I was trying to deploy Ghost on a DigitalOcean droplet and found that DO and many different VPS services have started to block the default SMTP ports to try to combat the various types of abuse they get. To actually configure my app, I had to hack together a Postfix relay.
In another project, I had a static site which had a contact form, but my free Formspree account was occasionally hitting usage limits and I desperately wanted some of the anti-spam features they had gated behind their paid accounts so I put together a caddy module to catch HTTP POSTs and bounce them to my provider.
I kept bumping into these same email issues. Many of the services I wanted to host (Gitea, Mastodon, Umami, Comentario) ran into the same limitations. This felt like a really common issue that had no good solution.
Posthorn is what I built to solve this. It's a small Go binary (or 10 MB docker image) that sits between your self hosted apps and your transactional email provider of choice (shipping with support for Postmark, Resend, Mailgun, Amazon SES or an outbound SMTP relay). It also accepts POSTs from HTML forms to support static site needs while adding security layers such as honeypot fields, origin checks and IP rate limiting. There's also a JSON HTTP API that supports Bearer auth for backend scripts or cron jobs that just want a /send endpoint.
I now use this personally in multiple scenarios and I've spent a lot of time beating this up and testing against what I can validate. I'd love to hear how this might be useful for you, what breaks and any feedback you might have. It's open source under Apache 2.0 and I'd love contributions. I'm planning to support and grow this for the long haul.
Code: https://github.com/craigmccaskill/posthorn
Docs: https://posthorn.dev/
Longer write up: https://craigmccaskill.com/introducing-posthorn/
Previous HN discussion on the exact issue I'm trying to solve: https://news.ycombinator.com/item?id=43620318
Discussion (56 Comments)Read Original on HackerNews
Personally, I have used nullmailer in the past to provide a sendmail compatible local install that immediately forwards email to the SMTP server of my choice. Has worked flawlessly.
Obviously, that doesn't come with HTML form support, but then I am also not sure I would like the same binary to handle both a HTTP(S) endpoint and email submission :)
Posthorn ended up the way it did because I had three different things all hitting Resend at the same time: a contact form, a couple of apps that only had SMTP email support and some scripts I wanted to email results from. I didn't want to have to maintain three different things doing functionally the same routing. Putting them in one binary helped me consolidate credentials and logs.
You're not wrong about the split though, I thought about breaking the two out. I'd originally written the http form handler as a caddy module (which I called caddy-formward to be cute) but ultimately I went the other way because the code after the ingress is the same regardless of how you come into the service and I didn't want to rewrite all that logic.
Have you encountered a similar issue with multiple apps where nullmailer hasn't been enough? Curious how you handled it if so.
At work I'm using Apprise (https://appriseit.com/) to deliver notifications.
Are you planning to add more services or to limit Posthorn to emails?
My current plans are for Posthorn to stay focused on email. There's enough work here that I think it justifies a dedicated tool.
I have some v2 roadmap ideas for things like multiple outputs per endpoint so that a contact form submission can fire both an email and a webhook in the same call to support things like form -> email + slack or script triggers an email + pager duty alert.
That's complimentary to the email though, not something I had planned to build out as a stand alone use case. I'd be interested in hearing how that would be useful for you though!
Apprise does not accept SMTP protocol as input, so you're bound exclusively to API, binary exec or third party integrations.
I think Posthorn could fill a gap if it will integrate the possibility to send a webhook (alongside/instead of email).
Seems like most setups only really need 2-3 channels, rather than the ~140 supported by Apprise. Definitely worth me looking into when I start to work towards a v2 release and supporting webhooks in general.
The part I'm not sure about yet is how I'm going to implement it. My current approach is to custom write a transport layer for each provider, so a generic webhook would be the first non-bespoke transport. I don't want to lock myself into the path of writing a bespoke solution for every email provider and every channel (that's basically reimplementing Apprise in Go with better email support). I'm hoping I can get a generic webhook that would be good enough for most use cases.
I'll also need to think about if I want to support an email + webhook use case or pick one per request. If I built that and you deployed it for email + telegram, would that be good enough for your use case? You could also just deploy it alongside Apprise if you have an email need that we handle better (and I think we definitely do, especially once I ship html email in 1.x).
If you do end up using Posthorn, please let me know how it goes and feel free to open up any issues you see on GitHub.
My current provider since almost two decades without any issues, except speed and storage limitations is all-inkl.com, but I really just use it for email and nothing else, therefore most likely overpriced at ~6β¬/month.
I would love to switch to some VPS/root or anything where I can SSH and install, compile my own services, but something where security is high and support is 24/7 available.
1) Posthorn doesn't host email - no inbox, no IMAP so it doesn't replace what it sounds like all-inkl is doing for you. All it does is take the outgoing messages from any of your hosted/local apps and take care of the plumbing of handing them off to a transactional provider (like Resend or Postmark). Those servers are the ones sending the mail, using their IPs and their sending reputation. Any blacklist concern is really tied to your sending domain and not a new risk from Posthorn. Just the same setup you'd do if you were calling something like Resend directly. If you're following their guidelines, you'll be fine.
2) On the VPS side, if your goal is to be able to ssh in, install some stuff and run your own services, something like Hetzner is a well regarded EU centric option with solid technical support baked in. Security is mostly on you and down to what you install and how you configure it. That can be a huge learning curve and a whole other kettle of fish, definitely not without risk.
> something where security is high and support is 24/7 available
You are not going to get great 24/7 support inside anything like β¬6/month (though many may promise it!), so that service may not be as overpriced as you think.
Another thing to consider is that many VPS providers have βdirtyβ IP ranges so you will have trouble with getting your mail delivered. A common solution to this is to use a mail delivery service (like mailgun, mxroute, and many others) so your mail comes from a managed βcleanβ source and has less chance of summarily being declared spam just from the source address alone (these services also reduce the need to think about spf/dkim/etc and keep an eye out on changes that may happen in that realm). Essentially by self-hosting a service like this, you are taking back the admin of managing all that so you have to ask yourself if it is worth saving a few β¬ per month, and consider what you might lose if something goes wrong and all your mail starts bouncing.
> switch to some VPS/root or anything where I can SSH and install, compile my own services
Be wary of most really inexpensive options here. In most cases you will experience performance degradation (at random times, or just almost always) and other issues due to noisy neighbours on oversold infrastructure.
> I really want to try this, but I'm afraid my DNS will be blacklisted if I do.
The best (but unfortunately time-consuming) way to get comfortable with this is probably to register a sacrificial domain and set it all up for that domain on hosts not associated with your domains that normally send mail. Play with it, break it, fix it, break it again, etc., until you feel confident you aren't going to screw yourself by trusting your own admin of all this on a domain that actually matters.
For something simple try https://mailinabox.email/
> would love to switch to some VPS/root or anything where I can SSH and install, compile my own services, but something where security is high and support is 24/7 available.
Those sound like expensive requirements to me. You want managed self hosted email? Some else providing support will be expensive.
I do. Though I am self hosting it to have my personal email, being well... personal. Not for my company so maybe I am not the target.
Interesting project though. I always felt missing API to just send emails from some script in my mail server.
Posthorn is built for the opposite end of that, you've already decided you want to use a transactional provider for app mail and you just want to stop having to deal with wiring it into all of the things. Obviously for a big production app you build your own mail service, but for gluing together a bunch of different apps you're self hosting, I think this makes sense and addresses a real issue.
If you want an API piece to augment what you already have, Posthorn might still be useful regardless of how the rest of your mail is set up. A Posthorn JSON endpoint is just a POST with Bearer auth and an idempotency key. Example from my docs:
curl -X POST https://posthorn.yourdomain.com/api/transactional \ -H "Authorization: Bearer $WORKER_KEY_PRIMARY" \ -H "Content-Type: application/json" \ -H "Idempotency-Key: reset:user-123:$(date -u +%FT%H)" \ --data '{ "to_override": "bob@example.com", "subject_line": "Reset your password", "message": "Click here: https://app.example.com/reset/abc" }'
Could run alongside your existing mail server. It's a small enough overhead that the juice might be worth the squeeze.
This is the exact case where I'd be really afraid of running it on my own and this I VERY STRONGLY BELIEVE should NOT be the case. Participating in email should be easy.
Anyway yeah it looks interesting. In theory I could start it up with my mail server, which already is using docker compose, configure it and use API for sending emails.
I will give it a try.
Let me know how it works out for you, happy to help in any way I can. Also feel free to make any feature requests or open an issue on GitHub.
I do not remember if I have ever used the GNU mail program that is available on Linux, but my e-mail server is hosted on FreeBSD, so I have used very frequently the FreeBSD CLI utility to send e-mail messages from scripts.
Moreover, all FreeBSD servers come configured by default to send automatically a variety of e-mail reports to the administrator, to inform about incidents or statistics, so there are a lot of examples of usage from scripts.
Similar idea in that it receives SMTP and transforms it to a provider specific API but it's unique for the ProtonMail use case of bridging to your personal mail client and it handles both sending (SMTP) and receiving (IMAP).
Posthorn is server side and outbound only. It runs in your stack and enables apps to send email that otherwise can't. It fronts multiple transactional providers via config and doesn't touch inbound at all.
postfix/sendmail/dovecot/ingress setup
I am really happy with the setup. (So far)
How much effort has it been to keep it running? Glad that it works for you!
Would like to publish the setup so others can try it out as well.
A fun thing was to route local domain emails locally so they never have to leave the server.
Very little maintenance so far, mustn't speak to soon though.
My (intentional) reference was to the older mail courier horn.
If all the apps you're running can already integrate via HTTPS API, Posthorn doesn't solve anything for you in that case, unless the unified credential, single retry policy and logging meaningfully simplifies things for you.
And honestly, SES was the easiest integration for me to write (even if it ended up being the most LOC), their documentation, examples and error responses gave me a really easy time setting it up. Additionally, because it does need such a verbose implementation SES ends up being a great case study for Posthorn and not needing to maintain the same 200 line signing routine in multiple different places.
We do, and thats why we use Postal [1].
The more SaaS applications that self-host email the better. It forces the big guys, ie Microsoft, to improve their blocklists and not lazily block entire ranges. Yes its work contacting them occasionally, but it keeps the internet open. The alternative is an internet where they control it all.
1. https://docs.postalserver.io/
I should probably tighten up that line. What I really meant to say is that the average self-hoster who just wants to enable a few services to send email doesn't want to run a mail server. Different audiences, different (and both correct) answers.
I set out to solve some pretty specific problems of my own but I'm genuinely curious how others have tackled these things. Posthorn and Postal don't compete in my head. Postal makes you into your own provider, which is something I personally deeply want to avoid. Posthorn assumes you've already picked a provider (which might be Postal, actually, it would work just fine pointed at a self-hosted Postal instance).
Maybe I'm confused, maybe the label "self-hoster" is broader than the definition in my mind, but that's exactly what self-hosters want to do, that's why we call ourselves self-hosters, we want to host the stuff we use ourselves :)
If I just wanted to "enable a few services" I'd use AWS or whatever the modern alternatives are.
That said, none of it has to do with my own personal email, which has been on Gmail for long enough to drink, so we are probably talking about two different situations.
But then you'd be using AWS for those services too.
I think there's a meaningful gap between folks who are willing and able to self host their own applications but have decided that running their own MTA is a separate and much harder commitment. Different line, but still self-hosting in any reasonable read of the term. I've been on both sides of that line at one point, I'm trying to avoid going back. :)
Only a sith self-hosters want to self-host absolutely everything.
https://github.com/postalserver/postal/blob/8ef89606bc34146f...
https://rubyonrails.org/maintenance
Not great, but better than 6.x.
I don't know rails well, but that sounds like 7.1 (that is unsupported) and not 7.2?