
Self-hosted email security, mail server, calendar, contacts, files, groupware — one stack.

Hermes Secure Email Gateway is an open-source Docker Compose stack that combines
a hardened anti-spam and anti-malware gateway, a full Dovecot 2.4 mail server,
end-to-end encryption, and Nextcloud for files, calendars, and contacts. Deploy
it as a gateway in front of Microsoft 365, as a complete mail server, or in
hybrid mode.


Hermes SEG admin dashboard: System Info (version, build, edition, uptime, license status, OS update status), Messages Processed donut chart (Clean / Spam / Virus / Banned / Bad Header / Other), and System Resources gauges (CPU, Memory, Root, Data, Vmail, Nextcloud filesystem utilization).

What Hermes does

Secure Email Gateway

Every inbound and outbound message passes through SpamAssassin, ClamAV with
Fangfrisch-managed third-party feeds, multi-instance OpenDKIM, OpenDMARC, and
OpenARC before it touches an inbox. SPF is checked; DMARC is enforced and
aggregated; ARC keeps forwarding chains intact.

Full mail server

Dovecot 2.4 mailbox hosting with IMAPS, POP3S, Submission, and LMTP. Per-domain
and per-mailbox quotas, shared mailboxes, signed mobile-device profiles,
user-defined Sieve rules, and Nextcloud Mail webmail. No external backend required.

Open source by default

Hermes Community Edition is AGPLv3, every feature included. The same codebase
powers production deployments at managed-service providers and in-house IT
shops worldwide. Pro adds six commercial-only administration features on top.

Deploy it the way that fits your stack

Three Hermes deployment topologies: gateway, full mail server, and hybrid.

Gateway mode

Hermes filters and encrypts mail in front of an existing backend —
Microsoft 365, Google Workspace, Exchange, or Postfix. Mailbox storage stays
where it is.

Full mail server mode

Hermes is the entire mail stack: gateway, mailbox hosting, webmail, file sync,
calendars, and contacts. One install replaces your mail provider end-to-end.

Hybrid mode

Some domains relay through Hermes to an external backend; other domains host
their mailboxes inside Hermes. One install, two roles, common during migrations.

Hermes SEG Pro adds six features

Pro is a commercial layer on top of Community that adds the operational and administrative
features production teams ask for. Same gateway, same mail server, same encryption.
Pricing is per server, monthly or annually.

Let’s Encrypt automation

Automatic ACME issuance and renewal for console and per-domain TLS.

Email disclaimers

Per-domain outbound disclaimers applied at the milter level.

Organizational signatures

Centrally managed per-domain signature templates with placeholder substitution.

Intrusion Prevention UI

Web UI for managing Fail2ban jails, thresholds, durations, and whitelists.

Console firewall UI

Full management UI for the host firewall protecting the admin console.

LDAP RemoteAuth

Per-domain pass-through authentication to Active Directory and other LDAP servers.


