Hermes SEG

Hermes Secure Email Gateway

Self-hosted email security, mail server, calendar, contacts, files, and groupware — one stack.

Hermes Secure Email Gateway is an open-source Docker Compose stack that combines a hardened anti-spam and anti-malware gateway, a full Dovecot 2.4 mail server, end-to-end encryption, and Nextcloud for files, calendars, and contacts. Deploy it as a gateway in front of Microsoft 365, as a complete mail server, or in hybrid mode.


Visit hermesseg.io
Download free

Hermes SEG admin dashboard

What Hermes does

Secure Email Gateway

Every inbound and outbound message passes through SpamAssassin, ClamAV with Fangfrisch-managed third-party feeds, multi-instance OpenDKIM, OpenDMARC, and OpenARC before it touches an inbox. SPF is checked; DMARC is enforced and aggregated; ARC keeps forwarding chains intact.

Full mail server

Dovecot 2.4 mailbox hosting with IMAPS, POP3S, Submission, and LMTP. Per-domain and per-mailbox quotas, shared mailboxes, signed mobile-device profiles, user-defined Sieve rules, and Nextcloud Mail webmail. No external backend required.

Open source by default

Hermes Community Edition is AGPLv3 — every feature included, and free for commercial use with no per-mailbox or per-seat fees. The same codebase powers production deployments worldwide. Pro adds six commercial-only features on top.

Deploy it the way that fits your stack

Hermes deployment topologies: gateway, full mail server, and hybrid modes

Gateway mode

Hermes filters and encrypts mail in front of an existing backend — Microsoft 365, Google Workspace, Exchange, or Postfix. Mailbox storage stays where it is.

Full mail server mode

Hermes is the entire mail stack: gateway, mailbox hosting, webmail, file sync, calendars, and contacts. One install replaces your mail provider end-to-end.

Hybrid mode

Some domains relay through Hermes to an external backend; other domains host their mailboxes inside Hermes. One install, two roles — common during migrations.

Hermes SEG Pro

A commercial layer on top of Community for the operational, administrative, and security features production teams ask for — same gateway, same mail server, same encryption. Licensed per server, monthly or annually.

  • Link Guard — safe-links protection for inbound mail.
  • Email disclaimers — per-domain outbound disclaimers applied at the milter level.
  • Organizational signatures — centrally-managed per-domain signature templates with placeholder substitution.
  • Intrusion Prevention UI — web UI for managing Fail2ban jails, thresholds, durations, and whitelists.
  • Console firewall UI — full management UI for the host firewall protecting the admin console.
  • LDAP RemoteAuth — per-domain pass-through authentication to Active Directory and other LDAP servers.

See Pro pricing, documentation, and downloads at hermesseg.io

Go to hermesseg.io →