What is the safest email server?

safe-vs-risk-email-server-security

When someone recently asked me about which email server was the most “safe” I immediately wondered what they considered to be the risk of email. Were they concerned about email privacy, email security, or email anonymity? Depending on their definition of risk, I had different answers and it takes a bit of explanation about how email servers work.

TL;DR – cloud servers can be anonymous, more secure in some ways, but less private. Private servers can be more private and secure, but only if the person who set them up did their homework.

There is a lot of value in understanding email server technology. Email runs our lives and servers run our email. A server can be defined as a computer or program that provides information to other devices called “server clients.”

When I send email from an app on my phone, a web browser, or an email program on my laptop – then that program is the “server client”.

Making Safe Connections to Email Servers

Clients connect to the server over the internet. When data is being transferred, it will normally pass through several devices – or more depending on your local network, your Internet Service Provider (ISP), and the destination network.

Let’s get really geeky for a second. I’m going to show you something that I find to be fascinating.

The image below contains the output of a program called a traceroute – for the context of this article, this a report of the path that an email data packet will take from a client to a server. In this case, I traced the data from 2 locations to the same Gmail server – a home and a datacenter. The upper measurement is from a HOME and the lower measurement is from a DATACENTER. The numbers on the left are called HOPS and each hop represents a new device (or possibly sub-device). As you can see below, there are 14 hops from a home using residential internet and only 6 hops from a datacenter (essentially connected directly to the internet).

 

traceroute-home-vs-datacenter-internet-hops

Why should we care about how many devices our email passes through?

From home, hop 12 is the first Google server but at the datacenter, hop 3 is the first Google server. I found out who controls each IP address by doing what is called a WhoIS search using the IP – but I am not going to go into that further today.

The main point is that some of these devices could be owned or monitored by other parties – including the NSA – but all of these connections/devices have the capacity to capture my information as it passes through them.

Without either the sender or recipient being able to detect them – any attacker or curious entity (NSA) can capture data being sent from your email client to your email server or from your email server to another email server.

This is known as a Man-In-The-Middle (MITM). If the data is encrypted by a modern strong encryption algorithm  – it will be unreadable. Encrypted data will look like a bunch of gibberish if you do not have the proper encryption key.

Email Encryption Explained in 1 Minute

Here is an example of SMTP (sending email) that is encrypted. The only thing that can be read from the data packets is the encryption method – otherwise, the rest of the data looks like random numbers, letters, and symbols.

tcp-smtp-data-encryption-tls-wireshark

When you setup your email account on your email client app/program or browse to your email server – you will have an option to check boxes for SSL/TLS or type HTTPS instead of HTTP. SSL, TLS, and HTTPS are all encrypted protocols.

Encryption requires having a certificate on your server. If you run your own server, this requires a high-degree of expertise or a lot of dedicated time on YouTube/Google to set up. Most cloud email services automagically take care of this for you. At WSP, we setup private email servers all the time for people who don’t want to be in the cloud.

Private Servers vs Cloud Servers

There are two basic categories of email servers – private and cloud. Let’s take a second to understand the difference.

virtual-private-server-physical-server

Cloud Email Servers

The term cloud is thrown around a lot. At this point, I am going to define cloud as a layer of abstraction – essentially, if you or your company cannot see the physical hardware, then it is in the cloud. Cloud email servers are run by companies like AOL, Gmail, GSuite, Yahoo, Hotmail, Live, Office 365, or other hosted exchange services.  In general, these servers are very secure – but there are some questions about privacy. These servers also do not require you to verify your identity – for example, you could create a Gmail account using a churn and burn IP address somewhere in the Virgin Islands and use a name such as “Urchin Rex” and then email to your hearts content as this alter-ego.

Cloud servers are still run by teams of humans. Even the most advanced teams make mistakes – for instance, the largest hacking incident in history was just revealed. In Sept 2016, Yahoo finally realized that it’s servers had been infiltrated back in 2014 and 500 million accounts had been compromised.

500. Million. Accounts. Hacked.

It wasn’t just usernames and passwords which were stolen. It was a lot of information. If you have ever had a Yahoo! account, then someone out there now has a database out there with your dog’s name, your mother’s maiden name, the street you grew up on and your dob.

Private Email Servers

Private email servers are by YOU or a company like WSP. The physical servers generally run in your home or in a datacenter – the datacenter servers are divided into colocation (you own hardware), dedicated server (you rent hardware), or VPS (you rent virtual hardware). VPS servers can also be setup to run on Amazon AWS, Digital Ocean, or NoLag Hosting. In general, running your own server requires a high level of expertise to run securely, however, privacy is in your hands. For instance, as we learned from Hilary Clinton, when you delete something, you can go to great measures to make sure that it has been deleted forever. Private email servers are definitely not anonymous. Servers require an IP address and there are lots of records about who owns an IP address at a given time – so, it leaves a trackable record (unless your server is in Russia/Ukraine) – hosting companies there don’t seem to believe in tracking IP addresses to owners accurately.

If you run a little private email server, chances are that you are not as great of a target as someone like Yahoo!. There is something to be said about security through obscurity. I

If you are on the internet, there are 100’s of probing programs checking out your router, email server, and website daily and probing it to see if there is any way to get in – testing every possible username and password.

I can show you log files to prove how often this happens on an unprotected server. This is why it is essential to have a security expert like WSP setup your email server for you or do your homework.

A Quick Review of Email Server Software

Private email servers either run open-source or closed-source software. The most common are Zimbra and (open and free) or Microsoft Exchange (closed and expensive). Either software could have built-in backdoors – but closed-source servers are far more likely to have backdoors.

Most of the major companies – Google, Yahoo!, Microsoft – have built their own custom Message Transfer Agent (MTA) software. Email servers require an MTA – message transfer agent/mail transfer agent. All of the modern MTA varieties (PowerMTA, Postfix, Exim, other custom ones) are all based on the logic of sendmail – the mother of all email transfer agents built in 1983.

Should I run my own email server?

If you know what you are doing and/or are willing to hire someone like WSP to set it up for you – then, yes. It can make a lot of sense. There are pros and cons of running a private email server.

If you want to take a crack at setting up a fairly simple server try iRedMail on Ubuntu 14.04.05 using this video. I like this guy’s pacing and voice – plus he has a little photo of himself on the desktop which makes me laugh but also trust him more.