[Advice needed] Self-hosted Mail Server

Hey Ballers!

I’m looking for some advice regarding setting up a self hosted mail server.

I’ve been with Pavin over at Mailcheap for nearly a year now for my family’s emails but am finding his control panel to be a complete pain in the arse to use (sorry!!!) for large numbers of accounts. MXRoute is also in use across a number of my domains but because of lack of GDPR compliance, I’m limited by which domains I can use there.

Self-hosting is definitely on the table, but I’d like to hear some experiences about inbound spam, outbound delivery and how relay MX servers work. I accept that this will be a learning curve and that it will take time to tune filters to an acceptable level.

Inbound spam - is SpamAssassin sufficient or will I be looking at a mixture of tools to get a spam-free inbox?

Outbound delivery - these domains send < 500 emails per month combined. I have my own, clean and unused /24 which I guess will be my first port of call for outbound, but is it worth looking at balancing across my /24, MailChannels, Sendgrid, Mailgun etc?

Relay MX - is this a case of failover based on DNS priority? When the relay receives an email does it continuously try to redeliver to primary? Is my understanding completely borked?

Thanks for any help you can offer!

SpamAssassin, Pyzor, Razor, DCC

I route important domains through Amazon SES, everything else (mails sent from PHP, notifications…) goes directly. Saves me the hassle of dealing with shitty solutions (I think it was McAfee I had problems with) which are extremely trigger-happy and will flat out refuse your emails for no reason.

You don’t need that. Even if your primary MX is hard down, the sending mail server will attempt to retry sending at least several times.


Wouldn’t it be easier to get yourself a reseller hosting plan just to handle the email? Pretty much as setting up Mxroute.com email.
This way let someone else worry about all that.

@Jarland I’ve been thinking about this MXroute <> GDPR thingy, but for someone liek @JackHadrill there’s really no implication as you would delete all his info anway (in terms of domains etc…) just not his account.
So his family details (or let’s say clients) would be safe in terms of GDPR as @JackHadrill could delete the data himself.

Does this make sense to anyone? or just me?..

MXroute is a Data Processor in terms of client data. Let’s say I’m a web designer or MSP who offers MXroute-based mail hosting - that also makes me a Data Processor. And my clients are Data Controllers.

I as a Data Processor cannot use non compliant Data Subprocessors, as that would make me personally responsible for this violation.

Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.

Thing is, unless Mxroute actively seeks to withhold the data, they really have no processes in place to withhold it because its not MXroute who manages the domains MXroute is processing email for. So in practical terms they only hold their direct client information (name, address, etc), being that client the web designer, not his clients. Actually Mxroute haves no clue who this web designer clients are (name, address, etc).

You think it makes no difference? probably doesnt…

MXroute holds client data though - they store the emails.

And it’s the webdesigner’s responsibility to ensure the hosting platform he uses is GDPR compliant, therefore the webdesigner can’t use MXroute, which is not GDPR compliant.

Yeah, that’s what GDPR says… just looking into understanding if there was some grey area. Guess not.
What a clusterf…

Come on. Its not that hard to be compliant. Its a hassle to write the policies which I have not yet done for MXroute.io. Just delete the clients data, export billing info prior to delete clients data. Including: Client area account, email accounts, backups. Done.

Btw Jack, in case you are interested in MailChannels, happy to open an exception for ya for a 5k emails plan for 30EUR/yr. MailChannels will be GDPR compliant in the 25th May, and we already have a Dedicated EU Relay as well if you do not want to transmit your data to the US.

I guess it depends on what sort of company you are. Small and new companies should have no problems complying with GDPR. The big ones are struggling quite a lot.

Fun fact, it seems like no part of my government is going to be GDPR compliant on 25th May.

Think I should clear a few things up…

I want to self host my family email because that’s not mission critical and will provide me with a good, low volume/low risk learning experience. This is as much about learning as it is about looking after my data. I have a BuyVM reseller account that I use for a number of things but somewhat understandably have delivery issues with Gmail and Outlook.

Thanks @Miguel, unfortunately I’d be looking for something that had a lower cost of entry. I think in this case, MXRoute.io is perhaps too good for my needs. I need a solution that will let me learn about mail routing, and not just a one stop shop that I can setup and ignore :frowning:

Will look into these, thanks!

Will take a look at their pricing - PayG I assume?

Fantastic, thanks! This is a relief. I guess secondary MX’s primary use case would be in case of planned downtime and allowing for migration of stuff etc.

Slightly off topic, having spoken to @Jarland and reading some of his comments on various threads, I completely understand his reluctance to align to laws that don’t apply in his own country. In my opinion, this would be analogous to an EU company not wanting to comply with the US’s DMCA act. I imagine that there would be policies that are in place that do overlap. But there are a hell of a lot of countries in this world, and aligning to the laws of each of them would be a massive undertaking with several contradictions. It would just not work. MXRoute(.com) is non-GDPR compliant and THAT IS FINE. This is my take on the situation for anyone landing on this thread that thinks I’m shitting on MXRoute’s non-compliance. I’m not, they’re just not the right fit for the few domains that I need GDPR compliance under. MXRoute is a great service, and I have three yearly/biyearly packages with them and will be renewing when the time comes.


Big thank you to @FHR, you’ve given me some things to think about!

1 Like

Yes. I sent 50 emails including few megs of attachments through SES this month and owe Amazon $0.03, which they don’t charge. (I think they start charging your credit card at around $0.15 to $0.25 bill)

You’re welcome!

It actually depends on what sort of data you process, not the company size.

Can also do 2k for 20 EUR per year, and that’d be a great promo, since we no longer offer those. :stuck_out_tongue:
But, should you decide to do it without any sort of delivery providers, I’m more than glad to help you out whenever you need help.

That’s true. However if you are a large company with a ton of internal processes, auditing everything and every department to make sure everything is done according to the GDPR can be a royal pain in the ass.

The technology also differs. For example, small company is unlikely going to be using tape storage for backups. Complying with the “right to be forgotten” if you store years worth of backups on tapes is going to be difficult.

Correct, but it also depends on what you store.

E.g: financial data in Portugal can’t be deleted for 10 years.
Now, ADN results, criminal details, etc, it’s a whole different thing.

Yeah, that’s exactly why everything has to be audited. I think the 10 year fiscal data retention requirement is sort-of consistent across EU, as it’s the same in Czechia.

Yeah I think so…

10 years is really long, only need to keep financial records for 5 years over here.

Speaking of mandatory data retention, how do you do it with WHMCS? I presume you just export it to some accounting software?