All systems operational 21 cryptocurrencies accepted · Monero welcome No-KYC policy
ChainVPS

Email · no KYC

Host Mailcow on an Offshore VPS

Mailcow bundles a complete, production-grade mail stack into one Docker Compose project, so you can run your own SMTP/IMAP server on an offshore VPS without ever handing your identity to a mailbox provider.

What it is

Mailcow (mailcow-dockerized) is a self-hosted email suite that combines Postfix, Dovecot, Rspamd, SOGo webmail, ClamAV and an admin UI into a single Docker Compose deployment. It gives you unlimited domains, mailboxes and aliases with per-domain DKIM, spam filtering, actual push IMAP and a browser-based admin panel — everything a hosted inbox does, on hardware you control.

Why host it offshore

Your inbox is the master key to every other account you own, so where it lives matters: on a no-KYC, offshore VPS the mail server is tied to a jurisdiction you chose and paid for in crypto, not to a provider that can read, scan, freeze or subpoena your mail. ChainVPS keeps port 25 open, offers unmetered bandwidth for bulk sends, and lets you set a matching PTR record — the three things budget hosts usually block that otherwise kill self-hosted email.

The deploy

A working reference setup

Copy this onto a fresh ChainVPS instance. Replace the placeholders, then bring it up.

Setup on Ubuntu 24.04
# Ubuntu 24.04 — full working Mailcow deploy
# Prereq: DNS A/AAAA for mail.example.com -> your VPS IP, and a
# matching PTR (rDNS) record set from the ChainVPS panel.

# 1. Install Docker Engine + Compose plugin
curl -fsSL https://get.docker.com | sh

# 2. mailcow requires umask 0022
umask 0022

# 3. Clone the project
cd /opt
git clone https://github.com/mailcow/mailcow-dockerized
cd mailcow-dockerized

# 4. Generate mailcow.conf (prompts for the mail FQDN + timezone).
#    Use a subdomain like mail.example.com — NEVER the bare domain.
./generate_config.sh

# 5. (optional) trim heavy containers on a small VPS
sed -i 's/^SKIP_CLAMD=.*/SKIP_CLAMD=y/' mailcow.conf   # saves ~1-2 GB RAM
sed -i 's/^SKIP_SOLR=.*/SKIP_SOLR=y/'   mailcow.conf   # disables full-text search

# 6. Pull images and bring the stack up
docker compose pull
docker compose up -d

# 7. Admin UI: https://mail.example.com  (default login: admin / moohoo)
#    Log in, CHANGE the password, add your domain, then copy the
#    generated DKIM record into DNS alongside SPF and DMARC.

Firewall

Ports to open

PortProtocolPurpose
25TCPSMTP — inbound mail from other servers and outbound relay (must be unblocked in and out)
587TCPSubmission (STARTTLS) — authenticated client sending
465TCPSMTPS — authenticated client sending over implicit TLS
143TCPIMAP with STARTTLS
993TCPIMAPS — mail client access over implicit TLS
110TCPPOP3 with STARTTLS
995TCPPOP3S
4190TCPManageSieve — server-side mail filters
80TCPHTTP — Let's Encrypt ACME challenge and HTTPS redirect
443TCPHTTPS — SOGo webmail and the admin UI

Right-sizing

Which plan you need

Light (personal / 1-2 domains, a handful of mailboxes)

VPS Small — 2 vCPU / 6 GB RAM / 60 GB

6 GB is the comfortable floor for the full stack; keep ClamAV on for real spam/virus filtering.

Medium (small team, 10-30 mailboxes, moderate volume)

VPS Pro — 4 vCPU / 8-12 GB RAM / 160 GB SSD

Headroom for Rspamd, Solr full-text search and busy IMAP; scale disk with mailbox retention.

Heavy (many domains, 100+ mailboxes, large archives, newsletters)

Dedicated / Storage VPS — 8+ vCPU, 16-32 GB RAM, large disk

Move mail volumes to a Storage plan for cheap TB-scale retention; dedicated CPU keeps ClamAV + Solr from starving delivery.

Best locations: Pick a privacy-tier location (NL, CH, RO, IS, MD, LU) so your mailbox jurisdiction is deliberate — Switzerland and Iceland have the strongest data-privacy and disclosure standards for stored mail. Whichever you choose, confirm port 25 is open both ways and set a PTR (rDNS) record that matches your MAILCOW_HOSTNAME; unmetered bandwidth on these nodes is what makes bulk and newsletter sending viable, and included DDoS protection keeps SMTP reachable under flood.

Lock it down

Hardening checklist

  • Deliverability is DNS: publish SPF (v=spf1 mx ~all), copy Mailcow's generated DKIM key into DNS, add a DMARC record, and set a PTR/rDNS that exactly matches MAILCOW_HOSTNAME — without matching forward+reverse DNS most servers reject you.
  • Change the admin/moohoo default immediately and enable TOTP two-factor on the admin and mailbox logins from the Mailcow UI.
  • Mailcow ships its own netfilter/fail2ban container that manages iptables directly — do NOT layer ufw on top; if you run a host firewall, only whitelist the mail ports and leave the DOCKER-USER chain to Mailcow.
  • Keep it patched: run ./update.sh from the mailcow-dockerized directory on a schedule, and back up regularly with helper-scripts/backup_and_restore.sh (store the backup off the VPS).
  • New offshore IPs carry no sending reputation — warm up gradually, check the IP against Spamhaus/Barracuda blocklists before going live, and request delisting if the range was previously flagged.
  • On low-RAM nodes set SKIP_CLAMD=y and SKIP_SOLR=y to fit in ~3-4 GB, but re-enable ClamAV once you can afford the RAM — it materially cuts inbound malware.

Questions

Hosting Mailcow — FAQ

Does ChainVPS block port 25 like most hosts?

No. Port 25 is open inbound and outbound so Mailcow can both receive mail and relay it directly — this is the single biggest reason budget/cloud hosts fail at self-hosted email.

Can I set reverse DNS (PTR) for good deliverability?

Yes. Set a PTR record from the panel that matches your MAILCOW_HOSTNAME (e.g. mail.example.com). Matching forward and reverse DNS is required or big providers will defer/reject your mail.

How much RAM does Mailcow really need?

Plan for 6 GB for the full stack. You can run in roughly 3-4 GB by setting SKIP_CLAMD=y and SKIP_SOLR=y in mailcow.conf, at the cost of built-in virus scanning and full-text search.

Which location is best for a private mailbox?

A privacy-tier node — Switzerland or Iceland for the strongest disclosure protections, or NL/RO/MD/LU if you want EU or offshore latency trade-offs. All keep port 25 open and support PTR.

Is my mail really private on a no-KYC VPS?

The server is yours: mail is stored on disk you control, in a jurisdiction you chose, paid for in crypto with no identity attached. Use full-disk encryption and off-site backups, and only you (not a mailbox provider) can read the store.

How do I keep it updated and backed up?

Run ./update.sh periodically from the mailcow-dockerized folder to pull new images, and use helper-scripts/backup_and_restore.sh to snapshot mail, config and DB — push those backups to a separate ChainVPS Storage plan.

Spin up Mailcow
in the next 60 seconds.

Unmetered bandwidth · DDoS included · 21 cryptocurrencies · no KYC.