[ale] Why Run your own email server?

DJ-Pfulio DJPfulio at jdpfu.com
Thu Sep 29 14:31:28 EDT 2016


SSL that is dependent on external CAs is badly broken. Multiple CAs have
been caught violating trust over the decades.

Browser-based encryption using JavaScript is broken (it must be) too.
JavaScript implementations appear to be so broken as to be unfixable.

If you want secure email content, use a thick client and something like
gpg. Know that email headers are NOT encrypted and cannot be, so choose
simple subjects ... like the phishers do.  Got one today - "Receipt
02534-118823" ... went straight to the Junk. Got about 20 yesterday -
many with exactly the same subject/content, just to different "spammy"
email accounts used for training.



On 09/29/2016 01:41 PM, Dustin Priest wrote:
> Speaking of SSL and mail transmission... Anyone here tried running
> Darkmail yet? It's coming from Ladar Levison of Lavabit and, according
> to the specifications, does end-to-end encryption that includes
> metadata. Supposedly it's "back" compatible with SMTP as well. I've not
> looked at it in a while but it caught my interest after all the legal
> drama surrounding Lavabit and the Snowden leaks.
> 
> On 9/29/2016 1:21 PM, George P. Burdell wrote:
>> Anybody who has actually run their own mail servers for a while knows
>> how much of a tremendous chore it is just to keep your mail from being
>> blacklisted.   Most major providers will, if one person acts up in
>> your datacenter and you're not at some enormous facility with a name
>> brand, simply ban the entire netblock.   They don't care about
>> collateral damage.   I even get mail server admins who block my Google
>> Business email ... and that's a PAYING space, and ergo one of the
>> least polluted netblocks for spam on the entire internet.
>>
>> Oh yea, you can still do your own mail server.  But why on Earth would
>> you want to?   How much money is your time worth?   How valuable are
>> your emails?   How much does it cost you if an important one doesn't
>> make it?   And I say that as a card carrying member of the EFF who has
>> more than a passing distaste for the surveillance state we have
>> become.   The NSA didn't kill private email servers ... spam did.
>>
>> It also doesn't help that pretty much every stand alone mail client is
>> varying degrees of unsatisfactory (at least for my multi-account
>> needs).   Opera Mail was PERFECT.  And they killed it.   
>>
>> And we'll assume for the sake of argument that spam filtering isn't a
>> problem and there are tremendous mail clients available.    That
>> doesn't fix that the overwhelming majority of email traffic goes over
>> in clear text, and the NSA will almost certainly see and record it in
>> transit with their strategy of putting snooping stations just upstream
>> (up-pipe?) from major people of interest like Google.   If one day all
>> email is traversing over SSL, Alex's idea will be the simplest way to
>> defend your privacy without signing up for the headache of running
>> your own mail server.
>>
>> On Thu, Sep 29, 2016 at 12:01 PM, Alex Carver
>> <agcarver+ale at acarver.net> wrote:
>>
>>     On 2016-09-29 02:30, DJ-Pfulio wrote:
>>     > Even client/lawyer communications aren't safe from DHS prying:
>>     >
>>     >
>>     http://www.homelandsecuritynewswire.com/dr20160927-feds-we-can-read-all-your-email-and-you-ll-never-know
>>
>>     Yes, this is why I run my own server and download my free email
>>     services (gmail, etc.) to my local hard drive on a regular basis
>>     (deleting the server side copies after download).
>>

