Step-by-Step Guide to Self-Hosting a Company Email Server on Proxmox VE with Cloudflare Zero Trust Tunnel
This tutorial combines our detailed discussion on DNS records, self-hosted email servers, resource planning, Proxmox deployment, and Cloudflare Zero Trust tunnel configuration to build a professional email service for ~300 users.
1. Understand Domain Name Records Relevant for Email Services
Before setting up your email server, ensure your domain DNS is properly configured with these essential records:
- A and AAAA Records: Point your domain/subdomains to IP addresses.
- MX Records: Specify mail servers responsible for email delivery.
- TXT Records: Include SPF, DKIM, and DMARC policies for email authentication.
- CNAME Records: Configure aliases if needed.
- NS Records: Define authoritative name servers.
2. Choose the Right Email Server Software
For company use (~300 emails), these are recommended:
| Software | Features | Best Use Case |
|---|---|---|
| Mailcow | Dockerized, full suite, UI | Enterprise-grade, multi-domain |
| iRedMail | Stable, bare-metal/Linux install | Simpler setup, less resource heavy |
| Mailu | Lightweight Docker stack | Resource-conscious deployments |
| Maddy | Minimal, Go-based, very light | Small servers, minimal overhead |
| Mail-in-a-Box | Automated full setup | Beginners, minimal Linux skill |
3. Plan Resource Allocation for 300 Users
| Resource | Minimum | Recommended | Notes |
|---|---|---|---|
| CPU | 2 vCPUs | 4–6 vCPUs | Mail servers handle multiple processes |
| RAM | 4 GB | 8 GB | Spam filters & IMAP sessions require memory |
| Storage | 300 GB SSD | 500 GB SSD or NVMe | Fast disk I/O improves email access |
| Network | 100 Mbps | 1 Gbps preferred | For smooth inbound/outbound mail flow |
4. Deploying Your Mail Server on Proxmox VE
4.1 Create Virtual Machines or LXC Containers
- Mail Server VM: 6 vCPUs, 8GB RAM, 500GB SSD (running Mailcow or iRedMail)
- Mail Gateway VM: 2 vCPUs, 4GB RAM, 40GB SSD (optional, for Proxmox Mail Gateway)
4.2 Install Mail Server Software
Mailcow Installation (Recommended Docker Setup):
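```bash
# Install Git, Docker and Docker Compose
apt update && apt install -y git docker.io docker-compose
# The commands below use Compose v2 syntax ("docker compose");
# confirm that "docker compose version" works before continuing.
# Clone Mailcow and generate config
git clone https://github.com/mailcow/mailcow-dockerized
cd mailcow-dockerized
./generate_config.sh
# Pull the images and start the stack in the background
docker compose pull && docker compose up -d
```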
Access the admin panel at https://mail.example.com
iRedMail Installation (LXC or VM):
```bash
# Download and extract
wget https://github.com/iredmail/iRedMail/archive/tags/1.6.2.tar.gz
tar zxvf 1.6.2.tar.gz
cd iRedMail-1.6.2
bash iRedMail.sh
```
Choose required options during setup.
4.3 Configure DNS Records
- Set MX records to point to your mail server domain.
- Add SPF, DKIM, and DMARC TXT records.
- Configure A/CNAME records for mail-related subdomains.
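Once the TXT records from this step are published, their values can be linted for the settings that most often leave a domain spoofable. The script below is an added example, not part of the original guide or of any mail server project; the function names `lint_spf`, `lint_dmarc` and `check_domain` are hypothetical, and it covers SPF and DMARC only, not DKIM.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): lint SPF and DMARC TXT values.
# Return codes: 0 = acceptable, 1 = weak policy, 2 = not a valid record.

lint_spf() {  # $1 = TXT value published at the domain itself
  local rec="$1"
  case "$rec" in
    "v=spf1"|"v=spf1 "*) ;;
    *) echo "spf: record does not start with v=spf1"; return 2 ;;
  esac
  case " $rec " in
    *" +all "*|*" all "*) echo "spf: +all authorises every sender"; return 1 ;;
    *" ?all "*) echo "spf: ?all is neutral and gives receivers no verdict"; return 1 ;;
    *" -all "*|*" ~all "*|*" redirect="*) return 0 ;;
    *) echo "spf: no terminating all mechanism or redirect"; return 1 ;;
  esac
}

lint_dmarc() {  # $1 = TXT value published at _dmarc.<domain>
  local rec="$1" policy
  case "$rec" in
    "v=DMARC1;"*|"v=DMARC1 ;"*) ;;
    *) echo "dmarc: record does not start with v=DMARC1"; return 2 ;;
  esac
  case "$rec" in
    *rua=*) ;;
    *) echo "dmarc: note: no rua= address, so no aggregate reports" ;;
  esac
  # Tags are ';'-separated; pick the p= tag (not sp= or pct=).
  policy=$(printf '%s' "$rec" | tr ';' '\n' |
    sed -n 's/^[[:space:]]*p[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' | head -n1)
  case "$policy" in
    reject|quarantine) return 0 ;;
    none) echo "dmarc: p=none asks receivers to take no action on failing mail"; return 1 ;;
    *) echo "dmarc: missing or invalid p= tag"; return 1 ;;
  esac
}

check_domain() {  # $1 = domain to query live; needs dig
  local d="$1" txt n rc=0
  echo "MX: $(dig +short MX "$d" | tr '\n' ' ')"
  txt=$(dig +short TXT "$d" | tr -d '"')
  n=$(printf '%s\n' "$txt" | grep -c '^v=spf1' || true)
  [ "$n" -le 1 ] || { echo "spf: $n SPF records published, receivers treat this as an error"; rc=1; }
  lint_spf "$(printf '%s\n' "$txt" | grep '^v=spf1' | head -n1)" || rc=1
  lint_dmarc "$(dig +short TXT "_dmarc.$d" | tr -d '"' | head -n1)" || rc=1
  return $rc
}
```

Source the file and run `check_domain example.com` (a placeholder domain) against the live zone, or pass a record value straight to `lint_spf` or `lint_dmarc` before publishing it.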
5. Using Proxmox Mail Gateway (PMG) for Spam Filtering (Optional but Recommended)
- Install PMG as a separate VM.
- Configure PMG to relay mail to your Mailcow/iRedMail server.
- Set your MX records in DNS to point to PMG.
6. Integrate Cloudflare Zero Trust Tunnel for Secure External Access
6.1 Create Tunnel
- In the Cloudflare Zero Trust dashboard, create a new tunnel.
- Download configuration/token.
6.2 Install cloudflared
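```bash
# Download and install the latest cloudflared package
curl -L -o cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared.deb
# Register the tunnel as a system service (needs root); use the token from step 6.1
sudo cloudflared service install <your-token>
```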
6.3 Map Subdomains and Ports
- In the Zero Trust dashboard, add hostnames such as `mail.example.com` and map them to your mail server IP and ports.
- Use HTTPS for webmail/admin interface.
- Use TCP tunneling for SMTP (25, 465, 587), IMAP (143, 993).
6.4 DNS Settings in Cloudflare
- Use DNS-only (grey cloud) for mail protocol ports.
- Use Proxy (orange cloud) for web interfaces.
6.5 Secure Access
- Apply Zero Trust access policies requiring authentication to admin panels.
- Restrict inbound access to tunnel IP only.
7. Firewall and Network
- Block all direct public access to mail ports except from Cloudflare tunnel.
- Open firewall ports on VMs for Cloudflare's IP ranges.
- Use static IPs and bridge networking in Proxmox.
8. Backup, Monitoring, and Maintenance
- Schedule daily backups + snapshots of mail storage and VMs.
- Monitor Cloudflare tunnel service and logs.
- Regularly update mail server software and cloudflared.
- Monitor spam statistics and user mailbox quotas.
Summary
By following these steps, you build a robust, efficient, and secure self-hosted email solution on Proxmox VE, leveraging Cloudflare Zero Trust tunnel for external access and strong identity control. This setup balances performance, security, and manageability, tailored to a company with 300+ emails.