Install Your Own Private E-mail Server in the Cloud
Update: You might be interested in Why Clinton’s Secure Email Server Has Legs.
Background & Motivations
Privacy is rapidly coming under threat as technology advances – it’s clearly a time of great cultural change and policy shifts. Because I live in Seattle, authorities can track me via cell phone, automated license plate reader, bus pass, and even the transmitter in my driver’s license. And, if a warrant is issued for my credit card, email, Internet or Car2go activity, then my life becomes an open book. I know a little about all this – I helped nab Wired writer Evan Ratliff in its 2009 Vanish contest.
The NSA revelations this week make it clear that our privacy is not just tenuous, it’s imaginary at this point. The best writing I’ve seen to make sense of this story is by Slate’s Manjoo: “…now, after it has just proven itself so inept at handling its own information, the [NSA] still wants us to believe that it can securely hold on to all of our data”. It can’t. And that’s just one more reason this kind of government power is a terrible idea. Another reason is that the really bad people are smart enough to avoid mass surveillance like PRISM. Wonkblog’s description of the difference between authoritarian surveillance states and democratic ones is also excellent.
But this doesn’t mean that we need to roll over and give Google and the government ready access to our email.
I’ve been slowly working on this tutorial for some time, but last week’s disclosures of the NSA’s domestic spying led me to complete it now. For some time I’ve had growing concerns about our dependence on Google and Facebook and the increasing commodification of our personal information for profit. Last year’s Petraeus affair made the power of the government’s access to GMail more obvious and I quit using Facebook in January. The shutdown announcement for Google Reader, stories of being cut off from GMail without notice and Google technical outages also motivated me to consider other options, for privacy and redundancy.
While I’m not entirely surprised by the PRISM disclosure, I am disgusted by the U.S. government’s wholesale violation of Americans’ Fourth Amendment Right to privacy in the electronic age and President Obama’s heightened attacks on whistleblowers. I’m also dismayed by what I expect will turn out to be Clinton-esque lies by Google and Facebook about their “lack of” involvement in PRISM. In my view, Edward Snowden is a stronger protector of the Bill of Rights than President Barack Obama. I especially admire his courage in light of the torture of Bradley Manning. I refuse to adjust to the new normal of the authoritarian surveillance state.
A Tutorial to Self-Host Your Email in the Cloud
This tutorial provides step by step instructions for installing an open source email server – a path away from GMail which reduces your reliance on Google and at least makes it a bit harder for your communications to be swept up in broader government surveillance such as PRISM.
A former colleague, Allen Gunn, once said, “If you’re not paying for the product, you are the product.” Currently, Facebook and Google treat us this way, studying our most intimate relationships and packaging us up to advertisers. In addition to avoiding mass surveillance, this tutorial is also aimed at helping you avoid being their product – or at least being a less valuable product.
I’ve written before that email is one of the most vital, least innovated technology applications (see Twelve Gmail Ideas to Revolutionize Email Again and SimplifyEmail) of the past twenty years. I’m hopeful that if more technologists adopt leading open source email technology, more of them will contribute their time and money towards innovating this platform. I’m also encouraged by the launch of the Mailbox app and expect it will soon be compatible with iRedMail (Sanebox provides a similar service on the web).
Specifically, this tutorial describes installing a self-hosted, open source email server, iRedMail (demo) with Roundcube web mail access (demo) and Dovecot IMAP support in the Amazon AWS cloud. It’s not for the faint of heart – but it is perfect for technologists interested in exploring new ground. It’s also not free – running your own email properly can cost from $7 to $15 monthly or more, depending on your configuration – but for many of you, this will be worth it (note: Amazon offers a free year of AWS usage for new customers.) If you prefer, you can pay $99 to iRedMail and they’ll install it on your Linux server of choice.
This tutorial also addresses how to make sure your email is delivered and free from spam, although the solutions I describe for this are also not free – I am using Mailgun; Amazon’s SES is a less well supported, less expensive option.
The iRedMail configuration can also be used as a redundant backup for your GMail accounts, if that is more of a concern to you than privacy. I also discuss ways for using vanity domain-based email addressing to increase anonymity with everyday websites.
I haven’t and won’t fully move away from GMail and Google Drive – especially for work, but I have been using iRedMail successfully for personal email for several months and appreciate the independence of it.
Amazon’s Cloud Doesn’t Guarantee Privacy Either
I have no illusions that self-hosting your email will keep the government from reading it if it wants to (Amazon recently received a $600 million contract to run the CIA’s cloud operations and my use of Mailgun opens up another point of surveillance), but it will make it slightly more difficult and encourage open source innovators to move platforms towards a more private, more secure world. Furthermore, you can use the instructions here to run your email on any Linux system or cloud (e.g. RackSpace, Linode) – you don’t have to use Amazon.
Self-hosting your email is a complicated undertaking. Completely securing your email is even more challenging. You may actually be creating more headaches and risks for yourself by moving away from a professional service provider (e.g. managing reliability, fending off hackers). This tutorial is oriented towards taking you out of PRISM’s immediate sights – but you’ll have to do more work to be completely secure. Full disclaimer: I’m glad to take responsibility for your success but none for your failure. Installing your own e-mail is a tiny act of resistance against the surveillance state, but is not a trivial act.
FastMail: A GMail Alternative For Non-Technical Folks
If you aren’t technical but simply want to move your email off of Google, check out FastMail*. It’s a solid email hosting service provided by the folks who make Opera. They responded quickly to my query regarding PRISM: “Opera Software Australia Pty Ltd is a company incorporated in Australia with Australian employees on Australian soil. The servers we have are based in the US, but owned by the Australian company. No person in the US has login access to the servers. Based on interpretation of the law that we’ve received, we’re subject to Australian telecommunications laws and Australian privacy laws. These laws specifically forbid us from releasing any electronic communications or data without an appropriate Australian warrant.” While this is no guarantee of privacy, it’s more likely that you’d be given notice before your email is handed over to authorities. Full disclosure, I am signed up for the FastMail referral partner program and will receive a tiny commission with any new sign ups from this tutorial. Read my disclosures.
A colleague also suggests Norwegian Runbox.com for good privacy policies, though their web interface is not as smooth as FastMail.
Writing this tutorial has demonstrated to me that securing the bulk of your email from government snooping beyond the per-message level is a task whose complexity far exceeds the capability of the average person, perhaps even the average technologist. This fact alone, that maintaining your privacy in the digital age is so difficult, is one reason that the surveillance state should be illegal. The more impossible it becomes for the average person to secure their digital privacy, the more seriously the courts should return to backing the intent of the Fourth Amendment. Conversely, it’s quite easy for really bad people to encrypt their most private communications.
Please feel free to post corrections, questions or comments below. You can also reach me on Twitter @reifman or email me directly. If you like this tutorial, please share it on Twitter.