OwnMaily Docs

SSL

Going to Production

HTTPS is required for production. Email clients flag HTTP links as unsafe, and some will refuse to load tracking pixels or follow redirects over plain HTTP. Your subscribers will see security warnings in browsers if they visit any OwnMaily-generated URLs that use HTTP.

The good news: SSL certificates are free (thanks to Let's Encrypt) and the tooling to set them up automatically has gotten genuinely easy.

Using Dokploy, Coolify, or Caprover

If you are deploying OwnMaily through a self-hosted PaaS like Dokploy or Coolify, SSL is handled automatically. These platforms provision Let's Encrypt certificates for you and terminate HTTPS at the reverse proxy level. You do not need to follow the steps below.

Just make sure your domain is pointing to the correct server IP and SSL is enabled in your platform's app settings.

Option 1: Caddy (easiest)

Caddy is a modern web server that handles SSL certificate provisioning and renewal automatically with zero configuration. If you are setting up SSL manually, this is the recommended path.

Install Caddy

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

Create a Caddyfile

Create or edit /etc/caddy/Caddyfile:

mail.yourdomain.com {
    reverse_proxy localhost:4400
}

Replace mail.yourdomain.com with your actual domain.

Start Caddy

sudo systemctl reload caddy

Caddy will automatically obtain an SSL certificate from Let's Encrypt, configure HTTPS, and set up auto-renewal. Within a minute or two, https://mail.yourdomain.com should be live.

If something goes wrong, check the Caddy logs:

sudo journalctl -u caddy --follow

Port 80 must be open. Caddy uses HTTP on port 80 for the Let's Encrypt ACME challenge to verify domain ownership. Make sure your server firewall allows inbound traffic on ports 80 and 443. On Ubuntu:

sudo ufw allow 80 && sudo ufw allow 443

Option 2: Nginx + Certbot

If you are already running Nginx or prefer it, you can use Certbot to provision a Let's Encrypt certificate.

Install Nginx and Certbot

sudo apt update
sudo apt install -y nginx certbot python3-certbot-nginx

Configure Nginx

Create a site config at /etc/nginx/sites-available/ownmaily:

server {
    server_name mail.yourdomain.com;

    location / {
        proxy_pass http://localhost:4400;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Enable the site, test the configuration, and reload Nginx:

sudo ln -s /etc/nginx/sites-available/ownmaily /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Run Certbot

sudo certbot --nginx -d mail.yourdomain.com

Certbot will modify your Nginx config to add HTTPS and set up auto-renewal. Follow the prompts to complete the process.

Verify SSL is working

After setup, visit https://mail.yourdomain.com in your browser. You should see a padlock in the address bar and OwnMaily should load. If it does not, check that:

  • Your domain DNS A record is pointing to the correct server IP
  • Port 443 is open in your firewall
  • The reverse proxy (Caddy or Nginx) is running and pointing to port 4400
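
The checks above can be scripted. This is an added example, not part of the OwnMaily docs or project: a POSIX shell script that confirms the HTTPS endpoint verifies, reports the days left until the certificate expires, and checks that plain HTTP redirects to HTTPS (Caddy's default; with Certbot it depends on whether the redirect was enabled). The script name, the function names and the 14-day MIN_DAYS threshold are assumptions.

```shell
#!/bin/sh
# Added example, not OwnMaily code. Usage: sh check_tls.sh mail.yourdomain.com

# Days until expiry. $1: a "notAfter=Jun  1 12:00:00 2025 GMT" line as printed
# by `openssl x509 -noout -enddate`; $2: current epoch seconds (default: now).
# The date is converted in awk so the script does not need GNU `date -d`.
days_left() {
    printf '%s\n' "$1" | awk -F'[= :]+' -v now="${2:-$(date +%s)}" '
        $1 != "notAfter" || NF < 7 { exit 2 }
        { m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $2) + 2) / 3
          y = $7 - (m <= 2); yoe = y % 400
          doy = int((153 * ((m + 9) % 12) + 2) / 5) + $3 - 1
          days = int(y / 400) * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
          print int((days * 86400 + $4 * 3600 + $5 * 60 + $6 - now) / 86400) }'
}

# True only for a redirect status ($1) whose target ($2) is an https:// URL.
is_https_redirect() {
    case "$1" in 301|302|307|308) ;; *) return 1 ;; esac
    case "$2" in https://*) return 0 ;; *) return 1 ;; esac
}

# Runs in a subshell, so its variables stay local. Exit status 0 means all passed.
check_site() (
    domain=$1 fail=0
    # Port 443 open, proxy answering, chain and hostname valid (curl verifies both).
    curl -sS -o /dev/null --max-time 10 "https://$domain/" ||
        { echo "FAIL: HTTPS request failed (DNS, firewall, proxy or certificate)"; fail=1; }
    # Expiry. MIN_DAYS is an assumed threshold; a working auto-renewal stays above it.
    end=$(openssl s_client -connect "$domain:443" -servername "$domain" \
            </dev/null 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null)
    if days=$(days_left "$end"); then
        echo "Certificate expires in $days days"
        [ "$days" -ge "${MIN_DAYS:-14}" ] || { echo "FAIL: renewal looks stuck"; fail=1; }
    else
        echo "FAIL: could not read a certificate on port 443"; fail=1
    fi
    # Plain HTTP should answer with a redirect to HTTPS, never serve the app itself.
    out=$(curl -s -o /dev/null --max-time 10 -w '%{http_code} %{redirect_url}' "http://$domain/")
    is_https_redirect "${out%% *}" "${out#* }" || { echo "FAIL: http:// is not redirected"; fail=1; }
    exit "$fail"
)

# Run the checks only when a domain is given on the command line.
if [ "$#" -gt 0 ]; then check_site "$1"; fi
```

Run it from a machine outside the server's network so the firewall rules are exercised as well.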