Mailcow on a Garrison at $11.90/mo, port 25 open from minute one — no ticket, no signed AUP. One of the few no-KYC hosts where you can actually send mail rather than just receive it.
Garrison at $11.90/mo carries Mailcow comfortably for a personal or family mailbox; Ravelin at $23.90/mo for a small-team production stack with rspamd, ClamAV and Sogo.
Port 25 open by default on every tier — most no-KYC hosts block it. PTR/rDNS set via a panel ticket; the rest is SPF + DKIM + DMARC + MTA-STS.
Nordic sender-IP ranges, well-respected by Gmail/Outlook365 — no shared history with "cheap US VPS" ranges. KYC-free signup so the inbox is not a paper trail to your name.
Email is the oldest universal identifier on the internet. The address you used to register your bank, your tax authority, your domain registrar, your password manager — that address is the recovery surface for everything else. Handing that surface to a third-party mailbox provider means handing them the keys to the recovery surface for everything else.
Self-hosting email used to be the default; it became the exception when spam-arms-race dynamics made deliverability genuinely hard, and large free providers turned mailbox-hosting into a loss-leader for adjacent products. The result is concentration: a handful of providers handle the majority of personal mail flowing on the public internet. That concentration is a single point of policy failure for everyone downstream.
The operational story is more tractable than reputation suggests. Mailcow gives you a docker-compose stack that includes everything (Postfix, Dovecot, rspamd, ClamAV, Sogo webmail, Z-Push); the deliverability hard parts (SPF, DKIM, DMARC, MTA-STS, PTR) are well-documented; the IP-reputation warm-up is a known process measured in weeks rather than months. The hard part is patience during weeks 1–4, not the software.
The right question is not "self-host or hosted" in the abstract — it is "do I want my recovery-surface identifier anchored to a domain and a box I control". If the answer is yes, the rest of this page is the recipe.
For a personal or family-size mailbox (one to ten accounts, modest sending volume, a few hundred messages a day inbound), the Garrison ($11.90/mo, 4 vCPU, 8 GB, 240 GB NVMe) is the sweet spot. Mailcow's container set — Postfix, Dovecot, rspamd, ClamAV, Sogo, Redis, MariaDB — fits comfortably; the disk holds years of mail archives even with attachments; the cores let rspamd run its machine-learning classifier without lag.
For a small-team production setup (20–100 accounts, real outbound volume, Sogo as the primary webmail, server-side calendar sync), the Ravelin ($23.90/mo, 8 vCPU, 16 GB, 480 GB NVMe) earns its keep — more rspamd worker headroom for the inbound spam load, more Dovecot connections for the IMAP IDLE crowd, and the storage to retain mail beyond the "do I need this" window.
Sentinel ($5.90/mo, 2 vCPU, 4 GB) can run a leaner stack — Mail-in-a-Box or a hand-rolled Postfix + Dovecot — for a single mailbox setup, but Mailcow on a Sentinel feels cramped under any meaningful inbound spam load. The honest recommendation is start on a Garrison and stay there.
What none of these are: a multi-tenant managed-mail offering for paying customers. NordBastion hosts the box; the deliverability story, the abuse-handling story, and the AUP for your users are your domain.
A skeleton sketch — Mailcow's upstream docs cover every container; the operational discipline below is what separates "delivers to Gmail" from "permanently lives in spam".
Before installing anything: ticket the desired PTR (e.g. mail.example.org) for the VPS's IP. Without correct PTR, deliverability is dead on arrival.
# from the NordBastion panel:# Tickets > New > "Set PTR"
# IP <your IPv4> -> mail.example.orgMailcow ships the canonical docker-compose.yml. Run generate_config.sh, give it the FQDN, accept the defaults.
curl -fsSL get.docker.com | sh
git clone https://github.com/mailcow/mailcow-dockerized
cd mailcow-dockerized
./generate_config.shAll four DNS records, all green, from day one. Mailcow generates the DKIM keypair; you publish the matching DNS record at your registrar.
; at your DNS registrar@ IN TXT "v=spf1 mx -all"
_dmarc IN TXT "v=DMARC1; p=quarantine; ..."
dkim._domainkey IN TXT "v=DKIM1; k=rsa; p=..."Postfix, Dovecot, rspamd, ClamAV, Sogo, Redis, MariaDB — the full stack in one compose. Watch the logs for the first inbound connection from a remote sender.
docker compose pull
docker compose up -d
docker compose logs -f postfix-mailcowmail-tester.com gives a deliverability score out of 10. Aim for 10/10 before sending real mail. Anything below 8 means SPF/DKIM/PTR is misconfigured.
# send a test from sogo webmail to:# the address mail-tester.com gives you
# then check the scoreStart with low volume (a few messages a day to engaged recipients). Ramp over 2–4 weeks. Avoid mass-mailing newsletters from a fresh IP — that is the surest way to land on a blocklist.
# week 1: ~10 msg/day to friends# week 2: ~50 msg/day, watch rspamd-history# week 4: normal personal use volumeOutbound port 25 is open by default on every NordBastion tier — no ticket, no signed AUP, no KYC verification of a business identity, no "wait 7 days for review". This is the single technical decision that separates "can self-host mail" from "can only self-host receive-only mail". Most no-KYC hosts have closed port 25 to avoid spam complaints; we open it because mail self-hosting is exactly the use case our platform is for.
Your email address is the recovery surface for everything else you use online. Hosting it on a box paid by your credit card means a card-issuer subpoena reveals the relationship between "the person who pays the AWS bill" and "the recovery email for these accounts". KYC-free signup + crypto billing breaks that link: the hosting account is "the prepaid balance behind this email", and the email is your concern alone.
Sender-IP reputation is partly individual, partly inherited from the ASN and the IP block's history. Nordic ranges from established hosters carry a cleaner historical reputation than the "$2/mo US VPS" address space that mass-mailers churn through. Gmail and Outlook365 weigh ASN reputation in their inbound scoring, and Nordic peering — Stockholm, Helsinki, Oslo, Reykjavík — sits in a class with measurable deliverability advantage during the warm-up window.
Self-hosting email is the most sovereignty per dollar a personal user can buy in 2026. For roughly the price of a paid mailbox service you get the full Postfix/Dovecot/rspamd stack on a box where the address is anchored to a domain you control and the storage is yours to back up however you choose.
NordBastion is opinionated about the parts that matter for this specific job — port 25 open by default, PTR set on a ticket without friction, KYC-free signup so the inbox is not a paper trail to your name, Nordic IP ranges with cleaner inherited reputation — and deliberately ordinary about the rest. The VPS is a VPS. Docker is Docker. Mailcow is Mailcow.
The hard part is patience during the warm-up window. The software is solved. The DNS is solved. The infrastructure is open by default here. What is left is the discipline of low-volume, well-authenticated sending while Gmail learns to trust you. Two to four weeks. Then it is just email.
The eight questions mail-server self-hosters actually wrestle with before docker compose up. Port 25 policy is question one for a reason.
Outbound port 25 is the historical attack vector for botnets relaying spam. Hyperscalers (AWS, GCP, Azure) and most VPS hosts close it by default and either refuse to open it at all or require a signed AUP and KYC-verified business account first. The combination of "we will sell you a VPS but you cannot send mail from it" is now the unwritten industry norm, which is why "what is your port 25 policy" is the first question every prospective mail-server self-hoster asks. NordBastion opens port 25 by default on every tier — no ticket required.
A freshly-allocated VPS IP has no sender reputation with the big inbox providers (Gmail, Outlook365, Yahoo). The first few thousand messages it sends are treated as guilty-until-proven-innocent — provisionally accepted with a low-trust score, deliverability fluctuating between inbox and spam. Reputation builds over 2–4 weeks of consistent, low-volume, well-authenticated sending. The accelerators are: SPF + DKIM + DMARC + MTA-STS all green on every message; PTR/rDNS matching the HELO; consistent FROM domain; engagement signals (people actually opening your mail, not just receiving it).
Yes — open a ticket from your panel with the desired PTR and we set it on the upstream IP block. The convention is the IP's PTR matches the mail server's HELO/EHLO hostname (mail.example.org). Without a correct PTR, Gmail and Outlook365 both heavily penalise the sender — so this is one of the first things to settle, ideally before the first outbound message. Turnaround for the ticket is usually a few hours.
Mailcow is the modern docker-compose-native option — actively developed, web-UI-rich, ships with rspamd, ClamAV, Sogo webmail and Z-Push out of the box. Mail-in-a-Box is the "everything on one machine, opinionated, minimal config" option — ideal for a personal mailbox + a few aliases. iRedMail is the classical LAMP-stack-style option — granular configuration, broader compatibility with non-Docker shops. For most new self-hosters in 2026 the answer is Mailcow on a Garrison; everything below assumes that path.
Yes — but only with full authentication hygiene (SPF + DKIM + DMARC + MTA-STS), correct PTR, a clean sending pattern, and patience during warm-up. Gmail in particular weighs engagement heavily — people not deleting your mail, replying to it, marking it as not-spam — and a brand-new sender on a brand-new domain takes weeks to climb out of "promotional" purgatory. Self-hosted operators report stable deliverability to both inboxes within 4–8 weeks of consistent operation; the path requires discipline, not magic.
Less than you would think. Modern senders (Gmail, Outlook365, etc.) retry on connection failure for up to several days, so a primary MX down for an hour during a reboot is invisible to anyone. Backup MX servers exist mostly to handle the rare case of multi-day outages, and they are themselves spam-magnets (spambots specifically target backup MXes that are weaker than the primary). If uptime matters, the right play is monitoring + a fast restore plan, not a backup MX you maintain badly.
Mailcow ships Sogo for webmail and CalDAV/CardDAV, dovecot-sieve for server-side filtering (the canonical way to sort mail at delivery time, works with any IMAP client), and supports Z-Push for Exchange ActiveSync — which is what gives iOS Mail native push notifications without standing up a separate push-IMAP backend. For Android, the FairEmail and K-9 Mail clients work natively with IMAP IDLE for near-real-time push. The stack covers the modern mobile-mail expectations.
Mailcow ships rspamd by default and it is the right modern default — written in C, Lua-scriptable, machine-learning-augmented, faster and more memory-efficient than SpamAssassin for the same false-positive rate. SpamAssassin remains the lingua franca of legacy mail stacks and is what iRedMail defaults to; it works, but you will spend more time tuning rules. Run rspamd unless an integration constraint forces SpamAssassin.
Federated microblogging — the natural neighbour for a mail server that also handles signup confirmations and password-reset deliverability.
End-to-end encrypted Synapse — the sibling sovereignty move for operators who run their own messaging surface alongside their inbox.
Kernel-fast VPN exit on a Sentinel — for accessing your mail server's admin UI over your own tunnel rather than the public internet.