1 00:00:00,000 --> 00:00:04,600 Imagine trying to fly a 747 commercial jet, right? 2 00:00:04,600 --> 00:00:09,599 But the cockpit has a million unlabeled switches. 3 00:00:09,599 --> 00:00:10,439 Oh, boy. 4 00:00:10,439 --> 00:00:12,919 And if you flip the wrong one, you don't just crash. 5 00:00:12,919 --> 00:00:14,640 You get, like, permanently banned 6 00:00:14,640 --> 00:00:16,080 from every airport on Earth. 7 00:00:16,080 --> 00:00:18,039 That sounds incredibly stressful. 8 00:00:18,039 --> 00:00:18,640 It is. 9 00:00:18,640 --> 00:00:20,400 And for decades, that is exactly 10 00:00:20,400 --> 00:00:22,640 what running your own email server has felt like. 11 00:00:22,640 --> 00:00:23,719 Welcome to the Deep Dive. 12 00:00:23,719 --> 00:00:24,560 Glad to be here. 13 00:00:24,560 --> 00:00:27,320 Today, we are dismantling that nightmare. 14 00:00:27,399 --> 00:00:29,960 But first, speaking of taking back control 15 00:00:29,960 --> 00:00:32,759 of your infrastructure, we are thrilled to have SafeService 16 00:00:32,759 --> 00:00:34,200 supporting this Deep Dive. 17 00:00:34,200 --> 00:00:37,439 Because every organization wrestles 18 00:00:37,439 --> 00:00:40,240 with how to manage their communication tools. 19 00:00:40,240 --> 00:00:42,679 And so often, the default is to just surrender 20 00:00:42,679 --> 00:00:46,200 to these incredibly expensive proprietary services. 21 00:00:46,200 --> 00:00:48,920 Right, like Microsoft Exchange or Google Workspace. 22 00:00:48,920 --> 00:00:49,439 Exactly. 23 00:00:49,439 --> 00:00:52,200 We just accept those heavy subscription costs as a given. 24 00:00:52,200 --> 00:00:54,079 But open source solutions can actually 25 00:00:54,079 --> 00:00:56,359 replace those massive ecosystems 26 00:00:56,359 --> 00:00:57,679 at a fraction of the cost. 27 00:00:57,679 --> 00:00:59,560 And well, when you're dealing with organizational 28 00:00:59,560 --> 00:01:02,839 communication, you're inherently dealing with compliance. 29 00:01:02,839 --> 00:01:04,400 I mean, if your business is navigating 30 00:01:04,400 --> 00:01:06,599 strict requirements around email retention 31 00:01:06,599 --> 00:01:09,359 or heavy data protection laws, 32 00:01:09,359 --> 00:01:11,039 safeguarding financial records, 33 00:01:11,039 --> 00:01:13,799 or maintaining pristine audit trails. 34 00:01:13,799 --> 00:01:14,959 It gets complicated fast. 35 00:01:14,959 --> 00:01:15,799 It does. 36 00:01:15,799 --> 00:01:18,280 Data sovereignty isn't just a corporate buzzword 37 00:01:18,280 --> 00:01:19,599 in those cases. 38 00:01:19,599 --> 00:01:21,920 It is a legal necessity. 39 00:01:21,920 --> 00:01:24,480 You need to know exactly where your data lives, 40 00:01:24,480 --> 00:01:27,599 who has access to it, and that no third party tech 41 00:01:27,599 --> 00:01:28,799 giant is scanning it. 42 00:01:28,799 --> 00:01:30,599 Which is exactly why SafeServer 43 00:01:30,599 --> 00:01:31,960 is tackling this pain point. 44 00:01:31,960 --> 00:01:34,480 They help organizations find and implement 45 00:01:34,480 --> 00:01:36,480 the right open source solutions 46 00:01:36,480 --> 00:01:38,159 tailored to their specific needs. 47 00:01:38,159 --> 00:01:39,760 Yeah, and they handle the hard parts. 48 00:01:39,760 --> 00:01:42,040 Right, everything from the initial consulting phase 49 00:01:42,040 --> 00:01:44,359 right through to the daily operation of these tools. 50 00:01:44,359 --> 00:01:47,200 And they do it all on highly secure German servers. 51 00:01:47,200 --> 00:01:49,439 So you get the cost benefits of open source 52 00:01:49,439 --> 00:01:51,240 with the enterprise grade reliability 53 00:01:51,240 --> 00:01:53,920 and data sovereignty your organization actually needs. 54 00:01:53,920 --> 00:01:54,760 Exactly. 55 00:01:54,760 --> 00:01:56,520 So if you are ready to stop overpaying 56 00:01:56,520 --> 00:01:57,920 for proprietary lock-in, 57 00:01:57,920 --> 00:02:01,880 head over to www.safeserver.de for more information. 58 00:02:01,880 --> 00:02:03,360 It's a vital service really. 59 00:02:03,360 --> 00:02:05,440 And it perfectly mirrors the ethos 60 00:02:05,440 --> 00:02:07,320 of what we are analyzing today. 61 00:02:07,320 --> 00:02:08,480 It really does. 62 00:02:08,480 --> 00:02:10,920 Because today, our sources are the official 63 00:02:10,920 --> 00:02:13,240 GitHub repository, some code breakdowns, 64 00:02:13,240 --> 00:02:15,080 and the documentation pages 65 00:02:15,080 --> 00:02:17,360 for a piece of open source software called Chasquid. 66 00:02:17,360 --> 00:02:18,180 Chasquid. 67 00:02:18,180 --> 00:02:19,020 Yeah. 68 00:02:19,340 --> 00:02:21,340 Our mission for you, the listener, 69 00:02:21,340 --> 00:02:23,860 is to explore how this specific project 70 00:02:23,860 --> 00:02:27,900 acts as a beginner-friendly, secure alternative. 71 00:02:27,900 --> 00:02:30,540 It's designed to help individuals and small groups 72 00:02:30,540 --> 00:02:32,700 take back control of their email. 73 00:02:32,700 --> 00:02:33,620 Okay, let's unpack this. 74 00:02:33,620 --> 00:02:34,460 Let's do it. 75 00:02:34,460 --> 00:02:36,540 Before we get into what makes Chasquid unique, 76 00:02:36,540 --> 00:02:38,620 we need to establish the baseline. 77 00:02:38,620 --> 00:02:41,140 We are talking about an MTA, a mail transfer agent. 78 00:02:41,140 --> 00:02:41,980 Right. 79 00:02:41,980 --> 00:02:43,260 And since our audience generally understands 80 00:02:43,260 --> 00:02:45,180 that an MTA is the software responsible 81 00:02:45,180 --> 00:02:48,340 for routing mail from server to server over the internet, 82 00:02:48,379 --> 00:02:51,140 my question is, why is configuring an MTA, 83 00:02:51,140 --> 00:02:55,099 historically, such a fragile, terrifying process? 84 00:02:55,099 --> 00:02:57,099 Well, you have to look at the history of the internet 85 00:02:57,099 --> 00:02:58,620 to understand the complexity there. 86 00:02:58,620 --> 00:02:59,460 Okay. 87 00:02:59,460 --> 00:03:01,740 The legacy MTAs that run most of the world's 88 00:03:01,740 --> 00:03:04,580 email-to-day software, like Postfix or... 89 00:03:04,580 --> 00:03:07,939 They were originally conceived in the 1980s and 90s. 90 00:03:07,939 --> 00:03:09,219 Wow, that long ago. 91 00:03:09,219 --> 00:03:10,140 Yeah. 92 00:03:10,140 --> 00:03:13,219 And back then, the internet was a high-trust environment. 93 00:03:13,219 --> 00:03:16,140 It was mostly universities and government researchers 94 00:03:16,140 --> 00:03:17,539 passing text files around. 95 00:03:17,539 --> 00:03:18,859 There was no spam. 96 00:03:18,859 --> 00:03:21,219 There were no highly sophisticated phishing syndicates. 97 00:03:21,219 --> 00:03:23,739 So as those threats evolved over the decades, 98 00:03:23,739 --> 00:03:26,259 the developers of those legacy MTAs 99 00:03:26,259 --> 00:03:30,620 had to bolt on security features, spam filters, 100 00:03:30,620 --> 00:03:32,780 and encryption protocols after the fact. 101 00:03:32,780 --> 00:03:34,500 So instead of a unified architecture, 102 00:03:34,500 --> 00:03:36,299 you are looking at decades 103 00:03:36,299 --> 00:03:38,259 of accumulated patches and work around. 104 00:03:38,259 --> 00:03:39,099 Exactly. 105 00:03:39,099 --> 00:03:40,659 You end up with configuration files 106 00:03:40,659 --> 00:03:42,819 that are hundreds of lines long, 107 00:03:42,819 --> 00:03:44,739 filled with obscure syntax. 108 00:03:44,739 --> 00:03:47,299 Which is why that 747 analogy is so apt. 109 00:03:48,100 --> 00:03:50,860 I mean, Postfix and Exim are incredibly powerful. 110 00:03:50,860 --> 00:03:52,260 They can route millions of emails 111 00:03:52,260 --> 00:03:53,980 for massive internet service providers 112 00:03:53,980 --> 00:03:56,780 and handle every bizarre edge-case routing scenario 113 00:03:56,780 --> 00:03:58,060 you can imagine. 114 00:03:58,060 --> 00:03:59,100 But to get that power, 115 00:03:59,100 --> 00:04:02,100 the administrator has to navigate an absolute minefield 116 00:04:02,100 --> 00:04:03,460 of configuration options. 117 00:04:03,460 --> 00:04:05,860 And complex code is where bugs hide 118 00:04:05,860 --> 00:04:07,380 and complex configuration files 119 00:04:07,380 --> 00:04:09,140 are where human error thrives. 120 00:04:09,140 --> 00:04:11,620 Yeah, and the documentation for Chasquid 121 00:04:11,620 --> 00:04:13,380 makes it clear that they are approaching this 122 00:04:13,380 --> 00:04:15,060 from a completely different angle. 123 00:04:15,099 --> 00:04:16,819 It is written almost entirely 124 00:04:16,819 --> 00:04:18,459 in the Go programming language. 125 00:04:18,459 --> 00:04:21,100 Yeah, about 86.8% of the code base. 126 00:04:21,100 --> 00:04:21,939 Right. 127 00:04:21,939 --> 00:04:25,860 So why does the choice of Go matter for a mail server? 128 00:04:25,860 --> 00:04:28,180 Well, Go was designed from the ground up by Google 129 00:04:28,180 --> 00:04:31,180 to build fast, reliable server software. 130 00:04:31,180 --> 00:04:33,660 Its greatest strength is concurrency. 131 00:04:33,660 --> 00:04:35,939 Concurrency, like doing multiple things at once. 132 00:04:35,939 --> 00:04:37,220 Exactly. 133 00:04:37,220 --> 00:04:40,060 The ability to handle thousands of simultaneous, 134 00:04:40,060 --> 00:04:42,379 lightweight tasks efficiently. 135 00:04:42,420 --> 00:04:45,899 An email server might have hundreds of incoming connections 136 00:04:45,899 --> 00:04:47,579 sitting open at any given moment, 137 00:04:47,579 --> 00:04:49,139 slowly transmitting data. 138 00:04:49,139 --> 00:04:49,980 Oh, I see. 139 00:04:49,980 --> 00:04:51,659 Older languages often struggle with that, 140 00:04:51,659 --> 00:04:53,939 but Go handles it natively. 141 00:04:53,939 --> 00:04:56,819 What's fascinating here is the more important shift 142 00:04:56,819 --> 00:04:58,500 is actually philosophical. 143 00:04:58,500 --> 00:04:59,339 How so? 144 00:04:59,339 --> 00:05:00,740 The creators of Chasquid 145 00:05:00,740 --> 00:05:03,819 looked at that commercial jet cockpit of legacy MTAs 146 00:05:03,819 --> 00:05:04,659 and said, 147 00:05:04,659 --> 00:05:07,459 what if we just build a reliable car for a small team? 148 00:05:07,459 --> 00:05:08,899 But I have to push back on that a bit. 149 00:05:08,899 --> 00:05:09,740 Sure. 150 00:05:09,740 --> 00:05:10,579 When we talk about internet infrastructure, 151 00:05:10,620 --> 00:05:12,339 the landscape is hostile. 152 00:05:12,339 --> 00:05:15,740 Your server is constantly being probed by automated bots 153 00:05:15,740 --> 00:05:16,699 looking for weaknesses. 154 00:05:16,699 --> 00:05:18,019 Oh, constantly. 155 00:05:18,019 --> 00:05:20,379 Right, so if Chasquid is prioritizing simplicity 156 00:05:20,379 --> 00:05:21,740 for beginners, 157 00:05:21,740 --> 00:05:25,819 does that mean we are sacrificing raw power or security? 158 00:05:25,819 --> 00:05:28,060 Are we just building an underpowered toy? 159 00:05:28,060 --> 00:05:30,219 That is the core tension, for sure. 160 00:05:30,219 --> 00:05:32,019 But the reality is quite the opposite. 161 00:05:32,019 --> 00:05:34,659 Their philosophy is security through simplicity. 162 00:05:34,659 --> 00:05:35,500 Okay, so blame that. 163 00:05:35,500 --> 00:05:37,419 By explicitly narrowing the scope, 164 00:05:37,419 --> 00:05:38,259 saying, 165 00:05:38,259 --> 00:05:40,779 we are only building this for individuals and small groups, 166 00:05:40,779 --> 00:05:43,180 not for massive enterprise ISPs, 167 00:05:43,180 --> 00:05:45,180 they completely eliminated the need 168 00:05:45,180 --> 00:05:48,740 for those thousands of edge case configuration options. 169 00:05:48,740 --> 00:05:50,819 So by removing the dials and switches 170 00:05:50,819 --> 00:05:52,579 a small business will never use anyway, 171 00:05:52,579 --> 00:05:55,180 you're actually closing off a thousand potential ways 172 00:05:55,180 --> 00:05:57,459 a beginner could accidentally misconfigure the server. 173 00:05:57,459 --> 00:05:59,699 You are hitting on the exact mechanism. 174 00:05:59,699 --> 00:06:00,539 Wow. 175 00:06:00,539 --> 00:06:02,420 The documentation explicitly states 176 00:06:02,420 --> 00:06:05,139 that Chasquid is built to be hard to misconfigure 177 00:06:05,139 --> 00:06:06,699 in ways that are harmful. 178 00:06:06,740 --> 00:06:09,300 They didn't just write a manual on how to be secure. 179 00:06:09,300 --> 00:06:11,099 They hard-coded the guardrails 180 00:06:11,099 --> 00:06:13,620 directly into the software's foundation. 181 00:06:13,620 --> 00:06:15,259 Let's look at those guardrails 182 00:06:15,259 --> 00:06:18,219 because the sources highlight a few specific protections 183 00:06:18,219 --> 00:06:20,459 that usually trip up beginners. 184 00:06:20,459 --> 00:06:21,899 For instance, 185 00:06:21,899 --> 00:06:24,899 the server absolutely refuses to operate 186 00:06:24,899 --> 00:06:26,099 as an open relay. 187 00:06:26,099 --> 00:06:27,019 Right. 188 00:06:27,019 --> 00:06:29,379 Now for anyone who hasn't managed a network before 189 00:06:29,379 --> 00:06:32,099 is an open relay basically like a post office 190 00:06:32,099 --> 00:06:34,740 that leaves its loading dog wide open at night. 191 00:06:34,740 --> 00:06:35,579 Yeah. 192 00:06:35,620 --> 00:06:36,939 Anyone walk in, 193 00:06:36,939 --> 00:06:39,819 slap the post office's official return address 194 00:06:39,819 --> 00:06:42,300 on their own junk mail and send it out. 195 00:06:42,300 --> 00:06:44,259 That captures the spirit perfectly. 196 00:06:44,259 --> 00:06:47,339 In the 90s, open relays were actually considered polite. 197 00:06:47,339 --> 00:06:48,300 Polite, really? 198 00:06:48,300 --> 00:06:49,139 Yeah. 199 00:06:49,139 --> 00:06:50,620 Servers would happily forward mail 200 00:06:50,620 --> 00:06:53,019 for other servers to help the network function. 201 00:06:53,019 --> 00:06:55,379 But today, if your server is an open relay, 202 00:06:55,379 --> 00:06:57,819 automated spam bots will find it within minutes. 203 00:06:57,819 --> 00:06:58,939 And then what happens? 204 00:06:58,939 --> 00:06:59,779 They will use your server 205 00:06:59,779 --> 00:07:01,860 to blast out millions of spam emails 206 00:07:01,860 --> 00:07:03,259 and your server's IP address 207 00:07:03,259 --> 00:07:04,579 will be permanently blacklisted 208 00:07:04,579 --> 00:07:07,219 by Google, Microsoft, everyone. 209 00:07:07,219 --> 00:07:09,459 Your legitimate emails will simply vanish. 210 00:07:09,459 --> 00:07:10,300 That's brutal. 211 00:07:10,300 --> 00:07:12,259 Legacy MTAs often require you 212 00:07:12,259 --> 00:07:15,899 to explicitly configure relay access carefully. 213 00:07:15,899 --> 00:07:18,259 chasquid bypasses the risk entirely 214 00:07:18,259 --> 00:07:21,219 by hard coding a total block on unauthorized relaying. 215 00:07:21,219 --> 00:07:22,740 It simply cannot be done. 216 00:07:22,740 --> 00:07:25,139 It also prevents clear text authentication, right? 217 00:07:25,139 --> 00:07:25,979 Right. 218 00:07:25,979 --> 00:07:27,620 It forces encrypted connections 219 00:07:27,620 --> 00:07:30,379 before it even allows a user to type in their password. 220 00:07:30,379 --> 00:07:32,819 Which sounds incredibly basic to us now, 221 00:07:32,819 --> 00:07:34,139 but you would be shocked 222 00:07:34,139 --> 00:07:36,620 at how many legacy systems will quietly fall back 223 00:07:36,620 --> 00:07:39,659 to allowing plain text passwords over the open internet 224 00:07:39,659 --> 00:07:42,019 if a single line in a configuration file 225 00:07:42,019 --> 00:07:43,500 is missing or mistyped. 226 00:07:43,500 --> 00:07:44,699 Yikes. 227 00:07:44,699 --> 00:07:46,579 That brings us to how the software handles 228 00:07:46,579 --> 00:07:49,060 encryption in transit, specifically TLS. 229 00:07:49,060 --> 00:07:49,939 Right, TLS. 230 00:07:49,939 --> 00:07:51,620 The sources know that chasquid tracks 231 00:07:51,620 --> 00:07:53,300 per-domain TLS support 232 00:07:53,300 --> 00:07:55,100 to prevent connection downgrading. 233 00:07:55,100 --> 00:07:57,699 How does a downgrade attack actually work mechanically? 234 00:07:57,699 --> 00:08:00,459 If we connect this to the bigger picture 235 00:08:00,459 --> 00:08:01,500 of internet security, 236 00:08:01,540 --> 00:08:03,540 you have to understand the handshake process 237 00:08:03,540 --> 00:08:05,019 between two email servers. 238 00:08:05,019 --> 00:08:05,860 Okay. 239 00:08:05,860 --> 00:08:07,660 When your server connects to a receiving server, 240 00:08:07,660 --> 00:08:09,259 it usually starts in plain text 241 00:08:09,259 --> 00:08:10,100 and then asks, 242 00:08:10,100 --> 00:08:11,860 hey, do you support TLS encryption? 243 00:08:11,860 --> 00:08:13,779 This is called the start ls command. 244 00:08:13,779 --> 00:08:15,660 If the other server says yes, 245 00:08:15,660 --> 00:08:18,699 they upgrade the connection and encrypt the email. 246 00:08:18,699 --> 00:08:20,100 So where does the attack happen? 247 00:08:20,100 --> 00:08:22,699 An attacker performing a man in the middle attack 248 00:08:22,699 --> 00:08:24,579 sits between the two servers. 249 00:08:24,579 --> 00:08:27,139 When your server sends that start ls question, 250 00:08:27,139 --> 00:08:29,420 the attacker intercepts it, blocks it, 251 00:08:29,420 --> 00:08:30,980 and replies to your server saying, 252 00:08:31,020 --> 00:08:32,860 nope, I don't support encryption. 253 00:08:32,860 --> 00:08:34,779 You have to send this in plain text. 254 00:08:34,779 --> 00:08:35,620 Oh, wow. 255 00:08:35,620 --> 00:08:37,740 Yeah, and older servers wanting to ensure 256 00:08:37,740 --> 00:08:39,420 the mail gets delivered no matter what 257 00:08:39,420 --> 00:08:41,740 will often accept that lie, drop their shields, 258 00:08:41,740 --> 00:08:43,740 and send the email completely unencrypted. 259 00:08:43,740 --> 00:08:45,700 Allowing the attacker to read everything. 260 00:08:45,700 --> 00:08:46,899 Exactly. 261 00:08:46,899 --> 00:08:47,899 That's wild. 262 00:08:47,899 --> 00:08:50,379 They tricked the server into volunteering the data, 263 00:08:50,379 --> 00:08:53,019 but chasquid tracks historical TLS support. 264 00:08:53,019 --> 00:08:54,180 Yes. 265 00:08:54,180 --> 00:08:56,580 It maintains an internal database. 266 00:08:56,580 --> 00:08:58,820 If your server has successfully used encryption 267 00:08:58,820 --> 00:09:00,659 with a specific domain in the past 268 00:09:00,779 --> 00:09:02,059 and suddenly that domain claims 269 00:09:02,059 --> 00:09:04,100 it doesn't support encryption anymore, 270 00:09:04,100 --> 00:09:06,100 chasquid recognizes the anomaly. 271 00:09:06,100 --> 00:09:06,899 Oh, that's smart. 272 00:09:06,899 --> 00:09:09,100 It knows it's likely a downgrade attack. 273 00:09:09,100 --> 00:09:10,819 So instead of dropping its shields 274 00:09:10,819 --> 00:09:12,699 and sending the mail in plain text, 275 00:09:12,699 --> 00:09:14,579 it drops the connection entirely. 276 00:09:14,579 --> 00:09:15,939 It protects the data. 277 00:09:15,939 --> 00:09:17,219 That is brilliant. 278 00:09:17,219 --> 00:09:19,699 And the documentation mentions a whole suite 279 00:09:19,699 --> 00:09:22,059 of alphabet soup security protocols 280 00:09:22,059 --> 00:09:23,939 built right in to verify senders. 281 00:09:23,939 --> 00:09:27,019 Oh, yeah. SPF, MTA STS, checking. 282 00:09:27,019 --> 00:09:28,779 And DKIM support, right. 283 00:09:28,779 --> 00:09:30,139 Both for signing and verifying. 284 00:09:30,139 --> 00:09:31,539 Right. In older software, 285 00:09:31,539 --> 00:09:34,899 you usually have to manually generate cryptographic keys 286 00:09:34,899 --> 00:09:36,620 and weave them into the system. 287 00:09:36,620 --> 00:09:38,460 How does chasquid handle this? 288 00:09:38,460 --> 00:09:39,620 It handles it natively. 289 00:09:39,620 --> 00:09:41,340 For those listeners who might be rusty 290 00:09:41,340 --> 00:09:42,699 on their email protocols, 291 00:09:42,699 --> 00:09:46,019 think of these as the cryptographic proof of identity. 292 00:09:46,019 --> 00:09:46,860 Okay. 293 00:09:46,860 --> 00:09:49,100 SPF is like leaving a guest list at the door. 294 00:09:49,100 --> 00:09:51,340 It's a DNS record that tells the world 295 00:09:51,340 --> 00:09:54,659 which IP addresses are allowed to send mail on your behalf. 296 00:09:54,659 --> 00:09:55,500 And DKIM. 297 00:09:55,500 --> 00:09:56,539 DKIM is more complex. 298 00:09:56,539 --> 00:10:00,019 It acts like a cryptographic wax seal on the envelope. 299 00:10:00,019 --> 00:10:02,340 chasquid automatically uses private keys 300 00:10:02,340 --> 00:10:03,779 to sign outgoing emails. 301 00:10:03,779 --> 00:10:04,980 Okay, so it seals it. 302 00:10:04,980 --> 00:10:05,819 Exactly. 303 00:10:05,819 --> 00:10:06,659 Yeah. 304 00:10:06,659 --> 00:10:08,179 When the receiving server gets the email, 305 00:10:08,179 --> 00:10:10,460 it checks the public key in your DNS records 306 00:10:10,460 --> 00:10:13,419 to verify that the wax seal hasn't been broken 307 00:10:13,419 --> 00:10:16,139 and that the email wasn't altered in transit. 308 00:10:16,139 --> 00:10:19,379 Having DKIM signing built directly into the MTA, 309 00:10:19,379 --> 00:10:21,899 rather than requiring the admin to install 310 00:10:21,899 --> 00:10:24,460 and configure a separate piece of software 311 00:10:24,460 --> 00:10:26,579 just to handle the cryptography 312 00:10:26,579 --> 00:10:28,340 is a massive usability win. 313 00:10:28,340 --> 00:10:29,340 It really is. 314 00:10:29,340 --> 00:10:30,980 It also integrates natively 315 00:10:30,980 --> 00:10:34,019 with let's encrypt for TLS certificates. 316 00:10:34,019 --> 00:10:35,980 So instead of buying a security certificate, 317 00:10:35,980 --> 00:10:37,500 manually installing it 318 00:10:37,500 --> 00:10:39,980 and inevitably forgetting to renew it a year later 319 00:10:39,980 --> 00:10:41,660 when it expires and breaks your server. 320 00:10:41,660 --> 00:10:42,820 We've all been there. 321 00:10:42,820 --> 00:10:43,660 Right. 322 00:10:43,660 --> 00:10:46,220 chasquid automates the entire lifecycle. 323 00:10:46,220 --> 00:10:48,019 Okay, so the foundation is Fort Knox. 324 00:10:48,019 --> 00:10:48,860 Yeah. 325 00:10:48,860 --> 00:10:49,680 The doors are locked. 326 00:10:49,680 --> 00:10:51,139 The downgrade attacks are neutralized 327 00:10:51,139 --> 00:10:53,980 and the cryptographic wax seals are applied. 328 00:10:53,980 --> 00:10:55,580 But a secure server is useless 329 00:10:55,580 --> 00:10:57,660 if it cannot handle a business expanding. 330 00:10:57,660 --> 00:10:58,500 True. 331 00:10:58,539 --> 00:11:00,059 What happens when a user wants to run 332 00:11:00,059 --> 00:11:02,379 three different business websites off this one server? 333 00:11:02,379 --> 00:11:04,700 Well, security has to be balanced with utility 334 00:11:04,700 --> 00:11:06,419 and the developers clearly understood 335 00:11:06,419 --> 00:11:08,580 the daily needs of a sysadmin. 336 00:11:08,580 --> 00:11:11,500 chasquid supports multiple or virtual domains 337 00:11:11,500 --> 00:11:12,340 out of the box. 338 00:11:12,340 --> 00:11:13,179 Oh, nice. 339 00:11:13,179 --> 00:11:14,700 So you can host the email for your business, 340 00:11:14,700 --> 00:11:17,340 your personal blog and a local community group 341 00:11:17,340 --> 00:11:19,419 all on the same single instance. 342 00:11:19,419 --> 00:11:21,700 It also supports international usernames 343 00:11:21,700 --> 00:11:23,340 and domain names natively. 344 00:11:23,340 --> 00:11:25,379 Mechanically, it uses modern protocols 345 00:11:25,659 --> 00:11:28,580 like SMTP UTF-8 and IDNA. 346 00:11:28,580 --> 00:11:29,659 What does that mean in practice? 347 00:11:29,659 --> 00:11:32,379 It means a user in Tokyo can have an email address 348 00:11:32,379 --> 00:11:34,419 entirely in Japanese characters 349 00:11:34,419 --> 00:11:37,620 and chasquid routes it flawlessly. 350 00:11:37,620 --> 00:11:39,179 Legacy MTAs that were built 351 00:11:39,179 --> 00:11:41,259 when the internet was strictly English only, 352 00:11:41,259 --> 00:11:44,659 ASCII text, often require a complex workarounds 353 00:11:44,659 --> 00:11:45,860 to prevent them from crashing 354 00:11:45,860 --> 00:11:47,659 when they see non-Latin characters. 355 00:11:47,659 --> 00:11:49,860 Here's where it gets really interesting for me though. 356 00:11:49,860 --> 00:11:52,539 There is a feature built in called suffix dropping. 357 00:11:52,539 --> 00:11:53,940 Ah, yeah. 358 00:11:53,980 --> 00:11:55,780 It sounds incredibly dry, 359 00:11:55,780 --> 00:11:59,260 but it is deeply practical for the end user. 360 00:11:59,260 --> 00:12:01,700 The documentation shows this formula user 361 00:12:01,700 --> 00:12:03,140 plus something at domain 362 00:12:03,140 --> 00:12:05,060 transforms into just user at domain. 363 00:12:05,060 --> 00:12:05,900 Right. 364 00:12:05,900 --> 00:12:06,740 So for you listening, 365 00:12:06,740 --> 00:12:08,100 here's what that means in the real world. 366 00:12:08,100 --> 00:12:10,860 Say your email is alexatmybusiness.com. 367 00:12:10,860 --> 00:12:12,380 You can sign up for a software service 368 00:12:12,380 --> 00:12:16,140 using Alex plus software name at mybusiness.com. 369 00:12:16,140 --> 00:12:17,780 chasquid sees the plus sign, 370 00:12:17,780 --> 00:12:19,700 drops the suffix for the delivery routing 371 00:12:19,700 --> 00:12:21,980 and drops the email straight into your main inbox. 372 00:12:21,980 --> 00:12:24,580 But the crucial part is that the tag remains intact 373 00:12:24,580 --> 00:12:25,779 in the email headers. 374 00:12:25,779 --> 00:12:26,620 Right. 375 00:12:26,620 --> 00:12:29,220 So you can easily set up filters in your inbox 376 00:12:29,220 --> 00:12:30,580 based on those tags. 377 00:12:30,580 --> 00:12:31,940 Or even better, 378 00:12:31,940 --> 00:12:35,019 if you suddenly start getting phishing spam sent to Alex 379 00:12:35,019 --> 00:12:37,659 plus that tone software at mybusiness.com, 380 00:12:37,659 --> 00:12:40,700 you know definitively which company sold your data 381 00:12:40,700 --> 00:12:41,820 or suffered a data breach. 382 00:12:41,820 --> 00:12:42,740 Exactly. 383 00:12:42,740 --> 00:12:44,340 It is an incredibly empowering way 384 00:12:44,340 --> 00:12:45,899 to track your digital footprint 385 00:12:45,899 --> 00:12:49,259 and the server handles the routing logic automatically 386 00:12:49,259 --> 00:12:51,019 without you having to create a new alias 387 00:12:51,059 --> 00:12:52,259 for every single signup. 388 00:12:52,259 --> 00:12:53,579 It is a phenomenal feature. 389 00:12:53,579 --> 00:12:54,699 But looking at the utility, 390 00:12:54,699 --> 00:12:56,460 we also need to address the limitations. 391 00:12:56,460 --> 00:12:57,460 Okay, what's missing? 392 00:12:57,460 --> 00:13:00,899 What does chasquid not do and how does it compensate? 393 00:13:00,899 --> 00:13:02,819 Well, it is an MTA. 394 00:13:02,819 --> 00:13:05,620 Its core job is to transfer mail securely. 395 00:13:05,620 --> 00:13:07,100 It deliberately does not try 396 00:13:07,100 --> 00:13:09,379 to be a monolithic antivirus engine 397 00:13:09,379 --> 00:13:12,340 or an overly complex spam filter all on its own. 398 00:13:12,340 --> 00:13:14,899 And the documentation highlights how they solve that. 399 00:13:14,899 --> 00:13:15,860 They use hooks. 400 00:13:15,860 --> 00:13:16,740 Yes, hooks. 401 00:13:16,740 --> 00:13:19,419 There are hooks for gray listing, antivirus, 402 00:13:19,420 --> 00:13:21,700 anti-spam and deep RRC. 403 00:13:21,700 --> 00:13:24,340 This raises an important question regarding flexibility. 404 00:13:24,340 --> 00:13:26,620 And major concern with simplified software 405 00:13:26,620 --> 00:13:28,820 is the fear that you will outgrow it. 406 00:13:28,820 --> 00:13:30,180 Like it's too basic. 407 00:13:30,180 --> 00:13:31,020 Right. 408 00:13:31,020 --> 00:13:33,300 If your small business suddenly gets heavily targeted 409 00:13:33,300 --> 00:13:36,660 by malware campaigns, you need serious filtering. 410 00:13:36,660 --> 00:13:37,780 The developers solved this 411 00:13:37,780 --> 00:13:39,820 using the classic Unix philosophy. 412 00:13:39,820 --> 00:13:40,660 Which is? 413 00:13:40,660 --> 00:13:42,900 Do one thing well, transfer mail securely 414 00:13:42,900 --> 00:13:46,260 but allow easy integration with specialized tools. 415 00:13:46,260 --> 00:13:49,020 Mechanically, a hook is a clearly defined doorway 416 00:13:49,019 --> 00:13:49,860 in the code. 417 00:13:49,860 --> 00:13:50,699 Okay. 418 00:13:50,699 --> 00:13:53,939 When an email arrives, Jaskwood pauses the delivery, 419 00:13:53,939 --> 00:13:55,539 hands the message through the hook 420 00:13:55,539 --> 00:13:58,579 to an external dedicated program like Spam Assassin, 421 00:13:58,579 --> 00:14:00,860 asks, is this safe? 422 00:14:00,860 --> 00:14:03,179 And waits for the verdict before proceeding. 423 00:14:03,179 --> 00:14:04,220 So you aren't walled in. 424 00:14:04,220 --> 00:14:06,179 You get the simplicity of the core server. 425 00:14:06,179 --> 00:14:07,019 Right. 426 00:14:07,019 --> 00:14:08,179 But you have the freedom to plug in 427 00:14:08,179 --> 00:14:10,899 robust industry standard filtering tools 428 00:14:10,899 --> 00:14:13,019 as your organization's needs scale up. 429 00:14:13,019 --> 00:14:13,860 Precisely. 430 00:14:13,860 --> 00:14:15,500 It keeps the core architecture clean 431 00:14:15,500 --> 00:14:17,139 while remaining highly extensible. 432 00:14:17,179 --> 00:14:19,220 So we have a tool that is secure by design 433 00:14:19,220 --> 00:14:21,819 and highly useful for daily operations. 434 00:14:21,819 --> 00:14:23,580 But a tool like this is really only as good 435 00:14:23,580 --> 00:14:25,539 as the visibility you have into its operations. 436 00:14:25,539 --> 00:14:26,539 Oh, absolutely. 437 00:14:26,539 --> 00:14:28,620 What happens when the engine sputters? 438 00:14:28,620 --> 00:14:29,460 If an email you send 439 00:14:29,460 --> 00:14:31,419 to your most important client doesn't arrive, 440 00:14:31,419 --> 00:14:33,500 you need to know exactly why immediately. 441 00:14:33,500 --> 00:14:35,299 Observability is where self-hosting 442 00:14:35,299 --> 00:14:36,580 usually becomes a nightmare. 443 00:14:36,580 --> 00:14:38,059 Historically, if you wanted to know 444 00:14:38,059 --> 00:14:39,899 what an email server was doing, 445 00:14:39,899 --> 00:14:42,179 you had to remotely log into the terminal 446 00:14:42,179 --> 00:14:46,100 and continuously monitor massive dense text files 447 00:14:46,100 --> 00:14:47,740 called server logs. 448 00:14:47,740 --> 00:14:49,060 Oh, sounds awful. 449 00:14:49,060 --> 00:14:49,899 It is. 450 00:14:49,899 --> 00:14:51,820 You are essentially using command line tools 451 00:14:51,820 --> 00:14:54,019 to hunt for a single line of text 452 00:14:54,019 --> 00:14:57,740 among thousands of interleaved concurrent processes 453 00:14:57,740 --> 00:15:01,460 trying to piece together why a specific email bounced. 454 00:15:01,460 --> 00:15:03,180 But the documentation for ChaskWid 455 00:15:03,180 --> 00:15:06,139 highlights a built-in mockering HTTP server 456 00:15:06,139 --> 00:15:09,340 with exported variables and tracing to help debugging. 457 00:15:09,340 --> 00:15:10,899 So what does this all mean 458 00:15:10,899 --> 00:15:12,620 for the person actually running this? 459 00:15:12,620 --> 00:15:14,779 It means they built a modern web dashboard 460 00:15:14,819 --> 00:15:16,779 directly into the backend of the software. 461 00:15:16,779 --> 00:15:17,939 Instead of flying blind 462 00:15:17,939 --> 00:15:19,939 or digging through archaic text files, 463 00:15:19,939 --> 00:15:21,779 you can point a web browser at the server 464 00:15:21,779 --> 00:15:25,179 and see a structured, real-time visual representation 465 00:15:25,179 --> 00:15:26,539 of its internal status. 466 00:15:26,539 --> 00:15:28,819 And the tracing aspect is what really caught my eye. 467 00:15:28,819 --> 00:15:30,019 Tracing is vital. 468 00:15:30,019 --> 00:15:32,379 Mechanically, tracing means the server assigns 469 00:15:32,379 --> 00:15:33,860 a unique internal ID 470 00:15:33,860 --> 00:15:36,779 to every single incoming and outgoing message. 471 00:15:36,779 --> 00:15:38,980 It then logs every solitary step 472 00:15:38,980 --> 00:15:41,779 of that specific message's journey in isolation. 473 00:15:41,779 --> 00:15:43,939 Received from sender, encryption checked, 474 00:15:43,980 --> 00:15:46,460 authentication verified, spam hook triggered, 475 00:15:46,460 --> 00:15:49,580 DNS lookup performed, delivery attempted. 476 00:15:49,580 --> 00:15:52,220 Because it is isolated by that unique ID, 477 00:15:52,220 --> 00:15:53,460 if an email fails, 478 00:15:53,460 --> 00:15:55,460 the trace shows you the exact millimeter 479 00:15:55,460 --> 00:15:56,500 where it hit a wall 480 00:15:56,500 --> 00:15:59,060 without the noise of the 50 other emails 481 00:15:59,060 --> 00:16:01,540 the server was processing at that exact same second. 482 00:16:01,540 --> 00:16:04,660 That visibility is a massive paradigm shift. 483 00:16:04,660 --> 00:16:05,900 It takes the guesswork out 484 00:16:05,900 --> 00:16:07,340 of being a system administrator. 485 00:16:07,340 --> 00:16:08,220 It really does. 486 00:16:08,220 --> 00:16:10,100 If you couple that with their community support, 487 00:16:10,100 --> 00:16:12,140 I mean, we're looking at nearly a thousand stars 488 00:16:12,179 --> 00:16:15,939 on GitHub, active contributors, live chat via IRC, 489 00:16:15,939 --> 00:16:17,939 and a dedicated private channel 490 00:16:17,939 --> 00:16:19,980 for reporting security vulnerabilities 491 00:16:19,980 --> 00:16:22,259 directly to the primary developer, 492 00:16:22,259 --> 00:16:25,539 it becomes a highly sustainable project to rely on. 493 00:16:25,539 --> 00:16:28,500 By building that observability directly into the tool, 494 00:16:28,500 --> 00:16:31,179 they make operating an email server long-term 495 00:16:31,179 --> 00:16:33,460 a realistic proposition for a small team 496 00:16:33,460 --> 00:16:35,460 without a dedicated IT department. 497 00:16:35,460 --> 00:16:37,220 It really pulls the curtain back. 498 00:16:37,220 --> 00:16:40,179 So to recap the takeaways from this deep dive for you, 499 00:16:40,220 --> 00:16:42,100 what Chaswood proves is that running 500 00:16:42,100 --> 00:16:43,860 your own custom email infrastructure 501 00:16:43,860 --> 00:16:45,940 doesn't have to be a terrifying ordeal 502 00:16:45,940 --> 00:16:48,420 where one typo in a configuration file 503 00:16:48,420 --> 00:16:50,860 ruins your business's reputation. 504 00:16:50,860 --> 00:16:54,060 By utilizing a modern Go-based architecture, 505 00:16:54,060 --> 00:16:57,740 the developers stripped away decades of legacy bloat. 506 00:16:57,740 --> 00:17:00,180 They hard-coded the strict security guardrails 507 00:17:00,180 --> 00:17:01,820 directly into the foundation, 508 00:17:01,820 --> 00:17:04,019 neutralizing threats like downgrade attacks 509 00:17:04,019 --> 00:17:06,140 and open relays by default. 510 00:17:06,140 --> 00:17:08,820 And with smart mechanisms like suffix dropping, 511 00:17:08,819 --> 00:17:10,460 automated let's encrypt certificates 512 00:17:10,460 --> 00:17:12,500 and clear tracing dashboards, 513 00:17:12,500 --> 00:17:15,659 it represents a highly accessible, powerful gateway 514 00:17:15,659 --> 00:17:18,460 into reclaiming your communication infrastructure. 515 00:17:18,460 --> 00:17:20,779 It redefines the baseline of what is possible 516 00:17:20,779 --> 00:17:23,099 for a small organization to manage independently 517 00:17:23,099 --> 00:17:25,859 without compromising on enterprise-grade security. 518 00:17:25,859 --> 00:17:28,700 And taking back that independence is exactly why 519 00:17:28,700 --> 00:17:30,259 we are so glad to have SafeService 520 00:17:30,259 --> 00:17:31,539 supporting this deep dive. 521 00:17:31,539 --> 00:17:33,259 We've just spent the last section exploring 522 00:17:33,259 --> 00:17:36,099 how modern open-source software like Chaswood 523 00:17:36,099 --> 00:17:37,740 can completely replace the need 524 00:17:37,740 --> 00:17:41,099 for massive opaque third-party systems. 525 00:17:41,099 --> 00:17:43,380 Organizations, whether you are a scaling business, 526 00:17:43,380 --> 00:17:46,460 a nonprofit association, or a specialized group stand 527 00:17:46,460 --> 00:17:49,099 to gain immense value, compliance security 528 00:17:49,099 --> 00:17:50,859 and massive cost savings 529 00:17:50,859 --> 00:17:53,819 by making the switch from expensive proprietary software 530 00:17:53,819 --> 00:17:55,339 to open-source solutions. 531 00:17:55,339 --> 00:17:58,019 And SafeServer makes that transition seamless. 532 00:17:58,019 --> 00:17:59,059 They really do. 533 00:17:59,059 --> 00:18:00,539 They can be commissioned for consulting 534 00:18:00,539 --> 00:18:02,259 to determine whether Chasquid 535 00:18:02,259 --> 00:18:04,660 or a comparable open-source alternative 536 00:18:04,700 --> 00:18:08,100 is the perfect fit for your exact operational needs. 537 00:18:08,100 --> 00:18:09,860 They help you reclaim your data sovereignty 538 00:18:09,860 --> 00:18:13,100 and they handle the operation on secure German servers. 539 00:18:13,100 --> 00:18:17,620 You can learn more and get started at www.safeserver.de. 540 00:18:17,620 --> 00:18:19,060 It is a critical conversation 541 00:18:19,060 --> 00:18:21,340 for any organization to have regarding their data. 542 00:18:21,340 --> 00:18:23,420 And it leaves us with something deeper to consider 543 00:18:23,420 --> 00:18:26,100 about the tools we rely on every single day. 544 00:18:26,100 --> 00:18:28,140 If independent open-source developers 545 00:18:28,140 --> 00:18:30,779 have managed to take something as notoriously complex 546 00:18:30,779 --> 00:18:33,220 as an SMTP server and re-engineer it 547 00:18:33,220 --> 00:18:36,180 to be this elegant, simple, and inherently secure, 548 00:18:36,180 --> 00:18:38,819 what other pieces of our daily digital infrastructure 549 00:18:38,819 --> 00:18:41,700 are we needlessly outsourcing to massive tech conglomerates 550 00:18:41,700 --> 00:18:43,299 simply because we falsely assume 551 00:18:43,299 --> 00:18:45,100 they are too hard to run ourselves?