📱 Available on the App Store

Your mailbox.
No spam.

PostfixMe is a native iOS app and supporting API layer that puts your email aliases and password control in your pocket. Highly secure. No snooping. Your server. Your data. Full stop.

Narrow purpose by design. This app only works if you use your own Postfix-based mail server with PostfixAdmin and the PostfixMe API extension. If that's not you, then this app won't be useful to you. If your mail administrator sent you here, then welcome; you're in the right place!

Zero analytics or tracking
iOS 18+ native SwiftUI
Keychain-secured credentials
Encrypted communication
Open source API (GPL-2.0)
Fully self-hosted

Deliberately,
narrowly useful.

PostfixMe is not a general-purpose email client. It does not send or receive messages. If you're already using PostfixAdmin to administer your own mail domain and you're tired of opening a browser every time you need to manage a forwarding alias or change a password (for you or one of your users), then PostfixMe is exactly what you need.

  • You run a Postfix-based mail server that you administer yourself (or someone administers for you)
  • You use PostfixAdmin to manage mailboxes and aliases
  • You want to manage those aliases from an iPhone or iPad
  • You care about privacy and don't want any snooping third-party telemetry

Right for this app

Personal family mail server, small business with self-hosted email, privacy-conscious self-hosters who use aliases as disposable addresses, sysadmins who already operate PostfixAdmin.

Not for this app

Gmail, Outlook, iCloud, or any hosted email service. This app cannot create accounts, manage DNS, or send/receive messages. It has no value without a PostfixMe API endpoint you control or have access to.

Everything you need.
Nothing you don't.

PostfixMe is a focused, native iOS application. Every feature exists because a real mail server administrator -- this app's author -- actually needed it.

Full Alias Management

Create, edit, enable, disable, and delete email aliases on your server directly from your iPhone or iPad. View all aliases for your mailbox in a clean, searchable list.

Password Management

Change your mailbox password directly from the app. Server-enforced password policy is managed only by your mail server administrator.

Quick Search

Sticky search bar filters aliases as you type. Always visible, find the right alias in seconds.

Keychain Storage

Server URL and JWT tokens are stored exclusively in the iOS Keychain, the same secure enclave used by banking apps and password managers. Never in UserDefaults. Never in plaintext.

15 Themes

Light, Dark, System, Amber 🍂, Beach 🏖️, Crimson 🌹, Forest 🌲, Lavender 💜, Midnight 🌙, Mint 🌿, Ocean 🌊, Pro, Sakura 🌸, Space 🪐, and Viest 🦂. Each theme is fully accessible and supports Dynamic Type.

Accessibility-First

Full Dynamic Type support across all text sizes. VoiceOver-compatible throughout. Passes WCAG AA contrast ratios in all 15 themes. Respects system Reduce Motion settings.

JWT Authentication

Log in with your PostfixAdmin (mailbox) credentials. Access tokens expire quickly; secure refresh tokens last longer and live only on your server. No credentials are ever cached or transmitted in plaintext.

Flexible Server Config

Point the app at any PostfixMe API endpoint such as your home lab, a VPS, or inside a corporate VPN. No app update required when you change servers. HTTPS required in production.

Zero Telemetry

No analytics. No crash reporters phoning home. No ad SDKs. No third-party frameworks. The app talks to exactly one server: the one you configure. That's the entire network footprint.

15 hand-crafted themes

From minimal monochrome to vibrant palettes, there's a theme for your mood; all accessible, all tested.

Aliases are your
best anti-spam tool.

Spam filters let spam reach you, then react to it. Aliases prevent delivery entirely. Here's the three-step playbook:

01
Create a unique alias per contact
Give every company, service, or subscription its own throwaway forwarding address that you set up as a new alias, just for them. Your real mailbox address never leaves your server.
[email protected][email protected]
02
Spam arrives? You know exactly who leaked it.
Spam in [email protected]? That vendor sold or leaked your address. No guessing. No circumstantial evidence. Irrefutable.
03
One tap. Alias gone. Spammer blocked forever.
Disable or delete the alias from your iPhone or iPad. The sender can no longer reach your server at all; they lose.
Spam Filters
  • Spam still arrives; it's just sorted to another folder
  • Legitimate mail gets caught in the crossfire
  • No insight into who is sharing or selling your address
  • Spammer keeps sending; you keep filtering
  • Reactive: always cleaning up after the fact
Aliases + PostfixMe
  • See spam? Kill the compromised alias. No more spam.
  • One tap permanently silences all mail to the compromised alias
  • Know exactly which contact leaked your address
  • Proactive: prevent delivery, don't just sort it
  • Real mail flows to your inbox untouched

One alias per contact

Create a dedicated alias for each service, shop, or person. Your real address stays completely hidden from the wider Internet.

Pinpoint the leak

Spam lands in [email protected]? You know exactly which vendor sold or leaked your address. No guessing, no circumstantial evidence.

Kill it in seconds

Disable or delete the compromised alias from your phone the moment spam appears. The sender is silenced immediately everywhere, with one tap.

Primary address stays clean

Your real mailbox address never appears anywhere on the public Internet provided you never share it with anyone, ever. It's your permanent backstage pass. Never expose it, never need to change it, never lose it to a vendor data breach.

Many recipients, one alias

Each alias can forward to multiple inboxes on the same domain, which is handy for shared department addresses, household aliases, or small team routing. Adjust recipients at any time.

Your infrastructure, your data

Throwaway addressing at scale with none of the third-party services, subscriptions, or privacy trade-offs. Your aliases live on your server and nowhere else.

Security that holds up
under scrutiny.

PostfixMe is built by a systems administrator for systems administrators with open source code you can review yourself. Every security decision has a rationale you can audit.

Token algorithm: RS256 (2048-bit RSA, asymmetric). Private key signs; public key verifies. Protect your private key, share your public key. Keys are generated by you and stored as Docker secrets. Rotate your keys at any time.
Access token TTL: 15 minutes (configurable). Short-lived access tokens limit blast radius of interception. Automatic refresh is handled transparently by the iOS app.
Refresh token model: Opaque tokens, server-side rotation. Refresh tokens are stored in your database with JTI revocation. Logout explicitly invalidates all tokens for the session. No silent persistence.
TLS enforcement: Required in production (configurable header). The API rejects non-TLS requests by reading a trusted proxy header (X-Forwarded-Proto). CIDR-based proxy validation prevents header spoofing.
Rate limiting: 5 attempts / 5 min window (configurable). Per-IP rate limiting on auth endpoints. Exceeding the threshold triggers a configurable lockout; default 10 cumulative failures locks for 30 minutes.
Audit logging: Full auth attempt trail, 90-day retention. Every authentication event is logged: success, failure, IP, timestamp. Summarized daily and optionally archived. Maintenance scripts included.
Data access scope: Users see only their own aliases. The API enforces ownership at the database query level, not just at the controller. A user cannot read, modify, or delete another mailbox's aliases.
iOS credential storage: iOS Keychain exclusively. Server URL and all tokens are stored in the iOS Keychain with whenUnlockedThisDeviceOnly protection. No iCloud sync. No plaintext fallback.
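
The TLS enforcement entry above trusts X-Forwarded-Proto only when the request's peer address falls inside a configured proxy CIDR. The following is an added illustration of that check in Python, not the PostfixMe API's own PHP code; the CIDR list, function names, and sample addresses are assumptions constructed for this example.

```python
import ipaddress

# Constructed deployment values: the reverse proxy sits on a Docker bridge
# network or on loopback. Replace with your own proxy addresses.
TRUSTED_PROXY_CIDRS = ["172.18.0.0/16", "127.0.0.1/32", "::1/128"]


def peer_is_trusted_proxy(remote_addr, cidrs=TRUSTED_PROXY_CIDRS):
    """True only if the TCP peer address lies inside a trusted proxy CIDR."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # an unparsable peer address is never trusted
    # Map ::ffff:a.b.c.d to a.b.c.d so dual-stack sockets match IPv4 CIDRs.
    if peer.version == 6 and peer.ipv4_mapped is not None:
        peer = peer.ipv4_mapped
    nets = (ipaddress.ip_network(c, strict=False) for c in cidrs)
    return any(peer.version == n.version and peer in n for n in nets)


def request_is_tls(remote_addr, headers, cidrs=TRUSTED_PROXY_CIDRS):
    """Decide whether the client hop used TLS, for a proxied request.

    headers: dict of request headers with lower-cased names.
    """
    if not peer_is_trusted_proxy(remote_addr, cidrs):
        # Anyone can send X-Forwarded-Proto; from an untrusted peer it is noise.
        return False
    values = headers.get("x-forwarded-proto", "").split(",")
    # Require every hop to report https, so a client-supplied "https" that a
    # proxy appended "http" to is still rejected.
    return all(v.strip().lower() == "https" for v in values)


def demo():
    """Constructed requests: (peer address, headers) -> TLS decision."""
    cases = [
        ("172.18.0.5", {"x-forwarded-proto": "https"}),         # via proxy, TLS
        ("172.18.0.5", {"x-forwarded-proto": "http"}),          # via proxy, plain
        ("203.0.113.9", {"x-forwarded-proto": "https"}),        # spoofed header
        ("::ffff:172.18.0.5", {"x-forwarded-proto": "HTTPS"}),  # mapped IPv6 peer
        ("172.18.0.5", {"x-forwarded-proto": "https, http"}),   # mixed chain
        ("172.18.0.5", {}),                                     # header missing
    ]
    return [request_is_tls(addr, hdrs) for addr, hdrs in cases]


if __name__ == "__main__":
    print(demo())
```

The third case is the one the CIDR check exists for: the header says https, but the peer is not a configured proxy, so the claim is ignored.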
Auth flow
  • PostfixMe iOS App: Sends credentials over TLS → POST /api/v1/auth/login
  • PostfixMe API: Validates via PostfixAdmin DB → RS256-signed JWT pair
  • App receives tokens: Stored in iOS Keychain → Bearer: access_token (15 min)
  • Alias operations: GET, POST, PUT, DELETE /aliases → Auto-refresh on expiry
  • Logout: Server-side token revocation
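
The rate-limiting defaults listed above (5 attempts per 5-minute window, a 30-minute lock after 10 cumulative failures) interact at the login step of this flow. The following is an added model of that interaction in Python, not the PostfixMe API's own code. It assumes the lock is keyed by client IP, that a successful login resets the failure count, and that rejected attempts are not counted; the page does not specify these, and the sample IP and timings are constructed.

```python
from collections import defaultdict, deque

# Defaults quoted on this page; all are described there as configurable.
WINDOW_SECONDS = 5 * 60     # 5-minute window
MAX_ATTEMPTS = 5            # attempts allowed per window
LOCKOUT_FAILURES = 10       # cumulative failures before a lock
LOCKOUT_SECONDS = 30 * 60   # lock duration


class AuthThrottle:
    """In-memory model keyed by client IP (assumption: the lock is per IP too)."""

    def __init__(self):
        self.attempts = defaultdict(deque)  # ip -> times of allowed attempts
        self.failures = defaultdict(int)    # ip -> cumulative failed logins
        self.locked_until = {}              # ip -> time the lock ends

    def check(self, ip, now):
        """Run before verifying credentials; returns ok, rate_limited or locked."""
        if self.locked_until.get(ip, 0) > now:
            return "locked"
        recent = self.attempts[ip]
        while recent and recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()                # drop attempts outside the window
        if len(recent) >= MAX_ATTEMPTS:
            return "rate_limited"
        recent.append(now)
        return "ok"

    def record(self, ip, now, success):
        """Record the outcome of an attempt that check() allowed."""
        if success:
            self.failures.pop(ip, None)     # assumption: success resets the count
            return
        self.failures[ip] += 1
        if self.failures[ip] >= LOCKOUT_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            self.failures[ip] = 0


def replay_guessing(ip="198.51.100.7", step=10, duration=360):
    """Constructed scenario: one source fails a login every `step` seconds."""
    throttle, decisions = AuthThrottle(), []
    for now in range(0, duration, step):
        decision = throttle.check(ip, now)
        if decision == "ok":
            throttle.record(ip, now, success=False)
        decisions.append(decision)
    return throttle, decisions
```

In the replayed scenario only ten guesses are ever checked against the password database: five at the start, five more once the window slides at 300 seconds, and then the source is locked until 2140 seconds.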

We collect nothing,
because we receive nothing.

PostfixMe has no backend, no cloud service, no analytics endpoint, and no developer server that your app ever contacts. Privacy isn't a setting you enable; it's the entire architecture.

No analytics

No Mixpanel, Amplitude, Firebase, or any other analytics service. Usage data is yours alone.

No location

The app never requests location permissions. There is no use case for your GPS coordinates.

No contacts

Your address book is never accessed. The app only sees email aliases you explicitly manage.

No device IDs

No IDFA, IDFV, or device fingerprinting. Your device is anonymous even to the app itself.

What is stored on-device: your server URL, your JWT tokens (Keychain), and your theme + biometric preference (UserDefaults). Nothing else. None of it ever leaves your device to us.


The API you deploy.
The source you can read.

PostfixMe doesn't require you to trust a closed-source backend. The entire server component is open source under GPL-2.0-or-later, with no obfuscation and no telemetry hooks to remove.

It's a clean PHP 8.1+ REST API that adds a layered authentication and alias-management endpoint on top of your existing PostfixAdmin database without modifying any PostfixAdmin tables or source code.

Container-first design
PHP 8.1+ with no framework overhead
MySQL / MariaDB, PostgreSQL, or SQLite
Docker Compose quickstart included
Zero external runtime dependencies
Additive schema; PostfixAdmin tables are left untouched
JWT keys you generate, you own, you rotate
Comprehensive PHPUnit test suite
Apache, nginx, or any reverse proxy
Quick Start
# Clone with submodules
git clone --recursive \
  https://github.com/wwkimball/postfixadmin-postfixme-api.git

# Generate sample secrets
cd postfixadmin-postfixme-api
./docker/scripts/generate-sample-secrets.sh

# Start the development stack
./build.sh --start

# Test authentication
curl -s -X POST \
  http://localhost:8080/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"[email protected]",
     "password":"testpass123"}' | jq

# Response
{
  "access_token":  "eyJ...",
  "refresh_token": "abc123",
  "token_type":    "Bearer",
  "expires_in":    900
}

Clean, versioned endpoints.

All endpoints return structured JSON. Auth errors include code, message, and details fields.

GET /api/v1/health Service health check
POST /api/v1/auth/login Authenticate, get token pair
POST /api/v1/auth/logout Revoke current session
POST /api/v1/auth/refresh Rotate refresh token
GET /api/v1/auth/password-policy Retrieve password rules
POST /api/v1/auth/change-password Update mailbox password
GET /api/v1/destinations List valid forward targets
GET /api/v1/aliases List aliases (paged, searchable)
POST /api/v1/aliases Create new alias
PUT /api/v1/aliases/{id} Update alias
DELETE /api/v1/aliases/{id} Delete alias (must first be inactive)

Three components.
All under your control.

PostfixMe has no cloud subscription, no vendor lock-in. If you already run a self-hosted mail server, you already have the hard part out of the way.

You are strongly encouraged to run PostfixAdmin and PostfixMe API in a Docker Compose stack to isolate them from your main mail server and vastly simplify deployment and updates. An example for doing this is provided with the PostfixMe API source.

01

An iPhone or iPad

The PostfixMe app runs on any Apple device meeting the system requirements.

  • iOS 18.0 or later
  • Any iPhone or iPad
  • Available on the App Store
02

A Postfix Mail Server

Your own Postfix-based mail server, already running and serving real email.

  • Postfix MTA (any recent version)
  • PostfixAdmin installed and configured
  • MySQL/MariaDB, PostgreSQL, or SQLite (for PostfixAdmin and PostfixMe API)
  • A reverse proxy with TLS (Apache, nginx, Caddy, Traefik, etc.)
03

The PostfixMe API

The open source PHP extension that adds the mobile API layer to your existing PostfixAdmin database.

  • PHP 8.1+ with PDO and OpenSSL
  • Docker Compose quickstart included
  • RSA key pair you generate yourself
  • Reachable by HTTPS from your iPhone
  • Source: GitHub ↗

Your peace of mind is waiting.

Deploy the API (or have your mail administrator do so), install the app, and manage your aliases and mailbox password from anywhere.

Free and open source.
No subscription. No vendor lock-in. No server you don't control. No mysterious third-party services. Just you, your private mail server, and your phone.