#smtp #e-mail #mail #email #server

app samotop-server

SMTP server with focus on privacy

7 releases (4 stable)

1.2.0 Aug 4, 2021
1.1.0 Feb 6, 2021
1.0.1 Aug 24, 2020
1.0.1-snapshot Aug 13, 2020

#26 in Email

MIT/Apache and GPL-3.0-or-later

333 lines

Build Status

samotop-server 1.2.0

You can run your own privacy focussed, resource efficient mail server. Samotop docker image is available for your convenience.



  • Tiny docker image - only contains statically compiled samotop and openssl, no OS clutter.

Common (MDA/MTA/MSA)

  • The server will receive mail and write it to a given maildir folder. Another program can pick the folder and process it further.
  • STARTTLS can be configured if you provide a cert and identity file.

Mail delivery agent (MDA)

  • Encryption at rest
  • Accounts
  • LMTP
  • Sockets

Mail transfer agent (MTA)

  • Mail relaying
  • Antispam features:
    • SPF - refuse mail with failing SPF check
    • Greylisting

Mail submission agent (MSA)

  • Authentication


  • Using cargo:
    cargo install samotop-server
  • Using docker:
    docker pull brightopen/samotop


  • locally, run samotop-server --help for command-line reference.
  • in docker, run docker run --rm -ti samotop

Both should produce a usage information not too different from this:

samotop 1.2.0

    samotop-server [FLAGS] [OPTIONS] --cert-file <cert file path> --identity-file <identity file path>

    -h, --help       Prints help information
        --no-tls     Disable TLS suport
    -V, --version    Prints version information

    -n, --name <SMTP service name>              Use the given name in SMTP greetings, or if absent, use hostname
    -b, --base-dir <base dir path>              What is the base dir for other relative paths? [default: .]
    -c, --cert-file <cert file path>            Use this cert file for TLS. Disabled with --no-tls. If a relative path
                                                is given, it will be relative to base-dir
        --banner_delay <delay>                  Should we enforce prudent banner deleay? Delay is in miliseconds
    -i, --identity-file <identity file path>    Use this identity file for TLS. Disabled with --no-tls. If a relative
                                                path is given, it will be relative to base-dir
    -m, --mail-dir <mail dir path>              Where to store incoming mail? If a relative path is given, it will be
                                                relative to base-dir [default: inmail]
    -p, --port <port>...                        SMTP server address:port, such as or localhost:12345. The
                                                option can be set multiple times and the server will start on all given
                                                ports. If no ports are given, the default is to start on localhost:25
        --command_timeout <timeout>             Should we enforce prudent command timeout? Timeout is in miliseconds


You can run these openssl commands in docker as well. This will run an openssl with the current folder mounted under /data and that is also the work dir:

docker run --rm -ti -v "$PWD:/data/" -w "/data/" --entrypoint openssl samotop help

Generate a cert and ID with openssl:

openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out Samotop.crt -keyout Samotop.key


openssl s_client -connect localhost:25 -starttls smtp

Debug with STARTTLS:

openssl s_client -connect localhost:25 -debug -starttls smtp

Other useful hints for TLS

For native-tls, you'd convert to pfx:

openssl pkcs12 -export -out Samotop.pfx -inkey Samotop.key -in Samotop.crt

Extracting pub key from cert:

openssl x509 -pubkey -noout -in Samotop.crt  > Samotop.pem


MIT OR Apache-2.0


Unless you explicitly state otherwise, any contribution submitted for inclusion in samotop projects by you, as defined in the Apache-2.0 license, shall be licensed as above, without any additional terms or conditions.


~460K SLoC