SMTP Security Gateway

The only email gateway that clusters active-active without a master.

Name: NetCell MailGuard
Price: 29.00 EUR
Author: NetCell IT

Self-hosted. Open-source stack. GDPR by architecture. NetCell MailGuard places itself in front of your existing mail server via MX record — spam, phishing and malware are filtered locally on your servers. No cloud, no US third parties, no data export.

See pricing Architecture explained

curl -fsSL https://get.netcell-mailguard.de | sudo bash

Debian 12/13 · amd64 + arm64 · Single-node or cluster
Prerequisites: sudo and curl must be installed.

NetCell MailGuard admin dashboard — mail traffic, threat radar, Bayes & neural classifier statistics

Cloud dependencies — everything on your servers

∞

Cluster nodes — no quorum, no master/replica

Detection layers — from DNSBL to attachment sandbox

GDPR

by architecture — made in Germany, no data export

Made in Germany

GDPR by architecture — no compliance acrobatics required.

Cloud providers like Mimecast, Proofpoint and Hornetsecurity route every email through third-party infrastructure. For law firms, tax advisors, hospitals, public authorities and anyone under strict GDPR/BDSG supervision, that means a compliance nightmare with data-processing agreements, third-country transfers and standard contractual clauses. NetCell MailGuard runs on your server, in your data centre — the mail never leaves your infrastructure.

No data-processing agreement You are the processor — nothing goes to third parties. GDPR Art. 28 DPA is not required at all.

No third-country transfer All components stay in the EU/EEA — no Schrems II risk, no standard contractual clauses needed.

Complete audit log Every admin action, every quarantine release, every policy change with timestamp and actor — mandatory evidence for Art. 5 (1) f.

Vendor based in Germany NetCell IT, Leverkusen — German support, German contracts, no US Cloud Act access.

GDPR argument in detail →

Feature set

Eight features that set us apart.

Every vendor offers SPF/DKIM/DMARC. These eight points are our real differentiators.

Active-active without a master

Every cluster node is an equal peer — no failover, no promote, no quorum. Configuration and state are encrypted and synchronised across all nodes. Scales horizontally without limit.

GDPR by architecture

Self-hosted, no data export, no cloud provider between sender and recipient. No DPA, no third-country clauses. Law firms, tax advisors, public authorities and hospitals are the target audience.

Local attachment sandbox

Suspicious Office, PDF and archive attachments are detonated in an isolated sandbox on your server — not shipped to a cloud sandbox vendor. Operator-managed detection rules.

DACH-phishing detection

Patterns for German-speaking phishing waves: account-locked, tax refund, GEZ, Klarna, DHL parcel, Apple ID. English-trained cloud models often miss these.

End-user quarantine portal

Recipients receive a daily digest with single-click release. No admin involvement for false positives, no „can you release this mail" tickets. Token-based, secure.

White-label branding

Your logo, your product name, your digest subjects as a global cluster identity. Resellers sell MailGuard under their own brand — end customers don't see „NetCell MailGuard".

API-first with OpenAPI

Every UI function is also available via REST API. API keys with scope and rate limit, OpenAPI spec as a versioned contract, webhook hooks for quarantine and reputation events.

Per-domain policies

Quarantine threshold, detection policy, DKIM keys, DMARC reporting, mail filter lists, header rewrites — all configurable per domain. One operator team manages all domains from one UI.

All features in detail →

Attachment sandbox

Detonation on your server, not in someone else's cloud.

Suspicious Office documents, PDFs and archives are executed in an isolated YARA sandbox on your server — we observe their behaviour rather than just matching signatures. Cloud vendors like Mimecast, Proofpoint and Hornetsecurity upload every attachment to their own infrastructure; here the file never leaves your data centre.

Behaviour detection Auto-execute macros, PowerShell invocations, embedded executables in PDFs, JavaScript heap-spray — observed inside the sandbox, not just signature-matched.

Nested archives Password-protected ZIPs (with the password in the mail body!), ZIP bombs, multi-stage nested containers — unpacked and each stage detonated individually.

Operator-managed YARA rules Write your own .yar rules for fresh threats without waiting for a cloud vendor's update window. CVE patterns, malware families, your own IoC lists.

Verdict feeds back into rspamd Detonation result (clean/suspicious/virus/phish) flows back into the rspamd pipeline as a ThreatScore boost — quarantined or rejected by the same policy as every other detection layer.

Attachment sandbox in detail →

Architecture

Every node is master.

No failover drama on hardware failure. No promote script. No split-brain prevention. Every node processes incoming mail, every node replicates configuration changes to all others, every node can join or leave at any time.

   ┌──────────────┐    encrypted    ┌──────────────┐
   │  MailGuard   │ ◀──────────────▶│  MailGuard   │
   │   Node 1     │   sync          │   Node 2     │
   │              │                 │              │
   │  Detection   │                 │  Detection   │
   │  stack       │ ◀──────────────▶│  stack       │
   │  + sandbox   │                 │  + sandbox   │
   └──────┬───────┘                 └──────┬───────┘
          │                                │
          └────── MX round-robin ──────────┘
                       │
                       ▼
              Existing mail server
              (Linux MTA / Exchange / Microsoft 365 / Google Workspace)

Architecture in detail →

Transparent pricing

Free or Pro. You scale with us.

Free covers 1 domain forever — with all detection features. Pro scales with your setup: starting at EUR 29/month (10 domains, 1 server). Domain and cluster count are your choice. Cloud email security vendors (Hornetsecurity, Mimecast, Proofpoint, Microsoft Defender for O365) charge EUR 1,000-2,500/month for the equivalent volume.

Free

Single-domain protection, free forever

EUR 0 / forever

1 domain · 1 server
All 14 detection layers + sandbox
Threat feeds + DACH-phishing keywords
DKIM/DMARC + audit log + GDPR tools
No cluster, no portal, no white-label

Get Free ↗

Pro RECOMMENDED

Domain and cluster size selectable — entry 10 domains, 1 server

from EUR 29 / month

Domain count selectable (10/25/50/100/250)
Cluster nodes selectable (1-10, +EUR 10/node)
Everything from Free + reporting + end-user portal
+ White-label branding + REST API (full)
+ Email support < 48 h

Configure Pro ↗

Custom

Resellers, enterprise, custom contracts

Inquire / individual

250+ domains or 10+ nodes
SLA + phone support + account manager
On-premise perpetual license
Reseller contracts (multi-cluster)
SIEM integration + audit-log export

Contact sales

Initial install runs 30 days automatically in trial mode with full Pro feature set — then activate Free or buy Pro. See full pricing matrix →

FAQ

Frequently asked questions

How does MailGuard differ from Hornetsecurity or Mimecast?

MailGuard runs on your own servers — Hornetsecurity, Mimecast and Proofpoint are cloud services. With MailGuard you see every header, every detection decision, and you can audit-log every action. No US third parties, no data hand-off, GDPR by architecture.

How does active-active without a master work?

Every cluster node is an equal peer. Configuration and state are encrypted and synchronised across all nodes. No quorum, no failover, no promote. New nodes join with a single command. Scales horizontally without limit.

Do I need a cloud connection?

No. MailGuard runs on servers or VMs in your own infrastructure. Threat-intel feeds (OpenPhish, URLhaus) are pulled — the mails themselves never leave your infrastructure.

Which detection layers are active?

14 layers: SPF, DKIM, DMARC, ARC, RBL/URIBL, header-anomaly detection, external phishing feeds (OpenPhish, URLhaus, PhishTank), URL-shortener resolver, DACH-specific phishing keywords, suspicious-TLD self-learning, spam scanner with ML classifier (statistical + neural + reputation), virus scanner and sandbox detonation for unknown attachments — all local per node.

Can I resell MailGuard?

Yes, with two caveats: white-label branding (logo, product name, primary colour) is one global identity per cluster — i.e. one brand outward. Per-domain configurable: digest from-address, DMARC rua-address, detection policy. If you need different brands per end customer, you either run one cluster per customer or you live with one unified reseller brand. MailGuard is single-tenant — one operator team manages all domains centrally.

How does the licensing model work?

Free covers 1 domain on 1 server forever, with all detection features. Pro starts at EUR 29/month (10 domains, 1 node), with domain count (10/25/50/100/250) and node count (1-10) selectable in the shop. Default Pro 25 + 3-node-HA setup = EUR 89/month. Initial install runs 30 days in trial mode automatically. Custom licenses with SLA, phone support, on-premise perpetual or reseller contracts on request.

Ready for your own server instead of cloud?

Install NetCell MailGuard on your own server. 30 days free, then EUR 29 per server — no credit card required for the trial.

See pricing