Last updated in git: 2026-06-11

Getting started: Outbound mail

This walkthrough shows how to enable Everlock's authenticated SMTP submission listener, create a sender domain, grant a user permission to send as a mailbox in that domain, and send a test message through the submission port.

1. Start Everlock with submission enabled

For a local first pass, use explicit CLI flags:

everlock serve \
  --frontend-ssh \
  --backend-admin-ssh \
  --frontend-smtp \
  --frontend-smtp-listen 0.0.0.0:2525 \
  --frontend-smtp-submission \
  --frontend-smtp-submission-listen 0.0.0.0:2587 \
  --backend-mail-smtp \
  --admin-user admin \
  --admin-password change-me

Expected startup shape:

[INFO  everlock] starting backend-mail-smtp
[INFO  everlock] starting frontend-smtp
[INFO  everlock_frontend_smtp::module] frontend-smtp: binding inbound listener on 0.0.0.0:2525
[INFO  everlock_frontend_smtp::module] SMTP inbound listener on 0.0.0.0:2525
[INFO  everlock_frontend_smtp::module] frontend-smtp: binding submission listener on 0.0.0.0:2587
[INFO  everlock_frontend_smtp::module] SMTP submission listener on 0.0.0.0:2587

The production default submission port is 587. The 2587 port above is only for local unprivileged testing.

For diagnostics during setup, start Everlock with mail logging enabled:

RUST_LOG=everlock_backend_mail_smtp=info,everlock_frontend_smtp=info everlock serve \
  --frontend-ssh \
  --backend-admin-ssh \
  --frontend-smtp \
  --frontend-smtp-listen 0.0.0.0:2525 \
  --frontend-smtp-submission \
  --frontend-smtp-submission-listen 0.0.0.0:2587 \
  --backend-mail-smtp \
  --admin-user admin \
  --admin-password change-me

2. Create a hosted sender domain

In the admin SSH console:

/mail domains create example.com
/mail domains set example.com submission=on auth=on

This means:

  • example.com is a local mail domain
  • inbound SMTP now accepts mail only for configured local domains
  • authenticated users may submit mail as @example.com mailboxes if they also have matching access grants

You can inspect the result with:

/mail domains list

Outbound identity and DKIM defaults

Everlock now identifies itself with a real outbound SMTP hostname instead of everlock.local. By default it uses mail.<domain>, for example mail.example.com.

If backend-dns-dns is active and the domain's DNS zone is hosted in Everlock, DKIM is enabled automatically when you create the mail domain:

/mail domains create example.com

That automatic setup will:

  • set the outbound hostname to mail.<domain> if none is configured
  • generate an RSA DKIM private key
  • enable DKIM signing for the domain
  • expose the matching _domainkey TXT record as a derived DNS record

If DNS is not active here, or the zone is not hosted here, Everlock leaves DKIM disabled and prints guidance in the admin CLI output.

You can also manage it explicitly from the admin CLI:

/mail domains set example.com dkim=on
/mail domains set example.com dkim=off
/mail domains set example.com hostname=mail.example.com

If you want to inspect or edit the stored config directly, it lives at:

everlock-mail/domains/example.com.toml

Example:

enabled = true

[submission]
enabled = true
auth = "authenticated"

[outbound]
hostname = "mail.example.com"

[outbound.dkim]
enabled = true
selector = "default"
private_key_pem = """
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
"""
rsa_selector = "default-rsa"
rsa_private_key_pem = """
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
"""

Notes:

  • hostname controls the outbound EHLO name and the domain used in generated Message-Id values
  • if hostname is omitted, Everlock uses mail.<domain>
  • DKIM signs with both Ed25519 and RSA when both keys are present
  • Everlock auto-generates both keys for hosted zones when you enable DKIM from the admin CLI
  • the admin CLI can enable or disable DKIM and set the outbound hostname

3. Create a sender user and grant mailbox send rights

Submission authentication uses the normal Everlock user registry. Sender authorization uses the existing access-grant model.

In the admin SSH console:

/users add alice change-me
/users grant alice smtp/mail/example.com:alice writer

This allows alice to authenticate to the submission listener and send as alice@example.com. Clients may authenticate either as alice or with the full mailbox-style login alice@example.com; Everlock prefers an exact stored credential match and otherwise falls back to the local part before @.

To grant domain-wide sender rights instead:

/users grant alice smtp/mail/example.com writer
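
The login resolution and sender check described in this step can be modelled in a few lines. This is an added example, not Everlock source code: the registry and grant tables are constructed, the user carol and all function names are hypothetical, password verification is omitted, and it assumes case-sensitive matching with `writer` as the only role that permits sending.

```python
# Constructed user registry: note that "carol" and "carol@example.com"
# are two separate stored logins.
STORED_LOGINS = {"alice", "carol", "carol@example.com"}

# Constructed grants, keyed by (stored login, resource) as in /users grant.
GRANTS = {
    ("alice", "smtp/mail/example.com:alice"): "writer",       # one mailbox
    ("carol@example.com", "smtp/mail/example.com"): "writer",  # whole domain
}

def resolve_login(presented):
    """Exact stored match first, else fall back to the local part before '@'."""
    if presented in STORED_LOGINS:
        return presented
    local = presented.split("@", 1)[0]
    return local if local in STORED_LOGINS else None

def may_send_as(user, mail_from):
    """True if user holds a writer grant on the mailbox or on its whole domain."""
    local, sep, domain = mail_from.rpartition("@")
    if not (sep and local and domain):
        return False
    resources = (f"smtp/mail/{domain}:{local}", f"smtp/mail/{domain}")
    return any(GRANTS.get((user, r)) == "writer" for r in resources)

def check_submission(presented_login, mail_from):
    """Return the outcome of AUTH followed by MAIL FROM in this model."""
    user = resolve_login(presented_login)
    if user is None:
        return "reject AUTH"
    if not may_send_as(user, mail_from):
        return "reject MAIL FROM"
    return "accept"

if __name__ == "__main__":
    for login, sender in [("alice@example.com", "alice@example.com"),
                          ("alice", "bob@example.com"),
                          ("carol@example.com", "bob@example.com"),
                          ("carol", "bob@example.com")]:
        print(f"{login} as {sender}: {check_submission(login, sender)}")
```

In this model the grants held by the resolved account decide the sender address, so the exact-match preference matters when both a short and a mailbox-style login exist.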

4. Send a test message through the submission port

The easiest test is swaks:

swaks \
  --server 127.0.0.1:2587 \
  --auth \
  --auth-user alice \
  --auth-password change-me \
  --from alice@example.com \
  --to bob@example.net \
  --header "Subject: Submission test" \
  --body "Hello from Everlock submission"

If your client prefers mailbox-style SMTP logins, --auth-user alice@example.com works too as long as the stored Everlock login is alice or exactly alice@example.com.

Expected output shape:

=== Trying 127.0.0.1:2587...
<~  220
 ~> EHLO
<~  250-AUTH PLAIN LOGIN
 ~> AUTH
<~  235 2.7.0 Authentication successful
 ~> MAIL FROM:<alice@example.com>
<~  250
 ~> RCPT TO:<bob@example.net>
<~  250
 ~> DATA
<~  354
 ~> .
<~  250 2.0.0 Accepted

If the sender does not have the required grant, MAIL FROM is rejected. If authentication is missing or incorrect, submission is rejected before mail can be sent.

5. Use a normal mail client

Configure your mail client's outgoing SMTP server with:

  • server: 127.0.0.1
  • port: 2587 for local testing, 587 in normal deployments
  • connection security: None or STARTTLS
  • authentication: username/password
  • username: alice or alice@example.com
  • password: change-me
  • from address: alice@example.com

This is Everlock's submission path. It is separate from the inbound SMTP listener used for server-to-server mail receive.

6. Local vs remote recipients

When you submit mail through the submission listener:

  • recipients in hosted Everlock mail domains go through the same local delivery path and rules.toml processing as inbound SMTP
  • recipients in external domains are sent out over remote SMTP delivery
  • successful external submissions also store a copy in the sender mailbox under the sent folder

External delivery also requires the Everlock host to be able to open outbound TCP connections to remote MX servers on port 25. If your provider blocks outbound port 25, submission can authenticate successfully and still fail after DATA with:

451 4.3.0 Temporary local problem

With RUST_LOG=everlock_backend_mail_smtp=info, Everlock logs outbound steps such as:

  • MX lookup failures
  • connect timeouts or refusals to remote MX hosts
  • remote SMTP 4xx or 5xx replies
