
Security at PostStack

Email infrastructure holds some of the most sensitive data your business owns: customer addresses, message contents, and authentication tokens. This page documents the controls PostStack uses to keep that data safe.

Encryption

  • In transit: All API and dashboard traffic is served over HTTPS with TLS 1.2 or higher. HSTS is enforced.
  • SMTP transit: Outbound mail to recipient servers uses opportunistic STARTTLS by default, which means a message falls back to plaintext if the receiving server does not offer TLS or the handshake fails. You can switch your domain to enforced TLS in the dashboard; with that setting, mail is never delivered in plaintext to a server that cannot negotiate TLS.
  • SMTP submission: Customer submission accepts only TLS from the start of the connection (implicit TLS, RFC 8314). Mailbox users connect on port 465 (Dovecot, implicit TLS); API key users connect on port 587 (also implicit TLS, terminated at the edge by nginx). Note that port 587 is commonly served with STARTTLS, so clients connecting there must be configured for implicit TLS (often labelled "SSL/TLS") rather than STARTTLS. Both ports allow TLS 1.2/1.3 only, with AEAD cipher suites only. Inbound delivery from other mail servers on port 25 supports STARTTLS opportunistically, per RFC 3207.
  • At rest: Customer data lives on the production host in Hetzner's Helsinki (hel1) data centre and is not encrypted at the filesystem level; physical security relies on Hetzner's data-centre controls. Daily PostgreSQL dumps are gzipped and retained on-host for seven days. Encrypting those dumps with GPG (AES-256) is opt-in via the BACKUP_ENCRYPTION_KEY setting and is off by default.

Authentication and authorization

  • User account (dashboard) passwords are hashed with Argon2id (memory-hard, resistant to GPU cracking).
  • Mailbox passwords are hashed with bcrypt for Dovecot compatibility.
  • Two-factor authentication via TOTP is available for every user; backup codes are hashed.
  • API keys are stored as cryptographic hashes — the plaintext key is shown once at creation and never persisted. Each key has a fixed sk_live_ / sk_test_ prefix that is validated before any database lookup.
  • Sessions and API requests are scoped to a single team. Cross-team data access is blocked at the service layer.

Infrastructure

  • All production infrastructure runs in Hetzner's Helsinki (hel1) data centre in Finland. No customer data leaves the EU.
  • Postfix, Dovecot, OpenDKIM, Redis, and PostgreSQL run in isolated containers behind a firewalled network. Only the API and SMTP submission ports are exposed to the internet.
  • Outbound SMTP traffic uses dedicated IP addresses (on Pro and higher plans) with documented warmup schedules. Each IP is monitored for blocklist status.
  • Database access is restricted to the application server. The database is not directly reachable from the internet.

Application security

  • All API requests are rate-limited via Redis (sliding window, scoped per team).
  • All SQL access goes through Drizzle ORM with parameterized queries — no hand-built SQL strings touch user input.
  • Webhook deliveries include an HMAC signature header so customers can verify the payload originated from PostStack.
  • Dependencies are monitored continuously for security advisories. Security-relevant CVEs are patched within 7 days for high severity and within 30 days for moderate severity.

Audit logging

Every administrative action — user creation, role change, API key creation, domain modification, billing change — is recorded in an append-only audit log scoped to your team. Audit log retention follows your plan's data retention policy.

Vulnerability disclosure

If you believe you have found a security vulnerability in PostStack, please report it privately to security@poststack.dev. We will acknowledge your report within 2 business days and keep you updated as we investigate.

Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to fix them. We do not currently run a paid bug bounty program, but we will publicly acknowledge your contribution (with your permission) once a fix is shipped.

Our security.txt file is published at /.well-known/security.txt per RFC 9116.

Scope

The following systems are in-scope for vulnerability research:

  • poststack.dev (landing, docs, dashboard)
  • api.poststack.dev (REST API + agent endpoints)
  • SMTP / IMAP / POP3 endpoints under poststack.dev
  • Open-source PostStack client packages (SDK, CLI, MCP server) at their published versions

The following are explicitly out of scope:

  • Denial-of-service (volumetric, slowloris, connection-exhaustion) — do not test
  • Social engineering of PostStack staff, customers, or third-party providers (Hetzner, Stripe, etc.)
  • Physical attacks on infrastructure
  • Findings that depend on outdated browsers, jailbroken devices, or compromised end-user systems
  • Reports generated solely by automated scanners with no proof of exploitability
  • Email spoofing or open-relay reports against domains you do not own (use a domain you control as the sender)
  • Third-party services we depend on but do not operate

Safe harbour

PostStack will not initiate legal action against, or support law enforcement action against, security researchers who:

  • Make a good-faith effort to comply with this policy and the scope above
  • Avoid privacy violations, destruction of data, and disruption of service to other users
  • Use only their own test accounts (free-tier registration is open) when exercising authenticated endpoints
  • Report findings privately to security@poststack.dev and do not publicly disclose before a fix is shipped or 90 days have passed, whichever comes first

If you are unsure whether a planned activity is in scope or compliant with this policy, contact us at security@poststack.dev before testing. We will respond within 2 business days.

Compliance

PostStack is operated by MICCI (Fyrretoften 31, 7100 Vejle, Denmark), a Danish company. We comply with the EU General Data Protection Regulation (GDPR). See our Privacy Policy and Data Processing Agreement for details on how customer data is processed.

ISO 27001 certification is on our roadmap and will be linked from this page once it is achieved.