To our clients using our email hosting:

I hope you had a great Thanksgiving!

Yesterday we turned on a shiny brand new mail server.

We've done our best to preserve all settings and logins, but there are some drastic changes under the hood, so you might want to check that everything is working as expected.

In particular, check your Spam folder, which everyone now has -- with a brand new spam filter in place, it's still learning what is spam and what is not. If you see any legitimate mail, drag it back to your Inbox, which should train the spam filter to not catch that in the future.

Otherwise, let us know if you have any issues... Or read on for more details...

Changes

A few notable changes with this upgrade:

Spam Filter -- Dspam replaced with Rspamd

Dspam has been abandoned for quite some time, and no longer was working effectively. Our new spam filter rejects a lot more spam before it ever reaches your inbox. For its fuzzy learning, it shares training data across all of our mailboxes, so even if you don't ever tell it about your spam, it should improve as others do. But in these early days, I am finding some legitimate commercial mail I don't consider spam being caught there -- be sure to check your spam folder a bit extra, at least for the next couple weeks.

  1. Spam folder -- any mail that Rspamd considers suspicious, but it's not absolutely sure, ends up here. If you drag a mail out of your spam folder to any other folder, it "trains" Rspamd that that message should not have been caught, and it should do better next time. Any mail you drag into either the "Spam" or the "Junk" folder will train Rspam that it is spam -- and it should eventually learn and divert it to the spam folder in the future.
  2. Mail rejection -- for messages that score beyond a certain level, it simply rejects the mail before it goes any further in the system. This should greatly reduce a lot of spam right out of the gate.
  3. Grey Listing - For less suspicious mail, the server now initially bounces the message. A legitimate server will try again later, and the spam filter will let it through -- most spammers won't retry. So this can lead to delayed mail. This could affect things like password resets, if it's for a website that appears spammy...
  4. Tighter restrictions on mail arriving at the server. In the ~24 hours since we've turned the new server on, we are rejecting a lot more mail right at the edge of the server, and I'm seeing a huge drop in the amount of spam coming in as a result. The new spam filter is helping a lot right away, but it's showing only about 20% spam coming in out of several thousand messages -- the big drop is just enforcing mail best practices.

This means a lot of poorly set up mail now won't reach us at all. Since this is mostly spam, I think this is an improvement!

Junk vs Spam

You actually might see two different folders here -- Spam and Junk. Both work the same way if you move mail in or out of them -- they will train the spam filter based on your action. However, incoming spam will always go to the "Spam" folder. We've set it up this way so you can drag stuff into Junk and not have to see it again -- but you still may want to check Spam for misclassified mail, especially for the next couple weeks.

"Trash" on the other hand is regular mail you don't need anymore -- anything you put in Trash will stay there until it gets purged. This happens automatically to messages that have been in there for 30 days.

The server automatically deletes "Spam" messages after 30 days, and "Junk" messages after 10 days.

New addresses for IMAP and SMTP server

We have had a report of mail sending failing. If you have this trouble, you might need to change the port on your outgoing mail settings, from port 25 to port 587. You will need to use either SSL or TLS on the outgoing mail settings -- SSL on port 465 or TLS on port 587 -- with your email address and password.

In addition, we have set up imap.freelock.com and smtp.freelock.com as additional names for our mail server -- many mail programs set these by default when you add a new account, and these should now work with our service.

In general we have tightened up the security of the server -- currently we have disallowed logins on non-encrypted connections. If you have trouble connecting from a device, check to see if it's set to use encryption, and if not, enable it. Let us know if this is not possible -- we may need to relax this security if you have no other options.

Mail Filtering rules, Folder subscriptions

The underlying folder structure inside the mailboxes have changed. Previously a folder (under the hood) might have been called "INBOX.Archives.2018" for example -- and now it's called "Archives/2018". We attempted to update the subscription list so everything stayed the same in your email -- but if you don't see a mail folder, open up the "Subscribe" tab for the account in your email software -- it is there but might be under a slightly different nesting structure.

If you had any mail filtering rules set up, this might have broken them. You should be able to manage these rules using any "Sieve" extension for mail, or you can just log into RoundCube at https://mail.freelock.com/ and go to Settings -> Filters and check that the folder names are showing the nested folder and not a long name with dots in it.

Domain Verification/DKIM signing

A big improvement for our outgoing mail is we now support the latest in "Mail Reputation" policies. We've long supported "SPF", but that is considered broken. Our new software supports "DKIM" aka "Domain Keys", which involves signing every message with a key that is validated through DNS, and we are also adding "DMARC" policies to tell receiving servers to ignore mail from us that is not signed.

This needs to be set up on each domain that sends mail through our servers, and involves setting up two DNS records. If we have access to your DNS, we can set this up for you -- if not, let us know and we can coordinate getting these added for your domain.

Having DKIM-signed messages can help keep your mail out of your recipients' spam folders. This is especially important for mail coming from websites we manage (if we have not set them up to route through a different service).

Outbound rate limits

There's one other change we're putting in place: outbound rate limits. Over the years we have had several incidents where an email account has had its password cracked (usually because they were very weak/obvious passwords in the first place). When this happens, the hacked email account has been used to send tens of thousands of spams very, very quickly. And then it takes us weeks to repair our mail server reputation with various providers (such as Gmail, Office 365, Comcast, etc).

Our new spam filter allows us to set a cap on how much email you can send in a short period of time. We will be experimenting with this level over the coming weeks -- we don't intend to block any legitimate emails, but if you're sending to more than a couple hundred people in an hour, you should be using a mailing list or something designed for bulk email instead of a generic email account.

Maintainability for the future

We're really excited to have this project done! It's been a low-priority back-burner project for the past year, and it was our last major system not put into our regular "Docker"-based infrastructure. This meant it was getting really far behind, and if we had had an incident we could have had some prolonged downtime to get everything back up. No longer! We've now put everything in place for rapid recovery, as well as keeping everything up to date as we move forward. Which is the baseline of what we do for WordPress and Drupal websites -- we keep them current, backed up, and easily recoverable.

This also means we're at a point where we're happy to provide more email hosting. We are firm believers that the Internet should consist of more than a handful of tech giants, and big advocates of "self hosting". If you know any companies who would prefer to have their own mail server instead of buying a subscription from Google or Microsoft, we would be happy to manage one for them. Feel free to send them our way!

Thank you for your support and business over the years, and have a great holiday season!

Cheers,

John Locke and the Freelock crew

 

Add new comment

The content of this field is kept private and will not be shown publicly.

Filtered HTML

  • Web page addresses and email addresses turn into links automatically.
  • Allowed HTML tags: <a href hreflang> <em> <strong> <blockquote cite> <cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h1> <h2 id> <h3 id> <h4 id> <h5 id> <p> <br> <img src alt height width>
  • Lines and paragraphs break automatically.
CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.