
I do this. It's not easy, but it's not as bad as most of the comments here would lead you to believe. If you have the wherewithal to run things on a server it's definitely within reach, albeit probably not a cost-effective way to spend your time.

Let me make a few recommendations. I'm not a sysadmin by trade but I know a few things you can do that will improve your lot in life running mail.

- Postfix and Dovecot. They have the right combination of ease of use, power and security. Don't overconfigure; try to get it working with basic settings first and then evolve it towards what you dream of rather than setting out to configure it that way first.

- SPF and DKIM. I have no trouble getting messages to Gmail and I think this is part of why.

- Make sure your hosting provider is not huge and very high quality. I chose RootBSD because they're small but highly technical. If you have a lot of spare cash, iNetU are quite good and sometimes help with FreeBSD. The larger or crappier the host is, the more likely you'll wind up in blacklisted IP space. (BSD hosting companies tend to be smaller and more technical, and BSD is great software, so I'd recommend that if you're interested.) Getting off a blacklist isn't a lot of fun and it's not hard to wind up on one, but I find being on a discriminating host is a good preventative measure.

- Rely on IMAP. If you want webmail, try and find one that is really just an IMAP frontend. I tried and liked Roundcube a while back; these days I have IMAP clients everywhere so I don't know what the new hot stuff is, but IMAP is fantastic.

- I strongly recommend you get an account with DNSReport.com. Their software can detect most of the DNS problems you can get yourself into that wreak havoc with mail. Odds are good you'll be doing a lot more DNS than before; it's a great tool to have in the toolbox.

- Stay on top of your security updates. I recommend running sshguard and whatever other security software/IDS/firewall type stuff you can stand. Make sure you're not giving out a bunch of shell accounts with root on this server. Seems obvious, but people forget or get lazy. FreeBSD will email you a security message every day; if something like that isn't coming your way, consider trying to set it up. It tells me, among other things, who tried to log into the server, how many times they failed, what their IP was, and lots of other stuff.

There are a number of nice upsides to running your own mail server.

- Email can be hooked up to the database various ways.

- Automatic emailing for free (keep an eye on it).

- Scripted email handling for free (Procmail etc).

- Get system-generated messages emailed (Nagios/monit etc., login/sudo failures, etc.)

- Advanced forwarding/wildcard accounts.

Anyway, I hope you do give it a shot despite the nay-saying. Cost-effective? No, but it's a blast, and many of the upsides would be hard to replicate with Gmail. Of course the web mail UI will be worse. Tradeoffs.



+1 for this.

I've run my own mail server for 15 years, since I got my first permanent connection. I host on the end of it as I have a large distrust of "the cloud".

It is cost effective for me as it has increased my merchantable skill portfolio. I've ended up designing some mail systems (50k+ users) for some large ISPs in the past thanks to my accumulated knowledge.

Debian is probably the easiest to get off the ground - it's pretty much "sudo aptitude install postfix dovecot" and follow the instructions. I was a FreeBSD user but primarily due to apathy, I tend to use Debian.

This is about to change however, when FreeBSD supports the Raspberry Pi, as it's a much lower memory and power footprint device so some of FreeBSD's simplifications and optimisations will assist there.

For me, a Raspberry Pi with a 32 gig SD card plugged into my 12Mbit connection will suffice for the 18 users and 5 domains via IMAP that are currently being hosted on a much larger machine. Cost to me: $40-50. No brainer.


32GB of storage satisfies 18 users? That surprises me. I have 5GB in one mailbox and I'm not much of an e-mail hoarder. Also, what do you do for backups? Do you have offsite backups? How do you search your email? How do you filter spam? What about calendars, shared contacts, and internal document storage? Do you have multi-factor auth and application-specific passwords? Google Apps has a ton of features and it's reliable. Not to mention, it's cheap. Unless your time is worth very little, setting-up and maintaining your own mail server is going to cost a lot more.

People use e-mail constantly. It's important. $50 per person per year isn't a blip on the radar. Do you know how much money you'll lose if your 18 users can't access their mail for an hour? Now consider how much time they'll spend setting up their own mail clients instead of using Gmail. Think of the increased time and frustration waiting for searches to finish. Think of the extra time they'll spend deleting spam. You're paying a lot more than $40-50 for that mail server, but the real cost is obscured from you.

It's a no-brainer: skimping on email hosting is simply not worthwhile.


Our biggest mailbox is 200mb. Pretty much everything gets deleted or moved out of the mail system. It's not a file system. If you think it is, you're doing it wrong.

Backups: tar and gzip daily, then scp to a friend's server in another country. Also take manual backups to encrypted USB stick weekly which I carry around on me at all times.

Searching: you only have to search it if you have lots of it. I have 9 messages in my maildir. I receive perhaps 20-30 messages a day. No problems - they all fit on the screen. If it's worth keeping, it goes as a ticket/wiki entry or in the hg repo as a document.

Spam: get one or two a week per user. Just delete by hand at the moment. People who use IMAP use their mail client's spam filtering stuff. If it gets problematic I'll probably install a filter.

Calendars/contacts: both in mercurial in agenda format (plain text, one line per event or contact). Very easy to manage and share. Have you tried keeping a central address book/calendar accurate using any other method?

I know how much we'll lose without email which is why it is where it is :) About 2m from me most of the time.

Cost? I've spent 20 minutes on admin this year. Everything is automated.

I'm not skimping, I'm making sure we do it right so we don't need all the tooling and features. To be honest, google is too cheap to be good if you ask me and their reputation shows regularly with outages and problems.


I can appreciate that for most people this is not a decision. But for technically inclined people who want to learn this stuff, there's no reason to talk them out of it. Is it substantial work? Yeah, but so is running a web server or a database and those are also critical IT components that have a lot of niggling details.

There are lots of reasons to not use Gmail. Maybe $50/year is a lot for you. Maybe your needs are modest. Maybe you want the knowledge and experience of running mail. Maybe you want or need to interface your other components with mail. Maybe you don't like the rest of Google Apps. Maybe you hate the Gmail interface. Ultimately, most people will choose Gmail despite whichever of those reasons might apply. There's no need to turn a technical decision into a dogmatic one.


Do you mind sharing which instructions or guides you follow in setting up the mail server? I would love to play with this stuff in my free time.


I am failing to see what the big stink is about "giving up one's privacy" when using "the cloud." Yes, there are some shady providers that might put their hands in the cookie jar at their convenience. That sucks. Google isn't one of those providers, though. What advantage would they gain from reading people's mail at a whim?

Regardless, one's privacy is already compromised the moment they sign up for Internet service; that information can be made available to the right people after one subpoena.


Google is one of those providers:

http://searchengineland.com/google-fired-two-employees-for-b...

http://www.wired.com/threatlevel/2010/01/operation-aurora/

http://readwrite.com/2010/09/27/googles_second_transparency_...

Google read your email and use it to throw targeted ads at you.

There is a fine line between profiling, tracking and analysing communications and utilising that data for something nefarious. The only deciding factor on how far it goes is cash.


Quick dumb question about the Raspberry Pi: What do y'all do with the board itself as far as a case? I mean, are most of you just letting it sit on a shelf or something (it's so dang small anyway)? I've seen a few plastic cases floating around and they seem like the only option really (outside of just building a simple wood box and screwing it to the wall...)


I've thought about doing this. Last time I tried to set up a mail server on a cheap VPS I didn't have enough memory, ClamAV was the biggest culprit. But I think the new 512 RPis would work quite well.


You don't need that much memory if you're setting up a simple IMAP server; you could probably do it on a super cheap instance on AWS, Rackspace or similar.


TBH we don't use AV on the server. Tend to do it on the client machines or not at all if it's a Linux machine (mutt).


I ran my own email server at home for many years, but in the end I switched to Gmail/Google Apps about two years ago since

- I kept a mostly "if it works don't break it" approach, but about once a year there'd be some alert about security issues with some specific software and I'd run an "aptitude update". Invariably it'd update the packages out of order, libc would get screwed up, and I'd have to reinstall the whole server.

- I could never get the spam filtering up to snuff. I had daily auto-training spam+ham folders etc set up, the works, but I'd always get a few spam messages in my inbox, and a handful of false positives. Used SPF but it had to be softfail since some friends/relatives I visit have ISPs that have blocked SMTP ports aside from their own relay.

- My fault, but I ran a forwarding address for a friend, and I got blocked by my ISP since it forwarded some spam messages that got flagged.

- I don't feel properly equipped to deal with backups. (sure you can set up an rsync to somewhere else [that you have to pay for], but you also want to keep monitoring that they're good, test restores, etc)

Easily worth $50/year for me to not have to think about it.

edit: forgot the biggest reason I switched: I got an iPhone, and iOS doesn't do push email over IMAP. Gmail supports Exchange, and there's no way I'm going to be hosting that myself...
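
The SPF recommendation earlier in the thread and the softfail remark above both come down to how a receiver evaluates the sender's TXT record. The following is an added example for this thread, not code from any of the posters: a minimal RFC 7208 evaluator run against a constructed in-memory DNS table. The zone data, domain names and addresses are made up; a real checker resolves TXT/A/MX over DNS. Only ip4, ip6, a, mx, include and all are implemented, which is what most small mail domains publish; the redirect=/exp= modifiers are rejected as permerror.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed in-memory DNS table.
Added example for this thread, not code from any poster. Zone data below is
made up; a real checker resolves TXT/A/MX over DNS."""
import ipaddress

# Constructed zone data: name -> record type -> values
ZONE = {
    "example.org": {
        "txt": ["v=spf1 a mx ip4:203.0.113.0/24 include:_spf.relay.example -all"],
        "a": ["198.51.100.7"],
        "mx": ["mail.example.org"],
    },
    "mail.example.org": {"a": ["198.51.100.8"]},
    "_spf.relay.example": {"txt": ["v=spf1 ip6:2001:db8::/32 ~all"]},
    # A softfail record like the one described above: unknown senders are marked, not rejected
    "softfail.example": {"txt": ["v=spf1 ip4:192.0.2.1 ~all"]},
}

MAX_DNS_MECHS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms per check
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return ZONE.get(name, {}).get(rtype, [])


def ip_in(ip, cidr):
    try:
        return ip in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def check_host(ip, domain, _budget=None):
    """Evaluate SPF for a connecting IP and MAIL FROM domain.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if _budget is None:
        _budget = [MAX_DNS_MECHS]          # shared across include: recursion
    ip = ipaddress.ip_address(ip)
    records = [t for t in lookup(domain, "txt") if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"                 # two SPF records is a hard error
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER_RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip.version == 4 and ip_in(ip, arg)
        elif mech == "ip6":
            matched = ip.version == 6 and ip_in(ip, arg)
        elif mech in ("a", "mx", "include"):
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"         # lookup limit exceeded (loop protection)
            target = arg or domain
            if mech == "a":
                matched = str(ip) in lookup(target, "a")
            elif mech == "mx":
                matched = any(str(ip) in lookup(mx, "a") for mx in lookup(target, "mx"))
            else:
                # include: matches only if the referenced policy itself yields "pass"
                matched = check_host(ip, target, _budget) == "pass"
        else:
            return "permerror"             # unknown mechanism or unsupported modifier
        if matched:
            return QUALIFIER_RESULT[qual]
    return "neutral"                       # nothing matched and no "all" term


if __name__ == "__main__":
    for sender, domain in [("203.0.113.45", "example.org"), ("192.0.2.1", "example.org"),
                           ("2001:db8::1", "example.org"), ("192.0.2.9", "softfail.example")]:
        print(f"{sender:>14} via {domain}: {check_host(sender, domain)}")
```

The difference between "-all" and "~all" is visible in the last two cases: the same unknown sender gets "fail" from example.org but only "softfail" from softfail.example, which is why a softfail policy never gets a message rejected outright on SPF alone.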


Yeah, this exactly mirrors my experience. I used to run my own mailserver, but it'd kill about 2 days a year for me with server problems.

I earn more than $25 per day, therefore $50 per year for mail hosting is worth it!


I kept a mostly "if it works don't break it" approach, but about once a year there'd be some alert about security issues with some specific software and I'd run an "aptitude update". Invariably it'd update the packages out of order, libc would get screwed up, and I'd have to reinstall the whole server.

What distribution are you using? I've never had this happen, though for important servers I tend to use Debian stable. I would be shocked if it happened on stable.


Ran into the same issues years ago (though this was only for myself and a couple family members). Didn't think I'd get myself blacklisted so easily. You really need to be up to par on spam filtering etc. Gapps is quite elegant for my needs most of the time.


For those in Europe, Hetzner do excellent FreeBSD dedicated servers. They are based in Germany. They have a server auction for older hardware as well where you can get decent dedicated servers for just over 20 euros per month.


I've done this and I'd recommend getting rDNS set up if you can, on top of your SPF and DKIM, though it sounds like maybe it's not entirely necessary.

I ran a Linksys NSLU2 as my mail server for a few years, with a USB stick as its storage. With Debian Linux with Dovecot, Postfix, spamassassin, and the Spamhaus DNSBLs set up I managed to keep the signal to noise ratio pretty damn high too.

It was fun, and remarkably not hard.



+1 to rDNS. Very important.
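
The two checks behind the DNSBL and rDNS advice above, as an added example that is not code from any poster in the thread: a Spamhaus-style DNSBL lookup and a forward-confirmed reverse DNS (FCrDNS) check, the same test the big receivers run against your own server's IP. DNS answers come from a constructed table; the list zone, hostnames and addresses are made up. Replace resolve() with real queries (for example via dnspython) to use it against live DNS.

```python
"""DNSBL lookup and forward-confirmed reverse DNS (FCrDNS) for a connecting IP.
Added example, not from any poster in the thread. DNS answers are a
constructed table; zone, hostnames and addresses are made up."""
import ipaddress

# Constructed DNS answers: (name, type) -> values
FAKE_DNS = {
    # Listed in the blocklist zone: reversed octets of 192.0.2.66, answer 127.0.0.2
    ("66.2.0.192.bl.dnsbl.example", "A"): ["127.0.0.2"],
    # Host whose PTR resolves back to itself (FCrDNS passes)
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.good.example"],
    ("mail.good.example", "A"): ["203.0.113.10"],
    # Host whose PTR names a hostname that points elsewhere (FCrDNS fails)
    ("11.113.0.203.in-addr.arpa", "PTR"): ["mail.spoofed.example"],
    ("mail.spoofed.example", "A"): ["198.51.100.5"],
}
BLOCKLIST_ZONE = "bl.dnsbl.example"   # hypothetical list name


def resolve(name, rtype):
    return FAKE_DNS.get((name.rstrip("."), rtype), [])


def dnsbl_name(ip, zone):
    """Query name for a DNSBL: address labels reversed, then the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        label = ".".join(reversed(str(addr).split(".")))
    else:
        # IPv6 lists use every nibble of the fully expanded address, reversed
        label = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{label}.{zone}"


def dnsbl_check(ip, zone=BLOCKLIST_ZONE):
    """Return the list's 127.x.y.z return code, or None when not listed.
    Only 127.0.0.0/8 answers count; anything else is a broken or dead list."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    for answer in resolve(dnsbl_name(ip, zone), "A"):
        if ipaddress.ip_address(answer) in loopback:
            return answer
    return None


def fcrdns(ip):
    """Forward-confirmed rDNS: a PTR name counts only if its A record
    resolves back to the connecting IP. Returns that name or None."""
    ptr_name = ipaddress.ip_address(ip).reverse_pointer
    for host in resolve(ptr_name, "PTR"):
        if ip in resolve(host, "A"):
            return host
    return None


def classify(ip):
    """Policy a small server might apply at SMTP connect time."""
    if dnsbl_check(ip):
        return "reject"            # 5xx: listed sender
    if fcrdns(ip) is None:
        return "defer"             # 4xx: no confirmed rDNS, make the client retry
    return "accept"


if __name__ == "__main__":
    for ip in ("192.0.2.66", "203.0.113.10", "203.0.113.11"):
        print(ip, dnsbl_name(ip, BLOCKLIST_ZONE), dnsbl_check(ip), fcrdns(ip), classify(ip))
```

Run this the other way round against your own outbound IP: if fcrdns() would return None for it, many receivers will defer or score you up before SPF and DKIM are even looked at.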


Do you still need to worry about SSH brute force attacks if you disable password-based login?


If you only support public key or two factor authentication you won't need to worry about brute force attacks. Most SSH brute force attacks are dictionary based using common usernames.


You only have to worry about them anyway if you have crappy passwords or stupid users.


Ah, ok. Thanks.

(I ask because I'm still trying to get an idea of just how vulnerable your garden-variety server is, user stupidity aside)


You'll most likely be ok. The main attack vector is a chunk of regularly used usernames and a small selection of passwords. These are quite successful against shared hosting where password quality is hard to control properly.

If you've got a "garden variety" server with a strong password, I wouldn't worry.

I've got a laptop slung on the end of my ADSL line that has had literally millions of attempts.

If you are worried, you can install fail2ban which will block repeated attacks at the firewall level.
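
What fail2ban and sshguard actually do with those millions of attempts is a sliding-window count per source, then a firewall insert. The following is an added example, not fail2ban's own code: the detection half, run over a constructed auth.log excerpt. The log lines are made up; the threshold and window default to fail2ban's usual maxretry=5 and findtime=10 minutes. The per-source summary is the kind of thing the FreeBSD daily security mail mentioned at the top of the thread reports.

```python
"""Sliding-window SSH brute-force detection over sshd log lines.
Added example, not fail2ban's or sshguard's code. Log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt: one dictionary attack and one legitimate user
SAMPLE_LOG = """\
Mar 14 02:10:01 mx sshd[4121]: Failed password for invalid user mysql from 198.51.100.23 port 51122 ssh2
Mar 14 02:10:03 mx sshd[4123]: Failed password for invalid user oracle from 198.51.100.23 port 51130 ssh2
Mar 14 02:10:04 mx sshd[4125]: Failed password for root from 198.51.100.23 port 51141 ssh2
Mar 14 02:10:06 mx sshd[4127]: Invalid user admin from 198.51.100.23 port 51150
Mar 14 02:10:07 mx sshd[4127]: Failed password for invalid user admin from 198.51.100.23 port 51150 ssh2
Mar 14 02:10:09 mx sshd[4129]: Failed password for invalid user test from 198.51.100.23 port 51160 ssh2
Mar 14 02:11:00 mx sshd[4131]: Failed password for alice from 203.0.113.7 port 40000 ssh2
Mar 14 02:11:30 mx sshd[4133]: Accepted publickey for alice from 203.0.113.7 port 40002 ssh2
Mar 14 02:40:00 mx sshd[4140]: Failed password for alice from 203.0.113.7 port 40010 ssh2
Mar 14 02:55:00 mx sshd[4142]: Failed password for alice from 203.0.113.7 port 40012 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(text, year=2013):
    """Yield (timestamp, ip, user) for every failed-password line.
    Syslog omits the year, so the caller supplies it."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def failures_by_ip(text):
    """Per-source summary: (failure count, sorted usernames tried)."""
    summary = defaultdict(lambda: [0, set()])
    for _ts, ip, user in parse_failures(text):
        summary[ip][0] += 1
        summary[ip][1].add(user)
    return {ip: (count, sorted(users)) for ip, (count, users) in summary.items()}


def find_bans(text, maxretry=5, window_seconds=600):
    """Return {ip: time_of_ban} for sources with >= maxretry failures inside
    any window_seconds-long span. Failures spread out over hours never trip
    it, which is why the forgetful legitimate user below stays unbanned."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    bans = {}
    for ts, ip, _user in parse_failures(text):
        if ip in bans:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts                  # here fail2ban would insert the firewall rule
    return bans


if __name__ == "__main__":
    for ip, (count, users) in failures_by_ip(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures, users tried: {', '.join(users)}")
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when.time()}")
```

Note the "Invalid user admin" line is deliberately not counted: only "Failed password" lines are, so a scanner that probes usernames without ever sending a password shows up in the summary only once it tries to authenticate. With the defaults the attacker is banned on its fifth failure at 02:10:09 while the user with three scattered failures over 45 minutes is left alone.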


Virtually all SSH attacks are of the nature mysql:mysql or mysql:password, so you should be safe as long as you can trust your users not to be stupid. The attackers prefer quantity over quality when looking for targets.

And if you use SSH keys you should be totally safe.

Remember to apply security fixes though since the automatic attacks also probe for ancient versions of SSH servers.


If you're worried about ssh brute force or just don't like all the noise in your logs, moving the port tends to drop off about 95% of them. In addition, running iptables tarpit rules (or your OS equivalent) tends to kill the rest fairly quickly.


Annoyingly I did this once and then promptly forgot the port number, resulting in nmap time :(


I put info like this in a password manager for sanity (Keepass, I work on a PC).

One easy way to manage it is to make a folder for each hostname, and add things like mysql root password, ssh port, public IP, private IP as different entries relating to all aspects of managing the host.


Yes I use keepassx as well now :)


I've been using sshguard, but I like the sound of these.



