📬 Self-hosted relay

Fialka Mailbox

Self-hosted encrypted store-and-forward over Tor — owner-controlled, zero server-side decryption.

Self-hosted: Download & Install

Run your own Mailbox server on Linux / Raspberry Pi / VPS. Choose a key protection mode: TPM 2.0, Passphrase, or legacy plaintext.

One-line installer (Linux / RPi):

curl -fsSL https://raw.githubusercontent.com/FialkaApp/fialka-mailbox/main/deploy/install.sh | sudo bash

Docs: README · Security policy: SECURITY.md

Two Mutually Exclusive Operating Modes

📱

User Mode

The phone functions as a standard messaging client.

  • Creates a Fialka account (BIP-39 seed)
  • Generates a deterministic .onion address
  • Sends and receives E2E encrypted P2P messages
  • Receives offline messages via a Mailbox
  • Only ONE User Mode per device

🖥️

Mailbox Mode

The phone becomes a storage and message transport service.

  • Exposes a permanent .onion Hidden Service
  • Stores encrypted blobs (zero decryption)
  • Auto-purges after 7-day TTL
  • Cannot send or receive chat messages
  • Requires 2 devices to use alongside User Mode

⚠️ Important constraint: User Mode and Mailbox Mode are mutually exclusive on the same device. You need 2 phones (or a spare phone / Raspberry Pi as the Mailbox).

Three Sharing Models

1️⃣

Personal Mailbox

Used solely by the owner's User-mode phone. Each user account has one Personal Mailbox. Accessible only by the owner — "my Mailbox for when I'm offline".

2️⃣

Private Mailbox (whitelist)

Shared with a restricted group — family, friends, colleagues. The owner alone manages the whitelist and permissions. Only authorized users can deposit messages. Granular control: add/remove access anytime.

3️⃣

Public Mailbox

Accepts messages from all Fialka users. No whitelist, no authentication. Useful for bots, open services, and community relays.

Delivery Modes & Privacy

Mode | Description | Privacy
0 — Direct P2P | .onion to .onion directly | ★★★★★
1 — Personal | Your own device (old phone, RPi) | ★★★★★
2 — Private Node | Friend hosts for trusted group (whitelist) | ★★★★☆
3 — Public Node | Community volunteers, auto-selected (default) | ★★★☆☆

Security Guarantees

ZERO server-side decryption

Blobs are completely opaque to the Mailbox — it stores encrypted bytes it cannot read.

Raw blob storage

No metadata extraction — no recipient, no timing, no actual size, no content type.

7-day max TTL

All undelivered blobs are automatically purged after 7 days.

Stats only

Mailbox only tracks cumulative counters (totalDeposited, totalFetched) — no message-level analytics.

Adaptive polling

10s base interval, 5s after messages received, 60s backoff on network error.

Full UI configuration

Mode, TTL, whitelist — all configurable in Settings.
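
The whitelist, 7-day TTL and counters-only behaviour described above, modelled as an added example that is not Fialka's own code. `MailboxStore`, its methods, the sender strings and the per-blob expiry timestamp used to enforce the TTL are assumptions made for illustration; time is passed in explicitly so the expiry boundary can be checked.

```python
from dataclasses import dataclass, field

TTL_SECONDS = 7 * 24 * 3600  # the page's 7-day maximum TTL

@dataclass
class MailboxStore:
    """Toy model of a Private or Public Mailbox; every name is hypothetical."""
    public: bool = False                         # Public Mailbox: no whitelist
    whitelist: set = field(default_factory=set)  # Private Mailbox: owner-managed
    blobs: list = field(default_factory=list)    # [(expires_at, ciphertext)]
    totalDeposited: int = 0                      # cumulative counters only
    totalFetched: int = 0

    def deposit(self, sender: str, ciphertext: bytes, now: float) -> bool:
        # Private mode: only whitelisted senders may deposit.
        if not self.public and sender not in self.whitelist:
            return False
        # Stored as-is, never parsed; the sender id is used for the access
        # decision only and is not kept with the blob.
        self.blobs.append((now + TTL_SECONDS, bytes(ciphertext)))
        self.totalDeposited += 1
        return True

    def purge(self, now: float) -> int:
        """Drop blobs whose TTL has elapsed; return how many were dropped."""
        before = len(self.blobs)
        self.blobs = [(exp, b) for exp, b in self.blobs if exp > now]
        return before - len(self.blobs)

    def fetch_all(self, now: float) -> list:
        # Purge first so an expired blob is never delivered, even when the
        # periodic purge has not run yet.
        self.purge(now)
        out = [b for _, b in self.blobs]
        self.blobs = []
        self.totalFetched += len(out)
        return out

def demo():
    day = 24 * 3600
    box = MailboxStore(whitelist={"alice.onion"})  # constructed sample ids
    accepted = [
        box.deposit("alice.onion", b"\x01opaque-1", now=0),
        box.deposit("mallory.onion", b"\x02opaque-2", now=1 * day),
        box.deposit("alice.onion", b"\x03opaque-3", now=6 * day),
    ]
    fetched = box.fetch_all(now=7 * day)  # the first blob is exactly 7 days old
    return accepted, fetched, box.totalDeposited, box.totalFetched
```

A rejected deposit leaves both counters untouched, and a blob that reaches the 7-day mark is dropped at fetch time rather than delivered.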

Push Notifications (opt-in)

Phone A → sendMessage() → Tor Hidden Service → Phone B
                                                  ↓ (if offline)
                                          Fialka Mailbox stores ciphertext
                                                  ↓
                                          UnifiedPush + ntfy.sh
                                                  ↓
                                          Phone B wakes up → connects to Mailbox
                                          → retrieves + decrypts messages
                                          "New message received"
                                          (ZERO content, ZERO metadata)

UnifiedPush + ntfy.sh are used as a zero-content wake-up signal only. Push notifications carry no message content or sender metadata whatsoever.

Real-World Use Case

📱 Your main phone runs User Mode — normal Fialka messaging.

🔌 Old spare phone or tablet stays plugged in permanently at home on power + WiFi — running Mailbox Mode.

📬 While you're offline, contacts send you messages → stored as encrypted blobs in your home Mailbox.

🔄 When you come back online, your main phone connects to the Mailbox and retrieves all pending messages.

Configure via: Settings → Mailbox → Personal Mailbox → enter your Mailbox .onion address