Hermes Secure Email Gateway
Self-hosted email security, mail server, calendar, contacts, files, and groupware — one stack.
Hermes Secure Email Gateway is an open-source Docker Compose stack that combines a hardened anti-spam and anti-malware gateway, a full Dovecot 2.4 mail server, end-to-end encryption, and Nextcloud for files, calendars, and contacts. Deploy it as a gateway in front of Microsoft 365, as a complete mail server, or in hybrid mode.

What Hermes does
Secure Email Gateway
Every inbound and outbound message passes through SpamAssassin, ClamAV with Fangfrisch-managed third-party feeds, multi-instance OpenDKIM, OpenDMARC, and OpenARC before it touches an inbox. SPF is checked; DMARC is enforced and aggregated; ARC keeps forwarding chains intact.
Full mail server
Dovecot 2.4 mailbox hosting with IMAPS, POP3S, Submission, and LMTP. Per-domain and per-mailbox quotas, shared mailboxes, signed mobile-device profiles, user-defined Sieve rules, and Nextcloud Mail webmail. No external backend required.
Open source by default
Hermes Community Edition is AGPLv3 — every feature included, and free for commercial use with no per-mailbox or per-seat fees. The same codebase powers production deployments worldwide. Pro adds six commercial-only features on top.
Deploy it the way that fits your stack
Gateway mode
Hermes filters and encrypts mail in front of an existing backend — Microsoft 365, Google Workspace, Exchange, or Postfix. Mailbox storage stays where it is.
Full mail server mode
Hermes is the entire mail stack: gateway, mailbox hosting, webmail, file sync, calendars, and contacts. One install replaces your mail provider end-to-end.
Hybrid mode
Some domains relay through Hermes to an external backend; other domains host their mailboxes inside Hermes. One install, two roles — common during migrations.
Hermes SEG Pro
A commercial layer on top of Community for the operational, administrative, and security features production teams ask for — same gateway, same mail server, same encryption. Licensed per server, monthly or annually.
- Link Guard — safe-links protection for inbound mail.
- Email disclaimers — per-domain outbound disclaimers applied at the milter level.
- Organizational signatures — centrally-managed per-domain signature templates with placeholder substitution.
- Intrusion Prevention UI — web UI for managing Fail2ban jails, thresholds, durations, and whitelists.
- Console firewall UI — full management UI for the host firewall protecting the admin console.
- LDAP RemoteAuth — per-domain pass-through authentication to Active Directory and other LDAP servers.
