
Write programs that do one thing and do it well.
Write programs to work together.
– Douglas McIlroy
Still borrowing an email address? Are you running your business or personal brand from @gmail.com, @outlook.com, or even an address tied to your ISP?
Imagine you’re a small business owner who relied on their ISP-provided email address for years. Suddenly, the ISP pulls the plug on email services – a real scenario that happened to half a million Vodafone NZ users in 2017. Critical customer emails vanish overnight. New messages bounce. Years of contacts become useless. The dismissive minimization? “The younger generation probably have Gmail…so they won’t be so affected.” Cold comfort when your business communication lifeline is severed.
Take the reins with your own email domain
Using an email address at your own domain (like you@yourcompany.com or hello@yourpersonalbrand.net) is fundamental. Why?
- Boost Your Brand: Project professionalism and build a cohesive identity.
- Own Your Data: Your email history isn’t locked in someone else’s ecosystem.
- Gain Flexibility: Create aliases, manage addresses easily, and adapt as needed.
- Ensure Long-Term Stability: Your email address isn’t tied to the whims of a giant corporation or your current internet provider. You decide its fate.
(I explore this more deeply in a previous post.)
Choosing the best way to operate email on your own domain?
You’ve got options, each with trade-offs:
- The Tech Giants (Google Workspace, Microsoft 365): Ubiquitous, feature-rich suites. Often the default choice. But they come with potential privacy concerns, vendor lock-in, and costs that can scale quickly. Their focus is broad, not always purely on standards-compliant email excellence.
- Other Managed Providers (Fastmail, Proton Mail, Zoho, Tutamail, Purelymail, etc.): Offer hosted email, often with specific niches like privacy or different feature sets. They take away the server management burden.
- DIY Self-Hosting (Mail-in-a-Box, Mailcow, etc.): You build and manage everything on your own server (perhaps a RimuHosting VM). This path offers ultimate customization but demands significant technical expertise, ongoing maintenance, and responsibility for security and deliverability. It’s a major commitment.
- Managed Open Source (That’s Us!): This is where 25mail.st fits. We provide a fully managed service, handling the complexity, but build it transparently using best-of-breed open-source components. You get the benefits of open source (no lock-in, transparency) without the DIY headache.
If you value open standards, want to support a decentralized web, and are curious about what goes into building a robust, managed open-source email service, read on.
The Birth (and Rebirth) of 25mail.st
Back in 2011, we previewed 25mail.st (pronounced ’25 Mail Street’, a nod to SMTP port 25 and the concept of an address). Like many RimuHosting services, it wasn’t born in a vacuum; it emerged from a constant customer request: “Can you just set up and manage an email server for us?”
We quickly realized that building a reliable, standards-compliant email stack involves juggling many components, each requiring upkeep. Instead of creating bespoke setups repeatedly, we decided to build one really good managed system based on open source, focusing our efforts on maintaining and improving that.
The v1 Challenge: The Golden Image Dead-End
Our initial approach involved perfecting a setup, capturing it as a ‘golden image’, and deploying that image. It worked… for a while. But as component versions updated and Linux distributions evolved (hello Debian 8!), we hit a wall. Updating individual pieces on these golden images became increasingly difficult. We were stuck, unable to easily bring the latest features and performance improvements to our users. That feeling of being technologically stagnant started to gnaw at me.
Time for a Reboot: Designing v2
We knew we needed a fundamentally different approach. We asked ourselves:
- What constitutes a best-of-breed email stack today?
- What components are modern, well-regarded stacks (like Mail-in-a-Box, Mailcow, Mailu, iRedMail – popular choices for our VM customers) using?
- What worked well in v1, and what were the persistent pain points?
- Crucially, how could we build v2 so that future updates and feature additions are smooth and sustainable?
The Open Source Philosophy in Practice
Most of our services follow this pattern: assemble trusted Open Source components and provide them as a managed service on reliable Linux VMs.
- RimuHosting VMs run on Xen.
- Zonomi DNS relies on PowerDNS and MariaDB.
- Bakop Secure Storage uses vsftpd and OpenSSH.
- Woop! Host Managed WordPress integrates WordPress, Varnish, Redis, Nginx, and MariaDB.
These services often use just a handful of core components. Email, however, is a different beast.
Why is Email Hosting So Complex? A Quick Primer
The drive to find ways to communicate at distance is in our DNA: smoke signals, the pony express, telegraph networks, postal services. Email, born conceptually around 1971, joined this list. Standard protocols like SMTP (sending) and IMAP (receiving/accessing) emerged, formalized in RFC documents. This standardization allowed different software projects to implement these protocols.
This is the heart of a decentralized internet: standard protocols, diverse implementations, and user choice.
You might expect a single, monolithic open-source application that “does everything” for email. Good luck finding one! (Apache James gets part of the way there by providing both SMTP and IMAP, but it’s not the common approach.)
Instead, robust email stacks are typically assembled from specialized components, reflecting the Unix philosophy:
- Write programs that do one thing and do it well.
- Write programs to work together.
Need an SMTP server? Choose Postfix, Exim, or Sendmail. Need an IMAP server? Dovecot, Courier, Cyrus. These core pieces then provide hooks (like Postfix’s ‘milters’) allowing other specialized tools to plug in:
- A milter might add a DKIM signature (proving email origin).
- Another might scan for spam or viruses.
- Another might check sender reputation using SPF or DMARC.
Components also cooperate. Postfix (sending) and Dovecot (receiving) can share a database for user accounts, enabling single sign-on. Tools like Postfixadmin can manage this database via a web UI. Webmail clients like Roundcube use plugins to let you, the user, manage settings like spam filters (Sieve rules) or vacation responders.
Building an email stack, therefore, is an exercise in selection and integration: choosing the right components and meticulously wiring them together. This complexity is precisely why a managed service is so valuable for many users.
Building 25mail.st v2: Deployment Decisions
A key goal for v2 was escaping the golden image trap. We committed to building the stack from the ground up, starting with a clean OS install, installing our mail stack components, and then carefully configuring the components to work seamlessly with each other.
Reproducible Deployments: The Key to Agility
We aim for idempotency – the ability to run our setup scripts repeatedly and always arrive at the same, consistent configuration. The benefits include:
- Reliable Updates: We can confidently roll out improvements and security patches.
- Faster Feature Development: Adding new capabilities is much easier.
- Consistency: Every client gets the same high-quality, tested setup.
- Disaster Recovery: Rebuilding a server becomes a predictable process.
My colleague Liz drafted the initial v2 setup scripts, and I’ve spent the last few months refining the stack and integrating it with our automation systems. It’s an ongoing process of improvement.
Our Foundational Choices:
- Debian Linux: We chose Debian 12 (“Bookworm”) as our base. Debian gets regular releases with up-to-date components, and has predictable and manageable configurations. We’re also keeping an eye on the upcoming Debian 13 (“Trixie”) release.
- VM-Based Orchestration: We leverage RimuHosting’s core strength: virtual machines. Using our Python API tools, we automate spinning up VMs, installing the 25mail.st stack, monitoring services, setting DNS records (like PTR/rDNS), and managing updates.
- Benefit: This allows easy scaling (adding new mail servers in different locations) and provides strong security isolation by default.
- Benefit: We can offer dedicated mail server instances with unique IP addresses for clients needing higher isolation or specific configurations.
- Why not Docker? For us, VMs are the fundamental building block we know intimately. They provide excellent isolation. If a need arises, containerizing within a VM is always an option later.
- Database-Driven Configuration: Most settings (domains, mailbox credentials, SpamAssassin states, usage data via mtpolicyd) are stored in a database, not flat files.
- Benefit: This allows changes (like adding a user) without requiring service restarts and enables faster authentication lookups.
- Reliable Email Storage: Emails are stored in the robust Maildir format on RAID-protected, SSD-backed filesystems.
Inside the 25mail.st v2 Stack: Features & Benefits
Okay, let’s dive into the components we chose and, more importantly, what they do for you:
Rock-Solid Security
Protecting your communication is paramount.
- Encrypted Connections: We enforce secure TLS (TLSv1.2 and higher) for all IMAP, POP3, and SMTP connections, safeguarding your credentials and email content in transit.
- Automatic SSL Certificates: Using LetsEncrypt, we automatically obtain and renew SSL certificates for mail server hostnames, ensuring seamless encrypted connections for your mail clients and webmail.
- Strong Password Protection: We don’t store your mailbox password directly. Following best practices, we only store secure cryptographic hashes (SHA512-CRYPT).
- Brute-Force Protection: fail2ban – a web application firewall – automatically monitors logs and blocks IP addresses attempting rapid, repeated login failures, thwarting common automated attacks.
- Continuous Health Checks: Automated tests run regularly, checking everything from individual components to end-to-end email delivery, ensuring the system is operating correctly after updates and day-to-day.
Intelligent Email Processing & Deliverability
Getting the right email in, keeping the bad stuff out, and ensuring your emails reach their destination.
- Advanced Virus Detection: An up-to-date ClamAV scans incoming mail for malware. We’re monitoring its effectiveness closely.
- Effective Spam Filtering: The latest SpamAssassin analyzes incoming mail, assigning spam scores. Benefit: You have control! Adjust spam settings directly within the Roundcube webmail interface.
- Reliable Email Forwarding (SRS): Need to forward you@yourdomain.com to another address (like Gmail)? Simple forwarding often breaks sender verification (SPF). We use PostSRSd to implement the Sender Rewriting Scheme (SRS). Benefit: Your forwarded emails arrive reliably without being flagged as spam due to SPF failures, and bounces still correctly return to the original sender.
- DKIM Signing (Authenticity): OpenDKIM automatically signs your outgoing emails with a private cryptographic key on the server tied to your domain (validated via a public key in your DNS). Benefit: This proves the email genuinely came from your domain, improving deliverability and reducing the chance of landing in spam folders. We check for your DNS records hourly to enable signing promptly and automatically.
- DMARC Enforcement (Anti-Spoofing): We’ve added OpenDMARC. DMARC builds on SPF and DKIM, allowing you (the domain owner) to tell receiving servers exactly how to handle emails claiming to be from you but failing authentication checks. We configure it to reject failures by default. Benefit: This makes it much harder for spammers or phishers to impersonate your domain, protecting your reputation and recipients. DMARC helps shift email security from “filter out known bad” to “only accept verified good.” (See our email acronym primer for more.)
- Smart Email Usage Accounting (mtpolicyd): Replacing the older cluebringer, mtpolicyd tracks email usage without rigidly enforcing limits mid-stream. Benefit: This allows us to identify potential abuse patterns (like compromised accounts sending spam), protect the server’s sending reputation (crucial for your deliverability), and provide data for fair usage billing.
- Generous Email Size Limit: Send and receive messages up to 134MB (significantly larger than Gmail’s 25MB limit).
- Powerful Email Rule Filters: Use the flexible Sieve language to create custom rules for incoming emails (e.g., getting rid of spam, or automatically filing messages from specific senders, flagging important subjects). Benefit: Manage these rules easily via Roundcube webmail or compatible desktop clients using the ManageSieve protocol.
- (Deprecated) Greylisting: We removed greylisting from v2. While it could block some spam, it did so by delaying initial email delivery, which is frustrating (especially for time-sensitive emails like password resets). As spammers adapt, its effectiveness has decreased. Benefit: Faster, more predictable email delivery without annoying delays.
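The Sender Rewriting Scheme behind the forwarding item above, as an added example (this is not PostSRSd’s code or the 25mail.st setup): the envelope sender is rewritten to an SRS0 address at the forwarding domain so SPF checks pass at the final destination, and a bounce to that address is verified and unwrapped back to the original sender. The secret, the forwarding domain and the addresses are constructed for the example; the HMAC-SHA1 hash, two-character base32 day stamp and SRS0= layout follow the SRS draft.

```python
import base64
import hashlib
import hmac
import time

# Constructed secret for this example; PostSRSd keeps its own in a secrets file.
SRS_SECRET = b"example-only-secret"
FORWARDING_DOMAIN = "yourdomain.com"        # assumed: the domain whose mailbox forwards elsewhere
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # SRS timestamp alphabet
MAX_AGE_DAYS = 21                            # bounces to stamps older than this are refused


def srs_timestamp(now=None):
    """Two base32 characters encoding the day number modulo 1024."""
    days = int((time.time() if now is None else now) // 86400)
    return BASE32[(days >> 5) & 31] + BASE32[days & 31]


def srs_hash(ts, domain, local):
    """First 4 chars of base64(HMAC-SHA1) over timestamp, domain and local part."""
    msg = (ts + domain + local).lower().encode()
    return base64.b64encode(hmac.new(SRS_SECRET, msg, hashlib.sha1).digest())[:4].decode()


def srs_forward(sender, now=None):
    """alice@orig.example -> SRS0=HHHH=TT=orig.example=alice@yourdomain.com"""
    local, domain = sender.rsplit("@", 1)
    ts = srs_timestamp(now)
    return f"SRS0={srs_hash(ts, domain, local)}={ts}={domain}={local}@{FORWARDING_DOMAIN}"


def _timestamp_fresh(ts, now=None):
    """True if the 10-bit day stamp is within MAX_AGE_DAYS, allowing for wrap-around."""
    ts = ts.upper()
    if len(ts) != 2 or any(c not in BASE32 for c in ts):
        return False
    stamped = (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])
    today = int((time.time() if now is None else now) // 86400) & 1023
    return ((today - stamped) & 1023) <= MAX_AGE_DAYS


def srs_reverse(address, now=None):
    """Turn a bounce to an SRS0 address back into the original sender, or None if invalid."""
    local, domain = address.rsplit("@", 1)
    if domain.lower() != FORWARDING_DOMAIN or not local.upper().startswith("SRS0="):
        return None
    parts = local[5:].split("=", 3)           # hash, timestamp, domain, local part (may contain '=')
    if len(parts) != 4:
        return None
    h, ts, orig_domain, orig_local = parts
    if not _timestamp_fresh(ts, now):
        return None                           # stale or malformed stamp: drop replayed bounces
    expected = srs_hash(ts, orig_domain, orig_local)
    if not hmac.compare_digest(h.encode(), expected.encode()):
        return None                           # hash mismatch: not an address we issued
    return f"{orig_local}@{orig_domain}"
```

The hash and day stamp are what stop an outsider from using your forwarder as an open bounce relay: only addresses your own server minted recently unwrap.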
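What “reject failures” means once DMARC builds on SPF and DKIM, as an added Python example (not OpenDMARC’s code): it parses a published DMARC record and decides the disposition from SPF/DKIM identifier alignment, which also shows why SRS-forwarded mail needs a DKIM signature to pass. The record and domains are constructed, and organizational-domain detection is simplified to the last two labels rather than the Public Suffix List.

```python
# Constructed DMARC record as it might be published at _dmarc.yourdomain.com (assumed values).
EXAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=s; rua=mailto:dmarc@yourdomain.com"


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict; None if it is not a usable DMARC record."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption: no Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment matches organizational domains; strict ('s') needs an exact match."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(record, record_domain, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """
    record_domain:    domain the record was fetched for (the From: domain or its organizational domain)
    spf_pass_domain:  MAIL FROM domain for which SPF passed, or None
    dkim_pass_domain: d= domain of a valid DKIM signature, or None
    Returns 'pass', or the policy the receiver should apply: 'none', 'quarantine' or 'reject'.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "none"                       # no usable policy: receiver falls back to its own rules
    spf_ok = aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"                       # one aligned, passing identifier is enough
    # Subdomain traffic uses sp= when the record was found at the organizational domain.
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        return tags["sp"]
    return tags["p"]
```

Note the forwarding case: after an SRS rewrite SPF passes for the forwarder’s domain, not yours, so without an aligned DKIM signature a p=reject policy would reject your own legitimately forwarded mail.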
Enhanced End-User Experience
Technology should make things easier, not harder.
- Effortless Thunderbird Setup: As heavy Thunderbird users ourselves, we implemented Thunderbird’s Autoconfig standard. Benefit: Just enter your name, email address (you@yourdomain.com), and password – Thunderbird automatically finds and configures all the correct server settings (IMAP, SMTP, ports, security). No more manual entry!
- Modern, Responsive Webmail (Roundcube): The latest Roundcube provides a clean, fast web interface accessible from any device. We’ve enabled useful plugins:
  - Manage spam preferences & mark messages as spam/not spam.
  - Change your own mailbox password.
  - Create and manage Sieve email filters.
  - Set up vacation / out-of-office auto-replies.
  - Save reusable text snippets for common replies.
  - Option for persistent login (“Keep me logged in”).
- “Oops!” Protection (Postponed Delete): Deleted emails aren’t immediately gone. They move to a special AutoDelete folder for 7 days before permanent removal. Benefit: Gives you a safety net to recover accidentally deleted messages.
- Faster DNS Propagation: We run a local Unbound DNS resolver on each mail server. Benefit: Changes to DNS records (needed for setup or certificate renewals) are detected much faster than relying solely on public resolvers, speeding up validation processes.
Continuous Improvement: What’s Next?
The 25mail.st v2 stack is live and is now the default for new client setups! But we’re not stopping there. Here’s what’s on our roadmap:
- Easier DNS Setup: Streamlining the process for clients to configure the necessary DNS records (MX, SPF, DKIM, DMARC, Autoconfig) for their domains.
- Refined Email Limits: Using the data from mtpolicyd to implement smarter, fairer policies for identifying and managing higher-volume sending or potential abuse, replacing the rigid limits of the past.
- Exploring Commercial Spammer Blacklists: Investigating reputable Real-time Blackhole Lists (RBLs) and other external services to potentially further enhance spam detection accuracy.
- Integrated Mailbox Management: Adding mailbox creation/management directly within the main 25mail.st/cp panel, potentially including self-service password resets for end-users to reduce admin overhead.
- Upgrading v1 Servers: Developing a smooth migration path to move existing clients on the original stack to the improved v2 platform.
- Multi-Server Accounts: Enabling accounts to have multiple mail servers (e.g., for resellers, geographic distribution, or allowing v1 clients to test v2 on a separate instance).
- Testing Vacation Replies: Finalizing testing for the vacation/out-of-office reply feature.
Longer-Term Opportunities:
- CalDAV/CardDAV: Adding support for synchronizing calendars and contacts.
- Open Sourcing Recipes: Sharing our setup and configuration scripts with the community.
- IMAP Full-Text Search: Implementing faster searching within mailboxes.
- Your Feedback! What features are most important to you? Let us know!
Reference: Software Versions (v1 vs. v2)
For the technically curious, here’s a snapshot of the key component upgrades:
Component | Purpose | Original (v1) | Current (v2) |
---|---|---|---|
Postfix | Sending/Receiving Email (SMTP) | 2.11 | 3.7 |
Dovecot | Accessing Email (IMAP/POP3) | 2.2 | 2.3 |
OpenDKIM | Signing Outgoing Email (DKIM) | 2.9 | 2.11 |
Postfixadmin | Web UI for Domains/Mailboxes | 2.3 | 3.3 |
OpenDMARC | Checking Incoming Email Auth (DMARC) | – | 1.4 |
Roundcube | Webmail & User Settings | 1.1 | 1.6 |
ManageSieved | Server for Sieve Filter Management | – | 2.3 |
SpamAssassin | Spam Scoring | 3.4 | 4.0 |
PostSRSd | Sender Rewriting Scheme for Forwarding | – | 2.0 |
ClamAV | Antivirus Scanning | 0.100 | 1.0 |
mtpolicyd | Email Accounting & Policy | – | 2.05 |
cluebringer | Old Policy/Quota Enforcement (Replaced) | 2.0 | – |
Distro | Base Operating System | Debian 8 | Debian 12 |
Reference: Feature Matrix Snapshot
Feature | Status | Notes |
---|---|---|
Mailboxes | Unlimited | Subject to fair use |
Own Email Domain | Yes, Required | The core concept! |
Mail Storage | Unlimited | Subject to fair use |
Domains | Unlimited | Manage multiple domains |
Sub-domains | Yes | |
SPF / DKIM / DMARC Support | Yes | Essential for deliverability & security |
Catch-All Address | Yes | Configurable per domain |
Sub/Plus-Addressing (user+tag@ ) | Yes | Automatic filtering |
SRS (Forwarding Compatibility) | Yes | Ensures forwarded mail passes SPF checks |
Sieve Filters / ManageSieve | Yes | Powerful server-side filtering |
IMAP / POP3 / SMTP Access | Yes | Standard protocols for email clients |
Webmail (Roundcube) | Yes | Modern, responsive interface |
Contacts (Roundcube) | Yes | Basic contact management in webmail |
Admin Interface (Postfixadmin) | Yes | For managing domains/mailboxes |
Thunderbird Autoconfig | Yes | Easy client setup |
Mail Server Locations | Dallas, Frankfurt, Reading, Auckland, Sydney | Choose the location closest to you |
Company Jurisdiction | New Zealand | Strong privacy and consumer protection laws |
— | — | — |
2FA/MFA | No¹ | Planned for future |
ARC Support | No¹ | Authenticated Received Chain (future) |
WebDAV / CardDAV / CalDAV | No¹ | Contact/Calendar Sync (planned) |
Exchange ActiveSync | No² | Primarily for Outlook mobile sync (unlikely) |
Outlook Autodiscover | No² | Easy Outlook setup (maybe later) |
Bulk Email Sending | No³ | Use dedicated services (e.g., Mailgun, SES) |
Mailing List Manager | No¹ | Consider Mailman, etc. (maybe later) |
High Availability (HA) Cluster | No¹ | Potential future offering |
Encryption at Rest | No¹ | Data encrypted on disk (future) |
Footnotes:
¹ Maybe later.
² Maybe later, but with grumbling (complex/proprietary).
³ Intentionally not supported; specialized bulk senders are better.
Conclusion: Your Email, Your Control, Our Expertise
Rebuilding the 25mail.st stack was a significant undertaking, driven by our commitment to providing a reliable, secure, and continuously improving email hosting service built on open principles. Our goal with v2 is clear:
- Empower you to take control of your digital identity with email on your own domain.
- Offer a trustworthy, managed alternative to tech giants and DIY complexity, rooted in open source.
- Leverage our expertise to handle the technical heavy lifting, so you can focus on communication.
We believe the decisions we’ve made – from reproducible deployments to carefully selected components – put us in a strong position to serve our clients well into the future.
Ready to ditch the borrowed address and own your email?
We invite you to grab your domain (if you haven’t already!) and explore the 25mail.st managed email platform.
What are your thoughts on email hosting? Do you prefer managed services, DIY, or sticking with the giants? Let us know in the comments below!