Private Email Server as a Tor Hidden Service

Self-hosting email is one of the most technically demanding privacy infrastructure projects, but it provides the highest level of control over communication. Commercial email providers - even privacy-focused ones like ProtonMail - have server-side access to message metadata (who communicates with whom, timestamps). A self-hosted email server on .onion gives you full control over every aspect of the email infrastructure: no company can compel disclosure, no third party holds your message data, and users access email via Tor Browser without exposing their IP to the mail server. Running an email server as a .onion hidden service is appropriate for closed communities where all participants are known - sending email from a .onion server to the clearnet (Gmail, Outlook) is significantly more complex due to anti-spam measures.

Email Server Architecture for .onion Deployment

A complete email server stack consists of Postfix (SMTP server, handles sending and receiving email), Dovecot (IMAP/POP3 server, lets mail clients retrieve email), Roundcube (webmail client, accessible via Tor Browser), and optional spam filtering (SpamAssassin, rspamd). For a .onion deployment, all components listen on 127.0.0.1: Postfix SMTP on 127.0.0.1:25, Dovecot IMAP on 127.0.0.1:993 (IMAP over TLS), and Roundcube on 127.0.0.1:80. The Tor hidden service configuration maps each port to its local listener: HiddenServicePort 80 127.0.0.1:80 (Roundcube web), HiddenServicePort 25 127.0.0.1:25 (SMTP), HiddenServicePort 993 127.0.0.1:993 (IMAP). Users configure mail clients (Thunderbird) with a SOCKS5 proxy and connect to the .onion IMAP and SMTP addresses.
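A check of the layout described above, as an added example that is not part of the original page: it audits a torrc for HiddenServicePort lines that leave 127.0.0.1 or differ from the three mappings in the text, and flags mail or web listeners bound outside loopback. The function names, the HiddenServiceDir path and the sample input are constructed for illustration; the listener lines follow the `ss -ltnH` column layout.

```bash
#!/usr/bin/env bash
# Added example: audit torrc and listener output against the article's layout.
# Virtual port = expected local target, as listed in the article.
EXPECTED="80=127.0.0.1:80 25=127.0.0.1:25 993=127.0.0.1:993"

# Reads torrc text on stdin; prints one finding per line, nothing if clean.
audit_torrc() {
  awk -v expected="$EXPECTED" '
    BEGIN {
      n = split(expected, rows, " ")
      for (i = 1; i <= n; i++) { split(rows[i], f, "="); port[i] = f[1]; want[f[1]] = f[2] }
    }
    { sub(/#.*/, "") }                                   # strip comments
    tolower($1) == "hiddenserviceport" {
      vport = $2; target = $3
      if (target == "") target = "127.0.0.1:" vport      # Tor default when omitted
      else if (target ~ /^[0-9]+$/) target = "127.0.0.1:" target
      seen[vport] = 1
      if (target !~ /^127\.0\.0\.1:[0-9]+$/) print "NON_LOOPBACK", vport, target
      else if (!(vport in want) || want[vport] != target) print "UNEXPECTED", vport, target
    }
    END { for (i = 1; i <= n; i++) if (!(port[i] in seen)) print "MISSING", port[i] }
  '
}

# Reads `ss -ltnH` style lines on stdin; prints mail/web listeners that can be
# reached without Tor because they are bound outside loopback.
audit_listeners() {
  awk '{
    addr = $4; p = addr; sub(/.*:/, "", p)
    if ((p == "25" || p == "80" || p == "993") && addr !~ /^(127\.0\.0\.1|\[::1\]):/)
      print "PUBLIC_BIND", addr
  }'
}

# Constructed sample input, not taken from a real host.
SAMPLE_TORRC='HiddenServiceDir /var/lib/tor/mail/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 25 192.168.1.10:25   # constructed mistake
HiddenServicePort 22 127.0.0.1:22'
SAMPLE_SS='LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
LISTEN 0 100 127.0.0.1:993 0.0.0.0:*'

printf '%s\n' "$SAMPLE_TORRC" | audit_torrc
printf '%s\n' "$SAMPLE_SS" | audit_listeners
```

A PUBLIC_BIND finding means the service also answers on the host's real IP address, which links the .onion service to that address even when the torrc itself is correct.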

Domain and Address Configuration

Email addresses on a .onion mail server use the .onion domain: user@youraddress.onion. In Postfix, set mydomain = youraddress.onion and myhostname = youraddress.onion in /etc/postfix/main.cf. Configure Dovecot to use virtual mailboxes (users are stored in a database or file, not as system users), and create Postfix virtual user maps with an entry for each email address and its mailbox path. Sending to the outside world (clearnet email to Gmail, etc.) is a different matter: Postfix can relay outgoing email through a Tor exit node, but clearnet mail servers will reject email from Tor exit IPs because of spam blocking. For a closed community where all participants are on the same .onion mail server, sending works perfectly. For external email, use a relay service or configure separate clearnet delivery routing.
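A lint for the virtual user map described above, as an added example that is not part of the original page: it reports addresses outside the server's .onion domain, duplicate addresses, and mailbox paths that are absolute or climb out of the mailbox base directory. The function name, the map layout (address, whitespace, relative mailbox path) and the sample entries are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: lint a Postfix virtual mailbox map for a closed .onion community.

# lint_virtual_map DOMAIN: reads map lines ("address  relative/path/") on stdin,
# prints one finding per line, nothing if the map is clean.
lint_virtual_map() {
  awk -v domain="$1" '
    { sub(/#.*/, "") }                       # strip comments
    NF == 0 { next }                         # skip blank lines
    {
      addr = $1; path = $2
      at = index(addr, "@")
      # Every mailbox in a closed community lives on the one .onion domain.
      if (at == 0 || substr(addr, at + 1) != domain) print "FOREIGN_DOMAIN", addr
      # Duplicate keys in a map are easy to miss and make delivery ambiguous.
      if (addr in seen) print "DUPLICATE", addr
      seen[addr] = 1
      if (path == "") print "NO_MAILBOX", addr
      # Paths are resolved under the mailbox base directory; reject escapes.
      else if (path ~ /^\// || path ~ /(^|\/)\.\.(\/|$)/) print "UNSAFE_PATH", addr, path
    }
  '
}

# Constructed sample map; youraddress.onion is the placeholder used in the text.
SAMPLE_MAP='alice@youraddress.onion   youraddress.onion/alice/
bob@youraddress.onion     youraddress.onion/bob/
bob@youraddress.onion     youraddress.onion/bob2/
carol@example.com         example.com/carol/
dave@youraddress.onion    ../../etc/dave/'

printf '%s\n' "$SAMPLE_MAP" | lint_virtual_map youraddress.onion
```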

Roundcube Web Mail on .onion

Roundcube provides a browser-based email interface similar to Gmail. Install it with apt install roundcube, then configure it to connect to Dovecot on localhost (127.0.0.1:993 for IMAP) by setting the default host in config.inc.php: $config['default_host'] = 'ssl://127.0.0.1'. Configure Nginx to serve Roundcube on 127.0.0.1:80 and access it via Tor Browser at the .onion URL. Users log in with their email credentials (username = email address, password = account password). Roundcube lets users compose email, read the inbox, manage folders, and keep an address book. When composing to other .onion addresses, use the full user@youraddress.onion address. Two plugins are worth installing: the password plugin, which lets users change their own passwords, and the enigma plugin for PGP email encryption within Roundcube.

TLS Configuration for .onion Email

TLS is important even on .onion email infrastructure, as defense in depth against any future vulnerabilities in Tor's encryption. Generate a self-signed TLS certificate for the mail server: openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/mail.key -out /etc/ssl/mail.crt -subj '/CN=youraddress.onion'. Configure Postfix to use TLS for SMTP: smtpd_tls_cert_file = /etc/ssl/mail.crt and smtpd_tls_key_file = /etc/ssl/mail.key in main.cf. Configure Dovecot to use TLS for IMAP: ssl_cert =

Email Encryption and PGP Integration

Email on .onion is private in transit (Tor encrypts connections) and at rest (stored on your own server), but email content is not end-to-end encrypted by default - the server can read all messages. For E2EE email: use PGP (OpenPGP). Each user generates a PGP key pair. Outgoing messages are encrypted with the recipient's public key - the server stores encrypted ciphertext. Incoming encrypted messages are decrypted on the client. Roundcube's Enigma plugin supports PGP directly in the web interface. Thunderbird has built-in PGP support (OpenPGP). Key distribution: for a closed .onion community, distribute public keys through a keyserver on the same .onion or via direct exchange. The combination of .onion email infrastructure + PGP provides both transport privacy (Tor) and content privacy (PGP).
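A server-side check of the claim that the server stores only ciphertext, as an added example that is not part of the original page: it classifies each stored message as PGP/MIME (RFC 3156), inline-armored PGP, or plaintext, and counts the plaintext ones in a Maildir. The function names, file names and the three sample messages are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: find mail that is stored readable on the server.

# classify_message FILE: prints pgp-mime, pgp-inline or plaintext.
classify_message() {
  awk '
    !body && /^$/ { body = 1; next }                 # first blank line ends the headers
    !body { hdrs = hdrs " " tolower($0); next }      # joining also unfolds folded headers
    /^-----BEGIN PGP MESSAGE-----/ { armor = 1 }
    END {
      mime = (hdrs ~ /content-type:[ \t]*multipart\/encrypted/ && hdrs ~ /application\/pgp-encrypted/)
      if (mime) { print "pgp-mime" }                 # RFC 3156 container
      else if (armor) { print "pgp-inline" }         # ASCII-armored body
      else { print "plaintext" }
    }
  ' "$1"
}

# count_plaintext MAILDIR: prints how many messages in new/ and cur/ are readable.
count_plaintext() {
  n=0
  for f in "$1"/new/* "$1"/cur/*; do
    if [ -f "$f" ] && [ "$(classify_message "$f")" = "plaintext" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Builds a constructed Maildir with three sample messages; prints its path.
make_sample_maildir() {
  d=$(mktemp -d) && mkdir -p "$d/new" "$d/cur"
  printf '%s\n' 'From: alice@youraddress.onion' 'Subject: q3' \
    'Content-Type: multipart/encrypted;' ' protocol="application/pgp-encrypted"; boundary="b1"' \
    '' '--b1' 'Content-Type: application/pgp-encrypted' '' 'Version: 1' > "$d/new/1.msg"
  printf '%s\n' 'From: bob@youraddress.onion' 'Content-Type: text/plain' '' \
    '-----BEGIN PGP MESSAGE-----' '(armored data elided)' '-----END PGP MESSAGE-----' > "$d/cur/2.msg"
  printf '%s\n' 'From: carol@youraddress.onion' 'Content-Type: text/plain' '' \
    'meeting moved to friday' > "$d/cur/3.msg"
  echo "$d"
}

SAMPLE=$(make_sample_maildir)
echo "plaintext messages: $(count_plaintext "$SAMPLE")"
rm -rf "$SAMPLE"
```

Standard PGP/MIME and inline PGP protect the body only; headers such as From, To and Date stay readable to the server in every case.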
