Anyone wanting to break free of Microsoft Exchange or M365 while keeping data sovereignty over email traffic quickly arrives at one question: “How do you run your own mail server today without sinking into Postfix/Dovecot/SpamAssassin/ClamAV/SOGo/MariaDB/Redis configuration hell?” For many DATAZONE customers the answer is Mailcow:dockerized. It bundles the mature open-source components into a Compose stack that’s ready in 30 minutes — and the result has been proven for years in production SMB environments. This article shows when Mailcow is the right choice, what’s inside, what it’s not — and what to watch for during commissioning.
What is Mailcow?
Mailcow is a German open-source project led by Servercow/Servercon. It bundles a complete mail server stack as a Docker Compose setup. License: GPLv3, commercial support optional via Servercow.
In the stack:
| Component | Role |
|---|---|
| Postfix | SMTP server (inbound + outbound) |
| Dovecot | IMAP/POP3 server, mail storage, Sieve filter rules |
| SOGo | Webmail + CalDAV (calendar) + CardDAV (contacts) + ActiveSync frontend |
| Rspamd | Spam detection, DKIM signing, DNS libraries |
| ClamAV | Antivirus scanning |
| MariaDB + Redis | Database/cache for configuration and locks |
| Nginx | Reverse proxy, TLS termination |
| Watchdog | Self health checks and auto-recovery |
| Solr | Full-text search in IMAP mailboxes |
| Unbound | Local DNS resolver for DNSBL lookups |
| PHP-FPM | Backend for the admin UI |
The key design decision: one Docker Compose file describes the entire setup. Updates pull all containers together — no version drift between Postfix and Dovecot, no post-update incompatibility.
What Mailcow does out of the box
Functionally, Mailcow delivers everything a classic Exchange server does — except for a few Exchange-specific concepts (see the limits section):
- Unlimited domains on one instance, each with its own DKIM signing
- Multiple mailboxes per domain, with aliases, catch-alls and forwarders
- ActiveSync via integrated SOGo (for iOS/Android, Outlook Mobile)
- SOGo webmail with drag&drop, calendar sharing, tasks and multiple languages
- CalDAV/CardDAV for native mail clients (Thunderbird, Apple Mail, eM Client)
- Rspamd training UI for shared spam training across all users
- Sieve filters via webmail or directly
- Two-factor authentication for web-UI access
- Quarantine with release function — recipients decide whether to retrieve individual mails from spam
- Per-user inbox whitelisting without admin intervention
- Built-in backup tool (snapshot-consistent via
mailcow.conf) - Detailed logging via docker compose logs and Mailcow’s own UI
Setup on Proxmox in practice
We typically install Mailcow in its own Debian VM on Proxmox, not in an LXC — Docker best practice (Docker in LXC works but isn’t clean for production).
Hardware recommendation for 25–100 mailboxes:
- 4 vCPU
- 8 GB RAM (16 GB more comfortable)
- 60 GB OS disk
- Separate data disk on TrueNAS storage via NFS or iSCSI (depending on setup) — for snapshot granularity and growth
- A dedicated public IPv4 address with PTR record
Steps:
# On the fresh Debian 12 VM
apt update && apt -y install curl git ca-certificates
# Docker official repo
curl -fsSL https://get.docker.com | sh
# Pull Mailcow
cd /opt
git clone https://github.com/mailcow/mailcow-dockerized
cd mailcow-dockerized
# Generate configuration
./generate_config.sh
# Hostname: mail.customerdomain.com
# Timezone: Europe/Berlin
# Start
docker compose pull
docker compose up -dA few minutes later https://mail.customerdomain.com/admin is reachable — default user admin, password moohoo (change immediately!). Mailcow fetches first TLS certificates automatically via Let’s Encrypt (provided port 80 is reachable from the outside).
DNS preparation: mandatory records
Without correct DNS records every mail server is worthless — mail lands in spam folders. For every hosted domain:
| Record | Value | Purpose |
|---|---|---|
| A | mail.domain.tld → IPv4 | Server address |
| AAAA | mail.domain.tld → IPv6 (if available) | IPv6 server address |
| MX | domain.tld → mail.domain.tld (prio 10) | Mail routing |
| SPF (TXT) | v=spf1 mx ~all | Sender validation |
| DKIM (TXT) | Export from Mailcow UI | Signature validation |
| DMARC (TXT) | v=DMARC1; p=quarantine; rua=mailto:dmarc@domain.tld | Policy for SPF/DKIM failures |
| PTR (Reverse DNS) | IPv4 → mail.domain.tld | Reverse lookup at the receiver |
The PTR record is set at the ISP / hosting provider, not in your own DNS zone. Without PTR, every outgoing mail to a Microsoft server lands in spam automatically.
We covered SPF, DKIM and DMARC in detail in Email security: SPF, DKIM and DMARC — required reading before any mail server setup.
Backup strategy
Mailcow ships its own helper-scripts/backup_and_restore.sh that consistently captures all relevant volumes. Pragmatic approach in a standard DATAZONE environment:
- Hourly ZFS snapshots of the Mailcow data disk (on TrueNAS)
- Daily Mailcow backup script via cron with 30-day retention
- Weekly offsite replication to a second TrueNAS or cloud backup
- Restore test every 6 months — otherwise no one knows whether the backup actually works
What Mailcow is not
Set expectations — three points where Mailcow does not replace Exchange/M365:
1. Outlook MAPI integration
Outlook on Windows ideally speaks MAPI/RPC (Exchange) or IMAP. Mailcow delivers IMAP — works, but Outlook features like server-side search indexing, server-side rules and “public folders” are limited. ActiveSync covers mobile Outlook well; Desktop Outlook is fine but not as seamless as with Exchange.
2. Global address lists / GAL
Exchange syncs the global address list across the entire organization. SOGo offers per-domain collection addresses but no full GAL via auto-discover. Workaround: LDAP integration with a separate directory service.
3. Public folders
Exchange public folders have no direct Mailcow equivalent. In the SOGo world shared resources are mapped as shared calendars, shared address books or shared mailboxes — different structure, often leaner, but the migration path isn’t 1:1.
When Mailcow pays off
| Profile | Mailcow suitable? |
|---|---|
| 10 employees, classic trades, no IT affinity | No — M365 is structurally better here |
| 25–150 employees, dedicated IT person, compliance need | Yes — sweet spot |
| Tax/law firm with high data-sovereignty awareness | Yes, very |
| 250+ employees with Active Directory dominant strategy | Usually no — Exchange SE or M365 fits better |
| Hosting provider with many end customers | Yes — Mailcow scales well per domain |
| Pure backup mail system as fallback for M365 | Yes — as a parallel disaster recovery rail |
High availability
Mailcow is not a high-availability stack by default. Two paths for HA:
- Script-based HA via
mailcow-stretch-mode(two Mailcow instances, one active, one passive, replication manual or via rsync). Medium effort, solid functionality. - Hot standby via VM replication (e.g. PVE VM replication to a second node). Manual cutover by DNS change on failure. Low effort, failover in minutes.
For most SMBs the second variant is enough; true active/active HA needs real mail server ops with dedicated admins.
Updates and maintenance
./update.sh from the Mailcow repo pulls all container images, checks configuration, restarts. We recommend:
- Monthly update window (plannable)
- Mailcow distribution image security updates are rolled by the project itself
- Take a VM-level Proxmox snapshot before each update — rollback in 30 seconds
- Check logs after updates:
docker compose logs --tail=100
DATAZONE recommendation
In 2026 Mailcow is the most mature self-hosted mail server stack in the open-source world. We deploy it for customers when three conditions align: 25–150 employees, clear need for data sovereignty or GDPR sensitivity, and an IT lead (in-house or via service provider) able and willing to maintain a Docker stack.
Where Mailcow is not the right tool we say so openly — usually that’s the very small setups (too much effort for 5 mailboxes) or the very large with full M365 integration. In between, Mailcow is often simply the most cost-effective and technically best option.
Related articles:
- Replacing Microsoft Exchange: ROI for SMBs
- End of support for Microsoft Exchange 2019
- Email security: SPF, DKIM and DMARC
- Nginx reverse proxy: publishing services securely
- Linux server hardening
Sources
More on these topics:
More articles
Authentik: Single Sign-On for Self-Hosted Services
Authentik as self-hosted SSO and identity provider: OIDC, SAML2, LDAP, MFA. Example setup with Nextcloud, GitLab and Vaultwarden — plus comparison with Authelia.
Proxmox VE 9.2 — Dynamic Load Balancer, WireGuard SDN & Kernel 7.0
Proxmox VE 9.2 is here: dynamic load balancing for HA clusters, WireGuard as an SDN fabric, Ceph Tentacle, Linux Kernel 7.0 and custom CPU models in the GUI. All highlights, versions, known issues and upgrade tips.
Replacing Microsoft Exchange: ROI Analysis for SMBs
Exchange Server 2019 is out of support. Which alternatives are worthwhile for SMBs? Exchange Online, Mailcow, Kerio, MDaemon and Exchange SE 2025 compared qualitatively — with ROI factors for three company sizes.