Project Organisation Helsinki

Secure your communications under EU jurisdiction

This page is for IT directors, DPOs, and security leads facing compliance pressure to move sensitive communications away from US-based hyperscalers. If you need to ensure data residency and strict control over your mail flow, you can now transition your email infrastructure to a self-hosted stack we operate.

The first step is a 30-minute scoping call to evaluate your migration.

Eliminate third-party data residency risks

Using US-based cloud providers for email often involves transferring metadata and message content across jurisdictions, complicating your obligations under Regulation (EU) 2016/679 (GDPR). We operate a self-hosted mail stack within the EU, ensuring that your data residency remains under your control.

Our architecture uses Postfix as the mail transfer agent (MTA) and Dovecot for mailbox management, with all virtual domains and user data retrieved from a secure LDAP directory. This setup ensures that your organization, not a third-party provider, maintains the authoritative record of your communication data.

Enforce end-to-end encryption and mutual trust

Standard TLS protects the connection between the client and the server, but it does not secure the internal movement of data between infrastructure components. We implement mutual TLS (mTLS) for all internal traffic to prevent lateral movement and interception.

Our stack uses a short-lived, ephemeral Certificate Authority (CA) with a 14-day validity period. The private key is destroyed immediately after the signing process. This ensures that the connection between Postfix and Dovecot (via LMTP) and the connection between the reverse proxy and Dovecot (via IMAPS) are both cryptographically verified. Furthermore, all mailboxes are stored with data-at-rest encryption, ensuring that even physical access to the storage medium does not expose your messages.
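The ephemeral CA pattern described above, sketched with the `openssl` CLI as an added example (not our production tooling). The hostnames `postfix.internal` and `dovecot.internal` and the CA name `mail-internal-ca` are assumed placeholders.

```shell
#!/bin/sh
# Added example: ephemeral internal CA for Postfix <-> Dovecot mTLS.
# Hostnames and the CA name are constructed placeholders.
# Usage: issue_ephemeral_pki /path/to/empty/dir

DAYS=14   # validity period stated on the page

issue_ephemeral_pki() (
    cd "$1" || exit 1
    umask 077                       # private keys readable by owner only
    # 1. Short-lived self-signed CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
        -subj "/CN=mail-internal-ca" \
        -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    # 2. One leaf per component, usable as both TLS client and server.
    for host in postfix.internal dovecot.internal; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
            -keyout "$host.key" -out "$host.csr" 2>/dev/null || exit 1
        printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
            "$host" > "$host.ext"
        openssl x509 -req -in "$host.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days "$DAYS" -extfile "$host.ext" \
            -out "$host.crt" 2>/dev/null || exit 1
        rm -f "$host.csr" "$host.ext"
    done
    # 3. Destroy the CA private key: nothing further can be issued.
    if command -v shred >/dev/null 2>&1; then shred -u ca.key; else rm -f ca.key; fi
    rm -f ca.srl
)

# Succeeds only if the leaf chains to the ephemeral CA certificate.
verify_leaf() {   # $1 = directory, $2 = host
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Succeeds if the certificate expires within $2 days (rotation check).
expires_within_days() {   # $1 = certificate, $2 = days
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}
```

Running the issuance in a tmpfs directory avoids leaving key remnants behind, since `shred` gives no guarantee on journaling or copy-on-write filesystems.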

Automate inbound threat protection

To maintain the integrity of your internal communications, every inbound message undergoes rigorous automated inspection before it reaches a user’s inbox. We integrate ClamAV for antivirus scanning and rspamd for advanced antispam scoring.

This multi-layered filtering process ensures that:

  • Malicious payloads are rejected at the MTA level.
  • Spam and phishing attempts are scored and mitigated.
  • Outbound mail is protected via DKIM signing.
  • Inbound mail is validated against SPF and DMARC records to prevent domain spoofing.

By implementing these controls, you move from a reactive security posture to a proactive, verifiable infrastructure.

Book a 30-minute scoping call