by mschuster91 1278 days ago
> Hear me out: the Internet was supposed to be about peer-to-peer connected computers, and the privileged roles ISPs and later "cloud" providers assumed changed that for the worse.

The main problem isn't privileged actors like ISPs (although shit like asymmetric DSL or CGNAT definitely prevents people from self-hosting)... it is abuse and the complete unwillingness of almost everybody from private actors over governments to international organizations to put a fucking stop on it.

You open up a server on the Internet? Not even sixty seconds and the first Shodan or whatever using script-kiddies will attempt to hack you. And god forbid you run some popular software that can be sniffed like Drupal or Wordpress - you end up in Shodan just as well and will be automatically exploited as soon as the CVE gives enough hints to people to write an exploit. You wish to send your own emails? You find yourself greylisted by almost everyone in their futile attempts to keep their users from spam. You wish to communicate with someone? Better read up on crypto because governments and ISPs just love to mine data. Operate a service that allows user-generated content? Beware of a deluge of everything from warez groups to CSAM spreaders that can and will expose you to serious legal liability.

The old protocols were all designed with implicit trust in mind and the assumption that no actor on the internet would abuse their position. That worked reasonably well as long as it was only universities (but even then, the first viruses appeared from enterprising prankster students)... but once the Internet got mainstream, all of that broke down, and it completely collapsed once people started realizing they might make money shilling grey-imported penile enlargement pills. And the more people were on the Internet, the harder the work of "abuse departments" got, which led to most organizations simply dismantling the department or redirecting complaints to /dev/null. The fact that some governments (particularly China and Russia) turn a completely blind eye towards hacking originating from their countries as long as they themselves aren't targeted (just look how many malware samples have a dead-man switch when they encounter information that the target might be Russian) just makes the problem worse.

Unfortunately, by that time the old protocols and standards were so widespread in use there was no chance to replace them, and so layers upon layers upon layers of bullshit got placed over the old layers in the end.


You're right that there are a lot of bad actors out there, but in my experience they are pretty easy to deal with if you set things up right. The biggest annoyance for me self-hosting has been ISP refusing to give static IP and decent upstream bandwidth.

I've hosted my own website and email server for decades. It does take a little work to keep up with things like DMARC, reverse DNS etc, but if you get a good score on https://internet.nl/test-mail/ and don't spam anybody, self-hosted email works fine. FYI you are misusing "greylist."

> You're right that there are a lot of bad actors out there, but in my experience they are pretty easy to deal with if you set things up right.

Sure, it's possible to defend against hackers to a degree, but even using a completely static website still leaves you open to attack surfaces in the webserver software or to remotely exploitable vulnerabilities in the Linux network stack.

> FYI you are misusing "greylist."

I assume we share the definition of "greylisting" to be the receiver MTA blocking the first delivery of an incoming email with "try again later", and the sender MTA then retrying after that time frame? If yes then this exactly describes my experience in administrating self-hosted mail servers with popular large mail providers.

Ah, my apologies, I jumped to conclusions that you were misusing "greylisting". I've never actually checked if I'm getting greylisted sending to large providers, but I think initial greylisting of new addresses is pretty reasonable.

My mail server (MailInABox) has postgrey enabled by default, greylisting incoming email each time email is received from a new address. I thought that was a little overzealous so turned it off.

It might be reasonable, but highly annoying if you run a, say, sign-up double opt-in or an email-based second factor/OTP. Customers don't like waiting an hour or whatever greylisting period, and so as a SaaS operator you are all but forced to go to one of the big e-mail senders like AWS SES because you don't stand a chance otherwise.
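As an added illustration of the greylisting mechanism described in the comments above (the receiving MTA answering a first delivery attempt from an unknown sender with a temporary "try again later" reply, and the delay that imposes on time-sensitive mail such as double opt-in or OTP messages), here is a small decision engine keyed on the SMTP triplet of client IP, envelope sender and envelope recipient. This is example code written for this page, not postgrey's or Mail-in-a-Box's implementation; the delay, retry window, whitelist lifetime and the sending side's retry schedule are constructed assumptions, chosen only to make the timeline visible.

```python
from dataclasses import dataclass, field

# Constructed policy parameters (assumptions, not any particular product's defaults).
GREYLIST_DELAY = 300         # seconds a first attempt must wait before a retry is accepted
RETRY_WINDOW = 4 * 3600      # no retry within this window -> the triplet is forgotten
WHITELIST_TTL = 35 * 86400   # a triplet that passed once is accepted for this long


@dataclass
class Greylist:
    """Greylisting keyed on the triplet (client IP, MAIL FROM, RCPT TO)."""
    delay: int = GREYLIST_DELAY
    retry_window: int = RETRY_WINDOW
    whitelist_ttl: int = WHITELIST_TTL
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt
    passed: dict = field(default_factory=dict)      # triplet -> time of last accepted delivery

    def decide(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply the receiver would give at time `now` (seconds)."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())

        # Triplet passed greylisting recently: accept at once and refresh the entry.
        last = self.passed.get(key)
        if last is not None and now - last < self.whitelist_ttl:
            self.passed[key] = now
            return "250 OK"

        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            # Unknown (or stale) triplet: record it and ask the sender to retry.
            self.first_seen[key] = now
            return "450 4.7.1 Greylisted, please try again later"

        if now - first < self.delay:
            # Retried too early: still a temporary rejection.
            return "450 4.7.1 Greylisted, please try again later"

        # A retry after the delay: accept and remember the triplet.
        del self.first_seen[key]
        self.passed[key] = now
        return "250 OK"


def delivery_latency(greylist, client_ip, mail_from, rcpt_to, retry_schedule, start=0):
    """Seconds until the receiver accepts, given the sender's retry offsets.

    `retry_schedule` is a constructed list of seconds after `start` at which the
    sending MTA attempts delivery (the first entry is normally 0). Returns None
    when no attempt in the schedule is accepted.
    """
    for offset in retry_schedule:
        reply = greylist.decide(client_ip, mail_from, rcpt_to, start + offset)
        if reply.startswith("250"):
            return offset
    return None


if __name__ == "__main__":
    # Constructed sender retry schedule: immediate, then 1 min, 10 min, 30 min.
    schedule = [0, 60, 600, 1800]
    g = Greylist()
    # First OTP mail to a new customer: delayed until the retry after the 5 min delay.
    print(delivery_latency(g, "203.0.113.10", "otp@app.example", "alice@example.net", schedule))
    # Second OTP mail to the same customer: triplet is now whitelisted, delivered at once.
    print(delivery_latency(g, "203.0.113.10", "otp@app.example", "alice@example.net", schedule, start=3600))
```

The timeline is the point: the first message to each new recipient is only delivered on the sender's first retry that lands after the receiver's delay, so the latency a customer sees is set by the sending MTA's retry schedule, not by the receiver's delay alone. Once a triplet has passed, later mail to that recipient is accepted immediately until the whitelist entry expires, which is why the effect is felt mostly on first-contact mail such as sign-up verification.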

Ah, darn... I'm starting a web app with email verification now, using my own email server for sending and I didn't consider this. Thanks for the warning. Guess I'm about to find out how bad it is.

Pretty annoying to test for this reliably as well...