8 categories ยท 80+ capabilities

Complete system capability map

Email, Sieve filtering, end-to-end encryption, calendars, contacts, and API in one system on your servers. Detailed technical feature list.

Request deployment Compare alternatives

Feature categories

Click a category to view the full list of capabilities

SMTP

Send and receive email

Full RFC 5321 implementation. Sending and receiving standard email with TLS 1.2/1.3 support on all connections.

IMAP

Mailbox access

IMAP4rev1 (RFC 3501) with IDLE (instant notifications), compression, and state synchronization across devices.

POP3

Message retrieval

POP3 for downloading email to local devices. Optional for legacy clients and offline scenarios.

Clients

Client compatibility

Microsoft Outlook, Apple Mail, Mozilla Thunderbird, mobile clients (Android/iOS), K-9 Mail, The Bat! - no proprietary bridge apps.

iOS Push

Push notifications on iPhone/iPad

Native push notifications via XAPPLEPUSHSERVICE in standard Apple Mail - no third-party apps. Instant new-message delivery.

Bounce

Undelivered message handling

Automatic Bounce/DSN (Delivery Status Notification) handling. Failure-cause analysis with permanent/transient classification.

Auth

Full domain authentication stack

SPF, DKIM (2048-bit RSA), DMARC, ARC, BIMI, MTA-STS, DANE, SRS - complete DNS-protection stack. Security score 100/100 (Internet.nl).

โˆž

Unlimited mailboxes, domains, aliases

Quantity is limited by server resources, not license count. Catch-all, wildcard, regex routing, disposable addresses (user+tag@).

RFC 5228

Server-side mail filtering

Sieve is the standard language for server rules (RFC 5228). Rules run on server before mailbox delivery and work even when clients are offline.

ManageSieve

Management protocol (RFC 5804)

ManageSieve on port 4190 - rule management via web UI, REST API, or standard clients (Thunderbird, K-9 Mail).

vacation

Autoresponders

Automatic inbound replies with configurable repeat intervals. Ideal for vacation, travel, and off-hours.

fileinto

Automatic sorting

Message routing by folder: orders -> "Sales", tickets -> "Support", newsletters -> "Info". Done automatically on receipt.

redirect

Forwarding and copying

Redirect to another address and copy without deleting original. Flexible message-flow routing.

reject

Blocking with message

Reject/ereject unwanted messages with customizable sender responses.

editheader

Header processing

Add (addheader) and remove (deleteheader) message headers. Useful for tagging, routing, integrations.

enotify

Notifications and extensions

Notifications (enotify - mailto), duplicate checks (duplicate), MIME processing (mime, extracttext), variables, regex, IMAP flags (imap4flags), subaddressing (user+detail). 20+ RFC extensions.

OpenPGP

End-to-End encryption (E2EE)

OpenPGP for end-to-end encrypted communication. Only sender and recipient can read content - server sees encrypted data only.

S/MIME

Enterprise X.509 certificates

S/MIME for enterprise X.509 chains. Native support in Outlook, Apple Mail, Thunderbird. Integration with enterprise PKI.

WKD

Web Key Directory

Automatic public-key discovery by email address. In isolated environments, internal WKD server for autonomous operation.

ChaCha20

Storage encryption

ChaCha20-Poly1305 for at-rest encryption. Each mailbox is a separate encrypted SQLite file. The key is derived from the user password via PBKDF2-SHA256 (32-byte salt, 25,000 iterations). Zero-Knowledge: even admin cannot read data.

SQLite

Isolated per-user storage

Per-user architecture: compromise of one mailbox does not expose others. Open SQLite format simplifies auditing, backups, and migration without vendor lock-in.

TLS

Transport encryption

TLS 1.2/1.3 + Perfect Forward Secrecy on all connections. Key compromise does not expose past sessions.

Policy

Encryption routing policies

Configurable rules: mandatory encryption for selected domains and automatic OpenPGP/S-MIME selection by recipient.

CalDAV

CalDAV (RFC 4791)

Full implementation of standard protocol. Create, edit, delete events. Standard iCalendar (.ics) format.

VTODO

Tasks and reminders

VTODO task management through CalDAV: priorities, deadlines, completion status, reminders. Email integration.

Clients

Compatibility

Apple Calendar, Mozilla Thunderbird, DAVxโต (Android), mobile devices. Two-way sync across all devices.

iOS Push

Push notifications for calendars

iOS Push for instant calendar-change notifications. Meeting invites, cancellations, reschedules delivered instantly to iPhone/iPad.

CardDAV

CardDAV (RFC 6352)

Full implementation of standard protocol. vCard format. Unified corporate address book available to all employees.

Clients

Compatibility

Apple Contacts, Mozilla Thunderbird, DAVxโต (Android), mobile devices. Two-way sync across devices.

iOS Push

Push notifications for contacts

iOS Push for instant contact-change sync. Add/edit/delete updates appear instantly on all Apple devices.

Sync

Centralized management

Corporate contact database with single management center. Photos, roles, departments - full organizational structure.

REST

REST API for automation

Full HTTP API: mailbox, domain, and alias management, JSON-based email sending. Granular API keys with fine-grained permissions.

Inbound

Webhooks - Inbound

On message receipt: parsed into JSON with HMAC-SHA256 signature for verification. Text, HTML, attachments, headers in one request.

Bounce

Webhooks - Bounce

On delivery failure: JSON notification with HMAC-SHA256 signature. Error reason, recipient address, SMTP code for automatic bounce processing.

CRM

Business-system integration

CRM, ERP, ticketing systems, business workflows. Example: email to orders@ -> webhook -> CRM task creation. Transactional mail via API.

2FA

Two-factor authentication

TOTP (Google Authenticator and compatible apps) + WebAuthn/Passkeys (hardware keys, biometrics). 10 backup recovery codes. No SMS (SIM-swap resistance).

Spam

Multi-layer anti-spam

DNSBL, greylisting, denylist/allowlist, backscatter protection, Bayesian analysis, phishing detection, URL analysis.

Domain

Per-domain content control

Per-domain settings: anti-phishing, executable blocking, antivirus (ClamAV), adult-content filtering. Flexible domain-level policies.

Rate

Rate Limiting

Request-rate limiting for SMTP, IMAP, API, Auth, Sieve, CalDAV. Protection from brute-force, DDoS, and resource overconsumption.

Quota

Storage Quotas

Storage quotas per-user and per-domain. IMAP QUOTA support (RFC 9208) with visible used/available space and threshold warnings.

FTS5

Full-text search

FTS5 full-text search across mailbox content: headers, body, attachments. Full Unicode support via IMAP SEARCH.

Audit

Auditable code

All executable code is readable files. Security teams can verify line by line. No telemetry, no phone-home, no kill switch.

Web

Web interface

Built-in full WebMail for administration and day-to-day mailbox work: themes, contacts, calendar, multi-account, fully client-side with offline support. Plus domain, mailbox, alias, security, and log management via browser. 25+ interface languages and automatic log redaction (passwords -> REDACTED).

๐ŸŒ Online

Standard perimeter (Online)

Full internet access. Automatic updates, Let's Encrypt certificates, antivirus database updates. For standard security requirements.

๐Ÿ›ก๏ธ Restricted

Restricted perimeter

Controlled perimeter. Outbound access only to required services (DNS, SMTP relay, OS updates). Inbound traffic via reverse proxy in DMZ.

๐Ÿ”’ Air-gap

Fully isolated perimeter (Air-gap)

No internet connectivity. USB updates, internal DNS, internal PKI (certificates), internal WKD server. For strict security requirements.

OS

OS recommendations

Ubuntu LTS - default recommendation. Debian Stable/LTS - fully supported. RHEL-compatible distros (Rocky/Alma) - supported with environment-specific tuning.

Docker

Containerization (Docker)

Docker containers: simple deploy, update, rollback in seconds. Compatibility with Prometheus and Grafana. Structured JSON logs.

Backup

Backup and recovery

Each mailbox is a separate file. Incremental backup with rsync, Borg, Restic. Fast mailbox-level restore without system downtime.

Comparison

Private platform vs alternatives

Objective comparison across key criteria with typical SaaS and legacy solutions

Criterion Our platform Typical SaaS Legacy (On-Premise)
Data โœ… On your servers โŒ At provider side โœ… On your servers
Encryption at-rest โœ… ChaCha20 + per-user SQLite (Zero-Knowledge) ๐ŸŸก Depends on provider ๐ŸŸก BitLocker (not per-user)
Sieve filtering โœ… Full (20+ extensions) โŒ Proprietary rules ๐ŸŸก Partial / Transport Rules
OpenPGP / S/MIME โœ… Both built in ๐ŸŸก S/MIME (partial) ๐ŸŸก S/MIME (partial)
WKD (Web Key Directory) โœ… Built in + air-gap โŒ No โŒ No
2FA (TOTP + WebAuthn) โœ… TOTP + Passkeys ๐ŸŸก Usually TOTP / SMS ๐ŸŸก TOTP (plugins)
iOS Push โœ… Email + Calendars + Contacts ๐ŸŸก App-only โŒ No
Webhooks (Inbound + Bounce) โœ… JSON + HMAC-SHA256 ๐ŸŸก Limited ๐ŸŸก Via additional software
FTS5 (full-text search) โœ… Unicode support โœ… Yes โœ… Yes
CalDAV / CardDAV โœ… Built in โŒ Proprietary protocols โŒ Requires bridge
Air-gap mode โœ… Full support โŒ Not possible ๐ŸŸก With limitations
Code audit โœ… Full (readable code) โŒ Not possible โŒ Closed binary code
Vendor Lock-in โœ… No โŒ High โŒ High
Security (Internet.nl) โœ… 100/100 ๐ŸŸก 83โ€“85/100 ๐ŸŸก ~90/100
Deployment options

3 deployment perimeters

Choose the profile that matches your security requirements

๐ŸŒ

Standard (Online)

With full internet access. Automatic updates, Let's Encrypt certificates, real-time antivirus signature updates.

  • โœ“ Automatic SSL certificates
  • โœ“ Online OS/software updates
  • โœ“ External DNS, DNSBL, antivirus
  • โœ“ Suitable for most companies
๐Ÿ›ก๏ธ

Restricted

Controlled perimeter. Outbound access only to necessary services. Inbound traffic through reverse proxy in DMZ.

  • โœ“ Whitelist of outbound connections
  • โœ“ Reverse proxy for inbound traffic
  • โœ“ Network segmentation (DMZ)
  • โœ“ Balance of security and usability
๐Ÿ”’

Air-gap (isolated)

Fully isolated perimeter without internet. USB updates, internal DNS, PKI, WKD server.

  • โœ“ No internet connectivity
  • โœ“ USB updates for OS and software
  • โœ“ Internal DNS, PKI, WKD
  • โœ“ Maximum security requirements

Server requirements

1-server setup
Up to 200 mailboxes
4 vCPU
8-16 GB RAM
100 GB NVMe SSD
Recommended
2-server setup
Core services + storage split
4+ vCPU total
16 GB ECC RAM
2ร— NVMe (RAID 1)
4-server setup
500+ mailboxes
8+ vCPU total
32 GB ECC RAM+
NVMe RAID + NAS backup

Recommended OS: Ubuntu LTS / Debian Stable-LTS. Rocky Linux and AlmaLinux are also supported with environment-specific tuning.

FAQ

Frequently asked questions

Answers to key system questions.

The platform is fully compatible. It uses standard SMTP, IMAP, CalDAV, and CardDAV protocols without proprietary bridge applications. Outlook, Apple Mail, Thunderbird, Android/iOS clients, and K-9 Mail connect directly. Native iPhone/iPad push notifications are supported in standard Apple Mail.

The platform provides full Sieve support (RFC 5228) with ManageSieve (RFC 5804) on port 4190. More than 20 extensions are available, including vacation, fileinto, redirect, reject, editheader, enotify, imap4flags, variables, and regex.

Three layers are available: OpenPGP for end-to-end encryption, S/MIME for enterprise certificate chains, and ChaCha20-Poly1305 for at-rest mailbox encryption. Zero-Knowledge design is supported for user mailboxes.

In air-gap mode, an internal WKD server can be deployed for automatic OpenPGP key discovery and distribution without internet access.

Supported methods include TOTP and WebAuthn/Passkeys (YubiKey, Touch ID, Face ID, Windows Hello). Backup recovery codes are generated during setup.

Inbound and Bounce webhooks are available. Payloads are delivered as JSON and signed with HMAC-SHA256 for secure integration with CRM/ERP/ticketing systems.

Built-in FTS5 search supports Unicode and works across headers, body, and text attachments.

Recommended: Ubuntu LTS. Also supported: Debian Stable/LTS and RHEL-compatible distributions (Rocky Linux, AlmaLinux) with environment-specific tuning.

Docker-based deployment provides consistent operation across major Linux families where required runtime capabilities are available.

Online, Restricted, and Air-gap perimeters are supported. Air-gap mode works with local DNS, internal PKI, local AV mirrors, and offline update procedures.

Let's Encrypt, wildcard, EV, and internal corporate CA certificates are supported, including fully isolated environments.

We migrate data from Exchange, IMAP servers, and cloud systems with folder structure, flags, read status, and attachments preserved. Parallel transition is supported.

After handover and credential rotation, correspondence remains under your exclusive control.

We configure SPF, DKIM, DMARC, ARC, BIMI, MTA-STS, PTR and run controlled IP warm-up to build sender reputation.

The platform includes full built-in WebMail for both administration and day-to-day mailbox work: themes, contacts, calendar, multi-account, fully client-side with offline support. External webmail solutions (Roundcube, SnappyMail) can also be connected over standard IMAP with no proprietary bridges.

Typical setups: 1-server (up to ~200 mailboxes): 4 vCPU, 8-16 GB RAM, 100 GB NVMe SSD. 2-server setup (recommended): 4+ vCPU total, 16 GB ECC RAM, 2ร— NVMe RAID 1. 4-server setup (500+ mailboxes): 8+ vCPU total, 32 GB ECC RAM+, NVMe RAID + NAS backup. Recommended OS: Ubuntu LTS / Debian Stable-LTS.

The system remains operational. It has no license keys, remote kill-switches, or activation checks. Your team can maintain it independently after handover.