Specs at a look: Helm Private Server
Quad-core 1.6GHz ARM Cortex-A72 w/TrustZone crypto module
128GB NVMe SSD w/256-bit AES-XTS encryption
802.11ac/a/b/g/n, Bluetooth four.2, Gigabit Ethernet, 2x USB-C three.zero
111.1mm x 180.9mm x 130.1mm (four.375″ x 7.125″ x 5.125″)
$499.99 on the Helm retailer (plus $99/12 months subscription, waived for first 12 months)
As Ars security-meister Dan Goodin famous in his preliminary write-up again in October, the Helm Private Server is a small-ish ARM-based e mail server that sits in your house and does for you what Gmail or Outlook.com or whomever your present e mail supplier does for you. It’s a full-featured, single-domain (for now) MTA in a field that you should use with an infinite variety of e mail addresses and accounts, and it provides you 128GB of house to make use of as a mail retailer for these accounts. It additionally provides you CalDAV calendaring, notes, and CardDAV contacts, and it does all of it with open-source functions which might be chosen and configured in a approach that demonstrates a strong bias towards particular person safety and privateness.
And I prefer it. I prefer it loads. I didn’t suppose I might, however after spending every week with the system, I’m nearly able to spring for one—nearly. And that’s excessive reward, coming from a paranoid e mail self-hoster like me.
Primarily based on my brief time with the Private Server, the reward is correctly earned. The Helm staff based mostly its product principally across the identical mail stack that I personally choose and use—the holy trinity of Postfix for SMTP, Dovecot for IMAP, and SpamAssassin for protecting issues clear. The system correctly makes use of SPF, DKIM, and DMARC—and handles all of the DNS stuff essential to make these issues work. Finish-user knowledge is well encrypted at relaxation and in flight. Intelligent use of tunneling to AWS-based gateways transparently works round frequent ISP blocks on e mail service ports. And, maybe most significantly, you don’t must know what any of that stuff means to make use of the system securely—informal of us who possibly simply need to reduce their reliance on Google or Microsoft will discover the transition to Helm comparatively painless, and there aren’t some ways to screw it up and make your self much less safe.
However technical customers may balk at a few of its shortcomings and annoyances—the underlying Postfix/Dovecot configuration (together with the constellation of smaller apps like OpenDKIM which might be essential to make it work) can’t be seen, modified, or edited. If you happen to’re bringing an current area to the Helm service, you presently must switch your area’s authoritative DNS to Helm’s AWS-based DNS servers in order that the service can handle the mandatory MX and TXT information. The selection of AWS for DNS means Helm presently doesn’t supply DNSSEC assist. And some different minor points may make skilled e mail sysadmins hesitant—although conversations with Helm’s assist staff throughout the evaluation have me satisfied of the corporate’s willingness to evolve the product in a path extra suitable with the (generally tough) calls for of energy customers like me.
All that being stated, the tl;dr right here is that I like Helm. I like what the corporate is doing, and I like the way in which it’s doing it. With just a few minor modifications (and a few extra uncovered knobs and levers so I can tweak issues a bit), I’d fortunately purchase a tool and transition my e mail internet hosting off of my present setup.
Now let’s dig somewhat deeper into what we’ve obtained right here.
How Helm matches into the email-hosting dilemma
In early 2014, I penned a four-part sequence about how you can host your individual e mail to your personal area, based mostly alone adventures in self-hosting. Though the guides are at this level in dire want of updating, they’re among the many hottest issues I’ve written in my whole tenure at Ars (eclipsed solely by the point I talked continuous about farts for a complete week). Doing my very own e mail internet hosting has on the entire been a rewarding and difficult endeavor that’s yielded super quantities of data, expertise, and grey hair—and, after doing it for a bit greater than 5 years, I’ve no plans to cease.
There are important advantages to self-hosting your e mail, however they arrive with important downsides, too—most notably, you’re on the hook for any errors or issues. “E mail,” stated Previous Lee, “is sort of a pet, and when you step up and personal your individual pet, you’ve obtained to handle it, clear up after it, and ensure evil folks do not infect it with horrible viruses and remodel it right into a zombie.” Taking care of an e mail server does often require work—a accountable sysadmin must sustain with updates, regulate the log information, verify recurrently on RBLs, be conscious of deliverability and sender status, and different miscellaneous sysadmin-y duties. It’s not overly onerous, however it’s not hands-off, both.
Helm goals to provide the better of each worlds—the reassurance of getting a tool stuffed with delicate data bodily below your management, however with nearly all the heavy sysadmin lifting executed for you.
The first issue Helm will face right here is the advertising message—who is that this factor for? Most folk within the offended graybeard set (of which I rely myself a member) are both already self-hosting or have dismissed self-hosting as much more bother than it’s price; the casual-user set doesn’t actually suppose a lot about how e mail works or what “internet hosting” actually means.
Helm due to this fact has determined in its advertising literature to lean closely on the privateness elements of self-hosting. Helm’s web site leads with that message and performs up how switching to Helm is a approach to take possession of 1’s on-line identification and divorce oneself from technological dependence on large data-hungry companies:
Your most crucial knowledge (like emails, search historical past, passwords, photographs, and movies) is saved on an enormous company server outdoors your private home.
More and more, this leaves you weak to hacks, firms profiting out of your knowledge and on-line habits, and mass authorities surveillance.
It’s a advertising message not with out some crucial caveats—so long as you’re exchanging emails with different individuals who use these massive company providers, you’re simply as weak to mass surveillance and knowledge harvesting as earlier than, since marketeers (together with any three-letter company) will merely vacuum up your message on the receiving finish reasonably than the sending finish. And Helm’s utilization of AWS for a lot of its infrastructure—even with a accountable eye towards encryption and protecting delicate knowledge correctly siloed—means you’re nonetheless relying closely on probably the most data-hungry companies of all of them.
The message, nonetheless, isn’t wholly inaccurate—you’re higher off self-hosting. It stays an open query, although, of whether or not the common client (and even the common tech-savvy Ars reader) can be keen to spend $499 and a further $99 every year for a nebulous and difficult-to-fully-quantify improve in safety. Convincing folks to take action shall be Helm’s biggest problem—in all probability a fantastic deal tougher than truly designing the service within the first place.
The Helm service—or, “the place does my $99 a 12 months go?”
I need to speak only for a second about precisely what that ongoing $99/12 months cost pays for. Clearly, Helm has workers, and they should make payroll; the Helm service requires ongoing work behind the scenes for it to stay long-term purposeful. However the subscription charge additionally covers a good quantity of actual AWS-based infrastructure prices that include every Helm system bought.
Helm makes use of Amazon’s Route 53 DNS service on the back-end, which supplies you a strong DNS setup with a lot of quick, geographically distributed resolvers. To work round ISP restrictions on ports and to eliminate the Sisyphean activity of making an attempt to make use of a residential ISP IP addresses for e mail service, the corporate spins up Amazon EC2-based gateway machines that set up tunnels to the residential Helm gadgets. “All of the gateway does is ahead packets forwards and backwards,” defined Helm CEO and co-founder Giri Sreenivas to Ars. “All TLS terminates on this system. All we’ve executed is introduce an additional hop on the Web. We’re funneling encrypted visitors.”
Helm additionally places some care into the AWS IP addresses assigned to the Helm gateway, doing all the mandatory legwork to vet these addresses towards the ever-changing checklist of anti-spam IP tackle blacklists utilized by most e mail servers.
The AWS prices for Helm additionally embody built-in cloud redundancy; the corporate makes use of Amazon’s US-West-2 area for its gateways and retains machines in all three of the area’s availability zones. The corporate makes use of a separate area, US-East-1, for all of its knowledge storage—that’s, the place the place your gigabytes of encrypted e mail back-ups reside.
The mail circulation
These EC2-based gateways are one of many keys to creating Helm work. When your native Helm server powers on, it establishes an IKEv2-based tunnel to an EC2 gateway. That EC2 occasion is assigned the general public IP tackle referenced in your area’s MX information, and makes use of good ol’ iptables to ahead choose packets by the tunnel to your Helm server.
The trail is identical whether or not you’re an IMAP consumer checking your inbox or one other e mail server transmitting a message over SMTP—all the things goes through the gateway.
Curiously, which means that e mail shoppers on the identical LAN because the Helm server nonetheless run their visitors throughout the Web, by the tunnel by the use of AWS. If you configure your consumer, you level it at “helm.yourdomain.com” for SMTP and IMAP and ahead DNS lookups on that hostname will at all times return the AWS gateway’s Web IP tackle.
I requested Helm assist about bypassing the tunnel and addressing the Helm server’s mail ports immediately on the LAN, which is perhaps one thing a buyer with split-horizon DNS would do. The response was reassuring: “This should not be an issue,” the assist folks stated. “If the consumer units up DNS to level on to the native Helm IP tackle for native shoppers, these ports are presently open, and so it ought to work. This isn’t a configuration that we now have examined, nonetheless, however technically we don’t see any challenge with this.”
(Whereas the SMTP and IMAP ports are regionally addressable, there’s not a lot else you may truly do to the Helm server immediately—there is no such thing as a approach to log into it. Configuration duties are all executed through an app, which we’ll get to shortly.)
The choice to wrap all server comms in a tunnel pleasantly sidesteps the 2 main points that always include making an attempt to self-host an e mail server on a residential ISP connection. Specifically, you don’t have to fret about your ISP blocking inbound connections on frequent e mail ports, and also you don’t have to fret about the truth that most residential IP addresses are everlasting residents on nearly each blacklist ever. By shifting the connection level to Amazon’s cloud and being picky with the IP tackle pool they must work with, Helm saves you no scarcity of complications. (You additionally don’t have to fret about updating a DNS entry when/if your private home IP tackle modifications, however that’s principally a solved drawback at this level anyway.)
Unboxing and setup
The server comes packaged with a quickstart information, a community cable, a good-quality branded AC adapter, a USB key for storing your backup encryption key(s), and a Helm sticker (our evaluation system additionally got here with a separate USB stick loaded with press property and pictures).
Setup is fairly darn straightforward. You unbox the server, peel off the plastic protecting movie round it and its AC adapter, plug it in, and join it to your LAN. The system has built-in 802.11ac and may be run wi-fi, however that you must set issues up wired first earlier than you may configure Wi-Fi. Replace: Helm notified me after the evaluation went reside that the preliminary setup can certainly be executed wirelessly if desired.
After you have plugged within the community cable, you flip the factor on, set up the cellular app in your iOS or Android system, and comply with the steps.
Right here it’s: your Helm Private Server. Nicely, the field, at the least.
The highest of the field comes off, revealing a sharp package deal.
The field backside comprises the remainder of the package deal: a community cable, a sticker, a quickstart information, an AC adapter, and an important USB stick to your encryption keys. The inexperienced PNY stick is only for reviewers and comprises a presskit with photographs (a few of that are scattered by this evaluation).
The Helm Private Server, dealing with the digicam.
The Helm Private Server, dealing with away from the digicam. Seen are two USB-C ports (one reserved for energy, for the reason that AC adapter terminates in a USB-C plug), energy button/standing mild, and gigabit Ethernet.
The height of Helm’s roof comprises a small cut-out housing one other USB-C port—this one for attaching a stacking growth unit (when/if one is ultimately launched).
One of many system’s eaves homes a detachable (however glued in place) 2.5″ SATA bay.
Apologies for the standard of this picture—it was annoyingly tough to take. It is a peek into the two.5″ SATA bay.
These steps, pictured in a gallery beneath, will see you first pairing your Helm server along with your smartphone through Bluetooth to kick off the setup. The Helm server and your smartphone carry out a token change through Bluetooth that permits your cellphone to proceed getting used for admin duties; configuring new smartphones to work with the Helm app requires bodily proximity and one other Bluetooth connection. (Configuring smartphones to ship and obtain e mail with Helm, although, doesn’t—you solely want to fret in regards to the one-time Bluetooth connection for gadgets you’re going to make use of to manage the server.)
It’s vital to pause and reiterate that, after the preliminary token change through Bluetooth, all communications between your administration smartphone and the Helm server occurs over the Web through the AWS gateway. That’s the case even when your cellphone and the Helm server are on the identical LAN section. That is truly a aid for folk like me who’re maybe greater than somewhat paranoid about placing a tool we are able to’t handle or improve on a trusted LAN section with different trusted gadgets—since there is no direct communication between your administration system and the Helm server, there’s no motive you may’t completely plop the Helm server in your IoT VLAN if in case you have one and even onto its personal remoted section.
Per a observe from Helm assist, the one factor the field wants to have the ability to do is ship outbound visitors on UDP ports 500 and 4500 and on TCP port 443. You don’t want any incoming port-forward guidelines.
The evaluation items Helm despatched out had been preconfigured with take a look at domains (I obtained “helmdomain21.com”), however for those who’re an precise buyer, you’ll both have bought a website from Helm if you purchased the system otherwise you’ll have switched your current area’s authoritative DNS over to Helm’s DNS servers if you purchased the system.
No matter how you bought there, the setup continues by displaying you the area assigned to you and asking you to enter an activation code Helm sends you at buy. After that, you create your first mailbox for the area, which can also be your administrator account.
The setup assistant then prompts you to insert that flashy silver USB stick into one of many Helm’s ports. At this level, the server generates an encryption key pair and writes the non-public key to the stick. The encryption keys are used each for encrypting the Helm’s native filesystem and likewise for encrypting the server’s automated backups, that are routinely uploaded to AWS for you. In case your Helm server dies or is stolen, you’ll want this bodily key to revive your e mail backups and configuration to a substitute Helm system.
After unboxing your Helm and powering it on, you put in the app and are greeted with this.
You will need to pair your smartphone with the Helm server over Bluetooth to change a token. You will need to do that with any smartphone or pill you need to use to admin your Helm server. (You do NOT want to do that for those who simply need to ship and obtain Helm e mail on a tool—solely if you wish to set up the Helm app and do admin stuff.)
Subsequent you enter an activation code and confirm that the area preconfigured on the server matches your e mail area. (For reviewers, Helm despatched out gadgets preconfigured with generic domains for testing functions. I obtained “helmdomain21.com”.)
You then create an admin account, which can also be an e mail inbox.
Give it a password and permit notifications (which you’ll be able to disable as desired later).
Then the setup course of asks you to insert the silver USB stick that got here with the server. Your Helm server’s encryption secret’s written to the stick. Retailer it in a safe place: you will want it for those who ever have to revive a backup.
Subsequent—at the least on iOS—the Helm server will ship you some preconfigured profile information in order that you do not have to manually add your Helm inbox to your cellphone.
Tapping “set up” kicks off the profile set up course of.
One profile, three accounts.
And there they’re.
Tapping on the e-mail account exhibits pre-populated account particulars.
Calendar account particulars.
Contacts account particulars.
As soon as the profile is put in, you are prepared to begin utilizing the server.
The app’s admin interface presents you with a listing of further duties you may need to do.
The e-mail account exhibits up in your checklist of e mail accounts within the default iOS e mail consumer.
Account particulars from the iOS settings display.
Calendar account particulars.
Contacts account particulars.
Lastly—at the least on iOS, which is what I exploit—the appliance generates a set of profiles containing your Helm account’s e mail, calendar, and contacts settings. Then the appliance installs all of that for you, although you must hit OK just a few instances to shepherd the method alongside. It is a good comfort that eliminates you doubtlessly needing to copy-and-paste (or, worse, write down and manually enter) a bunch of server and account settings.
As soon as the profiles are put in, you’re instantly capable of ship and obtain e mail out of your new area. After that, the app has a set of wizard-like duties in the primary window to point out you how you can import e mail from exterior accounts, create extra e mail addresses, and set per-device passwords in your Helm account so it may be accessed on different gadgets like a laptop computer or pill.