I use Zimbra with an external email gateway that only accepts authenticated email. Zimbra is pretty heavy (it’s intended to be a Microsoft Exchange replacement) but it at least has a huge amount of protection built-in to deal with spam and comes configured out of the box to not relay (well, outside of you setting up aliases and lists.)

That said, it’s not hard to find “incoming email only” configurations that deliver to local mailboxes only, for most email servers. The thing to avoid is having a single server configuration that tries to do both - accepting external email and sending locally originated email out. The configurations do exist to do that, but they’re confusing and tricky.

External email gateways… that bit is hard. I use a mail server I set up myself on a VPS. It does not listen on incoming port 25. It requires credentials. I did this largely because I was trying to send email out via Xfinity’s customer email relay, but the latter kept upping the authentication requirements until one day Zimbra just couldn’t be configured to use it any more. And each time they changed something, I wouldn’t find out until I noticed people had clearly not received the emails I’ve sent out.

VPSes are problematic as some IPs are blocked due to spam. There’s not much you can do about it if you’re stuck with a bad IP, so if you can find a way to send outgoing email via your ISP’s outgoing email server, do that. For Postfix, you can send out authenticated email using something like: in main.cf:

relayhost = [smtp.office365.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes

and in /etc/postfix/sasl_passwd:

[smtp.office365.com]:587 example@outlook.com:hunter2

So in summary:

• Consider an email-in-a-box solution like Zimbra, I understand the wish to go for something light but it might make sense if your aim is just to control your own email
• Regardless of whether you do or not, use separate servers for incoming/outgoing email.
• For incoming email, lock it down to accept local email down if you’re manually doing this rather than using an email-in-a-box solution like Zimbra.
• For outgoing email, use authentication and avoid it listening on port 25. Consider either directly using your ISPs, or if that’s not practical, configuring your outgoing email server to relay in turn to your ISP (see above for how to do this.)

Good luck.

The big problem with blocking GA altogether is that GA is usually how people who put together websites find out what browsers people are using to browse those websites.

And if you’re about to say “But they can just look at the user agent in access.log!”, sure they can, but those are in logs that are accessed by sysadmins, not people trying to find out how their websites are used. The first thing someone who’s trying to find out how to optimize their website does is go into GA. If they see no Firefox users in GA, then they don’t care about Firefox compatibility. They may even filter it out to prevent bots.

In order to fix the tracking cookies thing we need to do more than block a popular tool for getting website metrics, we need to understand why it’s used and provide alternatives that respect privacy.

I think the implicit assumptions about the “Police carry insurance” thing are:

1. Non-criminal Qualified immunity protections are replaced by insurance carriage
2. LEOs have to pay their own insurance (presumably with a pay hike that’s the “average” insurance payment

Without QI, LEOs would be liable. Insurance companies can certainly force LEOs to fight court cases, but the costs of doing so will fall on the insurance companies. An LEO that’s constantly a problem will find themselves in court a lot, and will end up costing the insurance company a lot, regardless of whether it’s just legal fees, or massive damages to their victims in addition to legal fees. So the insurer will force them to pay ever increasing premiums, and eventually they won’t be able to afford to be in law enforcement.

Most of what you’re saying would undermine the existing professional insurance requirements for doctors etc. Hell, it’d undermine insurance requirements for driving!

Also remember insurance companies rarely insure just one thing. You may get a carrier that specializes in LEOs, but in practice like most insurers it’ll cover a wide variety of different types of liability insurances, directly or indirectly. So it’s not necessarily in its best interests to defend LEOs regardless of what they’ve done. That just encourages bad law enforcement, pushing up its costs elsewhere.

The only thing I can think of (aside from the remote possibility that someone’s trying to move something very wide along the walkway and their way is blocked by 1") is that it’s very pseudo-OCD triggering, which definitely would put it in the Mildly Infuriating camp, just not in the way that is normally posted here.

Matrix is good, though I’ve been reconsidering it ever since I read this: https://telegra.ph/why-not-matrix-08-07

Also I’ve considered it less than perfect since they added encryption and managed to make it a hell to set up. If you can’t get people to understand Mastodon because “yOu hAvE To cHoOsE A SeRvEr” how the hell are you going to get them to set up a Matrix account when it involves downloading files and other crap that you need to keep with you when setting up all your clients.

Revolt looks nice but until it’s possible to use one account (and browser tab) to access multiple servers (in the computing sense, not the Discord sense), it’s not going to be ideal as a Discord replacement.

Or just mark the resource as private and only serve it to the user who created it until they associate a post with it.

You would probably need a separate server to stage images like this, as your main image server probably shouldn’t have a login wall, which probably slightly complicates things but not badly.

Yes. Section 230 has no requirements that someone needs to form a non-profit or anything like that. It applies to anyone who has responsibility for a website that accepts user submitted content, or more widely anything on the Internet not created by yourself. whether a private individual or a giant corporation.

https://www.eff.org/issues/cda230 describes it in more detail, but to give you an example, even forwarding an email from someone else to a mailing list has some protection (https://www.eff.org/issues/cda230/cases/batzel-v-smith)

Anyone in the US considering running a public Lemmy or Mastodon instance should check what their obligations are under the DMCA and Section 230 and do them.

Section 230’s protections and limitations are documented here: https://www.eff.org/issues/bloggers/legal/liability/230 - note that the limitations are not unlimited but generally if you act in good faith you’ll be covered for almost all of the non-copyright related situations you’re concerned about.

The DMCA requires you take action to protect your forum, notably registering an agent (which can be you!) with the Copyright Office, and posting contact information on your website. https://borgheselegal.com/news/44-internet-law/85-reducing-company-website-liability-steps-to-verify-dmca-safe-harbor-compliance has information on how to remain DMCA compliant, but basically it means responding to take down notices in a timely manner. It’s bureaucracy you don’t want to do, but it’ll protect your website from Sony if someone uploads the whole of Morbius to it.

Remember when you’re panicking about evil people posting to your website that there’s a whole host of websites everyone knows about such as the various American *chans that have never, to the best of my knowledge, been the subject of a raid.

TBH it’s not that he opposed same sex marriage that bothers me. People make poor decisions. It’s:

1. He donated to the campaign AFTER it became clear that campaign was using the funds to put up ads claiming gays were a danger to children.

2. His response to people working under him who were upset and had legitimate concerns they wouldn’t be treated fairly was: “the donation does not in itself constitute evidence of animosity. Those asserting this are not providing a reasoned argument, rather they are labeling dissenters to cast them out of polite society.” He has never withdrawn this insult and made little attempt to deal with it before or after becoming Mozilla CEO.

I’m also pissed that the right wing has managed to lie about what happened to the point that if you go against the false narrative, that falsely claims Eich was fired from Mozilla for his hateful views, he was actually promoted to CEO and resigned after a lot of outside pressure made it clear he was harming Mozilla by keeping the role, then you tend to get flamed, downvoted, modded “Troll”, etc in most tech forums.

I’m inclined not to boycott products because I dislike the people who made them’s views, but that said I don’t particularly want to find I’m contributing to the monetization of something that goes to a homophobic asshole, especially at a time when LGBT people are under attack at a level I haven’t seen in 30 years. So I will not be using Brave for that reason, regardless of what I think about the product technologically.

I’m not directly familiar with either, but syncthing seems to be about backing up, so I’m not entirely surprised it’s file oriented, and jellyfin doesn’t look like it’s about user maintained content so much as being a server of content. So I’m not entirely surprised neither would support S3/Minio.

Yeah it took me a while to realize what S3 is intended to be too. But you’ll find “Blob storage” now a major part of most cloud providers, whether they support the S3 protocol (which is Amazon’s) or their own, and it’s to be used precisely the way we’re talking about: user data. Things clicked for me when I was reading the DoveCot manuals and found S3 was supported as a first class back-end storage system like maildir.

I’m old though, I’m used to this kind of thing being done (badly) by NFS et al…

It’s not always possible but it’s generally good practice to configure your applications to use external storage rather than file systems - MySQL/PostgreSQL for indexable data, and S3-clones like MinIO for blob storage.

One major reason for this is that these systems generally have data replication and fall over redundancy built-in. So you can have two or more physical servers, have an instance of each type of server on each, and have these stay synchronized. If one server goes down, the disks crash, or you need to upgrade, you can easily rebuild a set of redundant servers without downtime, and all you need to do is save the configurations (and take notes!)

Like I said, not always possible, but in general the more an application needs to store “user data”, the more likely it is it has the ability to use one of the above as a backend storage system. That will reduce, significantly, the amount of application servers that need to be backed up, and may reduce your need to consider using NFS etc to separate the data.

A lot of this is purely teething issues related to (1) the fact federation seems difficult to understand to some people and (2) the fact it’s early and people keep thinking “Hey, wouldn’t it be great if there was a WORLD NEWS forum?” and they create it without realizing that actually a ton of other people have already created one.

It’s not like Reddit didn’t have a ton of duplicate or overlapping subs.

Maybe it should be easier to merge subs and instance admins could maybe encourage it if there’s no obvious reason why they have a sub that’s clearly a duplicate of one on another server.

Probably cached in that case. There’s almost certainly multiple caches between Reddit and a web browser, and the only time the system feels the need to build a page and not use the cache will be when you’re logged in.

The issue should ultimately correct itself as these pages do become stale and get deleted.

In all honesty, there’s nothing you can do with any VPS (or cloud - AWS, Azure, etc) provider to prevent them from accessing your server as you’re reliant on them to make sure there are no back doors in their images or hardware, and they have a vested interest (maintenance etc) in making sure they have at least some access. But it’s usually rare they do actually log in.

You can tighten up security a little bit by:

• Avoiding use of the console and logging out of it when AFK
• Checking /etc/passwd and /etc/shadow for passwords for accounts that should be inaccessible, and removing them.
• Verifying pam.conf doesn’t provide access to an external authentication system under the VPS operator’s control.

But those three still rely upon there being no back doors embedded deeper into the OS.

In the end, if it’s confidentiality you need, you’re better off setting the VPS up as a proxy to data that’s held on a server you have full control over (ie one that’s in your house), with no secrets kept on the VPS itself. That can be a tough one to set up and is beyond the scope of a simple Lemmy post…

Remember to log out of the console, as I’ve personal experience of seeing someone at Racknerd type commands into it (presumably by mistake but possibly because that’s SOP - this was shortly before they shut down the server claiming it was responsible for a networking issue after being hacked. Never found evidence it was hacked but Linux can glitch from time to time. So it’s possible they were taking advantage of the fact I was looking at the console at the time to see what the state of the machine was and then realized I was watching.)

Note I’m referring to the console here, not random ssh sessions. While there may be technical ways for them to hijack those, there’s not a lot of point in doing so, there are easier ways to gain access to VMs via, say, backdoor passwords.