Steven M Jones wrote: > For home I use SA, Spamhaus' Zen RBL, and a greylisting milter with > sendmail as the underlying MTA. Works pretty darned well.
I imagine that the already small population of geeky people who ran mail servers for personal use has gotten even smaller. It used to be the best reason to run your own server was to retain control and have mail received at a domain you control. Over the last decade spam has gotten worse (or at least leveled off from a significant volume), while mail hosting has gotten a bit better and cheaper. Now you can find lots of providers that do an OK job hosting a domain you control for little money, if not free. Unless you have some specialized needs, it is hard to justify the effort to keep up with spam filtering tech. One remaining use case for self-hosting is privacy. Any time you outsource your data to the cloud, you're relying on people you don't know to implement security, and resist social engineering exploits. Plus, recent court cases have suggested that in some cases the government can consider mail stored in the cloud as abandoned if it has been read and is more than 90 days old, and thereby access it without a warrant or notice. (I don't have the link to the article handy, but I'm sure someone can dig it up.) So it could still be valuable to have a self-hosted server to receive financial correspondence and to use as an email contact on the countless services that will gladly reveal your password (or reset it) for anyone who can receive (or intercept) your email. Has anyone tried implementing a home mail setup that forgoes all the spam filtering and simply limits access to a manually controlled whitelist of clients? Obviously the challenge is determining who a client is, with IP address, as guided by SPF, being the likely choice. Though what about clients that don't use SPF? The very type of senders you'll want to receive mail from, like large banks, are notoriously bad at making use of "new" tech, like SPF. (They even have a tendency to outsource their mail to 3rd parties that send it using the provider's servers and domains. Great way to train your customers to ignore important signs that a message might be a phishing attempt.) Is it time for SMTP 2.0? (That's a metaphorical 2.0.) I used to scoff at the impracticality of the various schemes proposed in the 1990's to secure SMTP with PKI and other similar tech. What good does knowing who a sender is if you don't know whether that sender is someone you want to hear from or a spammer? And email was often used as a point of first contact, where putting up barriers between you and the sender would defeat the purpose. But in a more constrained and controlled environment where you've accepted that your mail server doesn't open its door to any and all senders, does it makes sense to have some sort of "SMTP 2.0" protocol and only speak to senders that use SMTP 2.0? (Practically speaking there would be a long transition period, so you'd have to use some sort of whitelisting scheme in parallel.) Even if SMTP 2.0 was widely adopted, this would likely mean refusing mail from sites like gmail.com that send massive amounts of mail on behalf of third parties, with a whitelist to permit only specific senders from gmail.com. John Miller wrote: > Any new shared-hash solutions like Razor? I'm curious about that as well, but I don't think the cost/benefit is there. It takes enough effort to implement such a system that it won't be widely adopted unless there is a substantial upside. The same could be said for "SMTP 2.0." -Tom -- Tom Metro Venture Logic, Newton, MA, USA "Enterprise solutions through open source." Professional Profile: http://tmetro.venturelogic.com/ _______________________________________________ bblisa mailing list [email protected] http://www.bblisa.org/mailman/listinfo/bblisa
