{"id":15147019,"url":"https://github.com/danwin/mail-hosting","last_synced_at":"2025-10-24T01:31:24.772Z","repository":{"id":41335732,"uuid":"492586662","full_name":"DanWin/mail-hosting","owner":"DanWin","description":"This is a setup for a Tor based mail hosting server","archived":false,"fork":false,"pushed_at":"2024-12-20T16:48:05.000Z","size":422,"stargazers_count":25,"open_issues_count":19,"forks_count":8,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-01-30T22:35:33.133Z","etag":null,"topics":["dovecot","hidden-service","imap","mail","onion","php","pop3","postfix","prosody","rspamd","smtp","tor","xmpp"],"latest_commit_sha":null,"homepage":"https://danwin1210.de/mail/","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DanWin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"DanWin","liberapay":"DanWin1210"}},"created_at":"2022-05-15T19:42:09.000Z","updated_at":"2024-12-20T16:48:08.000Z","dependencies_parsed_at":"2023-10-12T03:39:16.904Z","dependency_job_id":"d972edf9-0ac4-441f-bb1f-f8fe2ba486f3","html_url":"https://github.com/DanWin/mail-hosting","commit_stats":{"total_commits":128,"total_committers":4,"mean_commits":32.0,"dds":0.328125,"last_synced_commit":"1dfaf11b6a6543183415c963d2f256163b882427"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DanWin%2Fmail-hosting","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DanWin%2Fmail-
hosting/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DanWin%2Fmail-hosting/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DanWin%2Fmail-hosting/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DanWin","download_url":"https://codeload.github.com/DanWin/mail-hosting/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237901379,"owners_count":19384385,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dovecot","hidden-service","imap","mail","onion","php","pop3","postfix","prosody","rspamd","smtp","tor","xmpp"],"created_at":"2024-09-26T12:21:26.670Z","updated_at":"2025-10-24T01:31:19.283Z","avatar_url":"https://github.com/DanWin.png","language":"PHP","funding_links":["https://github.com/sponsors/DanWin","https://liberapay.com/DanWin1210"],"categories":[],"sub_categories":[],"readme":"General Information:\n--------------------\n\nThis is a setup for a Tor based email hosting server. It is provided as is and before putting it into production you should make changes according to your needs. 
This is a work in progress and you should carefully check the commit history for changes before updating.\n\nInstallation Instructions:\n--------------------------\n\n### Primary mail server with Tor:\n\nUninstall packages that may interfere with this setup:\n```\nDEBIAN_FRONTEND=noninteractive apt-get purge -y apache2* dnsmasq* eatmydata exim4* imagemagick-6-common mysql-client* mysql-server* nginx* libnginx-mod* php7* resolvconf \u0026\u0026 systemctl disable systemd-resolved.service \u0026\u0026 systemctl stop systemd-resolved.service\n```\n\nIf you have problems resolving hostnames after this step, temporarily switch to a public nameserver like 1.1.1.1 (from CloudFlare) or 8.8.8.8 (from Google)\n\n```\nrm /etc/resolv.conf \u0026\u0026 echo \"nameserver 1.1.1.1\" \u003e /etc/resolv.conf\n```\n\nInstall git and clone this repository\n\n```\napt-get update \u0026\u0026 apt-get install git -y \u0026\u0026 git clone https://github.com/DanWin/mail-hosting \u0026\u0026 cd mail-hosting\n```\n\nInstall files and programs\n```\n./install_binaries.sh\n```\n\nCopy (and modify according to your needs) the site files in `etc` to `/etc` after installation has finished. 
Then restart some services:\n```\nsystemctl daemon-reload \u0026\u0026 systemctl restart tor@default.service\n```\n\nReplace the default .onion domain with your domain:\n```\nsed -i \"s/danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion/`cat /var/lib/tor/hidden_service/hostname`/g\" /etc/prosody/prosody.cfg.lua /etc/nginx/sites-enabled/mail /var/www/mail/common_config.php /etc/postfix/main.cf\n```\n\nReplace the default clearnet domain with your domain:\n```\nsed -i \"s/danwin1210.de/YOUR_DOMAIN/g\" /etc/prosody/prosody.cfg.lua /etc/postfix/main.cf /etc/dovecot/dovecot.conf /etc/nginx/sites-enabled/* /var/www/mail/common_config.php /var/www/mail/www/squirrelmail/config/config.php\n```\n\nCreate MySQL users and databases:\n```\nmysql\nCREATE DATABASE postfix;\nCREATE DATABASE prosody;\nCREATE USER 'postfix'@'%' IDENTIFIED BY 'MY_PASSWORD';\nCREATE USER 'postfix_readonly'@'%' IDENTIFIED BY 'MY_PASSWORD';\nCREATE USER 'prosody'@'%' IDENTIFIED BY 'MY_PASSWORD';\nGRANT ALL PRIVILEGES ON postfix.* TO 'postfix'@'%';\nGRANT SELECT ON postfix.* TO 'postfix_readonly'@'%';\nGRANT ALL PRIVILEGES ON prosody.* TO 'prosody'@'%';\nFLUSH PRIVILEGES;\nquit\n```\n\nThen update the passwords you've set in your configuration files:\n```\nnano /etc/dovecot/dovecot-dict-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext /etc/postfix/sql/mysql_* /etc/prosody/prosody.cfg.lua /var/www/mail/common_config.php\n```\n\nGenerate a keypair for rspamd with `rspamadm keypair gen` and add it to /etc/rspamd/local.d/worker-fuzzy.inc, add the public encryption key to /etc/rspamd/override.d/fuzzy_check.conf\n\nSet a password for the web interface with `rspamadm pw` and add the hash for it to /etc/rspamd/override.d/worker-controller.inc\n\nGenerate DKIM signing keys and add them to /etc/rspamd/local.d/arc.conf /etc/rspamd/local.d/dkim_signing.conf, then add the printed DNS records to your domain:\n```\nrspamadm dkim_keygen -d YOUR_DOMAIN -s $(date +\"%Y%m%d\")-rsa -b 4096 -t rsa -k 
/var/lib/rspamd/dkim/YOUR_DOMAIN-rsa\nrspamadm dkim_keygen -d YOUR_DOMAIN -s $(date +\"%Y%m%d\")-ed25519 -t ed25519 -k /var/lib/rspamd/dkim/YOUR_DOMAIN-ed25519\n```\n\nCreate a password used for your TURN server and replace all `YOUR_SECRET` in `/etc/prosody/prosody.cfg.lua` with it.\n\nInstall [acme.sh](https://github.com/acmesh-official/acme.sh) or [certbot](https://certbot.eff.org/) to obtain a free letsencrypt SSL certificate, then update the path to this new certificate in the following files:\n```\nnano /etc/prosody/prosody.cfg.lua /etc/dovecot/dovecot.conf /etc/postfix/main.cf /etc/nginx/nginx.conf /etc/nginx/sites-enabled/mail /etc/nginx/sites-enabled/openpgpkey\n```\n\nAdd your other server's IP under `unrestricted access to these IPs` in `/etc/rc.local`\n\nCreate database tables, activate firewall and enable cron:\n```\npostmap /etc/postfix/header_checks\ncd /var/www/mail \u0026\u0026 php setup.php \u0026\u0026 chmod +x /etc/rc.local \u0026\u0026 /etc/rc.local \u0026\u0026 systemctl enable mail-cron.timer\n```\n\nGenerate a wireguard keypair and add the public key generated here to the primary mail server wireguard config:\n```\nexport PRIV=$(wg genkey)\nsed -i \"s~YOUR_PRIVATE_KEY~$PRIV~g\" /etc/wireguard/wg0.conf\necho $PRIV | wg pubkey\n```\n\nReplace `YOUR_IP` with the IP of your other server, then enable and start wireguard:\n```\nnano /etc/wireguard/wg0.conf\nsystemctl enable wg-quick@wg0 \u0026\u0026 systemctl start wg-quick@wg0\n```\n\nFinal step is to reboot the server and check that everything is working.\n\n### Proxy server:\n\nTo send emails to the regular internet, it is necessary to have a static IP to retain a reputation with an IP+Domain mapping. If you try sending via Tor, your emails will most certainly get blocked by spam filters. 
For this reason we need to setup a proxy server which will hold no user data itself, but simply act as a gateway to reach the less anonymous part of the internet.\n\nUninstall packages that may interfere with this setup:\n```\nDEBIAN_FRONTEND=noninteractive apt-get purge -y apache2* dnsmasq* eatmydata exim4* imagemagick-6-common mysql-client* mysql-server* nginx* libnginx-mod* php7* resolvconf \u0026\u0026 systemctl disable systemd-resolved.service \u0026\u0026 systemctl stop systemd-resolved.service\n```\n\nIf you have problems resolving hostnames after this step, temporarily switch to a public nameserver like 1.1.1.1 (from CloudFlare) or 8.8.8.8 (from Google)\n\n```\nrm /etc/resolv.conf \u0026\u0026 echo \"nameserver 1.1.1.1\" \u003e /etc/resolv.conf\n```\n\nInstall git and clone this repository\n```\napt-get update \u0026\u0026 apt-get install git -y \u0026\u0026 git clone https://github.com/DanWin/mail-hosting \u0026\u0026 cd mail-hosting\n```\n\nInstall files and programs\n```\n./install_binaries_proxy.sh\n```\n\nCopy (and modify according to your needs) the site files in `etc_clearnet_proxy` to `/etc` after installation has finished.\n\nAdd the password for your TURN server you created for prosody in the main server and replace `YOUR_AUTH_SECRET` in `/etc/turnserver.conf` with it.\n\nInstall [acme.sh](https://github.com/acmesh-official/acme.sh) or [certbot](https://certbot.eff.org/) to obtain a free letsencrypt SSL certificate, then update the path to this new certificate in the following files:\n```\nnano /etc/postfix/main.cf /etc/nginx/nginx.conf /etc/turnserver.conf\n```\n\nReplace `YOUR_PASSWORD` in `/etc/postfix/sql/mysql_tls_policy_out.cf` with the one you've generated previously on the other server.\n\nGenerate a wireguard keypair and add the public key generated here to the primary mail server wireguard config:\n```\nexport PRIV=$(wg genkey)\nsed -i \"s~YOUR_PRIVATE_KEY~$PRIV~g\" /etc/wireguard/wg0.conf\necho $PRIV | wg pubkey\n```\n\nReplace 
`YOUR_IP` with the IP of your other server and `ens3` with your network interface name, then enable and start wireguard:\n```\nnano /etc/wireguard/wg0.conf\nsystemctl enable wg-quick@wg0 \u0026\u0026 systemctl start wg-quick@wg0\n```\n\nEdit and create your admin user with the following script:\n```\nnano /var/www/mail/tools/create_admin.php\nphp /var/www/mail/tools/create_admin.php\n```\n\nCopy the file `/etc/postfix/danwin1210-mail.crt` from your main server to the same location on the proxy server.\n\nFinal step is to reboot the server and check that everything is working.\n\n### General Domain settings\n\nAdd the following DNS records to your domain, with the IPs of your proxy server:\n```\n@    IN    TXT    \"v=spf1 ip4:your.ip.v4.address ip6:your:ip:v6:address -all\"\n_dmarc    IN    TXT \"v=DMARC1;p=quarantine;adkim=r;aspf=r;fo=1;rua=mailto:postmaster@yourdomain;ruf=mailto:postmaster@yourdomain;rf=afrf;ri=86400;pct=100\"\n_adsp._domainkey\tIN\tTXT\t\"dkim=all;\"\n_domainkey\tIN\tTXT \"o=-;r=postmaster@yourdomain\"\n*._report._dmarc\tIN\tTXT \"v=DMARC1\"\n_mta-sts    IN  TXT \"v=STSv1; id=2024060601\"\n_smtp._tls  IN  TXT \"v=TLSRPTv1; rua=mailto:postmaster@yourdomain\"\n_imaps._tcp\tIN\tSRV\t0 0 993 yourdomain.\n_submission._tcp\tIN\tSRV\t0 0 587 yourdomain.\n@\tIN\tMX\t0 yourdomain.\n@\tIN\tA\tyour.ip.v4.address\n@\tIN\tAAAA\tyour:ip:v6:address\nwww\tIN\tA\tyour.ip.v4.address\nwww\tIN\tAAAA\tyour:ip:v6:address\nmta-sts\tIN\tA\tyour.ip.v4.address\nmta-sts\tIN\tAAAA\tyour:ip:v6:address\nconference\tIN\tA\tyour.ip.v4.address\nconference\tIN\tAAAA\tyour:ip:v6:address\nproxy\tIN\tA\tyour.ip.v4.address\nproxy\tIN\tAAAA\tyour:ip:v6:address\nupload\tIN\tA\tyour.ip.v4.address\nupload\tIN\tAAAA\tyour:ip:v6:address\n_xmpp-server._tcp.conference\tIN\tSRV\t5 0 5269 yourdomain.\n_xmpp-server._tcp.conference\tIN\tSRV\t0 0 5269 your_onion_domain.\n_xmpp-client._tcp\tIN\tSRV\t5 0 5222 yourdomain.\n_xmpp-client._tcp\tIN\tSRV\t0 0 5222 
your_onion_domain.\n_xmpps-client._tcp\tIN\tSRV\t5 0 5223 yourdomain.\n_xmpps-client._tcp\tIN\tSRV\t0 0 5223 your_onion_domain.\n_xmpp-server._tcp\tIN\tSRV\t5 0 5269 yourdomain.\n_xmpp-server._tcp\tIN\tSRV\t0 0 5269 your_onion_domain.\n_stun._udp\tIN\tSRV\t0 0 3478 yourdomain.\n_turn._udp\tIN\tSRV\t0 0 3478 yourdomain.\n_stun._tcp\tIN\tSRV\t0 0 3478 yourdomain.\n_stuns._tcp\tIN\tSRV\t0 0 3479 yourdomain.\n_turn._tcp\tIN\tSRV\t0 0 3478 yourdomain.\n_turns._tcp\tIN\tSRV\t0 0 5349 yourdomain.\n_xmppconnect\tIN\tTXT\t\"_xmpp-client-xbosh=https://yourdomain:5281/http-bind\"\n_xmppconnect\tIN\tTXT\t\"_xmpp-client-websocket=wss://yourdomain:5281/xmpp-websocket\"\n```\n\nSet the PTR record of your proxy server's IPs to your domain. This can usually be done from your hosting panel's configuration, but may not be available with every hosting provider, in which case you can request it via a support ticket.\n\nConsider registering your domain with [DNSWL](https://www.dnswl.org/), [SNDS](https://sendersupport.olc.protection.outlook.com/snds/), [Google Postmaster Tools](https://postmaster.google.com/) and [YahooCFL](https://senders.yahooinc.com/complaint-feedback-loop/) for valuable insights into your delivery.\n\nConsider enabling DNSSEC on your domain if your domain registrar offers it. Some registrars may charge extra for it. Once enabled, you can also enable DANE, which increases security. 
Use [TLSA Record Generator](https://ssl-tools.net/tlsa-generator) to help you create an appropriate DNS record.\n\nConsider adding your domain to [HSTS Preload List](https://hstspreload.org/) which will prevent browsers from even trying to access your domain on the insecure http:// protocol and automatically upgrade to https://\n\n### Final configuration steps\n\nFollow [SnappyMail installation instructions](https://github.com/the-djmaze/snappymail/wiki/Installation-instructions#now-access-the-admin-page) to finish setting it up at yourdomain/mail/snappymail/?admin\n\n\n\nTranslating:\n------------\n\nTranslations are managed in [Weblate](https://weblate.danwin1210.de/projects/DanWin/mail-hosting).\nIf you prefer manually submitting translations, the script `update-translations.sh` can be used to update the language template and translation files from source.\nIt will generate the file `locale/mail-hosting.pot` which you can then use as basis to create a new language file in `YOUR_LANG_CODE/LC_MESSAGES/mail-hosting.po` and edit it with a translation program, such as [Poedit](https://poedit.net/).\nOnce you are done, you can open a pull request, or [email me](mailto:daniel@danwin1210.de), to include the translation.\n\nLive demo:\n----------\n\nIf you want to see the script in action, and/or register for a free anonymous E-Mail address, you can visit my [Tor hidden service](http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion/mail/) or [my clearnet proxy](https://danwin1210.de/mail/) if you don't have Tor installed.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdanwin%2Fmail-hosting","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdanwin%2Fmail-hosting","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdanwin%2Fmail-hosting/lists"}