After trying a few different CLI mail clients---mutt/neomutt, s-nail, etc.---I've come to love the approach of mblaze[0], _i.e._ just a collection of commands to interact with maildirs, which can be separately managed by OfflineIMAP or whatever.
I'm curious how mblaze+offlineimap compares to other similar setups: nmh[1], fdm[2], and getmail.
Started running my own email server about 10 years ago for essentially this use case. Every entity I need to give an address to gets a unique, randomly-generated one. I figured this would let me spot the leaks.
After roughly 1000 addresses handed out, surpisingly only two sources end up receiving spam: 1) addresses that I've posted on public forums, and 2) the address I use for patches to GNU software.
>Every entity I need to give an address to gets a unique, randomly-generated one. I figured this would let me spot the leaks.
I do the same, except I don't use a randomly generated address. Rather, I use something that identifies who it is. e.g., if I had a relationship with Tesla, the email address would be 'tesla@myemaildomain'.
What (if anything) is the advantage of using a randomly generated email address over the scheme I use?
N.B., I'm not dissing your strategy at all. I do exactly the same. I'm just curious about the "randomly generated" bit.
When I started, I wanted the addresses to look as innocuous as possible in order to avoid unnecessary explanations. Filling out paperwork that people hand inspect is one case where that can cause issues. I have also heard of people getting filtered as potential spam accounts when the email address matches the service name or whatnot.
Anyway, I just use pwgen to generate plausible-looking addresses: pwgen -A0 10 1. They often look like realistic abbreviations of names.
Not the parent commenter, but I've encountered “people from the counterparty organization get confused and wonder whether you're part of it too / pretending to be part of it too”. This can be mitigated with some obscuring transformation.
> I do the same, except I don't use a randomly generated address. Rather, I use something that identifies who it is. e.g., if I had a relationship with Tesla, the email address would be 'tesla@myemaildomain'.
>
I almost use the methodology except I add ramdom characters at the end. Tesla.ahcdk@domain.com
Reasoning is that its most likely if you have tesla@ you will have facebook@ tesco@. When adding characters you can filter on the . + 4 characters
The real value of this, IMHO, is that it makes it much harder to match you against services and in ad platforms. Hashing email addresses is the primary way user data is exchanged.
I cannot thank you enough for your contributions to GNU.
I always use the dingleberry subdomain that goes nowhere, except when an actual human interviense. Goes straight to the bitbucket, and 1 out of 10 gets a pervue to see if I need to add the source to my reject list which my ISP keeps peeking into for changes to their reject list.
> surpisingly only two sources end up receiving spam
Quite a few of mine get junk:
* A couple that have been subject to leeks or hacks, that I haven't got around to changing yet (linked-in for example)
* A fair few were given to businesses that are no longer in operation (hosting providers, online stores) who presumably sold their contacts databases to make a few pennies before finally closing up
* Also some junk senders seem to have worked out that the sub-domain I use for the per-entity addresses is a catch-all, I need to address that at some point.
> Also some junk senders seem to have worked out that the sub-domain I use for the per-entity addresses is a catch-all, I need to address that at some point.
I’ve recently been the target of many attempts to hijack my gmail account, including even phone calls with live agents impersonating google “security team”. Successfully hijacking my gmail address could be catastrophic for me and others I assume.
Anyway I was wondering if self hosting an email server might allow for a security layer for those of us sophisticated enough. Especially if we own our own domain. Ideally my email address with access to financial services would have 2FA to both read and send emails for example. Don’t even think there are clients or protocols but perhaps with self hosting this can be rigged up with various tricks like port security opening only with a 2FA message.
I’d be curious what other perspective on this issue is.
It's a decent amount of upkeep and cost, but I get paid do it for a bunch of clients who desire this for their companies and have my own which is humming along great. If you go the route of a script to set everything up I found iredmail to be the most mature and reliable solution, even if the upgrade path is super manual at least it gives you a chance to know at what point things went wrong rather than having to pour over logs to fix something broken that is running in production. It also pairs nicely with open source failover solutions and if you need enterprise support they're extremely responsive. Bonus points for getting it working with your phone for backups of contacts, calendar and notes with CalDAV or whatever to really decouple yourself from cloud services with shady terms (I had to pay for an app on my phone for this to really work, but it works great). Setting your whole mailserver up manually is also an option , but be prepared to sink like a month of time into learning how the hell to do that. This is technology from the 1970s with a ton to get it working in the modern world after all.
Just be wary that you'll have to upgrade kinda often. I keep subscribed to github alerts for iredmail as they're really prompt about notifying their customers when they need to patch security holes.
A perspective I've read on this (Granted, this was at least 5 years ago) was that it was paradoxically much harder to compromise a Google account than it is to hijack a domain from many registrars. I read an account by someone who had a custom domain and the attacker had social-engineered the registrar into allowing him access, then he proceeded to update the MX, directing the email into the attacker's server.
This probably varies from one registrar to the next, and hopefully all have stepped up their game somewhat since that time, but it left an impression on me and caused me to update a lot of my accounts to my Gmail. Obviously, nobody is going to be able to call into a customer service desk and talk them into updating the gmail.com MX record, so for someone to illicitly gain access to mail sent to <me>@gmail.com either I have to be pwned myself (leaked a credential somehow) or there has to be a global 0-day exploit affecting it. In the latter case I am personally willing to bet that mine would not be the first one (or even in the top 10 million) accounts that the hackers would try, so I sleep pretty well.
I thought from the headline this was about _sending_ email right from the terminal, and I thought, well that's easy, just telnet to sendmail on port 25 and say HELO.
Readit News
I'm curious how mblaze+offlineimap compares to other similar setups: nmh[1], fdm[2], and getmail.
[0]:https://github.com/leahneukirchen/mblaze
[1]:https://www.nongnu.org/nmh/
[2]:https://github.com/nicm/fdm
https://sr.ht/~rakoo/omail/
or its spiritual successors based on notmuch
https://aerc-mail.org/
After roughly 1000 addresses handed out, surpisingly only two sources end up receiving spam: 1) addresses that I've posted on public forums, and 2) the address I use for patches to GNU software.
I do the same, except I don't use a randomly generated address. Rather, I use something that identifies who it is. e.g., if I had a relationship with Tesla, the email address would be 'tesla@myemaildomain'.
What (if anything) is the advantage of using a randomly generated email address over the scheme I use?
N.B., I'm not dissing your strategy at all. I do exactly the same. I'm just curious about the "randomly generated" bit.
Anyway, I just use pwgen to generate plausible-looking addresses: pwgen -A0 10 1. They often look like realistic abbreviations of names.
Reasoning is that its most likely if you have tesla@ you will have facebook@ tesco@. When adding characters you can filter on the . + 4 characters
I always use the dingleberry subdomain that goes nowhere, except when an actual human interviense. Goes straight to the bitbucket, and 1 out of 10 gets a pervue to see if I need to add the source to my reject list which my ISP keeps peeking into for changes to their reject list.
It forwards received emails to my main mailbox with added header telling me source email with note about where I used that address.
that way I discovered few sites that were bought by some entity and that sold my email to some crypto 3rd party
2. are you able to reply to the email?
Quite a few of mine get junk:
* A couple that have been subject to leeks or hacks, that I haven't got around to changing yet (linked-in for example)
* A fair few were given to businesses that are no longer in operation (hosting providers, online stores) who presumably sold their contacts databases to make a few pennies before finally closing up
* Also some junk senders seem to have worked out that the sub-domain I use for the per-entity addresses is a catch-all, I need to address that at some point.
Could you elaborate how you'd address that?
Anyway I was wondering if self hosting an email server might allow for a security layer for those of us sophisticated enough. Especially if we own our own domain. Ideally my email address with access to financial services would have 2FA to both read and send emails for example. Don’t even think there are clients or protocols but perhaps with self hosting this can be rigged up with various tricks like port security opening only with a 2FA message.
I’d be curious what other perspective on this issue is.
Just be wary that you'll have to upgrade kinda often. I keep subscribed to github alerts for iredmail as they're really prompt about notifying their customers when they need to patch security holes.
This probably varies from one registrar to the next, and hopefully all have stepped up their game somewhat since that time, but it left an impression on me and caused me to update a lot of my accounts to my Gmail. Obviously, nobody is going to be able to call into a customer service desk and talk them into updating the gmail.com MX record, so for someone to illicitly gain access to mail sent to <me>@gmail.com either I have to be pwned myself (leaked a credential somehow) or there has to be a global 0-day exploit affecting it. In the latter case I am personally willing to bet that mine would not be the first one (or even in the top 10 million) accounts that the hackers would try, so I sleep pretty well.
Too bad you can't do the same with phone numbers.
I think there are some HN to NNTP bridges available.