Postfix + Dovecot —
own your mail server.
For teams who want full control of their inbox: we install and harden Postfix and Dovecot on a VPS you provide. TLS via Let's Encrypt, full deliverability stack, and a runbook so you know exactly what lives where.
A production-ready mail stack.
Configured to industry best practice — not a half-finished tutorial copy/paste.
Configured for outbound + inbound on submission (587) and SMTPS (465). TLS-only, modern cipher suite, no plaintext auth on port 25.
IMAP4rev1 + POP3 on TLS-only ports. SASL auth via system users or virtual users in MariaDB.
Auto-renewing cert for mail.yourdomain.com, applied to Postfix submission, SMTPS, and Dovecot.
Coordinated with your VPS provider so the rDNS matches your HELO — major deliverability factor.
Same authentication stack as our managed plans. opendkim signs outbound, BIND-style records published in your DNS.
Inbound spam filtering with sane defaults; brute-force protection on SMTP/IMAP/SSH ports.
Optional. Hardened install with HTTPS, plugins for password change + two-factor login.
Markdown runbook covering paths, configs, log locations, renewal commands, and how to add a mailbox.
A small VPS + DNS access.
-
VPSUbuntu 22.04 LTS or Debian 12, minimum 1 vCPU + 2 GB RAM + 20 GB disk. Hetzner, DigitalOcean, Linode, Vultr, AWS Lightsail all work.
-
Static IPv4Most providers give one by default. Required for clean reverse DNS.
-
DNS accessEither delegated (we add records) or self-managed (we send a copy-paste list).
-
Reverse DNS accessMost VPS panels let you set the PTR record yourself. We'll guide you through it.
Self-hosted mail isn't free maintenance
Once we hand it over, you'll be responsible for OS updates, certificate monitoring, and watching for IP-reputation issues. We document everything you need in the runbook, but if you'd rather not deal with that, Google Workspace or Zoho is the easier path — and we'll happily set those up instead.
Talk to us first