The few who know that I personally host my own email servers in-house always seem to be baffled as to why. Common responses are “what do you have to hide” or “why bother, Gmail is so easy.” Well, not that I have anything to hide, but my basic principle on all things technology is that I like to own my own data. Furthermore, with laws like the ECPA, with rules as highlighted below, you should see why.
In its current form, ECPA protects emails from government snooping for 180 days. When the law was initially drawn up in 1986, email providers routinely removed emails from their servers a month or two after they were delivered; users would generally download the messages they intended to keep. Whatever remains on an email server after 180 days is fair game for government to access, with just a subpoena—not a warrant.
I highly doubt the day will ever come that my email records need to be searched. However, I want to be notified and have some control over the process. Who knows if Gmail will even notify you when handing over documents. But as long as government agencies are specifically requesting warrantless searches, I will host my own data for as long as I can.
“The FTC claims to be a champion of consumer privacy, yet the agency wants access to Americans’ data without a warrant,” said Berin Szoka, president of TechFreedom, a technology think tank. “The Commission’s testimony today confirms long-standing rumors that it will only support ECPA reform if it gets a carve-out from the bill’s warrant requirement.”
Now I will say this: for any of you who are not too familiar with running an email server of any flavor, it’s hard — really hard. There are many caveats that come with running your own email server. You will be the sysadmin, and the only one at that. You are responsible for the maintenance and updates of your machine; applying critical updates (especially security ones) is, well, critical. Also, if you screw up and your server is compromised, you could end up with a blacklisted domain. If that happens, say good-bye to ever using your domain for email again.
Another thing to consider if you are going to run your own personal server is the physical location. If you use a VPS or shared environment you are only as secure as the people who own the box. Also, in the above case I am fairly certain the request would still go to the VPS company. If you run your machine at home, you need to take physical security into account. Power, network security, disk encryption, as well as SSL are all important things to ensure you know your way around.
I won’t go into much detail on my setup, but you can find a few tutorials here and here on how to run your own email server. Here is a quick idea of what I did, though, to give you an idea of what to do outside of the tutorials listed.
First, my machines are rack mount servers locked in a server rack located in an interior office in my house on its own AC unit with dedicated power and failover uplinks (internet). When I say locked, I mean locked… The servers are locked into the rack, the rack is locked on all sides, the rack is bolted to the ground.
Second, I actually use a two-part email system. The first is Sophos UTM with Email Protection. Sophos is not only a great firewall, but its Email Protection suite adds a ton of security features for filtering, threat protection, and one of my favorites — automatic encryption. This acts as my gateway to my email server. All email traffic (and the emails themselves) has to pass through this box before it reaches my email server. Once the Sophos machine has given its blessing, then and only then will it pass it on to my email server.
Third, I lock down how to access my emails — as tight as I can. What I mean by this is that while I do use Roundcube as my web-based email client, it is only available inside my private network. Furthermore, IMAP and other ports are not open, which means that accessing your email on a smartphone is not quite as easy. This may be a bit over the top, but I require a VPN connection first to access my email.
Fourth, I don’t play around with WiFi security! My network uses dedicated HP ProCurve access points that are secured via WPA2 that require individualized credentials.
Lastly, I keep an eye on traffic… Nothing too crazy, but I have monitors in my office that show network stats and performance. I use PRTG Network Monitor for individual server performance and Observium for overall network performance. PRTG is good about keeping a history of usage, so if a server all of a sudden has a lot of extra traffic I can investigate.
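The access policy from the third point (SMTP reaches the gateway, while IMAP and webmail stay behind the VPN) can be verified from a vantage point outside the network. The script below is an added example, not part of the original post; the port lists, the placeholder host `mail.example.org` and the function names are assumptions made for illustration.

```python
import socket
import sys

# Assumed policy, derived from the post: only SMTP is reachable from the
# internet (through the mail gateway); everything used to read or submit
# mail is VPN-only. Adjust both tables to your own setup.
EXPECTED_OPEN = {25: "smtp"}
EXPECTED_CLOSED = {
    80: "webmail-http", 110: "pop3", 143: "imap", 443: "webmail-https",
    465: "smtps", 587: "submission", 993: "imaps", 995: "pop3s",
}

def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unresolvable
        return False

def audit_exposure(host, probe=tcp_probe):
    """Compare reachable ports with the policy and return the deviations.

    Each finding is a (port, service, message) tuple; an empty list means
    the external view matches the intended lockdown.
    """
    findings = []
    for port, name in sorted(EXPECTED_OPEN.items()):
        if not probe(host, port):
            findings.append((port, name, "expected open but unreachable"))
    for port, name in sorted(EXPECTED_CLOSED.items()):
        if probe(host, port):
            findings.append((port, name, "exposed, should be VPN-only"))
    return findings

if __name__ == "__main__":
    # Run this from outside the home network and without the VPN connected.
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"  # placeholder
    results = audit_exposure(target)
    for port, name, message in results:
        print(f"{target}:{port} ({name}): {message}")
    sys.exit(1 if results else 0)
```

Scheduling it from an external host and alerting on a non-zero exit code catches a firewall rule that was opened for testing and never closed again.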
This may all seem very over the top, and I will agree that for a few users in a home network it probably is. However, it has been a great learning experience for me. Everything I have built around my network I did myself; I researched and made sure I did it the right way. I have learned more with hands-on experience in an environment where I can mess things up and start over than I ever did in a school lab or at work.
If you want to read the full article from which the excerpts were taken, you can do so here: Agencies Say They Need Access to Americans’ Emails Without a Warrant.