A Modern Web Interface for iRedMail
MX Admin is a self-hosted PHP web application that sits on top of an iRedMail installation and gives you a fast, modern interface for managing everything the mail server handles — domains, mailboxes, forwarding rules, aliases, groups, and more. It talks directly to iRedMail’s MariaDB database, so there’s no middleware, no API layer, and nothing extra to maintain.
What Can It Do?
- Mailbox management — create, edit, suspend, activate, and bulk-delete user mailboxes with quota tracking and per-user aliases
- Domain management — add and configure primary domains, alias domains, and backup MX entries
- Mail routing — manage forwarding rules, aliases, catch-all addresses, and distribution groups
- Mail queue — view the live Postfix delivery queue
- Admin management — promote mailbox users to domain or global administrators
- Two-factor authentication — TOTP-based 2FA for admin accounts with backup codes
- Audit log — every admin action is logged with timestamp, IP address, and detail
- Login protection — automatic IP blocking after repeated failed login or 2FA attempts, with a management page to view and unblock IPs
- Dashboard — storage usage, quota warnings, recent activity, and admin login history
- Retention queue — deleted mailboxes are held for a configurable period before permanent removal, with the ability to restore them
Security First
Security was a core design goal, not an afterthought. MX Admin ships with:
- A strict Content Security Policy with no unsafe-inline script execution
- CSRF protection on every state-changing action
- Hardened session cookies (secure, httponly, SameSite)
- bcrypt password hashing
- Automatic IP blocking triggered by both IP-based and username-based brute-force patterns
- A configurable attempt threshold (LOGIN_BLOCK_ATTEMPTS) before an IP is permanently blocked
- Full audit logging of every admin action including the real client IP (reverse proxy aware)
- All application code kept outside the web root, with nginx configured to execute only index.php
It’s designed to be safely exposed to the public internet, though pairing it with 2FA on all admin accounts and fail2ban on your nginx logs is strongly recommended.
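The reverse-proxy-aware client IP and threshold-based blocking listed above can be sketched as follows; this is an added example written for this page, not MX Admin's own code. The trusted proxy list, the threshold value, the in-memory counters and the function names are assumptions, and counting failures per username is one interpretation of "username-based".

```php
<?php
declare(strict_types=1);

// Assumptions, not taken from MX Admin: proxy list, threshold value, in-memory counters.
const TRUSTED_PROXIES = ['127.0.0.1', '::1'];
const LOGIN_BLOCK_ATTEMPTS = 5; // setting name is from the page; the value is assumed

/** Resolve the client IP; X-Forwarded-For counts only when the peer is a trusted proxy. */
function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer; // direct connection: the header is client-controlled, ignore it
    }
    // Walk the chain right to left; the first hop that is not a trusted proxy is the client.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '')));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: fall back to the peer address
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $peer;
}

/** Count a failed login per IP and per username; true means this IP is now blocked. */
function recordFailure(array &$state, string $ip, string $username): bool
{
    $user = strtolower(trim($username));
    $byIp = $state['ip'][$ip] = ($state['ip'][$ip] ?? 0) + 1;
    $byUser = $state['user'][$user] = ($state['user'][$user] ?? 0) + 1;
    if ($byIp >= LOGIN_BLOCK_ATTEMPTS || $byUser >= LOGIN_BLOCK_ATTEMPTS) {
        $state['blocked'][$ip] = true;
        return true;
    }
    return false;
}

// Constructed requests: a forged header sent directly, and a forged leftmost entry via the proxy.
$direct = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'];
$proxied = ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 203.0.113.9'];
printf("direct=%s proxied=%s\n", clientIp($direct), clientIp($proxied));
$state = []; // a real deployment would persist these counters, for example in the database
for ($i = 1; $i <= LOGIN_BLOCK_ATTEMPTS; $i++) {
    $blocked = recordFailure($state, clientIp($proxied), 'postmaster@example.test');
    printf("attempt %d blocked=%s\n", $i, $blocked ? 'yes' : 'no');
}
```

Both constructed requests resolve to the address that actually connected (or the hop the proxy appended) rather than the forged entry, so a client cannot shift a block or an audit-log entry onto another address by sending its own X-Forwarded-For value.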
Built On
- PHP 8.x with PDO and prepared statements throughout
- MariaDB (iRedMail’s existing vmail database)
- Nginx with a hardened configuration
- No JavaScript frameworks — vanilla JS with event delegation and a strict CSP
- No Composer dependencies except one QR code library for local 2FA setup
Get Started
Full installation instructions — including database setup, nginx configuration, and deployment steps — are available on the wiki:
Changelog
MX Admin is actively developed. You can follow releases and see what’s changed at: