Email or username:

Password:

Forgot your password?
Stefano Marinelli

**BSD Mail Project Update!**

Hello everyone! I wanted to share some exciting updates about the development of BSD Mail, our privacy-focused email service designed with robustness, security, and transparency in mind. Here’s a deep dive into the technical choices I've made, focusing on my use of open source solutions and open protocols:

🌍 **Servers & Location**

- We're running on two physical servers:
- One hosted by OVH in France
- Another by Hetzner in Germany
- Both servers operate on FreeBSD with NVMe drives in a ZFS mirror configuration for speed and data integrity.

🔒 **Virtualization & Security**

- We utilize jails on both servers to ensure isolated environments for different services, managed via BastilleBSD. On one server, jails are set up directly on the hardware, whereas the other server employs nested jails.
- Each server hosts a bhyve VM running OpenBSD with OpenSMTPD for handling SMTP duties securely.

🔗 **Networking**

- A Wireguard setup connects the two servers, facilitating routing capabilities so that jails and VMs can communicate seamlessly, supporting both IPv4 and IPv6.

📧 **Email Services**

- **Dovecot** is configured for maildir replication across the servers using Dovecot sync, ensuring email availability and redundancy.
- **Rspamd** instances are tied to local KeyDB jails, set up in master-master replication for consistent and reliable spam detection and greylisting.
- **ClamAV** runs in corresponding jails for virus scanning, maintaining a high level of security.
- **SOGo** provides a web interface for email management, connected to MySQL databases in master-master replication to handle sessions and authentication smoothly.

💾 **Data Management**

- Email data is stored on separate, encrypted ZFS datasets to secure emails at rest.
- MySQL databases are used for storing credentials and managing sessions for SOGo, also in a master-master replication setup. Importantly, all passwords are securely hashed using bcrypt, ensuring they are salted and safe.

🔎 **Monitoring & Reliability**

- Our DNS is managed through BunnyNet, which continuously monitors our server status. Should one server—or a specific service—become unavailable, DNS configurations are dynamically adjusted to avoid directing users to the affected IP until full service is restored.

🌐 **Commitment to Open Source and Open Protocols**

- Every component of BSD Mail is built exclusively using open source software and open protocols. This commitment is crucial for ensuring data freedom and the reliability of the solutions we use.

This setup not only emphasizes our commitment to privacy and security but also our dedication to maintaining an open and transparent platform.
We're excited to bring you a service where your privacy, data integrity, and freedom are prioritized. Stay tuned for more updates!

#BSDMail #OpenSource #Privacy #FreeBSD #OpenBSD #EmailHosting #Email

11 comments
Kohan Ikin

@stefano If your focus is privacy & security, I'm not sure #Hetzner would be my choice.

Hetzner is known for collaborating with the Russian government to interfere with sites (see the Wiki page for more info, under "Incidents"):

en.wikipedia.org/wiki/Hetzner#

Hetzner also host the AfD website:

social.lyratris.com/@tfunken/1

Consider if the people with physical access to your servers can be trusted!

That said, I genuinely wish you well, and I apologize for being a "reply guy". Good luck for the project!

@stefano If your focus is privacy & security, I'm not sure #Hetzner would be my choice.

Hetzner is known for collaborating with the Russian government to interfere with sites (see the Wiki page for more info, under "Incidents"):

en.wikipedia.org/wiki/Hetzner#

Hetzner also host the AfD website:

Stefano Marinelli

@kohan Thank you for the comment and the links!
The choice of Hetzner stems from having another not too expensive provider (at least for the initial part) on a platform where I already have some other servers. I don't exclude the possibility of moving to another European provider in the future (due to GDPR regulations, it's easier for me to stay in Europe).
However, I always want to use bare metal servers; I don't want to rely on shared 'cloud' storage for data.
Do you have any suggestions regarding this?

Kohan Ikin

@stefano Unfortunately I don't have a good alternative suggestion! Bare metal is definitely wise and staying in Europe certainly makes sense for regulations, but I don't actually know who I could recommend. (I even see malicious traffic here coming from OVH.) Your knowledge will be way ahead of me on technical hosting details.

Ugh, sorry for bringing you a problem without bringing a solution! I need to do more research myself.

But I love to see more BSD being used, yay!

Stefano Marinelli

@kohan Don't worry, I'm glad to read your observations about it. Some of the events described in the links you sent me were not known to me, and I would like to understand the philosophy of each provider I deal with well. Thank you!

d4gli

@kohan @stefano how does it make this Hoster a “bad Hoster” from a technical perspective just because of hosting the AFD website? How does it make it a bad hoster by working together with the laws by lawful interceptions (which more or less every provider in the EU does)?

Kohan Ikin

@d4gli @stefano I'm pretty sure Russia isn't an EU member, so I don't believe those were legal intercepts (in the same way that Australian government takedown notices are ignored in the EU, understandably).

However! It's possible I have misunderstood the culture of BSD Cafe. Apologies for my intrusion!

Stefano Marinelli

@kohan @d4gli The culture of BSD Cafe is that of free exchange of ideas and opinions, for everyone's mutual growth. For me, your contribution has been incredibly valuable, and you're always welcome here!

d4gli

@kohan @stefano wow, judging a whole community by a post of a user who’s not the same opinion.

Go Up