Help an oldfag get up to date on email. Back in the day you would just read RFC822 to know how email works. What are the technologies now? What RFCs should I know about?

What are the email servers and their qualities? I remember:
* Sendmail was always getting hacked and no one could maintain it with a book
* postfix was getting popular
* I think djb rolled his own
* hell, I rolled my own forwarder once

What are the connection protocols?

* There was POP that let customers accidentally delete their inboxes whenever they read their email from a friend's computer, IMAP, MAPI that no one else supported, and everyone skips those and uses web based email now.
* Microsoft had some protocol to push emails to its handhelds that was always hanging and you needed to schedule a script to delete ds2mb every hour to work around it.
* Is there anything new in server-to-server protocols or are they still sending flat RFC821/RFC822 to each other?

What are the recommended storage formats? Those I know of are:

1. mbox - One flat text file per mail folder.
2. maildir - A nest of subdirectories with one file per message that takes forever to load off a HDD.

How does one encrypt mail like Protonmail or Tutanota?

1. encrypt storage so the host can't read it?
2. encrypt comms to other SMTP servers if they support it?

What about spam fighting? There were a bunch of groups in the late 1990s that went silent and underground in the early 2000s, especially after Usenet died.

Speaking of Usenet, how does one get back on it without going through Google Groups or "pay for binz" sites? Every ISP that I know of has shut down their usenet servers. Is anyone still on it or is it all spam and tumbleweeds?

How does one create a cluster with multiple physical servers serving one email domain? Is this done at a lower level?

What webmail frontends are recommended? Squirrelmail was once the standard but it has been abandoned for years.

Is there anything new that needs to go into DNS to make email work better? Any special TXT tags?

What else should a techie know about email today?

Welcome back.

- I think Postfix + Dovecot is the most popular combination today. Among debianfags Exim is popular, while OpenBSD is rolling their own right now, called OpenSMTPD.
- Protocol for sending is SMTP and for receiving it's IMAP. No one uses POP3 any more.
- For storage, maildir is popular because it's fastest when it comes to write performance. Filesystems and disk latencies have become a lot better.
- For webmail roundcube is popular.
- You should learn about DANE, DKIM, and DNSSEC.
- Some e-mail servers require ssl for incoming mail. Use ssl by default and whenever you can. Free SSL certificates are available at letsencrypt. Their software is cancer, use an alternative client.
- Mailinglist software still sucks, but there are a few nice projects on the horizon.

It's encrypted on disk (but note that they can still read the message before they save it to disk).
Email traffic over the internet is mostly end to end encrypted between each mail server that passes the message along, but some servers aren't end to end encrypted.

If you actually want your emails encrypted use PGP.

Almost everyone moved to webmail and Google hired a lot of the people who were working on the standalone services so that infrastructure is pretty rickety today.
Nope.
POP is dead, IMAP is garbage but it's what we've got.
Both are garbage but maildir is the only real option.
For user to user, S/MIME or OpenPGP. All the tooling around this is a poorly maintained mess and probably 99% of all encrypted/signed emails in the world are sent by Debian developers.
For server to server, there's now TLS support in the protocol via STARTTLS. Note that many end-user ISPs block outbound port 25.
DNS blacklists run by shady groups that misuse power, SPF, DKIM. DNSSEC remains a total clusterfuck and I expect it to be deprecated.
It's pretty much dead.
Everything's fucked.
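The SPF check the post above names, as an added example written for this thread (not any poster's code): it evaluates a domain's SPF TXT record against the IP a connection arrived from. The DNS data is a constructed in-memory table (documentation domains and addresses) so it runs offline; `lookup_txt` is the assumed hook you would replace with a real resolver. Only the ip4, ip6, include and all mechanisms and the four qualifiers are implemented; a/mx/ptr/exists and the redirect modifier are noted but skipped.

```python
import ipaddress

# Constructed TXT records for the example (documentation domains/addresses):
# a domain that delegates part of its policy to a bulk sender, a bulk sender
# with a soft-fail policy, and a record that includes itself.
FAKE_DNS_TXT = {
    "example.org": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                    "include:_spf.bulk.example -all"],
    "_spf.bulk.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "loop.example": ["v=spf1 include:loop.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # RFC 7208 limits DNS-querying mechanisms to 10 per check


def lookup_txt(domain):
    """Stand-in for a DNS TXT query (assumption: replace with a resolver)."""
    return FAKE_DNS_TXT.get(domain, [])


def check_spf(ip, domain, _depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    if _depth > MAX_DEPTH:
        return "permerror"
    records = [r for r in lookup_txt(domain) if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # RFC 7208 4.5: more than one SPF record is an error
    ip = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are not implemented here
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif mech == "include":
            inner = check_spf(str(ip), arg, _depth + 1)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):
                return "permerror"  # RFC 7208 5.2: included record missing/broken
            # fail/softfail/neutral from the include: no match, keep going
        # a, mx, ptr, exists need further lookups and are skipped in this example
    return "neutral"  # fell off the end of the record without an 'all'
```

The self-including `loop.example` record is there to show why the depth cap matters: without it a hostile or misconfigured record turns every inbound connection into unbounded DNS traffic on your MX.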

My ISP offers pop3s, so I use it. I don't need imap, since I just want all my mail delivered to one computer at home.
I use plain old mbox to store the messages. In the past I used qmail and maildir on servers, but that's not my job anymore.
I also use my ISP's smtp server for sending mail. I guess you might have to tunnel over ssh or something if you want to use smtp to another server and your ISP is blocking outbound 25.
My ISP still has a Usenet feed, and the alt.binaries.* and some tech groups are still active. There's various others that people post to, but not much that I'm interested in.

i've used them for a while now. they fucked their system 6 months ago with the way they verify things and then forced everyone into an alternative verification mode which the versions of the clients that got shipped to distros (debian you lazy updating mother fuckers) did not update/support.

the only way to update and keep your ssl certs from letsencrypt now is to write a script yourself that shuts down your apache or nginx or whatever is running on your port 80/443, run this updater they give you, and then re-enable apache/etc.

they supposedly have some hooks or some shit to have their client do it for you but i don't trust it anymore so i write a script myself that does it, it's been working for the past year.

they need to unfuck their shit, but it's free so it's hard to complain.

also with let's encrypt you must update / verify your ip is the domain name by running this abomination of an update script every 3 months, sooner preferably, the cancer hybrid of your own script plus their shitty updater recommends once a day, it just checks and nothing happens if it isn't time to update.

also if you hit their service more than like twice a week requesting more certs they'll ban your ass. this is not necessarily a problem except for their massive verification fuckup which forces people to write their own scripts and interact with their shitty client in just the right way. they really really fucked up on that one, but like i said, nobody complains because it's free, nobody wants to pay for the $100-$1000 for the jew SSL racket that is HTTPS

IMAP also offers push notifications for new messages, which is nice.
If your client connects to port 25, you're doing it wrong. Use TLS.

Why though? I only send my username/password over pop3s.

Your smtp server supports unauthenticated sending? Sounds like a spam or fraud disaster waiting to happen.
You transmit your e-mails as plain text? I mean, there are people who prefer to go outside naked. Why not.

Is there an email app on Android that would show full text of an email (with headers, etc) like old fags used to see?
I've never been able to find one, and these 'advanced' mail programs are backward and make you more susceptible to phishing attacks.

In the past I could look at the email headers and raw text and tell the email was a spoof in under 5 seconds, now I have to export, save, decode from b64, view, and probably more shit I've forgotten - just to work out if the link points to what it says, all because the email program thinks hiding it is a good idea.
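The checks the post above describes doing by eye on the raw message, as an added example for this thread (not the poster's code): decode the message, compare the envelope sender and first Received hop against the header From, and flag any link whose visible text reads as one host while its href goes to another. The message is constructed (documentation domains, a base64-encoded HTML part) and only the Python standard library is used.

```python
import base64
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style message: the header From claims a bank domain,
# the envelope sender and first hop are elsewhere, and the HTML body is
# base64-encoded so the raw text is unreadable without decoding.
HTML_BODY = (
    b'<p>Your account is locked. Sign in at '
    b'<a href="http://203.0.113.7/login">https://bank.example.com/secure</a></p>'
    b'<p>Help: <a href="https://bank.example.com/help">bank.example.com/help</a></p>'
    b'<p><a href="https://bank.example.com/unsub">click here</a> to unsubscribe</p>'
)

RAW_MESSAGE = (
    b"Return-Path: <bounce@mail.attacker.example>\r\n"
    b"Received: from mail.attacker.example (mail.attacker.example [203.0.113.7])\r\n"
    b"\tby mx.example.org with ESMTP id 1abc23; Mon, 1 Jan 2018 10:00:00 +0000\r\n"
    b'From: "Bank Example" <security@bank.example.com>\r\n'
    b"To: victim@example.org\r\n"
    b"Subject: Action required\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n" + base64.b64encode(HTML_BODY) + b"\r\n"
)

# Visible link text that a reader would take for a host or URL.
URLISH = re.compile(r"^(https?://)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL, or of a bare 'host/path' the way a reader sees it."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def domain_of(addr_header):
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def inspect_message(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    header_from = domain_of(str(msg.get("From", "")))
    envelope_from = domain_of(str(msg.get("Return-Path", "")))
    received = msg.get_all("Received") or []
    first_hop = None
    if received:
        m = re.search(r"\bfrom\s+(\S+)", str(received[0]))
        first_hop = m.group(1) if m else None
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    # A link is deceptive when its visible text reads as a URL/host but the
    # href goes to a different host. Plain "click here" text is not judged.
    deceptive = [
        (href, text) for href, text in collector.links
        if URLISH.match(text) and host_of(text) != host_of(href)
    ]
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "first_hop": first_hop,
        "sender_mismatch": header_from != envelope_from,
        "links": collector.links,
        "deceptive_links": deceptive,
    }
```

Save a message from any client that can export raw source and feed the bytes to `inspect_message`; a sender mismatch alone is normal for mailing lists and bulk senders, but combined with a deceptive link it is the five-second spoof verdict the post is talking about.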

The smtp server knows who I am, since they're my ISP and they assign me an IP address and route my packets.
Yeah I send emails in the clear. Why not? Hardly anyone uses PGP, and the protocol doesn't enforce encryption. I guess you could use "openssl s_client" to connect directly to the destination mail server but they might refuse you (to avoid acting as a spam relay).

So their smtp server accesses their dhcp database? Ewww.
Also you could still spoof mail of family members or room mates.
Mail servers talk TLS to each other. Mine refuses to connect to servers that don't offer TLS. I've never had an issue in many years except once when I tried to contact some chink ISP.
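The server-to-server behaviour described above (STARTTLS, and refusing peers that don't offer it), as an added example for this thread and not any poster's or MTA's code. The peer is a scripted fake with constructed responses, so this runs offline with no sockets or certificates; `tls_upgrade()` is an assumed stand-in for wrapping the socket and verifying the peer certificate. It shows the two things an MTA must do: decide by policy what happens when STARTTLS is absent (which is exactly what an on-path attacker stripping the capability looks like), and re-issue EHLO after the upgrade rather than trusting the cleartext capability list.

```python
# Minimal outbound-SMTP hop logic with an explicit TLS policy, as the
# sending MTA applies it to each peer. Example code for this thread.


class FakeServer:
    """Constructed SMTP peer: EHLO capabilities change once TLS is on."""

    def __init__(self, offers_starttls):
        self.offers_starttls = offers_starttls
        self.tls = False
        self.transcript = []

    def greeting(self):
        return ["220 mx.example.net ESMTP"]

    def tls_upgrade(self):
        # Stand-in for wrapping the socket in TLS after the 220 to STARTTLS.
        self.tls = True

    def send(self, line):
        self.transcript.append(line)
        verb = line.split()[0].upper()
        if verb == "EHLO":
            caps = ["SIZE 10240000", "8BITMIME"]
            if self.offers_starttls and not self.tls:
                caps.append("STARTTLS")
            if self.tls:
                caps.append("AUTH PLAIN LOGIN")  # offered only over TLS
            lines = ["250-mx.example.net"] + ["250-" + c for c in caps[:-1]]
            return lines + ["250 " + caps[-1]]
        if verb == "STARTTLS":
            if self.offers_starttls and not self.tls:
                return ["220 2.0.0 Ready to start TLS"]
            return ["454 4.7.0 TLS not available"]
        if verb == "QUIT":
            return ["221 2.0.0 Bye"]
        return ["502 5.5.2 Command not implemented"]


def parse_reply(lines):
    """Return (code, [text lines]) from a possibly multi-line SMTP reply."""
    return int(lines[-1][:3]), [l[4:] for l in lines]


def ehlo(server, helo_name="mta.example.org"):
    code, texts = parse_reply(server.send("EHLO " + helo_name))
    caps = {}
    for t in texts[1:]:  # first line is the peer's hostname greeting
        key, _, rest = t.partition(" ")
        caps[key.upper()] = rest
    return code, caps


def deliver_hop(server, tls_policy="mandatory"):
    """tls_policy: 'mandatory' refuses cleartext; 'opportunistic' accepts it."""
    code, _ = parse_reply(server.greeting())
    if code != 220:
        return {"ok": False, "tls": False, "reason": "bad greeting"}
    code, caps = ehlo(server)
    tls = False
    if "STARTTLS" in caps:
        code, _ = parse_reply(server.send("STARTTLS"))
        if code == 220:
            server.tls_upgrade()
            tls = True
            # RFC 3207: discard everything learned before TLS and re-EHLO, so
            # the capabilities (and any AUTH offer) come from the protected
            # channel, not from a line an on-path attacker could have edited.
            code, caps = ehlo(server)
    if not tls and tls_policy == "mandatory":
        server.send("QUIT")
        return {"ok": False, "tls": False, "reason": "peer offered no STARTTLS"}
    return {"ok": True, "tls": tls, "auth_offered": "AUTH" in caps}
```

Run `deliver_hop(FakeServer(offers_starttls=False), "opportunistic")` to see the downgrade: delivery succeeds in cleartext with nothing logged that distinguishes "peer has no TLS" from "someone removed STARTTLS from the EHLO reply". That is the trade-off behind the mandatory-TLS stance in the post above.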

Well if it's so easy, then go read all the emails I'm sending. All hops are within my ISP's network, so you'll have to hack into one of their routers or the mail server (I don't use wifi, so scratch that out). And then you'll have some emails with nothing useful in them, because I don't send secret stuff via email without PGP.

Don't you ever take one of your devices outside of your ISP's network? I guess many people do. Will the mail server then refuse to accept mail? This would be unexpected for most users.

No, my computer stays home, and my phone is voice/SMS only.
The ISP does in fact give the option to use their mail server from outside the network. Then you have to authenticate yourself first, but I didn't read all the details since I'll never use that option.

No. You can simply have the updater run like usual overwriting the old certificate. Then you just have to reload nginx. You don't have to restart it.

No, you have to stop apache or nginx completely from serving sites on yourdomain.com, so it can host its own verification on port 80/443, once it does that you can bring your sites up.

the let's encrypt updater must be able to claim ports 80/443 and if it can't it fails, which means apache or nginx can't be running on those ports. this is just one of the verification modes, but it's the only one that works since their other primary verification mode had some security problem.

Is running a mail server on a VPS an extremely stupid idea?

No.

I unironically roll my own using sendmail and pop3. It's fucking great. If I need to read mail remotely I use SSH rather than IMAP, because IMAP once annoyed me. Sendmail hits spamhaus, uceprotect and spamcop dns blacklists to cut down the bullshit then uses clamav and spamassassin to check the rest.

I use 25 and 110 and it still works just like it's supposed to and as it always has for anyone who takes the time to learn what they were doing instead of blindly running servers they didn't quite understand.

Simple is better and fix your DNS first.
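The DNS blacklist lookups the post above has sendmail doing, as an added example for this thread (not the poster's configuration or sendmail's code): build the reversed-octet query name for each zone, only count answers inside 127.0.0.0/8 as listings, and run the RFC 5782 self-test on each zone before trusting it. The resolver is a constructed in-memory table so it runs offline; the zone names are the ones the post mentions, but the listed addresses and return codes are made up for the example and are not those lists' real data.

```python
import ipaddress

# Constructed A-record table standing in for live DNS (documentation
# addresses; the listings and codes are invented for this example).
ZONES = ["zen.spamhaus.org", "dnsbl-1.uceprotect.net", "bl.spamcop.net"]

FAKE_DNS_A = {
    "10.100.51.198.zen.spamhaus.org": ["127.0.0.2"],
    "10.100.51.198.bl.spamcop.net": ["127.0.0.2"],
    "5.113.0.203.dnsbl-1.uceprotect.net": ["127.0.0.2"],
    # RFC 5782: every list must answer for 127.0.0.2 and not for 127.0.0.1
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2"],
    "2.0.0.127.dnsbl-1.uceprotect.net": ["127.0.0.2"],
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
    # A parked or wildcarded zone answers with a non-loopback address;
    # treating that as a listing would reject everyone.
    "1.2.0.192.parked.example": ["203.0.113.99"],
}

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def lookup_a(name):
    """Stand-in for an A query (assumption: swap in a real resolver)."""
    return FAKE_DNS_A.get(name, [])


def dnsbl_name(ip, zone):
    """Query name for ip in zone: reversed octets (v4) or nibbles (v6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def query_zone(ip, zone):
    """Listing codes for ip in zone; answers outside 127/8 are not listings."""
    answers = lookup_a(dnsbl_name(ip, zone))
    return [a for a in answers if ipaddress.ip_address(a) in LOOPBACK]


def check_dnsbl(ip, zones=ZONES):
    """Map of zone -> codes for every zone that lists ip."""
    hits = {}
    for zone in zones:
        codes = query_zone(ip, zone)
        if codes:
            hits[zone] = codes
    return hits


def zone_is_sane(zone):
    """RFC 5782 self-test: 127.0.0.2 must be listed, 127.0.0.1 must not be.
    A zone failing this is dead or wildcarded and should be dropped from the
    policy rather than silently rejecting (or accepting) every client."""
    return bool(query_zone("127.0.0.2", zone)) and not query_zone("127.0.0.1", zone)


def should_reject(ip, min_hits=1):
    """Reject when at least min_hits healthy zones list the connecting client."""
    live = [z for z in ZONES if zone_is_sane(z)]
    return len(check_dnsbl(ip, live)) >= min_hits
```

Each real list publishes its own return-code meanings and query conditions; check those before wiring a zone into a reject rule, and run something like `zone_is_sane` periodically, because a list that goes dark or starts wildcarding will take your inbound mail with it.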

Wow, what a bunch of placebos.
You not only blocked lots of legitimate email servers, but also read your email in a dangerous way instead of downloading and decrypting it on client.

It's not placebo it works well and blocks legitimately shit servers that either can't be bothered to secure their relays or are openly hostile. Sometimes those belong to well known corporations but that doesn't make them more legitimate or less hostile. Of course I do use a mail client, a couple of them but primarily Sylpheed. The ClamAV is there primarily for Windows clients, which I also support but generally not for my personal use. Did I imply otherwise?
Most of this configuration has worked for decades now. Actually stable since the 1990's. Trying to patch security as an afterthought onto email is the stupid. While my server supports SSL/TLS I'm also aware of its well established weakness. For secure comms it's out of band preshared keys or nothing.

Tell me, how much did you pay to spamhaus before you fixed your shit?

You can use TLS and use port 25. That's how it was designed to be used. The alternate ports exist because ISPs fucked the internet with mandatory firewalls on user-class internet but not business-class internet. Don't see neutrality faggots over on reddit crying about that one, though. Strange.

Don't use that shitty botnet updater. Use acme-client from the OpenBSD guys. You can set up your existing webserver to publish a directory it can write to and it can take care of the rest without fucking everything or requiring stupid permissions.

I can see how this passes for net neutrality supporters as long as ISPs are fucking with all mail providers equally. Also I'd like a source on the claim that ISP firewalling caused alternate ports.

this is still a webserver restart.
this also forces you to modify your apache configuration to support a static directory that this can use.
i'm not totally against this approach but the last time i tried it when they had their security fuckup i for some reason abandoned this approach in favor of a script that brings down apache, runs certbot, and then brings it back up, because this webroot mode was throwing errors and giving me shit.
it might be the best way to do it though

this, and it's not just port 25, try running some shit on 80,443 or openvpn common ports. if they aren't outright blocked you'll be getting a notice from your ISP that you better pay up for a business line or your shit's getting canceled asap

They're also selling slow and fast internet. That's also multiple tiers. I think you don't understand the argument behind net neutrality.

Protonmail is pozzed

ur mom is pozzed

No retard, reloading != restarting. The webserver will still serve requests while it's reloading.

yes, if you don't have any experience or if you aren't willing to do a lot of homework.


But you can compose your mail with an editor, use GnuPG to encrypt it and then just copypasta the ciphertext into your webmail

Speaking from experience, you'll have to read a FUCK TON of documentation. Maybe mailinabox is easier to setup, I did postfix+dovecot and I needed to read a lot of things. MTAs are really complicated pieces of software.