SMTP listener
Dispatch listens for SMTP on the standard ports 25 and 587 by default. Point any app, device, or appliance that speaks SMTP at it.
Binding 25/587 needs elevation - the installers and the appliance run with it (the systemd unit is
granted CAP_NET_BIND_SERVICE; Windows runs as a service; the container runs as root). If port 25
can’t be bound - it’s already in use, or the process lacks privilege - the listener automatically
falls back to 2525 (587 is still used when it’s free). You’ll see this in the logs at startup.
Key settings
Section titled “Key settings”| Setting | Default | Notes |
|---|---|---|
| Ports | 25, 587 |
Comma-separated; falls back to 2525 if 25 can’t be bound |
| Bind address | 0.0.0.0 |
Listens on all interfaces (filtered by the allow-list below) |
| Allowed IPs / CIDRs | loopback + private ranges | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 so it isn’t an open relay; add your subnet, or clear to allow all |
| Require AUTH | false |
Require username/password from senders (SMTP authentication) |
| Max connections | 100 |
Concurrent connection cap |
| Connection timeout | 60s |
Per-command timeout |
STARTTLS
Section titled “STARTTLS”The listener offers STARTTLS out of the box: if you haven’t configured a shared TLS certificate, it uses an auto-generated self-signed one (the same cert the HTTPS API and dashboard use). Configure or upload a CA-issued shared cert to replace it so senders trust it. By default AUTH is only offered after STARTTLS, so credentials are never sent in the clear.
Access control
Section titled “Access control”The SMTP listener is closed by default to anything outside loopback and private ranges, so a fresh install is never an open relay. Add your sender subnets under Settings → Connections, or clear the list to allow all (not recommended on a public interface). Denied connections are logged with their source IP. See Security for the full model.