PILOT Technology Solutions

Pilot Book: Mail Stack

Self-hosting business email in 2026. What works. What will quietly destroy your deliverability.

What is inside

  • Setup guides and real-world implementation notes
  • Tradeoffs, costs, and deployment assumptions
  • Enough detail to build, not just admire

What you're building

A production business mail stack: iRedMail as the server core, Proofpoint as the security gateway, CrossBox as webmail. Dedicated IP. Full authentication records. Mail that reaches inboxes.

This is the hardest managed service to get right. More things can go wrong with mail than with almost any other infrastructure component — and most failures are silent until your users notice their mail is going to spam.


What mail actually requires in 2026

Mailbox providers (Google, Microsoft, Apple) have tightened acceptance criteria significantly. Getting into the inbox requires:

  • Clean dedicated IPv4 with correct rDNS
  • SPF record matching your sending IP
  • DKIM signature (2048-bit minimum) on every outbound message
  • DMARC policy (start at p=none, move to p=quarantine, then p=reject)
  • MTA-STS policy published and cached
  • TLS-RPT reporting configured
  • No open relay. No blocklist presence on day one.

Miss any of these and your mail goes to spam — or gets rejected silently.


Server requirements

  • Dedicated server or VPS with static IPv4 — shared IPs are a dealbreaker
  • Reverse DNS (rDNS/PTR) on the IP pointing to your mail hostname — requires control of the IP or a request to your provider
  • Port 25 open outbound — many cloud providers block this. Check before you provision.
  • Ubuntu 22.04 or AlmaLinux 9
  • Minimum 4GB RAM, 2 vCPU, 50GB storage for a small deployment

Critical: check your IP against major blocklists before you start. A new IP from a known dirty range will put you in spam from day one. Use MXToolbox or similar.


iRedMail installation

iRedMail installs the complete stack — Postfix, Dovecot, Rspamd, SOGo or Roundcube — via a single interactive script.

# Set hostname correctly before running
hostnamectl set-hostname mail.yourdomain.com

# Download and run
wget https://github.com/iredmail/iRedMail/archive/1.7.0.tar.gz
tar xzf 1.7.0.tar.gz
cd iRedMail-1.7.0
bash iRedMail.sh

Select MariaDB as the backend. Enable Roundcube. Enable SOGo if you need CalDAV/CardDAV. Take the defaults for everything else on the first pass.

After installation, iRedMail prints a summary of what was installed and where. Keep it.


DNS configuration

This is where most self-hosted mail setups fail. Every record matters.

# MX record
yourdomain.com.    MX  10  mail.yourdomain.com.

# A record for mail server
mail.yourdomain.com.   A   YOUR.SERVER.IP

# SPF - adjust to match your sending IPs
yourdomain.com.    TXT  "v=spf1 mx ~all"

# DKIM - get the key from iRedMail post-install
mail._domainkey.yourdomain.com.  TXT  "v=DKIM1; k=rsa; p=YOUR_KEY"

# DMARC - start permissive, tighten later
_dmarc.yourdomain.com.  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"

# MTA-STS policy
_mta-sts.yourdomain.com.  TXT  "v=STSv1; id=20240101"
# Plus a policy file served over HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

# TLS-RPT
_smtp._tls.yourdomain.com.  TXT  "v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com"

rDNS — log into your server provider's control panel and set the PTR record for your IP to match your mail hostname. This cannot be done in your DNS registrar. It must be done at the IP/hosting level.
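To check the published DKIM and DMARC records against the requirements listed earlier, the Python below decodes the DKIM p= value to measure the RSA modulus and reports which DMARC stage the domain is at. It is an added example, not code from the guide or from iRedMail; all function names are assumptions, and sample_dkim builds a constructed, non-usable key so the check runs offline.

```python
import base64

def tags(txt):
    """Split a 'k=v; k=v' TXT record (DKIM, DMARC) into a dict."""
    pairs = (item.split("=", 1) for item in txt.split(";") if "=" in item)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def _tlv(buf, pos):
    """Read the DER header at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def dkim_rsa_bits(txt):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in a DKIM p= tag."""
    der = base64.b64decode(tags(txt)["p"])
    seq, _ = _tlv(der, 0)            # outer SEQUENCE
    _, alg_end = _tlv(der, seq)      # AlgorithmIdentifier, skipped
    bitstr, _ = _tlv(der, alg_end)   # BIT STRING wrapping RSAPublicKey
    rsa, _ = _tlv(der, bitstr + 1)   # +1 skips the unused-bits byte
    n0, n1 = _tlv(der, rsa)          # INTEGER modulus
    return int.from_bytes(der[n0:n1], "big").bit_length()

def audit(dkim, dmarc):
    """Findings for one domain's DKIM and DMARC TXT records."""
    out, bits, d = [], dkim_rsa_bits(dkim), tags(dmarc)
    if bits < 2048:
        out.append(f"DKIM key is {bits} bits, below the 2048-bit minimum")
    if d.get("p") != "reject":
        out.append(f"DMARC is at p={d.get('p')}, not yet p=reject")
    return out

def _der(tag, body):  # encode one DER element with a definite length
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 128 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_dkim(bits):
    """Constructed record: well-formed SPKI around a dummy modulus, not a usable key."""
    mod = _der(0x02, b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))
    rsa = _der(0x30, mod + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    print(audit(sample_dkim(1024), "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"))
```

Against a live domain, pass the TXT strings returned by your resolver for mail._domainkey and _dmarc instead of the constructed samples.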


Proofpoint integration

Proofpoint sits in front of iRedMail as an MX gateway. Inbound mail hits Proofpoint first, gets filtered, then is delivered to iRedMail. Outbound mail from iRedMail relays through Proofpoint before reaching the internet.

Inbound: Change your MX records to point at Proofpoint's MX hosts. Configure iRedMail to accept mail only from Proofpoint's IP ranges (reject everything else on port 25).

Outbound: In Postfix main.cf:

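relayhost = [outbound.proofpoint.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Postfix's default also sets noplaintext, which blocks PLAIN/LOGIN auth to the relay
smtp_sasl_security_options = noanonymous
# Require TLS so the relay credentials are never sent in the clear
smtp_tls_security_level = encrypt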

This setup means iRedMail never directly receives connections from the internet and never directly sends to external mail servers. Proofpoint handles both — significantly reducing your attack surface and improving deliverability.
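Pointing the MX records at the gateway also affects the MTA-STS policy from the DNS section: a sender that enforces MTA-STS delivers only to MX hosts the policy file lists. The Python below, an added example rather than code from the guide, parses a policy file and checks it against a set of MX hosts using the RFC 8461 wildcard rule; the policy text and the gateway hostnames are constructed placeholders, and the function names are assumptions.

```python
def parse_policy(text):
    """Parse an mta-sts.txt body (RFC 8461 'key: value' lines); mx may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "mx":
            policy["mx"].append(value.strip().lower())
        else:
            policy[key.strip()] = value.strip()
    return policy

def mx_covered(host, patterns):
    """RFC 8461 matching: '*.example.com' stands for exactly one left-most label."""
    host = host.lower().rstrip(".")
    parent = host.partition(".")[2]
    return any(host == p or (p.startswith("*.") and parent == p[2:]) for p in patterns)

def check(policy_text, mx_hosts):
    """Return problems that would stop an MTA-STS-aware sender from delivering."""
    policy, problems = parse_policy(policy_text), []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit():
        problems.append("max_age must be a number of seconds")
    for host in mx_hosts:
        if not mx_covered(host, policy["mx"]):
            problems.append(f"MX {host} is not listed in the policy")
    return problems

# Constructed policy, written while the MX still pointed at the mail server itself.
POLICY = "version: STSv1\nmode: enforce\nmx: mail.yourdomain.com\nmax_age: 86400\n"
# Hypothetical gateway MX hosts standing in for the provider-assigned names.
GATEWAY_MX = ["mx1.gateway.example.", "mx2.gateway.example."]

if __name__ == "__main__":
    print(check(POLICY, ["mail.yourdomain.com."]))  # policy matches the direct MX
    print(check(POLICY, GATEWAY_MX))                # stale after the MX change
```

After editing the policy file, change the id= value in the _mta-sts TXT record so that senders fetch the new version.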


Webmail: Roundcube

iRedMail ships with Roundcube pre-installed. It works out of the box — IMAP-connected, supports CalDAV/CardDAV via plugins, and is fully open source.

Configure Roundcube in /opt/www/roundcubemail/config/config.inc.php. Key settings:

  • Set your IMAP and SMTP hosts to localhost
  • Enable the Password plugin so users can change their own passwords
  • Install the CardDAV plugin if you want contact sync from Roundcube

For a better UX consider Snappymail — a lighter, more modern alternative to Roundcube. Also open source, also IMAP-connected, also ships as an iRedMail-compatible install.

# Snappymail installation alongside iRedMail
wget https://github.com/the-djmaze/snappymail/releases/latest/download/snappymail.tar.gz
# tar -C fails unless the target directory already exists
mkdir -p /var/www/html/snappymail
tar xzf snappymail.tar.gz -C /var/www/html/snappymail
chown -R www-data:www-data /var/www/html/snappymail

Note: In our managed deployments we use CrossBox — a proprietary webmail with a better interface, mobile apps, and white-label capability. For self-hosting, Roundcube or Snappymail are the right open source choices.


What breaks (and when)

Blocklist appearance — even with a clean IP, aggressive spam filtering by one user can trigger a blocklist listing. Monitor daily. MXToolbox has a free blocklist checker. Most listings are removable within 24–48 hours via the blocklist's removal process.

DKIM rotation — iRedMail's DKIM keys don't auto-rotate. Set a calendar reminder to rotate annually. Old keys on blocklists can affect deliverability.

SOGo CalDAV sync issues — SOGo's CalDAV implementation has edge cases with iOS and Outlook. If calendar sync is critical, test thoroughly before declaring production-ready.

Rspamd false positives — Rspamd's default configuration is aggressive. You'll need to whitelist legitimate senders for the first few weeks. The training process takes 2–4 weeks of user feedback to stabilize.

Queue buildup — if Proofpoint's outbound relay is misconfigured or has an incident, mail queues in Postfix. Monitor queue depth. Large queues can cause delivery delays and, in extreme cases, bounces.
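Queue depth can be read from `postqueue -j`, which prints one JSON object per queued message. The Python below is an added example, not part of the original guide: it summarises that output and raises an alert flag when the deferred count or the oldest message age crosses a threshold. The sample lines are constructed, and the thresholds and function name are assumptions to tune for your own volume.

```python
import json
from collections import Counter

# Constructed sample of `postqueue -j` output (one JSON object per queued message).
SAMPLE = """\
{"queue_name": "active", "queue_id": "A1", "arrival_time": 1767225500, "sender": "a@yourdomain.com", "recipients": [{"address": "x@example.net"}]}
{"queue_name": "deferred", "queue_id": "B2", "arrival_time": 1767220000, "sender": "b@yourdomain.com", "recipients": [{"address": "y@example.org", "delay_reason": "connect to outbound.proofpoint.com[192.0.2.10]:587: Connection timed out"}]}
{"queue_name": "deferred", "queue_id": "C3", "arrival_time": 1767221000, "sender": "c@yourdomain.com", "recipients": [{"address": "z@example.org", "delay_reason": "connect to outbound.proofpoint.com[192.0.2.10]:587: Connection timed out"}]}
"""

def queue_report(text, now, max_deferred=50, max_age=3600):
    """Summarise queue depth; the thresholds are illustrative, not Postfix settings."""
    queues, reasons, oldest = Counter(), Counter(), 0
    for line in filter(None, map(str.strip, text.splitlines())):
        msg = json.loads(line)
        queues[msg["queue_name"]] += 1
        oldest = max(oldest, now - msg["arrival_time"])
        for rcpt in msg.get("recipients", []):
            if "delay_reason" in rcpt:      # only set once a delivery attempt failed
                reasons[rcpt["delay_reason"]] += 1
    return {
        "queues": dict(queues),
        "oldest_seconds": oldest,
        "top_reason": reasons.most_common(1)[0][0] if reasons else None,
        "alert": queues["deferred"] > max_deferred or oldest > max_age,
    }

if __name__ == "__main__":
    # On the mail server, pass the live output of `postqueue -j` and time.time() instead.
    print(queue_report(SAMPLE, now=1767225600))
```

A shared delay_reason across most deferred messages, as in the sample, points at the relay rather than at individual recipients.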


Honest cost breakdown

Time investment

  • Initial setup: 8–16 hours (including DNS propagation wait, testing, troubleshooting)
  • First 2 weeks: 2–3 hours/week tuning spam filters, handling edge cases
  • Ongoing: 2–4 hours/month monitoring, updates, occasional incidents

Ongoing costs

  • Server: €20–40/month (2 vCPU, 4GB RAM, 50GB SSD)
  • Proofpoint: €10–30/month depending on tier
  • CrossBox: €14.56/month
  • IP monitoring tools: €0–20/month
  • Total: €45–100/month for the infrastructure

What this gets you: Unlimited mailboxes and domains. No per-seat pricing. Full control over data retention. EU jurisdiction. Dedicated IP reputation you build yourself.

What you're trading: Your time. When mail breaks at 2am before a big client pitch, you're the one fixing it.


Or let PILOT run it

If you've read this and concluded that mail is more complex than you want to own — we manage exactly this stack.

Dedicated IP. iRedMail. Proofpoint. CrossBox. EU infrastructure. We handle the blocklists, the DKIM rotation, the Rspamd tuning, and the 2am queue incidents.

© 2026 PILOT Technology Solutions. All rights reserved.
