Hermes SEG Pro

Pro is a commercial add-on that layers six operational and administrative features
on top of the free Community Edition. Same gateway, same mail server, same encryption.
Pro adds the capabilities production deployments and managed-service providers
consistently ask for. Licensed per server, monthly or annually.

Let’s Encrypt (ACME) automation

Manually managing TLS certificates is a perennial source of outages. Pro Edition
automates issuance and renewal of free Let’s Encrypt certificates for both the
Hermes administrator console and per-domain mail TLS. Certificates are renewed
on a schedule well before expiry, deployed to the relevant services, and the
affected daemons are reloaded without operator action.

Request ACME Certificate dialog with Certificate Name, Domain Name, Notification Email, and ACME Server (Staging / Production) fields.
Request and manage ACME certificates from the admin console — Staging for testing, Production for the live cert.

For organizations that prefer commercial certificates or run an internal PKI, the
existing Community Edition third-party SSL certificate support is unchanged.
Pro’s ACME automation is opt-in per domain.

Email disclaimers

Per-domain outbound disclaimer templates — the standard
“this communication is confidential” footers that compliance, legal, or marketing
teams want appended to every outgoing message. Disclaimers are applied at the
milter level on the Postfix pipeline, which means they’re applied to every outbound
message regardless of which mail client or system generated it. No client-side
configuration, no missed messages.

New Disclaimer page with Scope (Domain, Position), Enabled toggle, and a template gallery: Confidentiality, Legal/Privileged Communication, Privacy/GDPR Notice, HIPAA/PHI Notice, and Simple Courtesy.
Five built-in disclaimer templates (Confidentiality, Legal, GDPR, HIPAA, Courtesy) or write your own — all rendered as table-based HTML for cross-client compatibility.

Templates support placeholder substitution — sender name, sender email,
date, organization name — so a single template covers the whole domain.
Different domains can have different disclaimers; you don’t need separate Hermes
installs to serve multiple brands.

Organizational signatures

Centrally-managed, per-domain employee signature templates with placeholder
substitution. Community Edition includes personal email signatures — users
manage their own signature from a template gallery. Pro adds the organizational
tier: an administrator defines a domain-wide template (with fields like name,
title, phone, organization), and the system substitutes per-user values from
the directory at send time.

Add Organizational Signature page showing Scope (Domain, Department) and a Template gallery: Modern Card, Two-Column Pro, With Social Bar, Banner with Logo, Promo Footer, Compact Text.
Six built-in signature templates ranging from full-featured (Modern Card, Banner with Logo) to minimal (Compact Text) — all with placeholder substitution from the directory.

Combined with email disclaimers and DKIM signing at the milter level, this lets
organizations enforce branding, contact-info accuracy, and legal text on every
outbound message without depending on mail clients to behave.

Intrusion Prevention (IPS)

A web UI for managing the Fail2ban jails that protect a Hermes deployment. Set
ban thresholds, ban durations, and whitelist trusted source networks from the
admin console rather than editing config files on the host. View live and
historical ban lists. Tune jail aggressiveness without an SSH session.

Intrusion Prevention Status panel showing 2 Active Jails, Currently Banned IPs, Jails Configuration table (SSO Portal, Mail Server) with Max Retry / Find Time / Ban Time, and an IP Whitelist.
Live jail status, per-jail tuning (max retry / find time / ban time), and an IP allowlist for trusted networks — all without an SSH session.

The default Fail2ban configuration that ships with Community Edition continues
to provide baseline protection — SSH, SMTP, IMAP, and admin-console
brute-force protection are active out of the box. Pro adds the operational layer
for organizations that need to tune jails on a schedule or in response to incidents.
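A simplified model of how the three per-jail settings (max retry, find time, ban time) and the IP allowlist interact, as an added example; it is not Hermes or Fail2ban code. The function name, addresses and timestamps are constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

def simulate_jail(events, max_retry, find_time, ban_time, allowlist=()):
    """Model one jail. events: (unix_seconds, source_ip) auth failures.
    Returns a list of (ban_start, ban_end, ip) in the order bans occur."""
    trusted = [ipaddress.ip_network(n) for n in allowlist]
    recent = defaultdict(deque)   # ip -> failure times still inside find_time
    banned_until = {}             # ip -> time the current ban expires
    bans = []
    for ts, ip in sorted(events):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in trusted):
            continue              # allowlisted networks are never counted
        if banned_until.get(ip, 0) > ts:
            continue              # already blocked; traffic would not arrive
        window = recent[ip]
        window.append(ts)
        while window and window[0] <= ts - find_time:
            window.popleft()      # failures older than find_time are forgotten
        if len(window) >= max_retry:
            banned_until[ip] = ts + ban_time
            bans.append((ts, ts + ban_time, ip))
            window.clear()
    return bans

# Constructed sample data (documentation and private address ranges).
EVENTS = (
    [(t, "203.0.113.7") for t in (0, 20, 40, 60, 80)]            # fast guessing
    + [(t, "198.51.100.9") for t in (0, 400, 800, 1200, 1600)]   # slow guessing
    + [(t, "10.8.0.15") for t in (5, 6, 7, 8, 9, 10)]            # VPN user typos
)
VPN = ["10.8.0.0/24"]

def baseline():
    # 5 failures in 10 minutes, 1 hour ban: the slow source is never banned.
    return simulate_jail(EVENTS, 5, 600, 3600, VPN)

def tightened():
    # 3 failures in 1 hour, 24 hour ban: the slow source is banned as well.
    return simulate_jail(EVENTS, 3, 3600, 86400, VPN)

def no_allowlist():
    # Same thresholds as baseline, but the VPN user now locks themselves out.
    return simulate_jail(EVENTS, 5, 600, 3600)

if __name__ == "__main__":
    for name, fn in (("baseline", baseline), ("tightened", tightened),
                     ("no allowlist", no_allowlist)):
        print(name, fn())
```

A longer find time is what catches the low-and-slow source; a lower max retry alone would not, because its failures are spaced 400 seconds apart.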

Console firewall

A web UI for managing the host firewall protecting the Hermes admin console.
Restrict console access by source IP or network, manage exceptions, and audit the
current rule set from the admin console itself. Common operational requirements
— allowing access only from corporate VPN ranges, or temporarily opening
a maintenance window from a vendor IP — become a UI workflow instead of a
shell session.

Admin Console Firewall page showing Firewall Status, Allowed IP Addresses with per-IP toggles for Hermes Admin and Ciphermail Admin, plus notes for each entry.
Per-IP allowlist with separate toggles for Hermes Admin and Ciphermail Admin access — tighten or loosen the perimeter from the UI.

LDAP RemoteAuth

Per-domain pass-through authentication to one or more external LDAP servers,
including Active Directory. Users authenticate against your existing corporate
directory; Hermes never stores or sees their primary password, but they still
get access to mailbox hosting, webmail, Nextcloud, and the end-user portal.

RemoteAuth Status: Enabled, Global TLS Settings (STARTTLS, certificate verification, retry count), and a Domain Mappings table with per-domain server, port 389, remote DN pattern, and synced status.
Domain-by-domain mapping to external LDAP / Active Directory backends — each row a different customer or tenant.

Different domains on the same Hermes install can authenticate against different
directories. A multi-tenant MSP deployment can serve a dozen customers, each with
their own Active Directory, from one Hermes install — without provisioning
and syncing user accounts into Hermes’s local OpenLDAP.

Same product, with operational ergonomics

Pro is not a different product. It’s the same Community Edition with six additional
features that production teams have asked for. There is no feature gap in
security, encryption, mail-server, or Nextcloud integration — everything described
on the features page works the same in both editions. Pro
customers receive a serial number that unlocks the six Pro features in their existing
Hermes install; activation is online and bound to the appliance’s hardware UUID.

Support

Two Pro license tiers exist: license-only, and license-plus-support. The
license-plus-support tier includes two support incidents per year — one incident
covers one defined issue worked to resolution. Additional incidents can be purchased
individually at any time. For complex deployments or MSPs needing higher-touch support,
contact us for annual support contracts. See the pricing page
for details.
