I have been slowly learning how to run a linux VPS for a while now. Since I build websites I'm confident with running and securing a web server like nginx… or at least there haven't been any casualties yet.
However, email scares me.
Almost all websites require email to communicate with users. Most of the time email is only needed on my sites during registration as a means of verification. I hardly ever need to accept incoming mail back and I have never sent bulk email. Nevertheless, my lack off understanding of how email servers can be abused is worrying me.
Not only do you need to secure email servers – you also have to prove to the world that your emails are legit and constantly fight against being blacklisted. Insuring my emails 'good name' is not something I want to devote my life too.
What should someone like me do to send emails from my VPS? Should I look for a company to send email through that can worry about this for me? Should I just use google apps until my sites are large enough to worry about? Or is all this just ignorant fear and running your own email server (that actually works) really is easy?
Best Answer
Don't touch incoming email. Let somebody else do it. Set up an account with Google for domains (or one of the billions of other providers) and let them worry about security, spam, webmail, uptime, etc. GMail for domains is pretty awesome but it does mean you have to trust Google with quite a lot of your data.
As for sending email, install postfix and sendmail. Set it up as a local only system, so it's only listening on localhost. This will stop people using you as an open relay and getting your IP marked as spam.
If you host has other clients that are spammers and they don't do anything about it, your whole IP block might get marked as spam. In this case, you can also use external SMTP servers (including GMail) but you usually set this up on a per-application basis.
For example, a Django webapp of mine connects to gmail for SMTP and this is set up in the Django configuration. This is just so I can guarantee emails send and I get a copy in the gmail accounts Sent Mail box. Another site uses another client's email provider (Message Labs) and that's fine too. Everything else on that server uses sendmail+postfix.
Just to be clear, there's nothing inherently wrong with sending email through postfix. It usually gets there and unless you're doing big business through automated emails, you'll probably be fine sending email directly from your server.
This certainly isn't an ignorant fear. Open postfix and spamd processes taking up too many system resources are the bain of my existence. When I adopt clients and I'm troubleshooting their servers' lack of resources, I try and move as many of them to third party services as possible.