modern full-featured open source secure mail server for low-maintenance self-hosted email
Find a file
Mechiel Lukkien e52c9d36a6
support cram-md5 authentication for imap and smtp
and change thunderbird autoconfiguration to use it.

unfortunately, for microsoft autodiscover, there appears to be no way to
request secure password negotiation. so it will default to plain text auth.

cram-md5 is less secure than scram-sha-*, but thunderbird does not yet support
scram auth. it currently chooses "plain", sending the literal password over the
connection (which is TLS-protected, but we don't want to receive clear text
passwords). in short, cram-md5 is better than nothing...

for cram-md5 to work, a new set of derived credentials need to be stored in the
database. so you need to save your password again to make it work. this was
also the case with the scram-sha-1 addition, but i forgot to mention it then.
2023-02-05 16:29:03 +01:00
.go mox! 2023-01-30 14:27:06 +01:00
autotls mox! 2023-01-30 14:27:06 +01:00
config add two new log levels for tracing sensitive auth protocol messages, and bulk data messages 2023-02-03 20:33:19 +01:00
dkim in dkim-signature header, allow FWS anywhere in "z=" (copied headers), and prevent panic in cli command "mox dkim verify" when a dkim-signature cannot be parsed 2023-02-03 13:29:47 +01:00
dmarc mox! 2023-01-30 14:27:06 +01:00
dmarcdb mox! 2023-01-30 14:27:06 +01:00
dmarcrpt mox! 2023-01-30 14:27:06 +01:00
dns mox! 2023-01-30 14:27:06 +01:00
dnsbl mox! 2023-01-30 14:27:06 +01:00
dsn mox! 2023-01-30 14:27:06 +01:00
http support cram-md5 authentication for imap and smtp 2023-02-05 16:29:03 +01:00
imapclient add support for SCRAM-SHA-1 2023-02-05 12:30:14 +01:00
imapserver support cram-md5 authentication for imap and smtp 2023-02-05 16:29:03 +01:00
iprev mox! 2023-01-30 14:27:06 +01:00
junk mox! 2023-01-30 14:27:06 +01:00
message mox! 2023-01-30 14:27:06 +01:00
metrics support cram-md5 authentication for imap and smtp 2023-02-05 16:29:03 +01:00
mlog add two new log levels for tracing sensitive auth protocol messages, and bulk data messages 2023-02-03 20:33:19 +01:00
mox- support cram-md5 authentication for imap and smtp 2023-02-05 16:29:03 +01:00
moxio add two new log levels for tracing sensitive auth protocol messages, and bulk data messages 2023-02-03 20:33:19 +01:00
moxvar mox! 2023-01-30 14:27:06 +01:00
mtasts mox! 2023-01-30 14:27:06 +01:00
mtastsdb mox! 2023-01-30 14:27:06 +01:00
publicsuffix mox! 2023-01-30 14:27:06 +01:00
queue mox! 2023-01-30 14:27:06 +01:00
rfc support cram-md5 authentication for imap and smtp 2023-02-05 16:29:03 +01:00
scram add support for SCRAM-SHA-1 2023-02-05 12:30:14 +01:00
smtp add scram-sha-256 for smtp 2023-01-31 00:22:26 +01:00
smtpclient add two new log levels for tracing sensitive auth protocol messages, and bulk data messages 2023-02-03 20:33:19 +01:00
smtpserver support cram-md5 authentication for imap and smtp 2023-02-05 16:29:03 +01:00
spf mox! 2023-01-30 14:27:06 +01:00
store support cram-md5 authentication for imap and smtp 2023-02-05 16:29:03 +01:00
subjectpass mox! 2023-01-30 14:27:06 +01:00
testdata work around missing timezone in timestamps in tls reports from microsoft 2023-02-05 10:55:34 +01:00
tlsrpt work around missing timezone in timestamps in tls reports from microsoft 2023-02-05 10:55:34 +01:00
tlsrptdb mox! 2023-01-30 14:27:06 +01:00
updates mox! 2023-01-30 14:27:06 +01:00
vendor mox! 2023-01-30 14:27:06 +01:00
.dockerignore mox! 2023-01-30 14:27:06 +01:00
.gitignore mox! 2023-01-30 14:27:06 +01:00
.jshintrc mox! 2023-01-30 14:27:06 +01:00
checkhtmljs mox! 2023-01-30 14:27:06 +01:00
compatibility.txt mox! 2023-01-30 14:27:06 +01:00
ctl.go mox! 2023-01-30 14:27:06 +01:00
doc.go add two new log levels for tracing sensitive auth protocol messages, and bulk data messages 2023-02-03 20:33:19 +01:00
docker-compose-imaptest.yml mox! 2023-01-30 14:27:06 +01:00
docker-compose-integration.yml mox! 2023-01-30 14:27:06 +01:00
Dockerfile mox! 2023-01-30 14:27:06 +01:00
Dockerfile.imaptest mox! 2023-01-30 14:27:06 +01:00
export.go mox! 2023-01-30 14:27:06 +01:00
gendoc.sh mox! 2023-01-30 14:27:06 +01:00
go.mod mox! 2023-01-30 14:27:06 +01:00
go.sum mox! 2023-01-30 14:27:06 +01:00
import.go add reverse ip checks during quickstart and in "check dns" admin page/subcommand 2023-02-03 15:54:34 +01:00
import_test.go rename filename that is invalid for the go module proxy 2023-01-30 14:38:55 +01:00
integration_test.go mox! 2023-01-30 14:27:06 +01:00
junk.go mox! 2023-01-30 14:27:06 +01:00
LICENSE.MIT mox! 2023-01-30 14:27:06 +01:00
LICENSE.MPLv2.0 mox! 2023-01-30 14:27:06 +01:00
main.go support cram-md5 authentication for imap and smtp 2023-02-05 16:29:03 +01:00
main_test.go mox! 2023-01-30 14:27:06 +01:00
Makefile "make check-shadow" now produces useful output 2023-02-05 16:28:44 +01:00
mox.service mox! 2023-01-30 14:27:06 +01:00
quickstart.go add reverse ip checks during quickstart and in "check dns" admin page/subcommand 2023-02-03 15:54:34 +01:00
README.md tweak readme, making urls clickable 2023-01-30 14:43:50 +01:00
serve.go fix update check without last known version present 2023-01-31 00:16:01 +01:00
start.go mox! 2023-01-30 14:27:06 +01:00
tools.go mox! 2023-01-30 14:27:06 +01:00
updates.go mox! 2023-01-30 14:27:06 +01:00

Mox is a modern full-featured open source secure mail server for low-maintenance self-hosted email.

See Quickstart below to get started.

Mox features:

  • Quick and easy to maintain mail server for your own domain through quickstart.
  • SMTP for receiving and submitting email.
  • IMAP4 for giving email clients access to email.
  • Automatic TLS with ACME, for use with Let's Encrypt and other CA's.
  • SPF, verifying that a remote host is allowed to sent email for a domain.
  • DKIM, verifying that a message is signed by the claimed sender domain, and for signing emails sent by mox for others to verify.
  • DMARC, for enforcing SPF/DKIM policies set by domains. Incoming DMARC aggregate reports are analyzed.
  • Reputation tracking, learning (per user) host- and domain-based reputation from (Non-)Junk/Non-Junk email.
  • Bayesian spam filtering that learns (per user) from (Non-)Junk email.
  • Greylisting of servers with no/low reputation and questionable email content. Temporarily refused emails are available over IMAP in a special mailbox for a short period, helping with misclassified legimate synchronous signup/login/transactional emails.
  • Internationalized email, with unicode names in domains and usernames ("localparts").
  • TLSRPT, parsing reports about TLS usage and issues.
  • MTA-STS, for ensuring TLS is used whenever it is required. Both serving of policies, and tracking and applying policies of remote servers.
  • Web admin interface that helps you set up your domains and accounts (instructions to create DNS records, configure SPF/DKIM/DMARC/TLSRPT/MTA-STS), for status information, managing accounts/domains, and modifying the configuration file.
  • Autodiscovery (with SRV records, Microsoft-style and Thunderbird-style) for easy account setup (though not many clients support it).
  • Prometheus metrics and structured logging for operational insight.

Not supported (but perhaps in the future):

  • Webmail
  • Functioning as SMTP relay
  • HTTP-based API for sending messages and receiving delivery feedback
  • Forwarding (to an external address)
  • Autoresponders
  • POP3
  • Delivery to (unix) OS system users
  • Sieve for filtering
  • PGP or S/MIME
  • Mailing list manager
  • Calendaring
  • Support for pluggable delivery mechanisms.

Mox has automated tests, including for interoperability with Postfix for SMTP.

Mox is manually tested with email clients: Mozilla Thunderbird, mutt, iOS Mail, macOS Mail, Android Mail, Microsoft Outlook.

Mox is also manually tested to interoperate with popular cloud providers: gmail.com, outlook.com, yahoo.com, proton.me.

Mox is implemented in Go, a modern safe programming language, and has a focus on security.

Mox is available under the MIT-license. Mox includes the Public Suffix List by Mozilla, under Mozilla Public License, v. 2.0.

Mox was created by Mechiel Lukkien, mechiel@ueber.net.

Download

You can easily (cross) compile mox if you have a Go toolchain installed:

go install github.com/mjl-/mox@latest

Or you can download binaries from https://beta.gobuilds.org/github.com/mjl-/mox

Quickstart

The easiest way to get started with serving email for your domain is to get a vm/machine dedicated to serving email named ., login as an admin user, e.g. /home/service, download mox, and generate a configuration for your desired email address at your domain:

./mox quickstart you@example.com

This creates an accounts, generates a password and configuration files, prints the DNS records you need to manually add for your domain and prints commands to set permissions and install as a service.

If you already have email configured for your domain, or if you are already sending email for your domain from other machines/services, you should modify the suggested configuration and/or DNS records.

A dedicated machine is convenient because modern email requires HTTPS. You can combine mox with an existing webserver, but it requires more configuration.

After starting, you can access the admin web interface on internal IPs.

FAQ - Frequently Asked Questions

  • Why a new mail server implementation?

Mox aims to make "running a mail server" easy and nearly effortless. Excellent quality mail server software exists, but getting a working setup typically requires you configure half a dozen services (SMTP, IMAP, SPF/DKIM/DMARC, spam filtering). That seems to lead to people no longer running their own mail servers, instead switching to one of the few centralized email providers. SMTP is long-time distributed messaging protocol. To keep it distributed, people need to run their own mail server. Mox aims to make that easy.

  • Where is the documentation?

See all commands and help text at https://pkg.go.dev/github.com/mjl-/mox/, and example config files at https://pkg.go.dev/github.com/mjl-/mox/config/.

You can get the same information by running "mox" without arguments to list its subcommands and usage, and "mox help " for more details.

The example config files are printed by "mox config describe-static" and "mox config describe-dynamic".

Mox is still in early stages, and documentation is still limited. Please create an issue describing what is unclear or confusing, and we'll try to improve the documentation.

  • How do I import/export email?

Use the "mox import maildir" or "mox import mbox" subcommands. You could also use your IMAP email client, add your mox account, and copy or move messages from one account to the other.

Similarly, see the "mox export maildir" and "mox export mbox" subcommands to export email.

  • How can I help?

Mox needs users and testing in real-life setups! So just give it a try, send and receive emails through it with your favourite email clients, and file an issue if you encounter a problem or would like to see a feature/functionality implemented.

Instead of switching your email for your domain over to mox, you could simply configure mox for a subdomain, e.g. @moxtest..

If you have experience with how the email protocols are used in the wild, e.g. compatibility issues, limitations, anti-spam measures, specification violations, that would be interesting to hear about.

Pull requests for bug fixes and new code are welcome too. If the changes are large, it helps to start a discussion (create a ticket) before doing all the work.

  • How do I change my password?

Regular users (doing IMAP/SMTP with authentication) can change their password at the account page, e.g. http://127.0.0.1/account/. Or you can set a password with "mox setaccountpassword".

The admin password can be changed with "mox setadminpassword".

  • How do I configure a second mox instance as a backup MX?

Unfortunately, mox does not yet provide an option for that. Mox does spam filtering based on reputation of received messages. It will take a good amount of work to share that information with a backup MX. Without that information, spammer could use a backup MX to get their spam accepted. Until mox has a proper solution, you can simply run a single SMTP server.

  • How secure is mox?

Security is high on the priorit list for mox. Mox is young, so don't expect no bugs at all. Mox does have automated tests for some security aspects, e.g. for login, and uses fuzzing. Mox is written in Go, so some classes of bugs such as buffer mishandling do not typically result in privilege escalation. Of course logic bugs will still exist. If you find any security issues, please email them to mechiel@ueber.net.