Mox – modern, secure, all-in-one email server

Original Article ↗ Hacker News Discussion ↗

Self‑hosting email & deliverability

  • Experiences are sharply mixed. Some report 15–25+ years of largely trouble‑free self‑hosting with proper SPF/DKIM/DMARC, rDNS, and clean IPs (often on smaller or “serious” VPS providers or colo).
  • Others describe self‑hosting as a “nightmare”: constant IP reputation issues, opaque rejections, random spam-foldering, especially with Microsoft (Hotmail/Outlook/O365) and sometimes Gmail.
  • Residential IPs and large cloud IP pools are often on policy blocklists or marked “dynamic,” making direct SMTP tough; workarounds include relaying via ISP SMTP, commercial services (Postmark, SES, etc.), or forwarders like forwardemail.net.
  • Some argue this difficulty is overstated “FUD”; others counter with repeated real‑world blocks and bounced invoices, especially to Microsoft, Yahoo, and some German providers.

Spam, blocklists & big providers’ behavior

  • Many complain that while small senders are heavily scrutinized, large providers themselves (AWS, Google, Microsoft) generate significant spam and ignore abuse reports.
  • Blacklists like UCEProtect are described as over‑broad, pay‑to‑delist, and hostile to self‑hosting. Some IPs are permanently tagged as “residential” and cannot be removed.
  • Technique debates: strict pre‑SMTP blocking (e.g., reverse DNS checks) vs. letting SpamAssassin/rspamd handle scoring; backup MX strategies without becoming a backscatter source.

Why (not) self‑host?

  • Pro‑self‑hosting: full control, privacy, easy rsync backups, real‑time logs, powerful aliasing and catch‑all setups, custom rules (e.g., BEC regex filters), fun/learning, avoiding “adtech” providers.
  • Anti‑self‑hosting: time cost, fragile deliverability to big providers, spam handling, complex legacy stacks (postfix/dovecot/rspamd/clamav/OpenDKIM), and the risk that important mail silently disappears. Many eventually move to Proton, Migadu, mailbox.org, etc.

Mox: architecture & features

  • Written in Go: praised for memory safety (no buffer overflows/use‑after‑free) at the cost of GC pauses, which are considered negligible for small servers.
  • All‑in‑one: SMTP, IMAP, webmail, admin UI, ACME, SPF/DKIM/DMARC, MTA‑STS, DANE, DNSSEC, junk filtering. Very low RAM footprint compared to solutions like Mailcow.
  • Single process currently handles SMTP/IMAP/HTTP; the author acknowledges security benefits of privilege separation and is considering splitting user-facing components.
  • Integrated spam filtering uses sender reputation plus a Bayesian classifier; admins can’t yet plug in external spamassassin/rspamd or AV, though milter‑like hooks are discussed.
  • Supports virtual domains, sub‑addressing, catch‑alls, Docker (with host networking), and plans for JMAP and possibly CalDAV/CardDAV.

Usability, UI & docs

  • Quickstart and DNS guidance are widely praised; several report brand‑new domains on Hetzner/OVH delivering to Gmail “out of the box.”
  • Admin/webmail UI is intentionally minimal. Some users love the “no‑nonsense, fast, Plan‑9‑ish” look; others find it “ugly” or “outdated” and expect a more polished “modern” appearance.
  • Limitations noted: no 2FA yet for webmail or Thunderbird; no backup‑MX mode; documentation for non‑typical setups (catch‑alls, reverse proxies, external spam filters) could be clearer.
  • Overall sentiment: Mox significantly lowers the barrier to a small, modern self‑hosted mail server, but ecosystem‑level deliverability politics remain the hardest problem.