
This is an old revision of the document!


Stalwart Mail Server

work in progress

Stalwart: Step into the future with Stalwart, the open-source e-mail powerhouse blending modern features with unparalleled security, speed, and scalability.

I chose Stalwart because it's a new approach to serving mail. Instead of a bunch of interconnected tools, which are often a mess to set up, it is a single piece of software written from the ground up with a modern approach to email.

Please check this page to understand the choices made on this page. I assume that you are installing the email server on your external server, and not on the home server.

Installation

Gentoo ships with a reasonably recent release of Stalwart, but I prefer to have finer control over it, so I install it manually on bare metal. The project also offers a bare-metal install approach (see here), which I don't like because it involves downloading and running an install.sh script, which is a no-go for me.

I have downloaded the script (and I suggest you do the same) and inspected it, so the following instructions are taken directly from the install script, but adapted to my setup.

Note: we are installing on the external server, not on the home server!

As usual, first of all create the user:

useradd -m stalwart

Then download the latest release from here for your architecture. Be sure to download both the mail server and the CLI executable:

su - stalwart
mkdir bin etc logs
chmod -R 755 /home/stalwart
wget 'https://github.com/stalwartlabs/mail-server/releases/download/vX.Y.Z/stalwart-mail-x86_64-unknown-linux-gnu.tar.gz'
wget 'https://github.com/stalwartlabs/mail-server/releases/download/vX.Y.Z/stalwart-cli-x86_64-unknown-linux-gnu.tar.gz'
cd bin
tar xvf ../stalwart-mail-x86_64-unknown-linux-gnu.tar.gz
tar xvf ../stalwart-cli-x86_64-unknown-linux-gnu.tar.gz
chmod +x stalwart-mail stalwart-cli
# setcap needs root: run it from a root shell, not as the stalwart user
setcap 'cap_net_bind_service=ep' /home/stalwart/bin/stalwart-mail

The setcap is necessary to let Stalwart open ports in the reserved range (<1024).

Well, it's time to initialize Stalwart:

/home/stalwart/bin/stalwart-mail --init /home/stalwart
✅ Configuration file written to /home/stalwart/etc/config.toml
🔑 Your administrator account is 'admin' with password 'XxxXxXXxX'.
chmod 700 /home/stalwart/etc/config.toml

Note the chmod, which ensures the config file is not readable by anybody else.

Take note of the password! You will never see it again.
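
The two hardening steps above (the setcap on the binary and the chmod on config.toml) are easy to lose on an upgrade or when a command is run as the wrong user. The following check is an added example, not part of this page's original instructions or of the Stalwart install script; the function names are hypothetical and it assumes GNU stat and getcap are available:

```shell
#!/bin/sh
# Added example (not from the Stalwart install script): post-install checks
# for the layout used on this page. Assumes GNU stat and getcap (libcap).

# Succeeds when FILE grants no permission bits to group or others.
mode_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Succeeds when FILE is owned by USER.
owned_by() {
    [ "$(stat -c '%U' "$1" 2>/dev/null)" = "$2" ]
}

# Succeeds when FILE carries the cap_net_bind_service file capability.
has_bind_cap() {
    getcap "$1" 2>/dev/null | grep -q 'cap_net_bind_service'
}

# Prints one line per check and returns non-zero if any check fails.
audit_stalwart() {
    home=$1; user=${2:-stalwart}; rc=0
    cfg="$home/etc/config.toml"; bin="$home/bin/stalwart-mail"

    if mode_is_private "$cfg"; then echo "ok   $cfg is private"
    else echo "FAIL $cfg is missing or accessible to group/others"; rc=1; fi

    # A config written by root cannot be read by the unprivileged daemon.
    if owned_by "$cfg" "$user"; then echo "ok   $cfg is owned by $user"
    else echo "FAIL $cfg is not owned by $user"; rc=1; fi

    # Replacing the binary on upgrade drops the capability: re-run setcap.
    if has_bind_cap "$bin"; then echo "ok   $bin has cap_net_bind_service"
    else echo "FAIL $bin lacks cap_net_bind_service (ports <1024 will fail)"; rc=1; fi

    return $rc
}

# Run the audit only when a home directory is given on the command line.
if [ "$#" -gt 0 ]; then audit_stalwart "$@"; fi
```

Save it as a script and run it with /home/stalwart as the argument after every install or upgrade.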

Now, start the server for the first time:

su - stalwart # ensure you are stalwart user!
/home/stalwart/bin/stalwart-mail --config=/home/stalwart/etc/config.toml

Open up your browser and go to http://<external-server-ip>:8080 and log in with the credentials above, then immediately head to http://<external-server-ip>:8080/account/password and change the password to something you will remember.

Configuration

Autostart

The below stuff is outdated

useradd -m -d /data/daemons/stalwart stalwart
mkdir /data/stalwart
chown stalwart:stalwart /data/stalwart
docker-compose.yml
name: stalwart
services:
  mail-server:
    tty: true
    stdin_open: true
    ports:
      - 2443:443
      - 10025:125 # port 25 seems to create troubles in podman...
      - 2080:8080
      - 2587:587
      - 2465:465
      - 2143:143
      - 2993:993
      - 4190:4190
      - 2110:110
      - 2995:995
    volumes:
      - /data/stalwart:/opt/stalwart-mail
    container_name: stalwart-mail
    image: stalwartlabs/mail-server:latest
    networks:
      - stalwart-net

networks:
  stalwart-net: {}

Note that I have used only ports above 1024 to avoid issues with root-only ports in rootless containers.

podman compose pull
podman compose up

Note your admin username and password, shown like this:

[mail-server] | 🔑 Your administrator account is 'admin' with password 'xxxx'.

Change the SMTP port to 125 to match the above compose file.

Configuration

From the web UI.

Set hostname to your main email server.

Stop unneeded services.

Create domain.

Configure DNS properly.

Create account.

Open ports from remote to local:

nft add rule wg prerouting iifname "enp1s0" dnat ip to tcp dport map { 25 : 10.100.0.1 . 10025 }
nft add rule wg prerouting iifname "enp1s0" dnat ip to tcp dport map { 587 : 10.100.0.1 . 2587 }
nft add rule wg prerouting iifname "enp1s0" dnat ip to tcp dport map { 465 : 10.100.0.1 . 2465 }
nft add rule wg prerouting iifname "enp1s0" dnat ip to tcp dport map { 143 : 10.100.0.1 . 2143 }
nft add rule wg prerouting iifname "enp1s0" dnat ip to tcp dport map { 993 : 10.100.0.1 . 2993 }
nft add rule wg prerouting iifname "enp1s0" dnat ip to tcp dport map { 4190 : 10.100.0.1 . 4190 }
nft add rule wg prerouting iifname "enp1s0" dnat ip to tcp dport map { 995 : 10.100.0.1 . 2995 }
nft add rule wg prerouting iifname "enp1s0" dnat ip to tcp dport map { 110 : 10.100.0.1 . 2110 }

Link certificates. Create a certificate in GUI with these values:

%{file:/opt/stalwart-mail/etc/certs/fullchain.pem}%
%{file:/opt/stalwart-mail/etc/certs/privkey.pem}%

and copy the certs from /etc/letsencrypt/live/mydomain/[fullchain|privkey].pem to /data/stalwart/etc/certs (create the folder and make the files readable!)