About Hermes SEG

Hermes Secure Email Gateway is an open-source platform that combines a hardened
anti-spam and anti-malware gateway, a full mail server, encrypted file sync and
webmail via Nextcloud, and identity-and-MFA via Authelia — deployed as a single
Docker Compose stack of eighteen interlocking containers.

What Hermes does

At its core Hermes is a Secure Email Gateway: every message that enters or leaves a Hermes
deployment passes through Postfix, Amavisd-new, SpamAssassin, ClamAV, and a stack of
standards-compliant authentication checks before it touches an inbox. SPF is verified;
DKIM is signed and verified by multi-instance OpenDKIM; DMARC is enforced and aggregated
by OpenDMARC; ARC is signed and verified by OpenARC. Encryption is end-to-end where
possible — SMTP TLS in transit, S/MIME and PGP for individual recipients,
encrypted PDF as a fallback for everyone else, Dovecot mail-crypt at rest.

Around that gateway core, Hermes Docker Edition adds a complete mail-server option:
Dovecot 2.4 mailbox hosting with IMAPS, POP3S, Submission, and LMTP; per-domain and
per-mailbox quotas; shared mailboxes; user-defined Sieve rules; signed mobile-device
configuration profiles; CalDAV and CardDAV; and a Nextcloud bundle for file sync,
webmail, calendars, and contacts. Authelia provides single sign-on for the whole stack,
with TOTP, WebAuthn, and Duo Push for multi-factor authentication.

Three deployment models, one install

Hermes is built to slot into the mail topology you already have. Run it as a pure
gateway in front of Microsoft 365, Google Workspace, or in-house Exchange and Postfix;
run it as a complete mail server with built-in mailboxes; or run it in hybrid mode,
where some domains relay to an external backend and other domains host their mailboxes
inside Hermes. The same Docker Compose file supports all three modes; the topology is
a configuration choice, not a separate product.

Open source at the core

Hermes Community Edition is released under the GNU Affero General Public License v3.
Every email security feature, every authentication standard, every mailbox-hosting
capability and Nextcloud integration is in the public source tree. Run it in production,
audit it, modify it, contribute back — the only requirement is that source
modifications you ship to users (or use to provide a service) are also released under
the AGPLv3.

Hermes Pro is a commercial add-on. It does not change anything in Community: the same
gateway, the same mail server, the same encryption. Pro layers six administrative and
operational features on top of Community for organizations that want them
— Let’s Encrypt automation, organizational signatures, an intrusion prevention UI,
and so on. Full Pro feature list.

Eighteen containers, one stack

[Figure: Hermes Docker Edition architecture grouped by function: mail processing, email authentication, mailbox storage, identity, collaboration, and platform. Caption: Each container does one job. Updates are independent. One Docker Compose file orchestrates the whole stack.]

A Hermes Docker Edition install runs eighteen tightly scoped containers coordinated via
Docker Compose, grouped by function: Mail processing (Postfix,
Amavisd-new, SpamAssassin, ClamAV, body milter, CipherMail);
Email authentication (OpenDKIM, OpenDMARC, OpenARC, Fail2ban);
Mailbox & storage (Dovecot 2.4, MariaDB, unbound DNS);
Identity (Authelia, Authelia Redis, OpenLDAP);
Collaboration (Nextcloud, Nextcloud Redis);
and Platform (nginx, Lucee, Ofelia scheduler).

Built for production

Hermes ships with the operational ergonomics production deployments expect: an
AdminLTE-4 administrator console with real-time dashboards, message statistics, and
searchable system event logs; a self-service end-user portal; a five-tier storage
layout (Config, Data, Archive, Vmail, Nextcloud) that scales independently per tier;
an internal Certificate Authority for S/MIME; and a console firewall and DNS resolver
managed entirely from the web UI. The same console that powers a single-server
install powers a multi-appliance MSP deployment.

Hermes is developed and maintained by Deeztek. Community support happens on
GitHub Discussions, Matrix or Telegram channels; commercial support is available
through Pro Edition support incidents. Get started with the free Community Edition
or see Pro pricing.