Built for email sovereignty

Every component is open source, runs on your hardware, and is designed for privacy-first email infrastructure.

Choose your mail server

Three options, each with different trade-offs. Switch later if your needs change.

Stalwart

Recommended

Modern, written in Rust. All-in-one: IMAP4rev2, JMAP, SMTP, built-in CalDAV/CardDAV, and web admin UI. Best for most users who want a feature-rich, low-maintenance server.

  • JMAP support
  • Built-in CalDAV/CardDAV
  • Web admin UI
  • Memory-safe (Rust)

Maddy

Minimal

Single Go binary with minimal dependencies. Ideal for low-resource systems (2GB RAM). Requires Radicale for calendar/contacts.

  • Single binary
  • ~256MB RAM
  • Go-based
  • Minimal footprint

Postfix + Dovecot

Battle-tested

Decades of production use. Separate MTA (Postfix) and IMAP server (Dovecot). Maximum community support and documentation. Requires Radicale for calendar/contacts.

  • Proven reliability
  • Extensive docs
  • Community support
  • Traditional stack

Transport & Security

Encrypted Transport

Choose WireGuard (full encrypted tunnel, recommended) or mTLS (mutual TLS, minimal footprint). Mail moves encrypted between cloud relay and home device. The relay is zero-knowledge — it forwards, never stores.

TLS Everywhere

Let's Encrypt on the cloud relay for internet-facing TLS. step-ca internal PKI for transport certificates. Configurable certificate rotation at 30, 60, or 90 day intervals. Certificate expiry alerts built in.

DNS Authentication

Automated SPF, DKIM, and DMARC configuration with the dns-setup CLI. Supports Cloudflare and Route53 API integration, or manual setup with generated records. Dry-run by default — requires explicit --apply.

Reliability

Encrypted Offline Queuing

Home device goes offline? Mail queues encrypted (age encryption) on the relay with configurable timeout (default 7 days). S3-compatible overflow to Storj, AWS S3, or MinIO when local queue exceeds threshold. Auto-drains on reconnect.

Configurable Queue Behavior

Choose queue-or-bounce: queue mail encrypted when home is unreachable, or bounce immediately. 200MB RAM limit, 10K message limit, rate-limited drain at 10 messages/tick to prevent thundering herd.

Health Monitoring

Web-based monitoring dashboard with mail queue status, service health, certificate expiry dates, and delivery logs. Alerts via email, webhooks (Slack/Discord), or Healthcheck.io integration.

User Experience

Device Onboarding

Apple .mobileconfig profiles for one-tap iOS/macOS setup (Email + CalDAV + CardDAV in one profile). QR codes for Android. Thunderbird and Outlook autodiscovery. App-generated passwords for enhanced security.

Webmail Options

Roundcube (feature-rich, mobile-responsive Elastic skin) or SnappyMail (modern, fast, lightweight). IMAP passthrough authentication — no separate webmail database. 60-minute sessions with auto-refresh.

Calendar & Contacts

Stalwart includes built-in CalDAV/CardDAV. Maddy and Postfix+Dovecot use Radicale with file-based storage. Shared family calendars and address books. Well-known URL auto-discovery.

Operations

Migration Tools

CLI wizard migrates from Gmail, Outlook, Yahoo, iCloud, Fastmail, ProtonMail, or Zoho. OAuth2 device flow for Gmail/Outlook (no browser redirect). Dry-run mode previews before executing. Handles large mailboxes.

Spam Filtering

Rspamd with greylisting (5-minute delay, score threshold ≥ 4.0). SPF/DKIM/DMARC validation. Conservative thresholds: reject=15, header=6, greylist=4. Private network whitelist prevents greylisting relayed mail. Authenticated submission bypasses filters.

Multi-User & Multi-Domain

Virtual mailbox domains with aliases, catch-all addresses, and user isolation by maildir path. Add users and domains via web UI (Stalwart), config files (Maddy), or virtual maps (Postfix+Dovecot).

Platform Support

Multi-Architecture

All components build and run on arm64 and x64. GitHub Actions multi-arch build pipeline with component selection. Pre-built Docker images for common stack configurations. Cloud relay container ~35MB.

Runtime Flexibility

Docker, Podman 5.3+ (rootful for cloud relay, rootless for home device), and Apple Containers on macOS. Override files for Podman — no base compose forks. SELinux-compatible volume labels. Runtime validation script included.

Platform Guides

Deployment guides for Raspberry Pi 4+, TrueNAS Scale, Unraid Community Applications, Proxmox LXC, Synology Container Manager, and generic Docker/Podman hosts. Memory optimization for constrained systems.

Ready to take back your email?

30-60 minutes from zero to sending and receiving on your own hardware.