129

The Death of Decentralized Email (blog.lopp.net)

submitted 1 month ago by makeasnek@lemmy.ml to c/opensource@lemmy.ml

91 comments fedilink hide all child comments

Interesting history and analysis of SMTP's history. How can we prevent fedi and other open protocols from suffering the same fates?

top 50 comments

sorted by: hot top controversial new old

[-] observantTrapezium@lemmy.ca 97 points 1 month ago

You can't successfully use a home email server.

Mostly true (server can be home but using the ISP network directly probably won't work)

You can't successfully use an email server on a (cloud) VPS.

Bullshit

You can't successfully use an email server on a bare metal machine in your own datacenter.

Bullshit

As such, it is my distinct displeasure to declare the death of SMTP. The protocol is no longer usable. And as we can see, this devolution occurred organically.

Bullshit

[-] ramble81@lemm.ee 39 points 1 month ago

You can’t successfully use an email server on a bare metal machine in your own Datacenter

Calling complete BS on that. I work in a medium size company and we do just that. Don’t know what he’s thinking.

[-] ikidd@lemmy.world 13 points 1 month ago

I'm going to add "bullshit" to the first. I've gone 2 decades running a few email domains on my home servers, on 3 different ISPs. Its not rocket surgery.

[-] coronach 5 points 1 month ago* (last edited 1 month ago)

All the ISPs I've used block the relevant ports.

load more comments (5 replies)

[-] xyguy@startrek.website 12 points 1 month ago

Can, yes.

Should, maybe.

Enjoy doing, unlikely.

And for sure your home isp has all the email ports blocked upstream.

With all that being said, to call SMTP dead is wildly insane. I do figure it will die someday though. Probably around the same time of universal IPV6 adoption during the year of the linux desktop.

load more comments (5 replies)

load more comments (13 replies)

[-] halm@leminal.space 80 points 1 month ago

I know there are problems with big email providers subverting decentralisation to benefit their business models, and throttling mail from independent or self-hosted domains. But I couldn't take the analysis seriously past this statement:

You may know me as a Bitcoin educator and engineer.

Yeah well, in that case, fuck you and the hypercapitalist horse you rode in on.

load more comments (26 replies)

[-] benjhm@sopuli.xyz 50 points 1 month ago* (last edited 1 month ago)

I don't buy this. I'm still using SMTP on my own domain and it’s working fine, a bit of spam but not unmanageable, real messages get read. Main challenge is digesting so many potentially-interesting list messages, indicating email's continued dominance for professional topics. Seems this author has another agenda.
Having said that, it's a pity the world never agreed a protocol for micro-payment for emails (and for many other services), which would resolve the spam problem, and not be a burden for honest users.

[-] angel@sopuli.xyz 5 points 1 month ago

I also host my own mailserver and I agree that it mostly works fine. However, there are some email providers that cause trouble:

Google seems to randomly sort some of my mails into the recipients spam folder, while others are delivered fine to the respective inbox. It kinda sucks that you can never be sure whether the recipient actually received your mail or whether they just don't reply. My IP and domain are not blacklisted on any spam list; SPF, DKIM and DMARC are set up correctly as well.

Even worse is the Telekom (German ISP), who use an explicit whitelist of IP addresses (only IPv4 of course) and require you to display your contact information publicly on a website reachable via the same domain your mailserver uses. Once you've set this up you need to message them to be put on their whitelist. If you're not on their whitelist, they simply reject your mails, they are not even delivered to the spam folder (maybe it's not worse than Google, because you at least get a notice from your mailserver that your mail couldn't be delivered). In the end I decided that I don't care enough to comply with their regulations and just don't send any mails to Telekom customers.

Aside Google and Telekom, I've really never had any issues though.

[-] notannpc@lemmy.world 30 points 1 month ago

Immediately skeptical by the ai generated tombstone as the article image, and the skepticism was warranted. Massive L take from a “bitcoin educator”.

[-] allywilson@lemmy.ml 5 points 1 month ago

Same, seen the AI generation and was out.

[-] amanda@aggregatet.org 26 points 1 month ago

I should have expected the rug-pull at the end when I read:

You may know me as a Bitcoin educator and engineer

However, I was still surprised!

[-] SorteKanin@feddit.dk 20 points 1 month ago

Defederating bad actors/spammers should in theory be good enough? Domains aren't free and I don't think it's worth it for them to buy a new domain to just be able to spam for a short time again.

[-] makeasnek@lemmy.ml 33 points 1 month ago* (last edited 1 month ago)

Domains aren’t free and I don’t think it’s worth it for them to buy a new domain to just be able to spam for a short time again.

Literally what e-mail spammers do.

Agreed defederating can help solve obviously malicious instances, it doesn't solve spammers abusing good instances. E-mail and AP are very similar at a protocol structure level.

[-] SorteKanin@feddit.dk 15 points 1 month ago

Is it though? Don't email spammers just spoof the domain or send without a domain? I'm not entirely sure if that's different from how the fediverse works. I'm not too knowledgeable about this topic.

[-] halm@leminal.space 12 points 1 month ago

Don’t email spammers just spoof the domain or send without a domain?

Very much so. Out of the spam that I do see in my inbox, the sender domains are usually spoofed, while the reply-to addresses are usually gmail.com, hotmail.com or outlook.com.

[-] the_crotch@sh.itjust.works 5 points 1 month ago

You need to set up dkim to prevent spoofing. Each message sent has a digital signature that matches one on a DNS record for your domain. You can also set an SPF record, which will tell the recipient what up addresses are authorized to send mail on behalf of your domain.

The recipent must have policies in place that reject mail which fails dkim/spf

[-] makeasnek@lemmy.ml 4 points 1 month ago* (last edited 1 month ago)

Don’t email spammers just spoof the domain or send without a domain?

They do both, depending on the spammer and the type of spam they send. In e-mail, you have an e-mail server, you can use it to send mail to users on other e-mail servers. Each e-mail server can choose to accept or reject email from other e-mail servers based on whatever reason they want. AP/Lemmy/Mastodon is basically identical to this. I'm not sure how exactly bluesky is setup but I get the impression it's similar. In Nostr, servers aren't federated (each relay is seperate, if you want to send/recieve content to another user on a different relays you just talk to that relay directly instead of having "your relay" act as an intermediary), but the structure is still pretty similar.

Nostr does have this hashcash type system (requiring proof-of-work to weed out spam), but I haven't come across any relays that actually enforce it, it will be interesting to see if that changes in time. I also saw a GitHub issue about adding something similar to AP but I think they chose not to implement it.

[-] SorteKanin@feddit.dk 8 points 1 month ago

Replying to your edit:

it doesn’t solve spammers abusing good instances

This is an instance moderation problem. If you're letting spammers in, you need to use a better application process or something similar to that. A big problem with email spam is that most email services allow anyone to sign up for free without any checks.

Ultimately defederating bad actors and defederating "good" actors who fail to moderate their own users is necessary.

[-] makeasnek@lemmy.ml 7 points 1 month ago* (last edited 1 month ago)

This is an instance moderation problem. If you’re letting spammers in, you need to use a better application process or something similar to that. A big problem with email spam is that most email services allow anyone to sign up for free without any checks.

Which is one reason, this author is arguing, that e-mail has become so centralized. Doing that kind of manual moderation and curation is expensive, the bigger instances out-compete the smaller ones who don't have as much resources to dedicate to it. As more and more instances get "de-federated" for not having as good of anti-spam measures as the bigger instances, more users will sign up at big instances to avoid defederation risk. Just like how many people use gmail simply because their email delivery rate is so good. If I send from g-mail, there's very few servers which will reject my message or throw it in the spam folder. I'd love to run my own mail server, but even as a dedicated sysadmin it's impossible to get decent delivery rates.

The more anti-spam checks we have, yes we weed out spam, but we also make it accessible to less users as well.

AP has been blessed so far with not having to fight too much spam. Look at very popular, very centralized, very resourced platforms like Facebook, spam is still a problem on their platform despite massive resources put towards fighting it.

[-] SorteKanin@feddit.dk 6 points 1 month ago

Hmm I feel like some pooling of effort with spam detection built into the software (lemmy for instance) could help spread the effort of spam fighting to other, smaller instances and not just centralised to the big ones.

But it's difficult to say what will happen I guess. We need to just keep being vigilant when it comes to stopping spam while keeping in mind our shared goal of a decentralised social Internet.

load more comments (1 replies)

load more comments (3 replies)

[-] GolfNovemberUniform@lemmy.ml 5 points 1 month ago

But most people don't pay for software, especially if there are "free" and legal alternatives.

[-] SorteKanin@feddit.dk 8 points 1 month ago

I'm not sure what you mean with that or how it relates to what I said, could you elaborate?

load more comments (10 replies)

[-] pyre@lemmy.world 16 points 1 month ago

i can't read anything that's presented with that shitty cover image without a hint of irony

[-] digdilem@lemmy.ml 12 points 1 month ago* (last edited 1 month ago)

(This is as much an answer to some of the comments already raised, as to the article - which like most such personal pieces has pros and cons.)

As part of a previous job I used to host email for a small business - this was about 15 years ago. I ended up spending several hours to a day a week working on it; apologising to users, tracing and diagnosing missing sent email and the endless, ENDLESS arms war against incoming spam (phishing was much less of a problem then). The trust from the company in our email operation was very poor and you'd regularly hear someone apologising to a customer because we hadn't contacted them, or answered their email. The truth is much was going astray and staff were relying more on the phone than email because they knew it worked. You might guess from this that I'm terrible at running an email system but I don't think I am. I started moving email back in the late 80s when Fidonet was the thing, so I have some miles travelled. Tools have improved a bit since then, but so have those used by the bad guys.

I still consider one of the best things I did for that company was move our company email onto Gmail Business (which was free for us as a charity) Every single one of those problems went away immediately and suddenly I had a lot more time to do more important stuff. I would never self-host email again despite running several personal servers.

Plenty of people say they self-host just fine, and great for you if that's so. But the truth is you won't always know if your outbound mail silently gets dropped and you have a far higher chance of it arriving if it comes from a reputable source. There are a huge number of variables outside of your control. (ISP, your country, your region, your software, even the latency of your MX or DKIM responses factor into your reputation)

You take the decision on whether any perceieved risks of privacy through using a third party outweighs the deliverability and filtering issues of self hosting, but please don't say it's simple or reliable for everyone. If it's simple for you, you're either incredibly lucky or just not appreciating the problem.

[-] umami_wasbi@lemmy.ml 8 points 1 month ago* (last edited 1 month ago)

I never run a mail server but Google already placing my mail sent via my xyz domain hosted on proton to spam folder silently.

I guess running my own will be a lot worst.

P.S. I know that's a bad TLD choice, and I'm planning to migrate, but that will take a lots of time and work to the point I wonders if that worth it as I don't sent many anyways.

load more comments (2 replies)

[-] ssm 6 points 1 month ago

And threads will be the death of decentralized lemmy. But we still have mailing lists, and most of my mails go to decentralized users on those lists. You just gotta know where to look, and you'll find gold.

load more comments