Open Source Webmail

Andy Hochhaus d09513e348 Tweak HSTS defaults 1 year ago


MammothMail is in a pre-alpha heavy development stage. Current use is only suited for developers.

MammothMail is a web-based email client that interoperates with your existing email infrastructure. Both the client and the server are open source (GNU AFFERO GENERAL PUBLIC LICENSE Version 3), which makes MammothMail well suited for self-hosting environments.

Client requirements

MammothMail only requires a modern web browser:

The current and previous major releases of the four major browsers are supported.

Server requirements

  • Existing mail server infrastructure (SMTP and IMAP servers)
  • PostgreSQL 9.5+ server
  • TLS/SSL certificates




$ git clone
$ cd mammothmail
$ # setup GOROOT, GOPATH, etc
$ ./
$ make
$ make lint  # prior to sending Pull Request

$ # launch server
$ sudo setcap cap_net_bind_service=+ep bin/mammoth
$ bin/mammoth --config=../config



Set up the PostgreSQL database (Debian wiki):

$ sudo apt-get install postgresql-9.5 postgresql-client-9.5
$ sudo su - postgres
$ psql
postgres=# CREATE DATABASE mammothmail OWNER mammoth;
postgres=# \q


Generate a new pepper value for secure password storage (and create a backup of it):

openssl rand -out private/pepper 1024

Configure MammothMail web server and database connectivity:

  "HTTPHost": "",
  "RedirHTTPHost": "",
  "PostgresqlConn": "dbname=mammothmail user=mammoth password='...'",
  "PepperFile": "private/pepper",
  "CertChainFile": "certs/",
  "TLSKeyFile": "certs/"

By default, MammothMail enables HSTS with the following policy:

Strict-Transport-Security: max-age=315360000; includeSubDomains; preload

If this policy is too strict for your hosting environment, you can disable HSTS with:

  "StrictTransportSecurity": "disable"

Alternatively, you can specify a different policy with:

  "StrictTransportSecurity": "max-age=...; [includeSubDomains;] [preload]"
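
The following Go example is added here and is not part of MammothMail's code: it parses a candidate StrictTransportSecurity value (anything other than "disable") and checks it against the browser preload list's header requirements (max-age of at least 31536000 seconds, includeSubDomains, preload). The names HSTSPolicy, ParseHSTS and PreloadEligible are hypothetical.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// HSTSPolicy is the parsed form of a Strict-Transport-Security value.
type HSTSPolicy struct {
	MaxAge                     int64 // seconds
	IncludeSubDomains, Preload bool
}

// ParseHSTS parses a header value. Directive names are case-insensitive,
// unknown directives are ignored, and max-age is mandatory (RFC 6797).
func ParseHSTS(v string) (HSTSPolicy, error) {
	p := HSTSPolicy{MaxAge: -1}
	for _, d := range strings.Split(v, ";") {
		name, val, _ := strings.Cut(strings.TrimSpace(d), "=")
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "max-age":
			n, err := strconv.ParseInt(strings.Trim(strings.TrimSpace(val), `"`), 10, 64)
			if err != nil || n < 0 {
				return p, fmt.Errorf("invalid max-age %q", val)
			}
			p.MaxAge = n
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		}
	}
	if p.MaxAge < 0 {
		return p, fmt.Errorf("max-age directive is required")
	}
	return p, nil
}

// PreloadEligible reports whether the policy meets the preload list's header
// requirements: max-age of at least one year, includeSubDomains and preload.
func PreloadEligible(p HSTSPolicy) bool {
	return p.MaxAge >= 31536000 && p.IncludeSubDomains && p.Preload
}

func main() {
	p, err := ParseHSTS("max-age=315360000; includeSubDomains; preload") // README default
	fmt.Println(p, err, PreloadEligible(p))
}
```

The default policy passes this check; a custom value that keeps preload but drops includeSubDomains or shortens max-age below one year does not.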

By default MammothMail disables HPKP. If you wish to enable public key pinning you can do so with:

  "PublicKeyPins": "pin-sha256=\"...\"; pin-sha256=\"...\"; max-age=...; [includeSubDomains;] [report-uri=\"\"]"

Enabling public key pinning can be risky. Ensure you understand the trade-offs before turning it on!

Future work

  • Use multiple email accounts from unified interface
  • Integrated chat support
  • Extensions support (eg: PGP, etc)
  • Android and iOS native client applications