In the previous posts of this series, we built the foundation of your sovereign cloud. We’ve established a hardened network, a custom router, and a powerful server environment. Now, we arrive at the most challenging and perhaps most rewarding – milestone: Self-Hosted Email.

Email is the skeleton of your digital identity. It is the recovery method for your bank accounts, the username for your social media, and the record of your private communications. Currently, the vast majority of the world’s email is controlled by two or three massive corporations. This is a systemic risk to privacy and personal freedom.

However, “Email is hard” is the common refrain in the self-hosting community. People say you will get blacklisted, your mail will never arrive, and you’ll spend your life fighting spam filters. This guide is here to prove them wrong. We are going to build an email system based on the philosophy – one that is robust, private, and, most importantly, actually works.

The Hard Truth: The “IP Reputation” Trap

Before we touch a single line of code, you must understand why self-hosted email often fails. It comes down to IP Reputation. Spam filters at Gmail, Outlook, and Yahoo are aggressive. They look at the “birthplace” of an email – the IP address of the server that sent it. If that IP address comes from a residential block (like your home internet) or a cheap VPS provider, it is often flagged as “dirty” by default.

Historically, self-hosters tried to send mail directly from their home servers. This almost always results in the “black hole” effect: your email is accepted by the recipient server but never appears in their inbox or even their spam folder.

The Solution: The Hybrid Approach

To solve this, we use a hybrid model. We host the storage, the UI, and the receiving (IMAP/POP3) capabilities on our own sovereign hardware. But for sending (SMTP), we use a “Relay” service with a high reputation. This ensures that while we own our data, our messages are delivered with the authority of a trusted sender.

&&

Box: Pilgrimage (Easy Linux) — The foothold comes from a hidden .git directory exposed on port 80. Dumping the repo leaks the full PHP source, which shows ImageMagick is called directly on user uploads with no version pin. Running identify –version confirms 7.1.0-49, vulnerable to CVE-2022-44268. Crafting a PNG with a malicious tEXt chunk set to /etc/passwd causes the resized output to embed the file contents as raw hex in the EXIF data. Decode it, grab the emily hash, crack it offline with rockyou in under 90 seconds, SSH in as emily. Privesc from there involves a root-owned Bash script in /usr/sbin/malwarescan.sh calling binwalk on every file in the uploads folder — and binwalk 2.3.2 is exploitable via CVE-2022-4510. Drop a crafted PFS file into uploads, wait for the cron, get a root shell back on your listener…

// members-only content

The rest of this post is for members.
Join to unlock the full post.

$ cat /membership/perks.txt

Unlock This Post and Much more – from $5/mo

If you want to say thanks and follow along more closely, membership is the best way to do it. You’ll get exclusive series posts, a spot on the Supporters Page, and a shout-out when you join.

Unlock Member-only Exclusive Post – $5/mo // what’s inside
  • Exclusive access to more posts like this
  • Name mention on the Supporters Page
  • Exclusive series access & messages for members
  • Shout-out for all new members
  • Support the project & keep it going
  • Cancel anytime, no contracts
$5 / month Exclusive Access

Trusted by 1,200+ students, sysadmins, and security engineers

This post first appeared at - The CyberSec Guru