modern full-featured open source secure mail server for low-maintenance self-hosted email
Find a file
Mechiel Lukkien 6abee87aa3
improve webserver, add domain redirects (aliases), add tests and admin page ui to manage the config
- make builtin http handlers serve on specific domains, such as for mta-sts, so
  e.g. /.well-known/mta-sts.txt isn't served on all domains.
- add logging of a few more fields in access logging.
- small tweaks/bug fixes in webserver request handling.
- add config option for redirecting entire domains to another (common enough).
- split httpserver metric into two: one for duration until writing header (i.e.
  performance of server), another for duration until full response is sent to
  client (i.e. performance as perceived by users).
- add admin ui, a new page for managing the configs. after making changes
  and hitting "save", the changes take effect immediately. the page itself
  doesn't look very well-designed (many input fields, makes it look messy). i
  have an idea to improve it (explained in admin.html as todo) by making the
  layout look just like the config file. not urgent though.

i've already changed my websites/webapps over.

the idea of adding a webserver is to take away a (the) reason for folks to want
to complicate their mox setup by running an other webserver on the same machine.
i think the current webserver implementation can already serve most common use
cases. with a few more tweaks (feedback needed!) we should be able to get to 95%
of the use cases. the reverse proxy can take care of the remaining 5%.
nevertheless, a next step is still to change the quickstart to make it easier
for folks to run with an existing webserver, with existing tls certs/keys.
that's how this relates to issue #5.
2023-03-02 18:15:54 +01:00
.go mox! 2023-01-30 14:27:06 +01:00
autotls add basic webserver that can do most of what i need 2023-02-28 22:19:24 +01:00
config improve webserver, add domain redirects (aliases), add tests and admin page ui to manage the config 2023-03-02 18:15:54 +01:00
dkim in dkim-signature header, allow FWS anywhere in "z=" (copied headers), and prevent panic in cli command "mox dkim verify" when a dkim-signature cannot be parsed 2023-02-03 13:29:47 +01:00
dmarc fix typo's 2023-02-06 11:00:11 +01:00
dmarcdb mox! 2023-01-30 14:27:06 +01:00
dmarcrpt mox! 2023-01-30 14:27:06 +01:00
dns mox! 2023-01-30 14:27:06 +01:00
dnsbl mox! 2023-01-30 14:27:06 +01:00
dsn consistently use log.Check for logging errors that "should not happen", don't influence application flow 2023-02-16 13:22:00 +01:00
http improve webserver, add domain redirects (aliases), add tests and admin page ui to manage the config 2023-03-02 18:15:54 +01:00
imapclient consistently use log.Check for logging errors that "should not happen", don't influence application flow 2023-02-16 13:22:00 +01:00
imapserver in imapserver, do not advertise STARTTLS if TLS isn't configured 2023-02-27 14:10:43 +01:00
iprev mox! 2023-01-30 14:27:06 +01:00
junk consistently use lower-cased field names for logging lines 2023-02-25 12:37:59 +01:00
message mox! 2023-01-30 14:27:06 +01:00
metrics make account web page configurable separately from admin, add http auth rate limiting 2023-02-13 13:53:47 +01:00
mlog add funtionality to import zip/tgz with maildirs/mboxes to account page 2023-02-16 09:57:27 +01:00
mox- improve webserver, add domain redirects (aliases), add tests and admin page ui to manage the config 2023-03-02 18:15:54 +01:00
moxio change mox to start as root, bind to network sockets, then drop to regular unprivileged mox user 2023-02-27 12:19:55 +01:00
moxvar mox! 2023-01-30 14:27:06 +01:00
mtasts mox! 2023-01-30 14:27:06 +01:00
mtastsdb consistently use log.Check for logging errors that "should not happen", don't influence application flow 2023-02-16 13:22:00 +01:00
publicsuffix mox! 2023-01-30 14:27:06 +01:00
queue consistently use lower-cased field names for logging lines 2023-02-25 12:37:59 +01:00
ratelimit add basic rate limiters 2023-02-07 23:18:15 +01:00
rfc another rfc (we don't implement it) 2023-02-27 22:35:07 +01:00
scram add support for SCRAM-SHA-1 2023-02-05 12:30:14 +01:00
smtp add scram-sha-256 for smtp 2023-01-31 00:22:26 +01:00
smtpclient when delivery fails due to missing 8bitmime/smtputf8 extensions, make it temporary failure 2023-02-17 21:58:05 +01:00
smtpserver change mox to start as root, bind to network sockets, then drop to regular unprivileged mox user 2023-02-27 12:19:55 +01:00
spf consistently use lower-cased field names for logging lines 2023-02-25 12:37:59 +01:00
store change mox to start as root, bind to network sockets, then drop to regular unprivileged mox user 2023-02-27 12:19:55 +01:00
subjectpass mox! 2023-01-30 14:27:06 +01:00
testdata improve webserver, add domain redirects (aliases), add tests and admin page ui to manage the config 2023-03-02 18:15:54 +01:00
tlsrpt work around missing timezone in timestamps in tls reports from microsoft 2023-02-05 10:55:34 +01:00
tlsrptdb consistently use log.Check for logging errors that "should not happen", don't influence application flow 2023-02-16 13:22:00 +01:00
updates on admin page, show warning when user hasn't enabled "check updates" 2023-02-27 15:03:37 +01:00
vendor update dependencies, including bolt with stability fixes 2023-02-17 18:55:01 +01:00
.dockerignore mox! 2023-01-30 14:27:06 +01:00
.gitignore change mox to start as root, bind to network sockets, then drop to regular unprivileged mox user 2023-02-27 12:19:55 +01:00
.jshintrc improve webserver, add domain redirects (aliases), add tests and admin page ui to manage the config 2023-03-02 18:15:54 +01:00
checkhtmljs mox! 2023-01-30 14:27:06 +01:00
compatibility.txt add notes on tests with microsoft outlook. 2023-02-05 17:54:00 +01:00
ctl.go change mox to start as root, bind to network sockets, then drop to regular unprivileged mox user 2023-02-27 12:19:55 +01:00
doc.go add basic webserver that can do most of what i need 2023-02-28 22:19:24 +01:00
docker-compose-imaptest.yml change mox to start as root, bind to network sockets, then drop to regular unprivileged mox user 2023-02-27 12:19:55 +01:00
docker-compose-integration.yml change mox to start as root, bind to network sockets, then drop to regular unprivileged mox user 2023-02-27 12:19:55 +01:00
docker-compose.yml improve webserver, add domain redirects (aliases), add tests and admin page ui to manage the config 2023-03-02 18:15:54 +01:00
docker-release.sh fix cross-compiled docker images 2023-02-27 13:46:29 +01:00
Dockerfile change mox to start as root, bind to network sockets, then drop to regular unprivileged mox user 2023-02-27 12:19:55 +01:00
Dockerfile.imaptest help run mox with docker 2023-02-24 14:16:51 +01:00
Dockerfile.moximaptest help run mox with docker 2023-02-24 14:16:51 +01:00
Dockerfile.release fix cross-compiled docker images 2023-02-27 13:46:29 +01:00
export.go consistently use log.Check for logging errors that "should not happen", don't influence application flow 2023-02-16 13:22:00 +01:00
gendoc.sh add basic webserver that can do most of what i need 2023-02-28 22:19:24 +01:00
go.mod update dependencies, including bolt with stability fixes 2023-02-17 18:55:01 +01:00
go.sum update dependencies, including bolt with stability fixes 2023-02-17 18:55:01 +01:00
import.go better error message if import fails, only stack traces for unexpected panics (i.e. not the special sential panic value) 2023-02-26 22:25:57 +01:00
integration_test.go change mox to start as root, bind to network sockets, then drop to regular unprivileged mox user 2023-02-27 12:19:55 +01:00
junk.go consistently use log.Check for logging errors that "should not happen", don't influence application flow 2023-02-16 13:22:00 +01:00
LICENSE.MIT mox! 2023-01-30 14:27:06 +01:00
LICENSE.MPLv2.0 mox! 2023-01-30 14:27:06 +01:00
main.go improve webserver, add domain redirects (aliases), add tests and admin page ui to manage the config 2023-03-02 18:15:54 +01:00
Makefile change mox to start as root, bind to network sockets, then drop to regular unprivileged mox user 2023-02-27 12:19:55 +01:00
mox.service more permissions in mox.service to ease with upgrade to v0.0.2 2023-02-27 15:48:37 +01:00
quickstart.go change mox to start as root, bind to network sockets, then drop to regular unprivileged mox user 2023-02-27 12:19:55 +01:00
README.md improve webserver, add domain redirects (aliases), add tests and admin page ui to manage the config 2023-03-02 18:15:54 +01:00
serve.go add basic webserver that can do most of what i need 2023-02-28 22:19:24 +01:00
tools.go mox! 2023-01-30 14:27:06 +01:00
updates.go fix output of "mox checkupdate", and specify changes to be from newest to oldest 2023-02-17 20:14:26 +01:00

Mox is a modern full-featured open source secure mail server for low-maintenance self-hosted email.

See Quickstart below to get started.

Features

  • Quick and easy to start/maintain mail server, for your own domain(s).
  • SMTP (with extensions) for receiving and submitting email.
  • IMAP4 (with extensions) for giving email clients access to email.
  • Automatic TLS with ACME, for use with Let's Encrypt and other CA's.
  • SPF, verifying that a remote host is allowed to sent email for a domain.
  • DKIM, verifying that a message is signed by the claimed sender domain, and for signing emails sent by mox for others to verify.
  • DMARC, for enforcing SPF/DKIM policies set by domains. Incoming DMARC aggregate reports are analyzed.
  • Reputation tracking, learning (per user) host- and domain-based reputation from (Non-)Junk email.
  • Bayesian spam filtering that learns (per user) from (Non-)Junk email.
  • Slowing down senders with no/low reputation or questionable email content (similar to greylisting). Rejected emails are stored in a mailbox called Rejects for a short period, helping with misclassified legitimate synchronous signup/login/transactional emails.
  • Internationalized email, with unicode names in domains and usernames ("localparts").
  • TLSRPT, parsing reports about TLS usage and issues.
  • MTA-STS, for ensuring TLS is used whenever it is required. Both serving of policies, and tracking and applying policies of remote servers.
  • Web admin interface that helps you set up your domains and accounts (instructions to create DNS records, configure SPF/DKIM/DMARC/TLSRPT/MTA-STS), for status information, managing accounts/domains, and modifying the configuration file.
  • Autodiscovery (with SRV records, Microsoft-style and Thunderbird-style) for easy account setup (though not many clients support it).
  • Webserver with serving static files and forwarding requests (reverse proxy), so port 443 can also be used to serve websites.
  • Prometheus metrics and structured logging for operational insight.

Mox is available under the MIT-license and was created by Mechiel Lukkien, mechiel@ueber.net. Mox includes the Public Suffix List by Mozilla, under Mozilla Public License, v2.0.

Download

You can easily (cross) compile mox if you have a recent Go toolchain installed (see "go version", it must be >= 1.19; otherwise, see https://go.dev/dl/ or https://go.dev/doc/manage-install and $HOME/go/bin):

GOBIN=$PWD CGO_ENABLED=0 go install github.com/mjl-/mox@latest

Or you can download a binary built with the latest Go toolchain from https://beta.gobuilds.org/github.com/mjl-/mox, and symlink or rename it to "mox".

Verify you have a working mox binary:

./mox version

Note: Mox only compiles for/works on unix systems, not on Plan 9 or Windows.

You can also run mox with docker image "docker.io/moxmail/mox", with tags like "latest", "0.0.1" and "0.0.1-go1.20.1-alpine3.17.2", etc. See docker-compose.yml in this repository for instructions on starting.

Quickstart

The easiest way to get started with serving email for your domain is to get a vm/machine dedicated to serving email, name it [host].[domain] (e.g. mail.example.com), login as root, create user "mox" and its homedir by running useradd -d /home/mox mox && mkdir /home/mox (or pick another directory), download mox to that directory, and generate a configuration for your desired email address at your domain:

./mox quickstart you@example.com

This creates an account, generates a password and configuration files, prints the DNS records you need to manually create and prints commands to start mox and optionally install mox as a service.

A dedicated machine is highly recommended because modern email requires HTTPS, and mox currently needs it for automatic TLS. You could combine mox with an existing webserver, but it requires more configuration. If you want to serve websites on the same machine, use the webserver built into mox.

After starting, you can access the admin web interface on internal IPs.

Future/development

Mox has automated tests, including for interoperability with Postfix for SMTP. Mox is manually tested with email clients: Mozilla Thunderbird, mutt, iOS Mail, macOS Mail, Android Mail, Microsoft Outlook. Mox is also manually tested to interoperate with popular cloud providers: gmail.com, outlook.com, yahoo.com, proton.me.

The code is heavily cross-referenced with the RFCs for readability/maintainability.

Roadmap

  • Strict vs lax mode, defaulting to lax when receiving from the internet, and strict when sending.
  • "developer server" mode, to easily launch a local SMTP/IMAP server to test your apps mail sending capabilities.
  • Rate limiting and spam detection for submitted/outgoing messages, to reduce impact when an account gets compromised.
  • Privilege separation, isolating parts of the application to more restricted sandbox (e.g. new unauthenticated connections).
  • DANE and DNSSEC.
  • Sending DMARC and TLS reports (currently only receiving).
  • OAUTH2 support, for single sign on.
  • Using mox as backup MX.
  • ACME verification over HTTP (in addition to current tls-alpn01).
  • Add special IMAP mailbox ("Queue?") that contains queued but not-yet-delivered messages.
  • Old-style internationalization in messages.
  • Sieve for filtering (for now see Rulesets in the account config)
  • Calendaring
  • JMAP
  • Webmail

There are many smaller improvements to make as well, search for "todo" in the code.

Not supported

But perhaps in the future...

  • HTTP-based API for sending messages and receiving delivery feedback
  • Functioning as SMTP relay
  • Forwarding (to an external address)
  • Autoresponders
  • POP3
  • Delivery to (unix) OS system users
  • PGP or S/MIME
  • Mailing list manager
  • Support for pluggable delivery mechanisms

FAQ - Frequently Asked Questions

Why a new mail server implementation?

Mox aims to make "running a mail server" easy and nearly effortless. Excellent quality mail server software exists, but getting a working setup typically requires you configure half a dozen services (SMTP, IMAP, SPF/DKIM/DMARC, spam filtering). That seems to lead to people no longer running their own mail servers, instead switching to one of the few centralized email providers. Email with SMTP is a long-time decentralized messaging protocol. To keep it decentralized, people need to run their own mail server. Mox aims to make that easy.

Where is the documentation?

See all commands and help text at https://pkg.go.dev/github.com/mjl-/mox/, and example config files at https://pkg.go.dev/github.com/mjl-/mox/config/.

You can get the same information by running "mox" without arguments to list its subcommands and usage, and "mox help [subcommand]" for more details.

The example config files are printed by "mox config describe-static" and "mox config describe-dynamic".

Mox is still in early stages, and documentation is still limited. Please create an issue describing what is unclear or confusing, and we'll try to improve the documentation.

How do I import/export email?

Use the import functionality on the accounts web page to import a zip/tgz with maildirs/mbox files, or use the "mox import maildir" or "mox import mbox" subcommands. You could also use your IMAP email client, add your mox account, and copy or move messages from one account to the other.

Similarly, see the export functionality on the accounts web page and the "mox export maildir" and "mox export mbox" subcommands to export email.

How can I help?

Mox needs users and testing in real-life setups! So just give it a try, send and receive emails through it with your favourite email clients, and file an issue if you encounter a problem or would like to see a feature/functionality implemented.

Instead of switching email for your domain over to mox, you could simply configure mox for a subdomain, e.g. [you]@moxtest.[yourdomain].

If you have experience with how the email protocols are used in the wild, e.g. compatibility issues, limitations, anti-spam measures, specification violations, that would be interesting to hear about.

Pull requests for bug fixes and new code are welcome too. If the changes are large, it helps to start a discussion (create a ticket) before doing all the work.

Where can I discuss mox?

Join #mox on irc.oftc.net, or #mox on the "Gopher slack".

For bug reports, please file an issue at https://github.com/mjl-/mox/issues/new.

How do I change my password?

Regular users (doing IMAP/SMTP with authentication) can change their password at the account page, e.g. http://127.0.0.1/. Or you can set a password with "mox setaccountpassword".

The admin password can be changed with "mox setadminpassword".

How do I configure a second mox instance as a backup MX?

Unfortunately, mox does not yet provide an option for that. Mox does spam filtering based on reputation of received messages. It will take a good amount of work to share that information with a backup MX. Without that information, spammers could use a backup MX to get their spam accepted. Until mox has a proper solution, you can simply run a single SMTP server.

How do I stay up to date?

Please set "CheckUpdates: true" in mox.conf. Mox will check for a new version through a DNS TXT request for _updates.xmox.nl once per 24h. Only if a new version is published will the changelog be fetched and delivered to the postmaster mailbox.

The changelog is at https://updates.xmox.nl/changelog.

You could also monitor newly added tags on this repository, or for the docker image, but update instructions are in the changelog.

Keep in mind you have a responsibility to keep the internect-connected software you run up to date and secure.

How secure is mox?

Security is high on the priority list for mox. Mox is young, so don't expect no bugs at all. Mox does have automated tests for some security aspects, e.g. for login, and uses fuzzing. Mox is written in Go, so some classes of bugs such as buffer mishandling do not typically result in privilege escalation. Of course logic bugs will still exist. If you find any security issues, please email them to mechiel@ueber.net.

I'm now running an email server, but how does email work?

Congrats and welcome to the club! Running an email server on the internet comes with some responsibilities so you should understand how it works. See https://explained-from-first-principles.com/email/ for a thorough explanation.