing is just a proof of concept so it might not end up being used. Makes a great technical challenge though.

Speaking of Email

I’m getting closer to going back to running my own mail server with Docker Mailserver.

It’s … complicated in this day and age:

• A SpamAssassin Surprise
• How to set up a private email server
• Set Up SMTP Server – A Step-By-Step Tutorial
• Is It Worth Making Your Own Email Servers and Hosting

Speaking of Docker

It seemed to be a day for cancelling things as I also downgraded my Docker subscription. A few days ago they announced an 80% price jump without any compelling added value. That’ll put me back on their free plan once my current subscription expires in May 2025.

Thing is, I wanted to support them and I was happy to do so when they moved from a totally free service to a paid model several years back. But, whether from greed or desperation, they’re losing the plot!

There is no service they offer that you can’t get for free elsewhere so, I’ll just use their free service for now, and start making the slow move to newer workflows, and new places to store my Docker images in future.

Note: This has no effect on my TDN work or how I run my own tech stacks. Docker on a server is a different beast than Docker as I use on my laptop. My subscription only really affects how I locally develop things on the Macbook.