Tech How-To Article

Proton, a company that provides privacy-focused online services, hired Katie to write a blog post that would be a value-add for tech-savvy readers. Katie used her technical knowledge plus additional research to write “How to set up a private email server” and to mock up graphics for the piece. The post supports the wider tech and privacy community, creating positive branding for the company.

How to set up a private email server

Setting up your own private email server puts your email infrastructure under your control.

This can be great for privacy since it cuts out big email service providers like Gmail and Microsoft Outlook, which can access and misuse your data. On the other hand, if you don’t set up and maintain your email server correctly, you put yourself at serious risk of security or deliverability issues.

There is a third option beyond using Big Tech companies or creating your own email server: Use a privacy-focused email provider. Proton Mail preserves your privacy with end-to-end encryption, while also applying the latest technology to keep your email reliable, fast, and safe from attacks. 

We’ll cover some of the alternatives to hosting your own email server toward the bottom of this article. But if you do decide you want to take the DIY path, this article explains how to set up your personal email server step by step.

What is a private email server?
Advantages and disadvantages
How to set up a personal email server
Alternatives to setting up a personal email server
How Proton Mail gives you better privacy and reliability
Appendix: Email systems comparison

What is a private email server?

A private email server is a system of computer hardware and software for sending, receiving, and storing emails, operated by an individual. The “private” in “private email server” simply refers to the fact that you own it. You can buy email server hardware and software at any number of tech stores. In a later section, we’ll cover the option of renting server space.

If it’s just for your personal use, your email server only needs a small amount of RAM and 20 GB of storage. This means you could even use a dedicated laptop if you don’t want to pay for more advanced hardware.

Advantages of setting up a private email server

There are advantages to setting up your own private email server.

  • The major advantage is that you bypass the big email service providers like Gmail and Microsoft Outlook. That means you protect your email data from being mined for ad targeting, training AI, or any other uses Big Tech companies decide they want to try down the road. You also cut out the risk that they will give your email data to government agencies or any other third parties.

  • There are other advantages apart from protecting your data from Big Tech. By setting up your own private email server, you can tightly control and limit the network the server is connected to, decreasing your attack surface.

  • You can also encrypt the entire device in case someone physically seizes it.

Disadvantages of setting up a private email server

There are significant disadvantages to setting up your own private email server.

  • First, it requires a certain level of technical knowledge. If you don’t already know how to configure servers and secure them, you’ll need to invest a significant amount of time to learn from trusted sources. There are many how-to sites on the internet that do not have your best interests at heart or simply get things wrong.

  • Second, setting up your own secure mail server takes dedication and ongoing work. You need to stay up to date on the latest threats, security advisories, and any available patches. You need to monitor your server for hardware and software problems that could result in data loss or less than 100% uptime.

  • Third, if your server malfunctions or needs to be repaired, you will temporarily, or maybe even permanently, lose access to your emails. While relying on only one server may reduce the target area for attacks, it does increase the likelihood and impact of infrastructure failure. Even if you have a backup server, you can run into major trouble.

  • Fourth, email deliverability will depend on the uptime of your ISP and network connection to them. Lose internet connectivity for a week due to a bad storm? You will almost certainly lose some emails forever in this situation. Many ISPs also block outgoing traffic on port 25 for residential customers as a spam-prevention measure. This port is used to send outgoing email via SMTP, and without it you will not be able to host a residential email server at all.

  • Fifth, you will have to allow the entire internet to connect to your mail server on port 25 (the default SMTP port) if you want to receive email from everyone. This opens up a host of security risks to your server but also to your home network in general. Enabling mobile email access from your phone will require opening yet more ports to the outside world. If you are not very familiar with firewalls this can severely compromise your home network’s security and that of any attached devices.

  • Sixth, both IP and domain reputation matter for email deliverability, and IP reputation in particular is difficult to build with low email volume and for known residential IP ranges. Much of your outgoing email may go to spam, at least initially, or be rejected outright.

  • And finally, having a private email server in your own home may not be the safest physical location for it. While you may have more control over it physically, storing it in a residence introduces new risks, including theft, fire, flooding, curious pets, and rowdy kids.

How to set up a personal email server

Below are the broad steps for how to host your own email server. You should make a detailed plan for each step before you start the project. 

Buy hardware

As we mentioned in an earlier section, you can get by with just a low-spec computer with a small amount of RAM and at least 10 or 20 GB of available storage. However, if you’re setting up an email server for a whole organization, you will probably need hardware with greater capacity. Consider purchasing a rack or tower server.

Keep in mind that your hardware will need to be compatible with your operating system, which will need to be compatible with the email server software you plan to use.

Get a static IP address with unblocked SMTP ports

You cannot use a regular residential IP address for your email server. These are typically blacklisted by other email servers, which acts as a kind of firewall against infected home computers spewing viruses.

Contact your internet service provider to purchase a plan that comes with a static, public IP address that is not blacklisted. Make sure the IP address comes with unblocked SMTP ports, since those are the ports you need to run an email server.

Purchase and set up a domain

Go to a site that sells domains and pick out one you like. Your custom email domain is what appears at the end of your email address (unless you use a proxy) so choose carefully. Your email address will look something like hello@exampledomain.com.

Once you have purchased the domain, you will be required to register it. If you do not want your personal data to be visible in the public WHOIS database, you can use a WHOIS privacy service. Most sites that sell domains offer this service. They will put their own contact information in the public registry as a proxy for yours.

Next, you need to activate a DNS service. Most sites that sell domains also offer DNS service, but you might want to set this up through a separate provider so that a single compromise cannot bring down both your domain and your DNS. Once you have a DNS provider, fill in the DNS records for your domain: A, MX, TXT, and PTR records. Be sure to publish SPF, DKIM, and DMARC as TXT records to prevent email spoofing.
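As an added example (not from the original post or any provider's software), here is a small Python helper that builds the SPF, DKIM and DMARC TXT values for a domain and lints them for the weak settings that leave a domain spoofable; the domain, IP address, selector and key string are constructed placeholders.

```python
"""Build the SPF, DKIM and DMARC TXT records a mail domain needs and flag weak settings.
Added example; the domain, IP address, selector and key string used are constructed placeholders."""

def build_records(domain, mail_ip, selector, dkim_pubkey_b64, report_addr):
    """Return {record_name: txt_value} for the three anti-spoofing records.
    PTR is deliberately absent: it lives in the reverse zone of whoever owns the IP,
    so you request it from your ISP or hosting provider rather than your DNS host."""
    return {
        domain: f"v=spf1 ip4:{mail_ip} -all",  # only this host may send; hard-fail the rest
        f"{selector}._domainkey.{domain}": f"v=DKIM1; k=rsa; p={dkim_pubkey_b64}",
        f"_dmarc.{domain}": f"v=DMARC1; p=reject; rua=mailto:{report_addr}; adkim=s; aspf=s",
    }

def split_txt(value, limit=255):
    """One TXT string holds at most 255 bytes, so a 2048-bit DKIM key is published
    as several quoted chunks that resolvers join back together."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def lint_spf(txt):
    """Return the problems that would let anyone send as this domain."""
    if not txt.startswith("v=spf1"):
        return ["not an SPF record"]
    terms = txt.split()[1:]
    last = terms[-1] if terms else ""
    if last in ("+all", "all", "?all"):
        return [f"'{last}' lets any host send as this domain"]
    if last not in ("-all", "~all"):
        return ["no terminal '-all'; unlisted hosts are not rejected"]
    return []

def lint_dmarc(txt):
    """Return the problems with a DMARC policy string."""
    tags = {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in txt.split(";") if "=" in t)}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p")
    if policy is None:
        issues.append("missing p= policy tag")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address; you will never see aggregate reports")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return issues
```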

Obtain a TLS certificate

The TLS certificate is what allows you to encrypt your emails as they are transferred over the internet. Of course, this does not mean they are encrypted while they are on servers (and they will visit a lot of servers on the way across the internet to their intended recipient).

This certificate cannot be self-signed. If it is, other email servers will reject emails coming from yours. You must get a valid TLS certificate from a Certificate Authority such as Let’s Encrypt and ensure that it remains valid over time.

Choose email server software

Now that you have the network basics set up, it is time to pick the email server software you want to use.

There are three general roles of email server software: Mail User Agent (MUA), Mail Delivery Agent (MDA), and Mail Transfer Agent (MTA). Some software packages handle all three roles, some software packages cover parts of different roles, and some software packages only provide a few of the services included in one role. It is up to you to mix and match your email server software, depending on what fits your needs best.

Mail User Agent (MUA)

A Mail User Agent is the software that provides the user interface for emails. It is also called an email client or an email reader. Examples include Thunderbird, Airmail, and Outlook. The mail user agent can be a device-based application and/or a web-based application.

Depending on the software you choose, you will need to configure it based on your needs. Pay special attention to privacy and security configurations.

Mail Delivery Agent (MDA)

A Mail Delivery Agent, or the message delivery agent, is what delivers the email message into a local inbox. Typically you can configure it to use the POP protocol or the IMAP protocol for fetching emails. IMAP is usually preferred because it allows managing and organizing a single mailbox from multiple devices.

If your private email server has very limited storage, you may want to opt for POP since it takes up less space (the emails are stored on the MUA on the user’s device rather than on the server).

Examples of software that cover the Mail Delivery Agent role include Dovecot, Qpopper, Courier, and Cyrus IMAP.

Mail Transfer Agent (MTA)

A Mail Transfer Agent, also called “mail relay”, sends emails out using SMTP (Simple Mail Transfer Protocol). When you are configuring your SMTP parameters, consider limiting your banner so you are not broadcasting details about your system or identification.

As you set up your MTA, make sure the DKIM, SPF, and DMARC records are configured correctly in DNS, and that for DKIM the corresponding signing key is installed correctly in your MTA. You may have to go back to your DNS settings to manually update the TXT records with the data created by your software’s DKIM, SPF, and DMARC functions. This is critical to making sure your outgoing emails are not rejected as spam by recipient servers.

Examples of software that cover the Mail Transfer Agent role include Postfix and Exim.
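As an added example (not Postfix's or Proton's code), this Python script audits a Postfix main.cf for the points above: a minimal SMTP banner, TLS enabled on the inbound SMTP port, a DKIM-signing milter configured, and no open relay. The parameter names are real Postfix parameters; the two sample configurations, mail.example.com, and the assumed OpenDKIM listener on localhost:8891 are constructed.

```python
"""Audit a Postfix main.cf for the MTA settings this section calls out.
Added example; parameter names are real Postfix parameters, the sample
configurations and mail.example.com are constructed."""

def parse_main_cf(text):
    """main.cf is 'name = value' per line; '#' starts a comment, an indented line continues the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()  # continuation line
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def audit_main_cf(text):
    """Return a list of findings; an empty list means every check passed."""
    p = parse_main_cf(text)
    findings = []
    banner = p.get("smtpd_banner", "$myhostname ESMTP $mail_name")  # Postfix default names the software
    if "$mail_name" in banner or "$mail_version" in banner:
        findings.append("smtpd_banner advertises the software; use '$myhostname ESMTP'")
    if p.get("smtpd_tls_security_level", "none") in ("", "none"):
        findings.append("smtpd_tls_security_level=none: inbound SMTP is plaintext only")
    if not p.get("smtpd_milters"):
        findings.append("smtpd_milters unset: nothing will DKIM-sign outgoing mail")
    relay = p.get("smtpd_relay_restrictions", "defer_unauth_destination")  # modern default blocks relaying
    if "unauth_destination" not in relay:
        findings.append("smtpd_relay_restrictions never blocks unauthorised relaying (open relay)")
    return findings

WEAK_CF = """\
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_tls_security_level = none
smtpd_relay_restrictions = permit
"""
HARDENED_CF = """\
myhostname = mail.example.com
smtpd_banner = $myhostname ESMTP
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_security_level = may
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    defer_unauth_destination
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
"""
```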

Install spam filter and virus protection

If none of your email server software comes with a spam filter or virus protection, you need to add those to your email server.

Examples of spam filters are programs like SpamAssassin or Rspamd.

For an example of a virus protection program, you can check out ClamAV.

Alternatives to setting up a private email server

If the above sounds too involved for you, there are some alternatives to setting up a personal email server that require far less technical expertise and investment.

Renting from a hosting provider

You can rent a private email server from a hosting provider. This does not mean you rent the hardware to bring home. You rent the use of a server, often located in a warehouse full of stacks of servers. If you can (although often you are not given this level of transparency), make sure to pick a hosting provider that has strong physical security at its warehouse and is in a country with good privacy laws.

The benefit of renting an email server is that it can eliminate some of the work on your end. For example, it is likely that the server provider already has a business-level IP address and unblocked ports ready to go for your email server.  

If you’re renting from a full-service hosting provider, they can do all the setup and maintenance for you, across the board.

One downside to all this, of course, is that you lose some control. For example, if a problem comes up with your email server’s IP address, you will not be able to address it with the internet service provider; only the server provider who owns the ISP account will be able to do that.

The biggest downside, though, is that most hosting providers do not provide end-to-end encryption of your emails. Like a landlord, the hosting provider gives you a lock, but they keep a copy of the key. This presents a similar disadvantage as using Big Tech email service providers.

Using a secure email provider

If you want to leave all the technical implementation to experts while also having your email data encrypted on servers at all times, the best alternative is an end-to-end encrypted email provider.

With end-to-end encryption, your emails are secured using your recipient’s public key on your device itself, before anything is even uploaded to an email server. This means no one else (other than your recipient) has access to your data at any point, including your email provider. Even if there were a data breach or the government legally forces the provider to turn over data, all they will see is ciphertext that they cannot decipher.

How Proton Mail gives you better privacy and reliability

Proton Mail is the largest encrypted email provider in the world. When we launched Proton Mail in 2014, we set out to solve many of the problems email self-hosting attempts to address: data ownership, privacy, and freedom from Big Tech surveillance.

Specifically, Proton Mail offers a unique combination of benefits you can’t get by self-hosting or using any other email provider:

  • End-to-end encryption — As discussed above, Proton Mail encrypts your data on your device before sending it to our servers, so we can’t see your messages or attachments.

  • Zero-access encryption — When someone emails you from a non-private email server, such as Gmail, we encrypt the message immediately using your public key, so only you can decrypt it. Learn more about zero-access encryption.

  • Swiss privacy — Proton is based in Switzerland, so your data is protected by some of the world’s strongest privacy laws. We are not subject to US or EU legal jurisdiction.

  • Reliability — Our service level agreement guarantees 99.95% uptime, which is among the best available. Additionally, we create multiple backups of your files in geographically separated data centers, so even if there were a natural disaster, you will not lose any data.

  • Advanced security — Proton Mail uses many layers of security to protect your inbox, starting with your account security all the way to the physical security of the servers we own and operate. Your Proton Account comes with multiple tools to defend against hackers, and we’ve implemented state-of-the-art encryption techniques, such as elliptic curve cryptography. Learn more about Proton Mail security.

  • Transparency — Unlike many Big Tech email providers, all our code is open source and independently audited by security experts. As scientists, we believe in transparency and peer review.

Finally, Proton is community-supported. We make money from subscriptions, not advertising, so our only obligation is to protect your data and provide you with high-quality service. As over 100 million people have created Proton Accounts, we have expanded our services to include calendar, cloud storage, VPN, and password manager — all part of our mission to create an internet where privacy is the default.

It’s free to sign up and start using all these services, and it only takes a few seconds. Create an account to get started.

Appendix: Email systems comparison

Below are three diagrams illustrating the way data is handled in different email systems. The first shows how Big Tech companies easily access your data. The second shows Proton Mail’s implementation, which encrypts email messages locally before sending them to the server. And the third depicts a typical private email server setup, which preserves privacy at the expense of security because emails are not end-to-end encrypted by default.
