[-] naxxfish@alien.top 1 points 11 months ago

Because it's easier and cheaper than setting up your own SSL tunnel securely.

From a non hobbyists point of view, you're paying for them to handle the messy business of maintaining a secure endpoint on the Internet. The sheer amount of bot crap you get hitting your servers as a result of an open SSL port is crazy. Also you are paying for their services as a CDN, which can significantly improve latency and reduce bandwidth bills.

Most self hosters won't benefit from a CDN (the volume and global distribution of traffic is too small for it to make much of a difference) or a global internal transit network.

Of course you definitely can set up your own SSL terminating proxy (where you own the box/process that unencrypted traffic goes through), it's just a lot more money and effort to do well than most would be willing to dedicate to it. But if you're not ok with your traffic going through a third party maybe it's worth it.

Just the mechanics of setting up SSL termination is a faff. Not only do you need to set up SSL properly on your app servers, you also have to do the same on your terminating proxy - and keep the certs renewed, disable insecure configurations, patch your SSL implementation. For many, the convenience of this all being someone else's problem is worth it compared to the privacy implications.

[-] naxxfish@alien.top 1 points 1 year ago

Beyond the shorthand advice of "don't" - here's some reasons (from somene who ran a mail server) why you might not want to:

  • If your server goes down for any reason, you'll probably loose mail - and potential business - with nobody to blame but yourself.
  • You'll probably find that randomly your users can't send email to some domains for no apparent reason - even if your DNS and SPF records are perfectly in line. Fixing this is often non-trivial.
  • Gmail and the like has made people forget how much of an issue Spam (and Phishing) is. Run your own mailserver and you'll find out very quickly it's still a huge issue and mitigating it is non-trivial.
  • A mail server is a tasty target for attackers, with potentially lots of confidential information in it and the ability to impersonate your users or their contacts - and unless you're doing a full time job keeping it secure, and trust that all the software on it is being patched regularly - it is an easy one to breach.
  • At some point your users will complain that it's slow, and you will spend days trying to figure out why.
  • Either you'll enforce strict quotas on your users (which they will complain about), or you don't and need to continually feed it disk at ever increasing costs.
  • Resetting passwords / 2FA will be another workload on top of all of the above.

All of this may be worthwhile if having your own mail server is the only way to achieve your goals. But, 99% of the time, a managed service (any managed service really) is more than adaquite.

[-] naxxfish@alien.top 1 points 1 year ago

Depends on how confident you are in the security of the apps you're hosting.

If you're proxying through Cloudflare, though - isn't that already effectively exposing your apps publically anyways?

naxxfish

joined 1 year ago