Download Hermes SEG Community Edition
Hermes SEG Community Edition is free and open-source software, distributed under the
GNU Affero General Public License v3. It includes every email security feature,
every encryption standard, every mailbox-hosting and Nextcloud integration capability
listed on this site. The same codebase that powers production deployments at
managed-service providers and in-house IT shops is yours to download, run, and modify.
System requirements
Hermes Docker Edition is a Docker Compose stack — if your host can run Docker
Engine 24.0+ and Compose v2, it can run Hermes. Any modern Linux distribution that
meets those Docker version requirements works as a host: Ubuntu, Debian, Rocky Linux,
AlmaLinux, RHEL, and Oracle Linux are all reasonable choices.
Hermes should sit behind a network perimeter firewall, with the inbound and outbound
ports listed below opened explicitly. The outbound list is longer than for most
appliances because the anti-spam stack consults several reputation and signature
services in real time (Cloudmark, DCC, Pyzor, Razor) and pulls signature updates
from Rsync feeds.
| Component | Minimum | Notes |
|---|---|---|
| Host OS | Any Linux distribution capable of running Docker Engine 24.0+ and Compose v2. Tested reference: Ubuntu 24.04 Server. | |
| Docker Engine | 24.0+ | Latest stable recommended. |
| Docker Compose | v2 | |
| vCPUs | 4 | More recommended for high mail volume. |
| RAM | 8 GB | 16 GB+ recommended for production with significant mail or Nextcloud use. |
| Storage | 275 GB | Thin provisioning enabled. Archive retention scales with mail volume — 5-year retention is feasible at low-to-medium traffic on this footprint. |
| Network | Static IP or DHCP reservation. Position behind a perimeter firewall with the rules below. | |
Required inbound ports
| Port | Protocol | Purpose |
|---|---|---|
| 25 | TCP | SMTP |
| 80 | TCP | HTTP (Let’s Encrypt challenge, redirects to HTTPS) |
| 443 | TCP | HTTPS (admin console, end-user portal, Nextcloud, webmail) |
Running Hermes in full-mail-server or hybrid mode? Open the standard mailbox-access
ports too: TCP/465 and TCP/587 (Submission), TCP/993 (IMAPS), TCP/995 (POP3S).
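The inbound list above can double as an exposure check on the host. The sketch below is an added example, not part of the Hermes project: it parses `ss -H -tln` output and reports TCP listeners bound to non-loopback addresses that fall outside the documented ports for the chosen mode. The sample output and all function names are constructed for illustration.

```python
# Inbound TCP ports taken from the tables on this page.
GATEWAY_TCP = {25, 80, 443}
MAILBOX_TCP = {465, 587, 993, 995}  # full-mail-server or hybrid mode only

# Constructed sample of `ss -H -tln` output (not captured from a Hermes host).
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:25 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 [::]:443 [::]:*
LISTEN 0 4096 0.0.0.0:993 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 4096 *:8080 *:*
LISTEN 0 128 192.0.2.10:22 0.0.0.0:*
"""


def exposed_tcp_ports(ss_output):
    """Return the set of TCP ports listening on non-loopback addresses."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; split on the last ':' so IPv6 works.
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")
        if not port.isdigit() or addr.startswith("127.") or addr == "::1":
            continue  # loopback-only listeners are not reachable from outside
        ports.add(int(port))
    return ports


def audit(ss_output, mailbox_mode=False):
    """Compare exposed listeners with the documented inbound allow-list."""
    allowed = GATEWAY_TCP | (MAILBOX_TCP if mailbox_mode else set())
    exposed = exposed_tcp_ports(ss_output)
    return {
        "unexpected": sorted(exposed - allowed),  # review or firewall these
        "missing": sorted(allowed - exposed),     # documented but not listening
    }


if __name__ == "__main__":
    print("gateway:", audit(SAMPLE_SS))
    print("mailbox:", audit(SAMPLE_SS, mailbox_mode=True))
```

On a real host, pass the text of `ss -H -tln` to `audit()`; anything under `unexpected` is a listener this page's port list does not cover and should be reviewed against the perimeter firewall rules.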
Required outbound ports
| Port | Protocol | Purpose |
|---|---|---|
| 53 | TCP & UDP | DNS |
| 80 | TCP | HTTP (image pulls, Let’s Encrypt, signature feeds) |
| 443 | TCP | HTTPS (image pulls, signature feeds, vendor APIs) |
| 25 | TCP | SMTP (outbound mail delivery) |
| 123 | TCP & UDP | NTP |
| 873 | TCP & UDP | Rsync (anti-spam and anti-virus signature feeds) |
| 2703 | TCP | Cloudmark and Razor anti-spam reputation queries |
| 6277 | UDP | DCC (Distributed Checksum Clearinghouses) anti-spam |
| 24441 | TCP | Pyzor anti-spam collaborative filtering |
See the administrator guide requirements page for additional configuration
recommendations, including Microsoft 365 Junk/Phishing report interception rules.
Three ways to deploy
Hermes is designed to fit your existing mail infrastructure, not the other way around.
Choose the topology that matches your situation; you can change later without re-installing.
Gateway
Hermes sits in front of your existing mail solution — in-house Exchange,
Postfix, Google Workspace, or Microsoft 365 — and scans, filters, encrypts,
and relays mail to your backend. Mailbox storage stays where it is. This is the
classic SEG deployment and the lowest-risk first step.
Full mail server
Hermes is your entire mail stack: mailbox hosting via Dovecot 2.4, webmail and file
sync via Nextcloud, calendars and contacts via CalDAV/CardDAV, single sign-on via
Authelia. No external mail backend required. Suited to teams that want to consolidate
email and basic collaboration into a single appliance.
Hybrid
Mix and match. Some domains route through Hermes as a gateway to your existing
backend; other domains host their mailboxes inside Hermes. One install, two roles.
Common during migrations away from legacy mail platforms.
Get the code
The complete source, installer scripts, and step-by-step documentation live on GitHub.
Install in under an hour on a clean Ubuntu 24.04 host with the documented bring-up
procedure; the same procedure powers production deployments today.
Need the Pro features?
Community Edition covers the entire security and infrastructure surface. Pro adds six
operational and administrative capabilities — Let’s Encrypt automation, organizational
signatures, intrusion prevention, and more — that production teams consistently ask for.
Pro is licensed per server, monthly or annually.
