Why I Host My Own Email

The few who know that I personally host my own email servers in house always seem to be baffled as to why. Common responses are “what do you have to hide” or “why bother, Gmail is so easy.” Well, it’s not that I have anything to hide, but my basic principle on all things technology is that I like to own my own data. Furthermore, with laws like the ECPA and rules like the one highlighted below, you should see why.

In its current form, ECPA protects emails from government snooping for 180 days. When the law was initially drawn up in 1986, email providers routinely removed emails from their servers a month or two after they were delivered; users would generally download the messages they intended to keep. Whatever remains on an email server after 180 days is fair game for government to access, with just a subpoena—not a warrant.

I highly doubt the day will ever come that my email records need to be searched. However, I want to be notified and have some control over the process. Who knows if Gmail will even notify you when handing over documents. But as long as government agencies are specifically requesting warrantless searches, I will host my own data for as long as I can.

“The FTC claims to be a champion of consumer privacy, yet the agency wants access to Americans’ data without a warrant,” said Berin Szoka, president of TechFreedom, a technology think tank. “The Commission’s testimony today confirms long-standing rumors that it will only support ECPA reform if it gets a carve-out from the bill’s warrant requirement.”

Now I will say this: for any of you who are not too familiar with running an email server of any flavor, it’s hard — really hard. There are many caveats that come with running your own email server. You will be the sysadmin, and the only one at that. You are responsible for the maintenance and updates of your machine, and applying critical updates (especially security ones) is, well, critical. Also, if you screw up and your server is compromised you could end up with a blacklisted domain. If that happens, say good-bye to ever using your domain for email again.

Another thing to consider if you are going to run your own personal server is the physical location. If you use a VPS or shared environment you are only as secure as the people who own the box. Also, in the above case I am fairly certain the request would still go to the VPS company. If you run your machine at home, you need to take physical security into account. Power, network security, disk encryption, as well as SSL are all important things to ensure you know your way around.

I won’t go into much detail on my setup, but you can find a few tutorials here and here on how to run your own email server. Here is a quick idea of what I did, though, to give you an idea of what to do outside of the tutorials listed.

First, my machines are rack mount servers locked in a server rack located in an interior office in my house on its own AC unit with dedicated power and failover uplinks (internet). When I say locked, I mean locked… The servers are locked into the rack, the rack is locked on all sides, and the rack is bolted to the ground.

Second, I actually use a two part email system. The first is Sophos UTM with Email Protection. Sophos is not only a great firewall, but its Email Protection suite adds a ton of security features for filtering, threat protection, and one of my favorites — automatic encryption. This acts as my gateway to my email server. All email traffic (and the emails themselves) has to pass through this box before it reaches my email server. Once the Sophos machine has given its blessing, then and only then will it pass it on to my email server.

Third, I lock down how to access my emails — as tight as I can. What I mean by this is that while I do use Roundcube as my web-based email client, it is only available inside my private network. Furthermore, IMAP and other ports are not open, which means that accessing your email on a smartphone is not quite as easy. This may be a bit over the top, but I require a VPN connection first to access my email.

Fourth, I don’t play around with WiFi security! My network uses dedicated HP ProCurve access points that are secured via WPA2 that require individualized credentials.

Lastly, I keep an eye on traffic… Nothing too crazy, but I have monitors in my office that show network stats and performance. I use PRTG Network Monitor for individual server performance and Observium for overall network performance. PRTG is good about keeping a history of usage, so if a server all of a sudden has a lot of extra traffic I can investigate.

This may all seem very over the top, and I will agree for a few users in a home network it probably is. However, it has been a great learning experience for me. Everything I have built around my network I did myself, I researched and made sure I did it the right way. I have learned more with hands-on experience in an environment where I can mess things up and start over than I ever did in a school lab or at work.

If you want to read the full article from which the excerpts were taken, you can do so here: Agencies Say They Need Access to Americans’ Emails Without a Warrant.

Labor Day Weekend at Lake Mead

It’s been a while since I have really gotten into photography. However, I was able to snap a few photos of the lake at sunrise one morning with my girlfriend’s Canon 5D. I wish I had a tripod, but for handheld and quick post work they didn’t turn out so bad.

Why I Cannot Stand Technology Forums

Why are so many people in the technology world so unhelpful and well, an asshole? It never fails that when I need to search for an answer Google will serve me up some forum where someone else has asked the same question. However, I always see some kind of response that is totally useless and does not help with the problem the person who asked the question is facing.

Take for example the screenshot above; the original question was how to send messages to the z/OS console. Now I don’t know what the original person was going for when they asked, but after I read two of these in a row I just hit the back button. Now, I know why I wanted to send messages to the console and I don’t believe it is a really bad idea. I am in the process of building a virtual tape robot that monitors a dedicated console for mount commands. I wanted to be able to send certain commands to the robot via the console.

My point is larger though: people should be more engaged and helpful if they are going to be on forums dedicated to helping people. This is particularly bad in the mainframe world, where older, more seasoned users either completely dismiss the idea, or tell them to go ask someone in their shop if they don’t know. This makes it incredibly hard for the younger generation to learn the mainframe.

My suggestion: If you think it’s a terrible idea, fine. However, at least ask why the person is doing it. Just because it’s not the way you would do it, doesn’t make it terrible. I think my personal favorite that still makes me cringe thinking about it was “If you don’t know, you shouldn’t be asking” …yeah, that’s helpful.



I have struggled for quite a while finding the perfect way to track my To-Do list. There are numerous apps out there to help you be the most productive. However, one app that I have found that sticks out in the crowd for me is Todoist. This app has been around for a while now, but over the past year or so it has really come along as a powerful tool that I now use exclusively for tracking my To-Do list.

It’s available on almost every platform, with plenty of plugins for Gmail, Thunderbird, Outlook, and Chrome. Todoist is feature rich, with options such as recurring tasks that are set in plain English (“every friday” for example) as well as sub-tasks, dependencies, syncing, projects, and sub-projects.

Here is the catch: while it is free for the most part, it is $30 to get the premium version of the app. Unfortunately, if you want things such as notifications or reminders via email or push, you have to have a premium account. You also get things such as labels and filters; I use the labels on all of my tasks to help me sort through them. The only thing I find completely useless, though I am sure some people like it, is the “karma” rating which tracks your productivity. I guess it’s really more of a motivational tool, but I pretty much ignore it.

Adding New DASD to z/OS in Hercules

If you are running any of the ADCD distributions in Hercules, you should probably add your own DASD. The reason I say this is you should keep the stuff you create separate from the default distribution. This way, if you upgrade your ADCD version, your data isn’t lost along with it.

Note: I am going to assume if you are running z/OS on Hercules or anything other than IBM licensed hardware that you somehow were able to get a licensed version legally and you are abiding by that license.

Step One: Create a new DASD disk with the “dasdinit” command; I recommend using some sort of compression unless your machine is prone to power failures. The way to do this is to run the following command: “dasdinit -a <filename> <dasdtype> <serial>.” So if I wanted to create a 3390 device with the serial USR001, here is what I would issue: “dasdinit -a usr001.cckd 3390 USR001”, which will create a compressed DASD file. Just for your reference, I will also list the different 3390 types and their approximate space.

3390 – 1113 cylinders (~946 MB)
3390-2 – 2226 cylinders (~1.9 GB)
3390-3 – 3339 cylinders (~2.85 GB)
3390-9 – 10017 cylinders (~8.5 GB)
3390-27 – 32760 cylinders (~27.8 GB)
3390-54 – 65520 cylinders (~60 GB)

Step Two: Add the new DASD to your Hercules configuration file. Example: <addr> 3390-54 /path/to/usr001.cckd

Step Three: Once you have restarted your Mainframe (yes, you could also use the attach command) take the device offline in your Hercules console by issuing the following two commands: “v <addr>,offline” and then “s dealloc.”

Step Four: initialize the DASD with JCL


Make sure to update the <addr> to the hardware address you assigned, the <serial> to the serial you set, the <user> to the owner/group, and the <totalcyl> to how much you want to allocate to the VTOC. I recommend for this that you set the total cylinders to the total amount of the DASD you created. For instance, a 3390-3 device would have 3339 cylinders and a 3390-9 device would have 10,017.

Step Five: Watch the z/OS console and make sure to reply U to the alter volume confirmation. If you are not familiar with how to reply to requests in the console it may be confusing at first, but it’s actually pretty simple. It should give you a request number; say the request number is 04, you would reply like this: “r 04,u” and make sure to note the space between “r” and “04.”

Step Six: Bring the device back online and mount it by issuing two commands. The first is “v <addr>,online” and the second is “m <addr>,vol=(sl,<serial>),use=<class>” where class can be PRIVATE, PUBLIC, or STORAGE. Most will be STORAGE, but here is a quick rundown of what they mean:

  • PRIVATE = New datasets will be created only if the VOLSER is specified

  • PUBLIC = Temporary datasets or specified datasets

  • STORAGE = Any dataset that is not specified

Step Seven: Modify the VATLIST so the volumes will be mounted at IPL. Look in your PARMLIB for something like VATLST00 and make the required edits. Note: this is a mainframe file so the column positions are important!

  • Columns 1-6…: Volume serial

  • Column 8…..: Just use 0

  • Column 10….: Use attribute – STORAGE = 0, PUBLIC = 1, PRIVATE = 2

  • Columns 12-19.: Device type

  • Column 21….: Mount if volume is not present during IPL

  • Columns 23-71.: Comments
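Because the dasdinit command, the Hercules configuration line and the VATLST record all have to agree on the same serial and device type, here is an added shell script (my own example, not from the original post) that builds all three from one set of values and validates the volser, the 3390 model and the fixed VATLST columns before anything is written. It assumes the dasdinit syntax, the config-line layout and the column positions are exactly as the steps above describe; the address 0A90 and volser USR001 are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the original post. It produces the three things the
# steps above ask for (the dasdinit command, the Hercules config line and the
# VATLST record) from one set of values, and validates them first. Assumptions:
# the dasdinit syntax, config-line layout and VATLST columns are as the post gives
# them; the address 0A90 and volser USR001 used below are constructed samples.

# Cylinder counts for the 3390 models listed in the post (use for <totalcyl>).
dasd_cylinders() {
    case "$1" in
        3390)    echo 1113 ;;
        3390-2)  echo 2226 ;;
        3390-3)  echo 3339 ;;
        3390-9)  echo 10017 ;;
        3390-27) echo 32760 ;;
        3390-54) echo 65520 ;;
        *)       return 1 ;;
    esac
}

# A volume serial is one to six characters: upper-case letters, digits,
# the national characters @ # $ or a hyphen. Catch mistakes here rather than
# in ICKDSF output later.
valid_volser() {
    chars='ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@#$-'
    case "$1" in
        ''|*[!$chars]*) return 1 ;;
    esac
    [ ${#1} -le 6 ]
}

# Use attribute exactly as column 10 of the VATLST wants it.
use_attribute() {
    case "$1" in
        STORAGE) echo 0 ;;
        PUBLIC)  echo 1 ;;
        PRIVATE) echo 2 ;;
        *)       return 1 ;;
    esac
}

# The command from Step One, checked against the model list and volser rules.
dasdinit_cmd() {   # <file> <dasdtype> <serial>
    dasd_cylinders "$2" >/dev/null || return 1
    valid_volser "$3" || return 1
    printf 'dasdinit -a %s %s %s\n' "$1" "$2" "$3"
}

# The configuration line from Step Two.
hercules_dasd_line() {   # <addr> <dasdtype> <path>
    printf '%s    %s    %s\n' "$1" "$2" "$3"
}

# One VATLST record from Step Seven with the fixed columns:
#   1-6 volser, 8 '0', 10 use attribute, 12-19 device type,
#   21 mount-if-absent flag (Y or N), 23-71 comment.
vatlst_line() {   # <volser> <STORAGE|PUBLIC|PRIVATE> <devtype> <Y|N> <comment>
    valid_volser "$1" || return 1
    attr=$(use_attribute "$2") || return 1
    case "$4" in Y|N) ;; *) return 1 ;; esac
    # %-6s fills columns 1-6, each literal blank moves one column, %-8s fills
    # 12-19 and %.49s cuts the comment so it cannot run past column 71.
    printf '%-6s 0 %s %-8s %s %.49s\n' "$1" "$attr" "$3" "$4" "$5"
}

# Constructed sample: a 3390-3 volume USR001 at device address 0A90.
dasdinit_cmd usr001.cckd 3390-3 USR001
hercules_dasd_line 0A90 3390-3 /path/to/usr001.cckd
echo "VTOC <totalcyl> for a 3390-3: $(dasd_cylinders 3390-3)"
vatlst_line USR001 STORAGE 3390 N "user data kept apart from ADCD"
```

Paste the last line of output into VATLST00 as-is; the printf format is what keeps the columns where z/OS expects them, so do not re-indent it in the editor.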

Blocking Ads with Sophos UTM at Home

Maybe I am a bit OCD, actually I know I am, but I really hate advertisements. I loathe them in any medium: television, radio, and especially the internet. There isn’t much I can do about television or radio, but I damn sure can block them on my network. There are tons of ways you can do this at home, but I find Sophos UTM to be the easiest to set up and the most straightforward. Sure, you can buy/download applications to do this specific to your browser, but I wanted something that happens in the background and applies to every device I use.

For this to work, you will need two very important things. First, you will need to download Sophos UTM Home Edition and get your free license set up. This is a fully functional version, with a few slight restrictions. Primarily they brand some things “FOR HOME USE ONLY” and you are limited to 50 internal IPs, which should be enough for most home users. The second thing you will need in order to make this all happen in the background is a spare PC to put this on. I had an extra Dell PowerEdge 1950 lying around which has worked perfectly for this. This machine will essentially be your router; if you plan to use an additional router that will take some extra configuration, but it is not impossible. In my home setup I went with an HP ProCurve MSM422 Wireless Access Point vs. an additional router; you can pick them up now for around $50 on eBay.

I am going to assume you have some basic knowledge of networking and how to install and configure the software, so I won’t go into any details there. Just know that Sophos UTM will replace your operating system and it will become a dedicated machine. What you will need to do is configure your UTM to be what is called a “Transparent Proxy,” which essentially is a proxy server that puts itself between your networked machines and the internet without any configuration done by the user.

Once you have configured everything you are going to want to go into Web Protection -> Filtering Options -> Websites and add the following websites to the category “Web Ads” and mark their reputation “Malicious” which will instruct the UTM to block them. This is by no means an exhaustive list, but it is a good start. You can do some further searching to find more sites to add to your list.


The second thing you are going to want to do is go into Web Protection -> Application Control -> Application Control Rules and create a new rule. Set the action to “Block” and “control by” to “Applications.” Then in the “Control These Applications” section do a search for “ads” or anything similar, and pick the ones that look most like ad services to you. If you happen to block something important or something you didn’t mean to, this is most likely where it will happen. Just come back here and remove anything that you don’t want to block. Most are obvious, some are not, but you can use your best judgement. Make sure not to block any CDN (content delivery network) services, otherwise you may break a lot of websites.

That’s it! Now you can enjoy a (mostly) advertisement-free internet.

P.S.: I recommend setting up some Bypass Users in your Web Protection settings, just in case something you still want to access gets blocked.

Clear Screen in REXX on the Mainframe

For those of you who have tried to figure out how to clear the screen in REXX, here is what you will need to do. Granted, if you are in a production shop you may want to check around and see if anyone has already done something similar. However, this is targeted for those who are either running some sort of Mainframe via Hercules or in a test environment. The bottom line is for whatever reason IBM does not include any functionality to clear the screen. You have to build that out yourself.

Step One: create some assembler code… This may be the most complicated code you will ever write.

BR 14

Step Two: compile the code! You will need to add a job card to this JCL and modify the highlighted values (dataset names and the like) for your environment. However, this is all you need to do!

//SYSUT1 DD UNIT=3390,SPACE=(CYL,(20,5))
//SYSUT2 DD UNIT=3390,SPACE=(CYL,(10,1))
//SYSUT3 DD UNIT=3390,SPACE=(CYL,(2,1))
//SYSUT4 DD UNIT=3390,SPACE=(CYL,(2,1))
// SPACE=(CYL,(1,1,1)),UNIT=3390
//SYSUT1 DD UNIT=3390,SPACE=(6160,(230,760))

After that, you should be able to clear the screen with the command “clear” in your REXX code.


Hercules & z/OS Networking

I suppose it is entirely possible I am just terrible at searching through Google, but I didn’t seem to find a good resource on how to get networking up and running on Hercules and z/OS. After reading through a few different articles I found a solution that works well for my environment. Also, since it seems to be like pulling teeth to get people to help you in the Mainframe world without questions like “why would you want to do that?” or “just forget you even had that idea,” I wanted to post a quick tutorial on how I got it all working. Oh yeah, before I forget, this was done on Linux (Ubuntu to be precise), so for you Windows folks out there, sorry, this won’t apply to you.

Note: I am going to assume if you are running z/OS on Hercules or anything other than IBM licensed hardware that you somehow were able to get a licensed version legally and you are abiding by that license.

The first thing you want to do is setup your Hercules configuration file. This is the easy part, just add the following line to your configuration file, make a few adjustments, and you are done with the first step.

0E20    3088    CTCI /dev/net/tun 1500 <mainframe ip> <tun/tap ip> <subnet mask>

Okay, so the first thing you see is “0E20”, which is your hardware address, followed by “3088”, which is the hardware “type” so to speak. Next you see CTCI, which stands for “Computer to Computer Interface.” After that you see “/dev/net/tun”, which is the tunnel device (this is using the TUN/TAP driver), and 1500, which is the MTU. All of this is good information to know so you have some idea of what’s going on, but none of it is something you will change unless you know what you are doing. I also want to point out that for some reason, even though the TUN/TAP driver is included with the version of Ubuntu I am running, I had to install the open-vpn package to make it work properly. Lastly, you see the three values after the MTU, and this is where you get to start making some changes. The first IP is the address you will assign your Mainframe, the second is the IP of the TUN/TAP driver, and the last one is your subnet mask. The first and second IP you can pretty much make whatever you want as long as they are on the same subnet as your current network. However, the subnet mask you will need to set to match your current network. If you are not too familiar with networking I would be willing to bet your home network is You can give that a try and see if it works.

Okay, now that we have that out of the way, go ahead and IPL (initial program load, if you have been curious what that means) your system and log in to TSO/ISPF. Once you are logged in you will want to locate your TCPIP configuration. If you are not sure where that is, you can check your PROCLIBs, find TCPIP, and look for a line that says “PROFILE” in the JCL. If you are running an ADCD distribution there is a good chance you will find it in the ADCD datasets. However, there are some modified versions of ADCD out there, so it is impossible for me to know exactly where it is. You could also try doing a catalog search in the Data Set List Utility (3.4) and putting the Dsname Level as “*.PROCLIB” or “*.*.PROCLIB” and it should come up. You wouldn’t normally want to do this on a production system, but you should be fine here.

Once you find your active TCPIP profile, you will want to go ahead and edit it. Look for “DEVICE” and make sure they are all commented out with a semicolon before them. I went ahead and commented out the default HOME and GATEWAY information as well and added new ones so that I had a reference point if I messed something up. Here is what you will want to add to your profile, making sure the information (outside of the MTU) matches what you put in your Hercules configuration.





Okay, we are almost done! Go ahead and shut down your system: on an unmodified version of ADCD you will type “s shutdown” in your primary console, and once it finishes processing type “z eod” and wait a bit, then type “quiesce” to finalize shutting it all down. This is also where it gets a bit tricky. You will have to add a static route to your system so that it can communicate properly, but you can only add that route once Hercules is running. What I did to solve this is create two shell scripts, start.sh and console.sh. The first script (start.sh) will delete the route out of the system and start up Hercules. The second will add the route back in, do some other networking stuff, and open up a console that will be the primary console for z/OS. One other note: this assumes you have the package c3270 installed on your system. Below I will put a simplified version of both of these scripts.


start.sh:

#!/bin/sh
#Record our own PID so the console script (or you) can find this process
pid=$$
echo $pid > /tmp/mainframestart.pid

#Set these to the first two addresses from the CTCI line in your Hercules config
MAINFRAME_IP="<mainframe ip>"
TUN_IP="<tun/tap ip>"

#Setup networking, it may not exist but if it does it needs to be removed
ip route delete "$MAINFRAME_IP" via "$TUN_IP" >/dev/null 2>&1

#Start up Hercules, logging to a timestamped file
/usr/bin/hercules -f your_hercules_config_here > hercules."$(date +"%Y.%m.%d-%H%M")".log

rm -f /tmp/mainframestart.pid
exit 1

console.sh:

#!/bin/sh
pid=$$
echo $pid > /tmp/mainframeconsole.pid

#Same two addresses as in start.sh
MAINFRAME_IP="<mainframe ip>"
TUN_IP="<tun/tap ip>"

#Do some networking stuff: forwarding plus proxy ARP so the LAN side can reach the tunnel
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo "1" > /proc/sys/net/ipv4/conf/tun1/proxy_arp

#Add the route so you can access your mainframe
ip route add "$MAINFRAME_IP" via "$TUN_IP" >/dev/null 2>&1

#Start a 3270 session to the console
c3270 localhost:3270

rm -f /tmp/mainframeconsole.pid
exit 1

I know if you are not used to scripting that may not make a whole lot of sense, or maybe you are and I just did this an odd way. However, to better explain how I start up my system I will give you a quick overview. I have a dedicated Linux machine that I only use for Hercules. I start up the machine and in the first console (tty1) I log in and launch start.sh. After that, I go to a second Linux console (tty2), log in and start up console.sh. This allows me to go back and forth between Hercules and the z/OS console pretty easily. If you do not have the ability to install Hercules on a dedicated machine or VM, you can always do the same with two different shell sessions.
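The part of this that bites people is not the scripts but the addresses: the CTCI line, the HOME entry in the TCPIP profile and the ip route commands all have to carry the same two IPs, and both have to sit inside your home subnet under the mask you gave Hercules. The following is an added example of my own (not from the original post) that derives the config line and the route commands from a single set of variables and checks the subnet arithmetic in plain POSIX sh before you touch the profile. It assumes the CTCI line takes “<mainframe ip> <tun ip> <netmask>” after the MTU, as described above, and the 192.168.1.x values are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original post. Derives the Hercules CTCI line
# and the ip route commands from one set of variables and checks that the
# mainframe and TUN addresses really sit in the host's subnet. Assumptions: the
# CTCI line takes "<mainframe ip> <tun ip> <netmask>" after the MTU as the post
# says; the 192.168.1.x addresses below are constructed samples, not the post's.

# Dotted quad -> 32-bit integer; fails on anything that is not four octets 0-255
# (leading zeros are rejected too, since some tools would read them as octal).
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# A usable netmask has contiguous one-bits (255.255.0.255 is a typo, not a mask).
valid_mask() {
    m=$(ip_to_int "$1") || return 1
    inv=$(( ~m & 0xFFFFFFFF ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# Succeeds when both addresses fall in the same network under the mask.
same_subnet() {   # <ip> <ip> <mask>
    a=$(ip_to_int "$1") && b=$(ip_to_int "$2") && m=$(ip_to_int "$3") || return 1
    [ $(( a & m )) -eq $(( b & m )) ]
}

# The full consistency check: valid mask, mainframe and TUN addresses in the
# host's subnet, and the three addresses distinct from each other.
check_plan() {   # <mainframe ip> <tun ip> <host lan ip> <mask>
    valid_mask "$4" || return 1
    same_subnet "$1" "$3" "$4" || return 1
    same_subnet "$2" "$3" "$4" || return 1
    [ "$1" != "$2" ] && [ "$1" != "$3" ] && [ "$2" != "$3" ]
}

# The Hercules configuration line, built from the checked values.
ctci_line() {   # <addr> <mainframe ip> <tun ip> <mask>
    printf '%s    3088    CTCI /dev/net/tun 1500 %s %s %s\n' "$1" "$2" "$3" "$4"
}

# The route commands start.sh and console.sh run, from the same values.
route_cmds() {   # <mainframe ip> <tun ip>
    printf 'ip route delete %s via %s\n' "$1" "$2"
    printf 'ip route add %s via %s\n' "$1" "$2"
}

# Constructed sample values for a home LAN.
MAINFRAME_IP=192.168.1.200   # address z/OS will use (the HOME entry in the TCPIP profile)
TUN_IP=192.168.1.201         # address of the TUN/TAP device on the Linux host
HOST_IP=192.168.1.50         # the Linux host's own LAN address
NETMASK=255.255.255.0

if check_plan "$MAINFRAME_IP" "$TUN_IP" "$HOST_IP" "$NETMASK"; then
    ctci_line 0E20 "$MAINFRAME_IP" "$TUN_IP" "$NETMASK"
    route_cmds "$MAINFRAME_IP" "$TUN_IP"
else
    echo "addresses are not on one subnet; fix them before touching the TCPIP profile" >&2
fi
```

Run it once with your real addresses before editing anything; the two printed route commands are the ones to drop into start.sh and console.sh, and the printed CTCI line goes into the Hercules configuration, so all three stay in step. Keep in mind that proxy_arp on eth0 in console.sh publishes the mainframe’s address to everything on your LAN, which is exactly why the address has to be inside that subnet and unused by any other host.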

I hope this helps, good luck!