A year of mox
A lot has happened for mox in the past year. And despite good intentions, I haven’t written a blog posts about any of it!
Wait, what is mox?
A modern, secure, all-in-one mail server. The goal is to make it easy to run your own mail server. So you can stay in control of your data, and help keep email decentralized.
Mox implements the essential protocols for accessing/sending/receiving email, such as IMAP4/SMTP/SPF/DKIM/DMARC/MTA-STS/DANE, takes care of junk filtering, implements Internationalization, ACME for automatic TLS certificate management, comes with a webmail client, and more.
The new mox website, https://www.xmox.nl/ has a video where I use the quickstart command to set up mox on a new machine for a new domain in 5 minutes. And that includes configuring the initial account in Thunderbird, and sending and receiving messages, also with the webmail client.
So what happened in the past year?
First a brief history of mox: prototyping had started at the end of 2021, a spare time effort. In mid 2022 I switched to full-time work on mox, to get the first release out. That happened with v0.0.1 in February 2023, just after I started using it for my own mail. I continued working nearly full-time on mox since then.
So what happened in the past year? Quite a lot! After 9 releases we are now at v0.0.9. Each release came with several new features, some big. A selection:
- v0.0.1 on Feb 17: First release, already with most of the functionality mentioned above.
- v0.0.2 on Mar 6: Configurable webserver, for static files, redirects and reverse proxying (a future post will explain why).
- v0.0.3 on Apr 22: Rate limiting, catchall addresses, and “mox localserve” which is a trimmed down mox for local testing.
- v0.0.4 on Jun 4: Commands for making and verifying consistent backups.
- v0.0.5 on Jul 3: scram-sha-* and cram-md5 authentication mechanisms. Configurable “routing” for outgoing email (e.g. for sending through 3rd party SMTP service).
- v0.0.6 on Aug 16: Webmail client. IMAP extensions CONDSTORE and QRESYNC.
- v0.0.7 on Sept 24: Message threading, in storage and webmail client. Process DMARC/TLS reports for external domains.
- v0.0.8 on Nov 22: DNSSEC-awareness, DANE, SMTP requiretls extension, outgoing DMARC & TLS reports.
- v0.0.9 on Jan 9: Quota for accounts, scram-sha-*-plus authentication mechanisms with TLS channel binding, ACME improvements (external account binding, CAA records with ACME account ID), make Go packages reusable with https://tools.xmox.nl as demo.
Each release also came with smaller features, many improvements and bug fixes. The full changelog history is at https://updates.xmox.nl/changelog. For a few bugs, some users have had to run mox commands to fix up some data structures. Not great, but not disastrous either. I don’t remember making any backwards incompatible changes.
Organizational
I try to spend most of my mox-time on development: Implementing new functionality, fixing bugs, writing documentation. But some non-programming activities have been useful/interesting too:
Website
Mox now has a separate project website, https://www.xmox.nl. For the past year, the repository README at https://github.com/mjl-/mox was responsible for explaining the project. It saved me the time of making and maintaining a website. I think that worked out as intended. But github’s long file/directory listings aren’t that welcoming to first-time visitors. The website now also has generated content that is “richer” than markdown, and that I don’t want to commit to the repository. For example, the annotated configuration files that allows linking to individual config fields at https://www.xmox.nl/config/. Or the protocol support page, https://www.xmox.nl/protocols/. I intend to keep the website basic and low-effort so most time can still be spent on the software itself.
Funding
Around March 2023 I applied to NLnet’s NGI0 Entrust (https://nlnet.nl/thema/NGI0Entrust.html) for funding, so I could keep developing mox. That worked out well: The NLnet application process is very light-weight and didn’t take much of my time. The application went through several review rounds before being approved, with the maximum project budget of €50k reserved for continued development for a year, from Augustus 2023 onwards! This lets me continue development on mox practically full-time (I have a few other obligations).
Tip: If you’re in need of funding for a software project related to core internet protocols, take a look at NLnet’s current funds, https://nlnet.nl/.
Email at FOSDEM 2024
FOSDEM is a yearly conference in Brussels for and by free/open source software developers, with many community-organized tracks called devrooms. See https://fosdem.org/. I’ve attended FOSDEM quite a few times, but this year will be special: We’ll have a full-day “Modern Email” devroom, on Sunday February 4th 2024: https://fosdem.org/2024/schedule/track/modern-email/. FOSDEM hasn’t had an email devroom for a long time, which is somewhat surprising given the importance of email in our digital lives. The large number of submissions for talks make it clear a lot is going on in the open source email community, and it’s great to see so many developers taking part in the devroom, the schedule is fully packed! I’ll do a short talk on mox. If you’re an email software developer/enthousiast and want to discuss email during FOSDEM, keep an eye on the original call for participation at https://github.com/modern-email/FOSDEM-24 to coordinate meeting up on Saturday.
Special thanks to the FOSDEM organization and volunteers for facilitating and building the FOSS community, invaluable!
What’s next?
My main priority is to continue development on mox, focused time. Short term: various smaller improvements to SMTP delivery and to the webmail. Followed by a simple HTTP-based mechanism for delivery feedback and sending email. Then calendaring with CalDAV. And there is much more on the roadmap.
I plan to write more blog posts about email-related topics, and about the approach to software development I’m using in mox. I’ve been gathering topics during the past year.
I also want to start thinking about longer-term plans for mox. Once the important features have been implemented, development may not have to continue at the same pace, at least not all the time. I want to keep time reserved for mox in the long run. Some form of sustainable funding could help.
There is the option of doing paid work related to mox, or to email in general. I have a few rules though. Since mox is about letting people run their own email infrastructure, I don’t want to provide email hosting services with mox. At most, I would help others run their own mail servers. But I’m aware that could lead to misaligned incentives. Mox must stay easy to use and maintain. I don’t want mox to create a situation where anyone needs help running their own mox instance. I also want mox to stay fully open source. No “open core” variants. I would rather continue development at a slower pace if that’s what it takes. If you have ideas/suggestions/experience, I’m interested in them.
Feedback has been very helpful this past year. People with specific experience with email have pointed me in the right direction. Bugs have been reported, often with enough detail to reproduce the issue. Changes have been contributed, mostly fixes and small features. Thanks to all, I hope you’ll keep it coming and keep spreading the word!
On to the second year of mox!