Community email host?

The gitplace for t/suki has got me thinking about a slightly wild idea.

The problem

  • Gmail, Outlook and adjacent services are becoming increasingly undesirable, especially for more than just personal use. They’re not only being enshittified as products, but also doing increasingly objectionable things, such as spying on private communications for advertising and undisclosed purposes, and feeding private data to unethical AI. They also hold outsized power over the digital presence and daily business of their users - we’re always one automated moderation action away from becoming locked out of almost everything we do over the internet, with literally no customer service to speak to, and no recourse short of lengthy legal action, possibly involving forced arbitration.
  • Self-hosting an email service competent enough for the modern day is tedious and costly, which makes it somewhat impractical for an individual user.

The idea

What if we hosted a community email server? Setting it up for a larger group of people would make the effort and money investment much more bearable than on an individual basis, and may have the added benefit of making it look less “suspicious” to the overly aggressive spam filters out there. Each member could have an encrypted mailbox, with the possibility of attaching it to their own domain. (My preliminary research on that last part suggests it too can be a little tricky, so figuring it out once for everyone would certainly help.)

Would some of y’all be interested in such a thing? :eyes:

making it look less “suspicious” to the overly aggressive spam filters out there.

This is the real problem for anyone who sends email: the big providers just don’t care and will filter to oblivion even if you set up proper security (DKIM and such). I feel like even folks on a big service like protonmail had issues (hopefully they’ve more or less sorted it out by now…)

There are all sorts of nice benefits from having a gitplace for game developers to share, but one of the reasons I want to provide a gitplace for t/suki is that I don’t currently see very many places that provide attractive offerings for game developers. I’m pretty confident you can get big wins from self-hosting just on the aspect of price.

Game developers usually require private repositories and relatively large LFS storage, something that is usually quite expensive at other places. For example:

| Service | Base Fee | LFS Price |
|---|---|---|
| GitHub | Free | 1 GB included, $5/mo per 50 GB [1] |
| GitLab | Free | 10 GB included, $5/mo per 10 GB |
| Gitea (Managed) | $9.5/mo per user [2] | 20 GB included, $10/mo per 100 GB |
| t/suki (Self Hosted with Forgejo) | $10/mo [3] | $6/mo per TB [4] |

As you can see, it’s much cheaper to run a self-hosted gitplace simply due to storage costs. Most gitplaces charge quite a premium for LFS storage (I’m assuming this is because they all use high performance storage), but if we look for storage on our own we have the choice of picking less performant storage for a much cheaper bulk price. S3-style storage is slower, but it’s much, much cheaper.

However, for email, the situation is quite different. Not only is it notoriously difficult to get past modern spam filters even if you are a large established company as @ZeikJT pointed out, email servers are also quite heavy loads to run last I checked. Here, I think the economies of scale work out in the favor of existing companies.

Just consider ProtonMail, for example. I would recommend ProtonMail to everyone as it’s one of the most secure options and it’s established enough that I generally don’t have issues with receiving or sending mail. It’s also not being enshittified (as far as I can tell) and they can’t read your email or feed it to LLMs because it’s E2EE.

Now, I pay for ProtonMail so I can have additional features, but there are cheaper tiers like the free one. That’s right, it’s literally free. I think that’s a pretty good deal for a pretty good service, so I don’t think self-hosting email is the right thing for us to do.

In fact, I decided to pay ProtonMail to deliver mail for us (for Discourse and Forgejo) instead of setting up our own email server because it’s still cheaper even though there’s only one user. It only costs $7/mo/user at ProtonMail. The cheapest Atlantic.Net VPS on the other hand is $10/mo, it wouldn’t be able to keep up with the workload, and it would be a huge pain to set up as mentioned earlier.


  1. This is the price for both storage and bandwidth, which are charged separately.

  2. The price for non-profits, though this would involve incorporating t/suki as a non-profit first.

  3. The price of this may increase if we need to upgrade the VPS to handle more load.

  4. Using Backblaze B2 cloud storage.

3 Likes

When it comes to ProtonMail, there are several red flags about it:

That aside, for practicality’s sake in the nearest future, I will likely look into other established, paid email services, and might end up attaching one of those to my domain.

Nonetheless, I’d still be very interested to see (and participate in) some research into the viability of setting up an email service, including the costs. It’s not something I’d recommend any one individual do for themself or their family, but with a big enough community I feel like it could be an interesting self-sustainability project. Perhaps there’s someone here who has more behind-the-scenes knowledge about this?

With the way modern cloud/VPS offerings are structured, I’d actually expect the largest part of the cost to be storage rather than compute. A lot of existing email server software elements are rather convoluted and large, but I don’t feel like they’d require a terrible amount of CPUs to deal with the volume of emails for 10-50 users. RAM could be an issue, given a lot of said software ships in docker containers, but that might also be possible to mitigate.

I think you bring up fair concerns about ProtonMail. However, I’d also like to point out that:

  • On the page where they boast about being open source, they boast that “All Proton apps are open source” (emphasis mine) and they don’t make that claim for literally their entire stack. I can see how someone might miss that detail though.
  • They might have few outside contributions, but they do get audited by third parties. For example, ProtonMail was audited in 2021 by Securitum.
  • Unfortunately, the email protocol necessitates knowing the metadata in plaintext and I don’t think this is something you can get around, E2EE or not. I can see why you would criticize them for advertising E2EE so aggressively, but I think it’s also true that they use E2EE to the fullest extent possible as allowed by the email protocol. See: Why Email Isn't the Best Choice for Privacy and Security - Privacy Guides

As far as privacy goes, privacyguides.org has some information that could be useful, but their requirements are strict enough that they only recommend three email services, of which ProtonMail is one.


I agree that email would be an interesting service to provide when the organization is larger, but I have some reservations for why I would be reluctant to provide it. E-mail is unfortunately often used as a way to identify users online and it’s very important for doing many things online. Like, what should we do if we ban a user from t/suki who only uses the email service we provide? Should we prevent people from using their t/suki email as their email for their t/suki account, or should we allow it? What if we mess something up and someone gets locked out of all their other accounts online because they can’t access their mail anymore? What if someone on the t/suki maintenance staff gets tricked into giving a malicious agent access to someone’s account due to social engineering?

These are all questions I don’t feel like I have great answers for and they’re all admittedly questions we can answer when we get there. However, I’m sharing them now to point out that I feel like with e-mail, the stakes and difficulty are much higher than something like Discourse and Forgejo. I don’t think it’s just the minimum system requirements we have to consider – I think we would need experienced IT professionals (not me; I’m just a funny software developer) administering and maintaining the mail server as well.

1 Like
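The point in the post above, that email metadata stays in plaintext whether or not the body is end-to-end encrypted, shown as an added example that is not part of the original posts. It assumes PGP/MIME (RFC 3156) as the encryption format rather than any particular provider's scheme; the message, addresses and hostnames are constructed.

```python
from email import message_from_string
from email.policy import default

# Constructed sample: a PGP/MIME message as a relay or mailbox host stores it.
# All names, addresses and the armored payload are placeholders for this example.
RAW = """\
Received: from mx.sender.example (mx.sender.example [192.0.2.10])
 by mx.recipient.example; Mon, 06 Jan 2025 10:15:00 +0000
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Subject: Contract draft v3
Date: Mon, 06 Jan 2025 10:14:58 +0000
Message-ID: <constructed-1@sender.example>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

# Headers needed for routing and display; they sit outside the encrypted part.
ROUTING = {"received", "from", "to", "cc", "subject", "date", "message-id"}

def server_view(raw):
    """Return (headers any handling server can read, True if body is PGP/MIME)."""
    msg = message_from_string(raw, policy=default)
    visible = {k.lower(): str(v) for k, v in msg.items() if k.lower() in ROUTING}
    is_pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                   and msg.get_param("protocol") == "application/pgp-encrypted")
    return visible, is_pgp_mime

def ciphertext_part(raw):
    """Return the only part that is opaque to the server: the armored payload."""
    msg = message_from_string(raw, policy=default)
    return list(msg.iter_parts())[1].get_payload(decode=True)

if __name__ == "__main__":
    headers, encrypted = server_view(RAW)
    print("body encrypted:", encrypted)
    for name, value in headers.items():
        print(f"readable by server -> {name}: {value}")
```
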

IMO their website and advertising (especially on social media) are designed to make people miss that detail, and it feels rather disingenuous, that’s why I included that.

I agree that’s technically mostly true (tho check Tuta for a service that also encrypts subject lines), and to be fair, it does seem to be a common marketing tactic around privacy-focused email, but it is nonetheless a misleading one.


I do agree with your assessment of community-hosting. Those are all very important things to keep in mind. While I believe there is value in trading off a large corporation that treats its customers as exploitable and disposable for a small hobby group that may not have every security detail fully locked in and vetted, but cares about its users and is far more ethical, this is still, as you pointed out, a higher stakes situation that we’re probably unprepared for.

2 Likes