I use Zimbra with an external email gateway that only accepts authenticated email. Zimbra is pretty heavy (it’s intended to be a Microsoft Exchange replacement) but it at least has a huge amount of protection built-in to deal with spam and comes configured out of the box to not relay (well, outside of you setting up aliases and lists.)

That said, it’s not hard to find “incoming email only” configurations that deliver to local mailboxes only, for most email servers. The thing to avoid is having a single server configuration that tries to do both - accepting external email and sending locally originated email out. The configurations do exist to do that, but they’re confusing and tricky.

External email gateways… that bit is hard. I use a mail server I set up myself on a VPS. It does not listen on incoming port 25. It requires credentials. I did this largely because I was trying to send email out via Xfinity’s customer email relay, but the latter kept upping the authentication requirements until one day Zimbra just couldn’t be configured to use it any more. And each time they changed something, I wouldn’t find out until I noticed people had clearly not received the emails I’ve sent out.

VPSes are problematic as some IPs are blocked due to spam. There’s not much you can do about it if you’re stuck with a bad IP, so if you can find a way to send outgoing email via your ISP’s outgoing email server, do that. For Postfix, you can send out authenticated email using something like: in main.cf:

relayhost = [smtp.office365.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes

and in /etc/postfix/sasl_passwd:

[smtp.office365.com]:587 example@outlook.com:hunter2

So in summary:

• Consider an email-in-a-box solution like Zimbra, I understand the wish to go for something light but it might make sense if your aim is just to control your own email
• Regardless of whether you do or not, use separate servers for incoming/outgoing email.
• For incoming email, lock it down to accept local email down if you’re manually doing this rather than using an email-in-a-box solution like Zimbra.
• For outgoing email, use authentication and avoid it listening on port 25. Consider either directly using your ISPs, or if that’s not practical, configuring your outgoing email server to relay in turn to your ISP (see above for how to do this.)

Good luck.

I’m not directly familiar with either, but syncthing seems to be about backing up, so I’m not entirely surprised it’s file oriented, and jellyfin doesn’t look like it’s about user maintained content so much as being a server of content. So I’m not entirely surprised neither would support S3/Minio.

Yeah it took me a while to realize what S3 is intended to be too. But you’ll find “Blob storage” now a major part of most cloud providers, whether they support the S3 protocol (which is Amazon’s) or their own, and it’s to be used precisely the way we’re talking about: user data. Things clicked for me when I was reading the DoveCot manuals and found S3 was supported as a first class back-end storage system like maildir.

I’m old though, I’m used to this kind of thing being done (badly) by NFS et al…

It’s not always possible but it’s generally good practice to configure your applications to use external storage rather than file systems - MySQL/PostgreSQL for indexable data, and S3-clones like MinIO for blob storage.

One major reason for this is that these systems generally have data replication and fall over redundancy built-in. So you can have two or more physical servers, have an instance of each type of server on each, and have these stay synchronized. If one server goes down, the disks crash, or you need to upgrade, you can easily rebuild a set of redundant servers without downtime, and all you need to do is save the configurations (and take notes!)

Like I said, not always possible, but in general the more an application needs to store “user data”, the more likely it is it has the ability to use one of the above as a backend storage system. That will reduce, significantly, the amount of application servers that need to be backed up, and may reduce your need to consider using NFS etc to separate the data.

To own my own data and feed and have some control over what’s pushed at me?

I mean, I get it. Some people hate X and Meta. I hate them too. But if my aim was to get away from those two, I’d be on Tumblr, not Mastodon. If I was concerned that my postings to “social media” can be abused, I wouldn’t use Mastodon either, it’s completely open and there’s very little concept of privacy.

To put it bluntly, Meta doesn’t even need to join the Mastoverse with an ActivityPub instance to vacuum up your Mastoverse data. It just needs single accounts to join the big instances and follow the “Federated feed” on them, doing a little algorithmic work to link accounts to Facebook accounts. It’s actually easier for Meta to suck your data from the Mastoverse than it was Twitter or Tumblr. (I deadnamed X, because I assume X’s position is so dire that if Meta offered to pay for everyone’s feeds, Musk would sell it all. But Twitter, for all of its faults, wouldn’t have done that.)

What I’m hoping is that Meta will follow through and join properly, offering ActivityPub feeds and the ability to subscribe to ActivityPub feeds. Doing so will give Meta’s own users an off ramp, making it easier for Meta’s users to feel able to leave without losing their circle. And it’ll give the morons who insist that “OMG MASTODON IS TOO HARD YOU HAVE TO CHOOSE A SERVER!” (I can’t be polite about these people any more, the number who brag about their own idiocy is astonishing) a “simple” social network they can join with that off-ramp available for the future.

But no, in my case, I didn’t join Mastodon to get away from Meta. I joined so I have the network I want.