Wild Duck Mail

What is this?

WildDuck is an open source email server software and this webpage runs on the default webmail software for WildDuck.

Source for the mail server Source for the Webmail Create demo account

To test it out create a new account here. This would give you an actual working email address. Next you could try turning on two factor authentication or logging into IMAP with an application specific password.

This entire webservice is just a front-end to WildDuck API. The web application does not make any database connections, everything is handled by using REST API calls against the API.


1. OSX Profile demo

The following video demonstrates:

  • Creating a new account and logging in
  • Generating a new Application Specific Password
  • Exporting the password as OSX Mobileconfig file to set up OSX/iOS mail applications
  • Inserting messages to the INBOX of new users

2. PGP encryption demo

The following video demonstrates:

  • Sending and receiving a cleartext message
  • Setting up PGP encryption for cleartext messages
  • Receiving a cleartext message that the server encrypts before storing it to the mail store

3. Sending to the onion network

The following video demonstrates:

  • Composing a normal email message and addressing it to an onion email address
  • Sending the message
  • Receiving the message sent from WildDuck Mail Server to an onion email service


  • Generated email address is a real address and can be used with any mail client. IMAP is handled by WildDuck, MX messages are received by Haraka and outgoing messages are delivered by ZoneMTA.
  • All data is stored in a sharded MongoDB database. If there is not enough space then adding a new shard should fix that
  • Mail daemon processes avoid touching the filesystem (WildDuck and ZoneMTA do not touch file system after startup, Haraka writes and reads messages from a queue and spool folder) and do not execute any shell commands. Daemon processes run as unprivileged users. All compiled node dependencies are optional and can be removed to avoid potential buffer overflows and such.
  • Messages sent through SMTP are automatically copied to the Sent Mail folder. This mostly affects POP3 users as IMAP clients usually upload the message by themselves
  • When sending, non-authorized From: address in the message header is replaced. "From: User Name <otheruser@domain>" becomes "From: User Name <username@example.com>"
  • Dots in usernames and addresses are ignored. user.name@example.com is the same as username@example.com
  • Labels in incoming email addresses are ignored. user+label@example.com is the same as user@example.com
  • Moving messages to and out of the Junk Mail folder raises a junk status change event for that message. This is currently not used though
  • Enabling TOTP based 2FA disables account password for IMAP, POP3 and SMTP
  • Application Specific Password comes with automatically generated mobileconfig file for iOS/OSX mail applications
  • Incoming messages are checked against user defined filters. Matching messages can be marked as seen or flagged. Messages can be moved to specific mailbox folder. Messages tagged as spam are moved to Junk Mail folder.
  • Messages can be forwarded to another email address or uploaded to an URL account wide (all incoming messages are forwarded) or filter based (only messages matching specific filter are forwarded)
  • All authentication related events are logged and shown in the account security page. This behavior will change in the future as mail clients generate a lot of noise (re-authenticating after short period of time). Such logins should be joined somehow into single events.
  • This web service also makes use of the built-in GPG encryption feature of WildDuck where all cleartext messages are encrypted with user's public key before stored to disk. The encryption step is applied after filtering step so you could still filter messages by body text.
  • All new users get default emails generated and injected to INBOX as flagged messages.