Host Your Own Email Client

I got tired of Gmail reading my inbox. Not paranoid—just pragmatic. When I realized I was paying nothing for email storage while my data funded a surveillance machine, I decided to host my own email infrastructure. This tutorial walks you through deploying Roundcube, a self-hosted webmail client, on your homelab or VPS so you reclaim control over your messages.

Why Self-Host Email?

Before we dive into the how, let's be clear about the why. Hosting your own email means:

The catch? You either need an existing email server (Postfix, Dovecot) or a mailbox provider that lets you connect an external client. I'm going to show you both paths. For most homelabbers, Roundcube as a webmail client connected to an existing mail server is the sweet spot—less operational overhead than running your own SMTP.

Option 1: Roundcube With an External Mail Provider

This is the easiest path. If you already have email hosting (even cheap shared hosting), Roundcube lets you access it via a beautiful, self-hosted web interface instead of Gmail's ads and tracking.

I prefer this approach because I run email through Mailbox.org (privacy-focused, encrypted, no ads), then use Roundcube as my frontend. My inbox stays on their hardened infrastructure, but the client runs on my hardware in my network.

Install Roundcube via Docker Compose

mkdir -p ~/docker/roundcube && cd ~/docker/roundcube
cat > docker-compose.yml << 'EOF'
version: '3.8'

services:
  roundcube:
    image: roundcube/roundcubemail:latest
    container_name: roundcube
    restart: unless-stopped
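    depends_on:
      - db
    ports:
      # Loopback only: the reverse proxy connects here, and Docker-published
      # ports are not filtered by UFW
      - "127.0.0.1:8080:80"
    environment:
      # ssl:// selects implicit TLS, which ports 993 and 465 expect
      ROUNDCUBEMAIL_DEFAULT_HOST: "ssl://imap.mailbox.org"
      ROUNDCUBEMAIL_DEFAULT_PORT: "993"
      ROUNDCUBEMAIL_SMTP_SERVER: "ssl://smtp.mailbox.org"
      ROUNDCUBEMAIL_SMTP_PORT: "465"
      ROUNDCUBEMAIL_SKIN: "elastic"
      ROUNDCUBEMAIL_PLUGINS: "managesieve,zipdownload,emoticons"
      # Point Roundcube at the MariaDB service below; without these settings
      # the image falls back to a local SQLite database
      ROUNDCUBEMAIL_DB_TYPE: "mysql"
      ROUNDCUBEMAIL_DB_HOST: "db"
      ROUNDCUBEMAIL_DB_NAME: "roundcube"
      ROUNDCUBEMAIL_DB_USER: "roundcube"
      # Must match MYSQL_PASSWORD in the db service
      ROUNDCUBEMAIL_DB_PASSWORD: "changeme_db_password"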
    volumes:
      - roundcube_data:/var/www/html
    networks:
      - mail_network

  db:
    image: mariadb:10.11
    container_name: roundcube_db
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: changeme_strongly
      MYSQL_DATABASE: roundcube
      MYSQL_USER: roundcube
      MYSQL_PASSWORD: changeme_db_password
    volumes:
      - db_data:/var/lib/mysql
    networks:
      - mail_network

volumes:
  roundcube_data:
  db_data:

networks:
  mail_network:
    driver: bridge
EOF

docker-compose up -d

After a minute, Roundcube will be live at http://localhost:8080. On first login, it auto-creates your local config. Use your email address and password from your mail provider.

Tip: Change those database passwords immediately. Use openssl rand -base64 32 to generate strong credentials, then update the .env or compose file.

Add a Reverse Proxy

Roundcube shouldn't sit naked on port 8080. I use Caddy because its ACME automation and clean config save me hours. Here's a Caddyfile snippet:

mail.your-domain.com {
  reverse_proxy localhost:8080
  encode gzip
  # No path matcher, so the headers apply to every response (a bare "/" matches only the root path)
  header {
    Strict-Transport-Security "max-age=31536000; includeSubDomains"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "SAMEORIGIN"
  }
}

Point your DNS at your server's IP, reload Caddy, and you've got HTTPS with zero manual certificate handling.

Option 2: Full Mail Stack With Mailcow

If you want complete independence—your own mail server, DNS, everything—Mailcow is the most practical self-hosted email suite. It bundles Postfix, Dovecot, Roundcube, and a management UI into one Docker Compose stack.

When I set this up on a 2GB VPS from Hetzner, it took about 30 minutes after DNS propagation. Full email independence for under €5/month.

Deploy Mailcow

cd /opt
git clone https://github.com/mailcow/mailcow-dockerized.git
cd mailcow-dockerized

# Generate config (interactive)
./generate_config.sh

# Edit .env with your domain and settings
nano .env

# Spin up all containers
docker-compose up -d

# Check status
docker-compose ps

The generate script asks for your domain, hostname, and timezone. Mailcow then creates DNS records you'll add to your registrar. It typically needs:

After DNS propagates (can take 24 hours), you can create mailboxes from the Mailcow admin panel at https://mail.yourdomain.com/admin.

Watch out: Running your own mail server means you're responsible for uptime, backups, and spam filtering. If your IP gets blacklisted, all outgoing mail dies. Most homelabbers use a mail provider's SMTP for sending, then Roundcube as the client. It's a hybrid approach that trades ops burden for simplicity.

Security Hardening

Email is sensitive. Lock it down:

Enable 2FA on Roundcube

Roundcube supports TOTP (Google Authenticator, Authy) via plugins. Enable it in your config:

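# Run both commands inside the container (a bare && would run the install on the host);
# packages added this way are lost when the container is recreated
docker exec roundcube sh -c 'apt-get update && apt-get install -y php-gmp'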
# Then in Roundcube admin, enable "2fa" plugin

Use Fail2Ban for Brute-Force Protection

If exposed to the public internet, add fail2ban to block repeated login failures:

sudo apt-get install fail2ban

# Create /etc/fail2ban/jail.d/roundcube.conf
[roundcube]
enabled = true
port = http,https
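# fail2ban ships its Roundcube filter under the name roundcube-auth
filter = roundcube-auth
# This path must exist on the host where fail2ban runs, so the container's
# Roundcube log has to be written or mounted there
logpath = /var/log/roundcube/errors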
maxretry = 5
findtime = 600
bantime = 3600
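
How the jail above counts failures, as an added example rather than code from the original page or from fail2ban: it applies maxretry and findtime to constructed log lines and flags the case where the offending address is internal, which is what the Roundcube container can log when every request arrives through the reverse proxy. The log line shape and the names find_bans and sample_log are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

MAXRETRY, FINDTIME = 5, 600  # values from the jail on this page
# RFC 1918 and loopback ranges: a "client" here is really the proxy or Docker bridge
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumed line shape for a failed login; verify against your own Roundcube log
FAILED = re.compile(r"^\[(?P<ts>[^\]]+)\]: .*Login failed for \S+ .*?"
                    r"from (?P<ip>[0-9A-Fa-f:.]+?)(?=\. |\(|\s|$)")

def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Map each address reaching maxretry failures within findtime seconds
    to True when it is internal, i.e. a ban would hit every user at once."""
    recent, bans = defaultdict(deque), {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S %z").timestamp()
        except ValueError:
            continue  # malformed address or timestamp: not counted
        window = recent[addr]
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[str(addr)] = any(addr in net for net in INTERNAL)
    return bans

def sample_log():
    """Constructed log lines: three sources, five failed logins each."""
    start = datetime(2025, 1, 10, 2, 0, tzinfo=timezone.utc)
    gaps = {"172.18.0.1": 10, "203.0.113.7": 20, "198.51.100.23": 900}  # seconds
    return [
        f"[{(start + timedelta(seconds=i * gap)):%d-%b-%Y %H:%M:%S %z}]: <s3ss10n> "
        "IMAP Error: Login failed for alice@example.org against imap.mailbox.org "
        f"from {ip}. AUTHENTICATE PLAIN: Authentication failed."
        for ip, gap in gaps.items() for i in range(5)
    ]

if __name__ == "__main__":
    print(find_bans(sample_log()))
```

If an internal address shows up in the result, sort out how the real client address reaches Roundcube's log before enabling the jail; otherwise the ban lands on the proxy path instead of the source of the failures.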

Firewall Access

Use UFW to restrict who can reach your email:

sudo ufw default deny incoming
sudo ufw allow from YOUR_IP to any port 22 proto tcp   # SSH only from your IP (replace YOUR_IP)
sudo ufw allow 80/tcp       # HTTP for Caddy redirect
sudo ufw allow 443/tcp      # HTTPS
sudo ufw allow 25/tcp       # SMTP (if running full stack)
sudo ufw allow 143/tcp      # IMAP (if running full stack)
sudo ufw allow 993/tcp      # IMAPS (if running full stack)
sudo ufw enable

Daily Ops: Backups and Maintenance

Your email data matters. Automate backups. For Roundcube + external mail provider, you mainly need to back up the local database:

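#!/bin/bash
# /root/backup-roundcube.sh
set -euo pipefail

BACKUP_DIR="/mnt/backup/roundcube"
OUT="$BACKUP_DIR/roundcube_$(date +%Y%m%d).sql"
mkdir -p "$BACKUP_DIR"

# Read the credentials from the container's own environment instead of
# hardcoding the password here; dump to a temp file so a failed run never
# leaves a truncated backup under the final name
docker exec roundcube_db sh -c \
  'exec mysqldump -u"$MYSQL_USER" -p"$MYSQL_PASSWORD" "$MYSQL_DATABASE"' > "$OUT.tmp"
mv "$OUT.tmp" "$OUT"

# Clean old backups (keep 30 days)
find "$BACKUP_DIR" -name 'roundcube_*.sql' -mtime +30 -delete

echo "Roundcube backup complete"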

Add to crontab: 0 2 * * * /root/backup-roundcube.sh (runs daily at 2 AM).

For a full Mailcow stack, use Mailcow's built-in backup tool or script the Docker volumes directly:

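# Mailcow's database service is MariaDB (mysql-mailcow); this dumps the database only,
# not the mail stored in the Docker volumes. -T disables the TTY so the redirect is clean.
docker-compose -f /opt/mailcow-dockerized/docker-compose.yml exec -T mysql-mailcow \
  sh -c 'exec mysqldump -u"$MYSQL_USER" -p"$MYSQL_PASSWORD" "$MYSQL_DATABASE"' \
  > /mnt/backup/mailcow_$(date +%Y%m%d).sql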

Accessing Email From Clients

Roundcube is a web interface, but you can also use your self-hosted client with desktop or mobile apps by adding IMAP/SMTP settings:

The beauty of this setup: whether you access via web browser, Thunderbird, or your phone, it all syncs instantly because the mail lives on your server or provider's infrastructure.

Next Steps

Start with the Roundcube + external provider route (Option 1). It's low-risk, requires no public DNS, and runs fine on homelab hardware. Once comfortable, explore Mailcow if you want full autonomy. Either way, you've reclaimed your inbox from ad networks.

Pair this with Vaultwarden for password management and Authelia for single sign-on across your services. Build a complete privacy-first digital life, one app at a time.
