Mail-in-a-Box

Turn a fresh Ubuntu server into a fully configured, self-hosted email system in minutes — SMTP, IMAP, DNS, TLS, webmail, and spam filtering all pre-wired and ready to go.

15.3Kstars
1.5Kforks
CC0 1.0 Universal
Python

Mail-in-a-Box solves one of self-hosting’s hardest problems: running your own email server without spending days wrestling with Postfix configs, DKIM keys, DNSSEC zones, and TLS certificates. It reduces a multi-day sysadmin project to a single install script on an Ubuntu 22.04 machine, producing a production-grade mail server that actually delivers.

The system bundles Postfix for SMTP, Dovecot for IMAP, Roundcube for webmail, Nextcloud for CalDAV and CardDAV, SpamAssassin and Postgrey for spam defense, and NSD4 for DNS — all automatically configured and integrated. Every piece fits together so that SPF, DKIM, DMARC, DNSSEC, DANE TLSA, and MTA-STS records are set correctly the first time, rather than discovered as missing months later when messages start bouncing.

The control panel, backed by a RESTful API, lets administrators manage users, aliases, DNS records, and TLS certificates through a browser instead of config files. Daily health checks proactively flag misconfigurations — expired certificates, wrong DNS records, failed services — before they become delivery failures. TOTP two-factor authentication protects access to this control surface.

Mail-in-a-Box is explicitly not a customizable, power-user platform. It follows one opinionated path and executes it well, which is precisely why it works reliably for individuals, small teams, and privacy-focused organizations who want to own their email infrastructure without hiring a dedicated mail operations team.

What You Get

  • Full SMTP/IMAP Stack — Postfix handles outbound and inbound mail with DKIM signing, while Dovecot provides secure IMAP with Sieve mail filtering rules and support for Outlook-style Exchange ActiveSync via z-push.
  • Automatic DNS with Every Security Record — NSD4 serves authoritative DNS and the setup script configures SPF, DKIM, DMARC, DNSSEC, DANE TLSA, MTA-STS, and SSHFP records automatically, eliminating the most common deliverability failures.
  • Let’s Encrypt TLS Everywhere — Certificates are provisioned and renewed automatically for SMTP, IMAP, webmail, autodiscovery endpoints, and the admin control panel without any manual intervention.
  • Roundcube Webmail with ActiveSync — Fully featured browser-based email with attachment support, plus z-push for ActiveSync so iOS and Android mail apps can sync email, contacts, and calendars natively.
  • Nextcloud for Contacts and Calendars — CardDAV and CalDAV sync powered by Nextcloud integrates with Roundcube to give users a unified address book and calendar accessible from any device.
  • Encrypted Incremental Backups — Duplicity performs encrypted, incremental backups to Amazon S3 or compatible storage backends, with restore capability and configurable retention.
  • Control Panel with TOTP 2FA — A web UI and REST API manage users, aliases, custom DNS records, backup settings, and system status, protected by optional time-based one-time password two-factor authentication.
  • Daily Health Monitoring — Automated checks run each day to verify that all services are up, TLS certificates are valid, DNS records are correct, and security policies are in place — flagging issues with fix instructions before they cause delivery problems.

Common Use Cases

  • Personal domain email ownership — An individual replaces Gmail or Outlook with a self-hosted address at their own domain, eliminating corporate surveillance of personal correspondence while keeping full control over storage and access.
  • Small team or family email hosting — A family or small business manages a handful of email accounts under a shared domain, with contacts and calendars synchronized across phones and desktops through Nextcloud’s CalDAV/CardDAV.
  • Journalist or activist secure communications — Privacy-focused individuals who need assurance that no third party can access, scan, or subpoena their email without direct server access choose Mail-in-a-Box to keep that control in their own hands.
  • Self-hosted infrastructure stack anchor — Technically capable users running a broader self-hosted environment use Mail-in-a-Box as the email layer alongside other services like Nextcloud, Matrix, or Gitea, treating it as a reliable appliance they don’t have to think about.
  • Domain validation and deliverability research — Developers and researchers spin up a Mail-in-a-Box instance on a VPS to study real-world SMTP behavior, test DKIM and SPF configurations, or verify that mail sent from a new domain reaches inboxes.
  • Decentralization advocacy — Individuals who care about the health of decentralized internet infrastructure run Mail-in-a-Box as a principled alternative to consolidated corporate email, contributing to the diversity of the email ecosystem.

Under The Hood

Architecture Mail-in-a-Box follows a tightly integrated appliance architecture where every component — DNS, SMTP, IMAP, webmail, backup, and health monitoring — is managed by a single Python codebase operating directly against system state. The execution flow starts with an idempotent shell setup script that invokes Python management modules to configure each service, and the management daemon exposes this same logic through a Flask-based REST API. There is intentionally no plugin system, extension API, or abstraction for swapping components: the architecture achieves reliability and simplicity by having one opinionated path rather than a configurable framework. Configuration state is tracked through a SQLite database and flat config files, and the health monitoring subsystem reads this state continuously to detect drift between intended and actual system configuration.

Tech Stack The management backend is written in Python 3.10 and served by Flask through a uWSGI-style daemon bound to a local port, with nginx acting as the public-facing reverse proxy. DNS authority is handled by NSD4 with LDNS for DNSSEC zone signing, while Postfix and Dovecot form the core mail transport and storage layer. Roundcube and Nextcloud are PHP applications managed by the setup scripts and served by nginx. TLS certificate provisioning relies on the certbot client for Let’s Encrypt, and Duplicity handles backup transport to S3-compatible storage using GnuPG encryption. The setup layer is implemented entirely in Bash scripts that call into the Python management layer for validation and state synchronization. Ruff enforces code style across the Python codebase, with tab-based indentation and a comprehensive lint ruleset targeting security, performance, and correctness.

Code Quality The codebase shows a consistent and improving approach to code quality. Ruff’s extensive lint configuration — covering security rules (S), bugbear patterns (B), type annotation checks (TC), and performance rules (PERF) among others — is enforced across all Python files, providing meaningful automated quality control. Type annotations are present in newer code but not uniform across older modules. Error handling is explicit through ValueError raises with descriptive messages in the management layer, though the shell setup scripts rely on bash exit codes and minimal error messaging. Tests exist as integration-style scripts that exercise DNS resolution, SMTP delivery, and TLS handshakes against a live system rather than as isolated unit tests — meaningful for an infrastructure tool but fragile against network conditions. Documentation quality is high: every module is commented, setup scripts explain each system change, and the CONTRIBUTING guide provides a complete Vagrant-based development workflow.

What Makes It Unique Mail-in-a-Box’s defining technical contribution is treating all email security standards — SPF, DKIM, DMARC, DNSSEC, DANE TLSA, and MTA-STS — as mandatory defaults rather than optional configuration. Most email server tutorials and tools treat these as advanced extras; Mail-in-a-Box configures all of them on first install and verifies them daily. The daily health check system is particularly sophisticated: it performs actual DNS resolution checks, TLS certificate verification, and live port probes against both local and public interfaces, then surfaces failures with specific remediation instructions through the control panel. This proactive monitoring loop — configure, verify, alert — is what makes the system maintainable by non-experts over time, distinguishing it from mail server cookbooks that hand a correctly configured system to an administrator who must then keep it correct themselves.

Self-Hosting

Mail-in-a-Box is released under the Creative Commons Zero (CC0 1.0 Universal) public domain dedication, which is one of the most permissive legal instruments available. CC0 is not a license in the traditional sense — the authors have waived all copyright and related rights to the greatest extent permitted by law. In practical terms this means you can use, modify, redistribute, sell, or incorporate Mail-in-a-Box into proprietary products with no attribution requirement, no copyleft obligation, and no need to open source your modifications. There are no commercial use restrictions, no ‘enterprise’ licensing tier, and no legal friction for organizations running it internally or building services on top of it.

Running Mail-in-a-Box yourself means taking full operational responsibility for a machine that is permanently connected to the internet and handles sensitive personal communications. The system expects a dedicated Ubuntu 22.04 LTS VPS with at least 512 MB RAM (1 GB recommended) and a static IP address with both forward and reverse DNS properly configured by your hosting provider. You are responsible for keeping the host OS patched, monitoring disk space for mail storage growth, and managing the server through unplanned events like IP reputation problems, DDoS, or hosting provider outages. The project’s idempotent setup design means you can re-run the installer to apply updates, but major version upgrades occasionally require manual migration steps documented in the CHANGELOG. There is no official commercial support option — the community forum (discourse.mailinabox.email) is the primary support channel.

Compared to a managed email service like Google Workspace or Fastmail, self-hosting with Mail-in-a-Box means accepting lower baseline deliverability from residential or new VPS IP addresses (which may be on shared blocklists), no guaranteed SLA, and manual intervention required for edge cases that managed services handle silently. There is no cloud-hosted version of Mail-in-a-Box, no paid tier, and no vendor relationship to escalate to when something goes wrong. The trade-off is complete data sovereignty, zero recurring software costs beyond your VPS, and the ability to inspect and modify every part of the stack — terms that are worthwhile for privacy-driven users but demanding for organizations that need reliable uptime guarantees or specialized deliverability support.

Join founders buildingwith open source

Opinionated takes, migration guides, cost-saving tips, and insights from the open source ecosystem.

Subscribe on Substack

No spam. Unsubscribe anytime.

Join 750+ subscribers
No spam. Unsubscribe anytime.

Search