// the find
forwardemail/forwardemail.net
Privacy-focused encrypted email for everyone. All-in-one alternative to Gmail + Mailchimp + Sendgrid.
The actual production codebase behind ForwardEmail.net — IMAP, POP3, SMTP, CalDAV, CardDAV, a web UI, an API, and background jobs, all in one JavaScript monorepo. Each user's mail is stored in an individually encrypted SQLite database so the operator never holds plaintext. For developers who want to self-host email with real privacy guarantees rather than just moving trust from Google to a smaller provider.
Per-user encrypted SQLite is the real architectural bet here: ChaCha20/AES-256 per mailbox means a database dump leaks nothing without the user's passphrase — most 'privacy-focused' email services stop at transport encryption. The ops coverage is unusually complete for an open-source project: Ansible playbooks handle full provisioning, LUKS disk encryption with auto-mount, NVMe bonding, rsync storage mirroring, and bare-metal NUMA tuning. Domain Connect integration and RFC 6186/6764 autodiscovery means users can configure Thunderbird or Apple Mail without touching SRV records by hand — that UX detail matters for adoption. The service scope is genuinely full-stack: this isn't a relay wrapper, it implements actual IMAP and SMTP servers, CalDAV/CardDAV, and a Sieve filter engine.
The README pins Node v18.20.4, which hit EOL in April 2025 — over a year ago at this point. Running a publicly exposed mail server on an EOL runtime is a real operational risk, not just a hygiene complaint. The deployment guide is 30+ steps involving MongoDB, Redis, SQLite, PM2, Ansible, DKIM key generation, and manual certificate management; the blast radius of misconfiguring any one layer (SPF, DKIM, DMARC, TLS) is deliverability going to zero, and there's no smoke-test harness to catch it before go-live. The license is BUSL 1.1 for most of the codebase — OSI doesn't recognize it, you can't build a competing service on it, and the 'open source after the change date' clause is a promise from a company, not a right. With ten separate services (web, api, bree, smtp, mx1, mx2, imap, pop3, sqlite, caldav/carddav), the integration test story is opaque from the outside — the CI badge is green but it's unclear what surface area it actually covers.