{"id":309,"date":"2026-05-04T16:17:26","date_gmt":"2026-05-04T06:17:26","guid":{"rendered":"https:\/\/klaverstyn.com.au\/david\/blog\/?p=309"},"modified":"2026-05-11T10:21:14","modified_gmt":"2026-05-11T00:21:14","slug":"what-is-mx-admin","status":"publish","type":"post","link":"https:\/\/klaverstyn.com.au\/david\/blog\/2026\/05\/what-is-mx-admin\/","title":{"rendered":"Introducing MX Admin"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">A Modern Web Interface for iRedMail<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">MX Admin is a self-hosted PHP web application that sits on top of an iRedMail installation and gives you a fast, modern interface for managing everything the mail server handles \u2014 domains, mailboxes, forwarding rules, aliases, groups, and more. It talks directly to iRedMail&#8217;s MariaDB database, so there&#8217;s no middleware, no API layer, and nothing extra to maintain.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>What Can It Do?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Mailbox management<\/strong>&nbsp;\u2014 create, edit, suspend, activate, and bulk-delete user mailboxes with quota tracking and per-user aliases<\/li>\n\n\n\n<li><strong>Domain management<\/strong>&nbsp;\u2014 add and configure primary domains, alias domains, and backup MX entries<\/li>\n\n\n\n<li><strong>Mail routing<\/strong>&nbsp;\u2014 manage forwarding rules, aliases, catch-all addresses, and distribution groups<\/li>\n\n\n\n<li><strong>Mail queue<\/strong>&nbsp;\u2014 view the live Postfix delivery queue<\/li>\n\n\n\n<li><strong>Admin management<\/strong>&nbsp;\u2014 promote mailbox users to domain or global administrators<\/li>\n\n\n\n<li><strong>Two-factor authentication<\/strong>&nbsp;\u2014 TOTP-based 2FA for admin accounts with backup codes<\/li>\n\n\n\n<li><strong>Audit log<\/strong>&nbsp;\u2014 every admin action is logged with timestamp, IP address, and detail<\/li>\n\n\n\n<li><strong>Login protection<\/strong>&nbsp;\u2014 
automatic IP blocking after repeated failed login or 2FA attempts, with a management page to view and unblock IPs<\/li>\n\n\n\n<li><strong>Dashboard<\/strong>&nbsp;\u2014 storage usage, quota warnings, recent activity, and admin login history<\/li>\n\n\n\n<li><strong>Retention queue<\/strong>&nbsp;\u2014 deleted mailboxes are held for a configurable period before permanent removal, with the ability to restore them<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Security First<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Security was a core design goal, not an afterthought. MX Admin ships with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A strict Content Security Policy with no&nbsp;unsafe-inline&nbsp;script execution<\/li>\n\n\n\n<li>CSRF protection on every state-changing action<\/li>\n\n\n\n<li>Hardened session cookies (secure, httponly, SameSite)<\/li>\n\n\n\n<li>bcrypt password hashing<\/li>\n\n\n\n<li>Automatic IP blocking triggered by both IP-based and username-based brute-force patterns<\/li>\n\n\n\n<li>A configurable attempt threshold (LOGIN_BLOCK_ATTEMPTS) before an IP is permanently blocked<\/li>\n\n\n\n<li>Full audit logging of every admin action including the real client IP (reverse proxy aware)<\/li>\n\n\n\n<li>All application code kept outside the web root, with nginx configured to execute only&nbsp;index.php<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">It&#8217;s designed to be safely exposed to the public internet, though pairing it with 2FA on all admin accounts and fail2ban on your nginx logs is strongly recommended.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Built On<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>PHP 8.x<\/strong>&nbsp;with PDO and prepared statements throughout<\/li>\n\n\n\n<li><strong>MariaDB<\/strong>&nbsp;(iRedMail&#8217;s existing&nbsp;vmail&nbsp;database)<\/li>\n\n\n\n<li><strong>Nginx<\/strong>&nbsp;with a hardened configuration<\/li>\n\n\n\n<li>No JavaScript 
frameworks \u2014 vanilla JS with event delegation and a strict CSP<\/li>\n\n\n\n<li>No Composer dependencies except one QR code library for local 2FA setup<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Get Started<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Full installation instructions \u2014 including database setup, nginx configuration, and deployment steps \u2014 are available on the wiki:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><a href=\"https:\/\/klaverstyn.com.au\/david\/wiki\/index.php?title=MX_Admin\" target=\"_blank\" rel=\"noreferrer noopener\">MX Admin Installation Guide<\/a><\/strong><\/p>\n\n\n\n<h2 
class=\"wp-block-heading\">Changelog<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">MX Admin is actively developed. You can follow releases and see what&#8217;s changed at:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><a href=\"https:\/\/klaverstyn.com.au\/david\/downloads\/mxa-changelog.html\" target=\"_blank\" rel=\"noreferrer noopener\">MX Admin Changelog<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A Modern Web Interface for iRedMail MX Admin is a self-hosted PHP web application that sits on top of an iRedMail installation and gives you a fast, modern interface for managing everything the mail server handles \u2014 domains, mailboxes, forwarding &hellip; <a href=\"https:\/\/klaverstyn.com.au\/david\/blog\/2026\/05\/what-is-mx-admin\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":38,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":["post-309","post","type-post","status-publish","format-standard","hentry","category-product"],"_links":{"self":[{"href":"https:\/\/klaverstyn.com.au\/david\/blog\/wp-json\/wp\/v2\/posts\/309","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/klaverstyn.com.au\/david\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/klaverstyn.com.au\/david\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/klaverstyn.com.au\/david\/blog\/wp-json\/wp\/v2\/users\/38"}],"replies":[{"embeddable":true,"href":"https:\/\/klaverstyn.com.au\/david\/blog\/wp-json\/wp\/v2\/comments?post=309"}],"version-history":[{"count":2,"href":"https:\/\/klaverstyn.com.au\/david\/blog\/wp-json\/wp\/v2\/posts\/309\/revisions"}],"predecessor-version":[{"id":312,"href":"https:\/\/klaverstyn.com.au\/david\/blog\/wp-json\/wp\/v2\/posts\/309\/revisions\/312"}],"wp:attachment":[{"href":"https:\/\/klaverstyn.com
.au\/david\/blog\/wp-json\/wp\/v2\/media?parent=309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/klaverstyn.com.au\/david\/blog\/wp-json\/wp\/v2\/categories?post=309"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/klaverstyn.com.au\/david\/blog\/wp-json\/wp\/v2\/tags?post=309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}