Stalwart Mail Server on Cloudron - Secure & Modern All-in-One Mail Server (IMAP, JMAP, POP3, SMTP)

• Main Page: https://stalw.art/
• Git: https://github.com/stalwartlabs/mail-server
• Licence: AGPL v3 & SELv1 for some features
• Docker: Yes
• Documentation: https://stalw.art/docs/install/docker
• Demo: link

---

• Summary: Stalwart Mail Server is an open-source mail server solution with SMTP, JMAP, IMAP4, and POP3 support and a wide range of modern features. It is written in Rust and aims to be secure, fast, robust and scalable.

---

• Notes: Modern Mail server implementation with security features like Encryption at rest with S/MIME or OpenPGP

---

Key features:

• JMAP, IMAP4, POP3 and ManageSieve server:
  • JMAP server with Sieve Scripts, WebSocket, Blob Management and Quotas extensions.
  • IMAP4rev2 and IMAP4rev1 server with support for numerous extensions.
  • POP3 server with extensions, STLS and SASL support.
  • ManageSieve server for managing Sieve scripts.
• SMTP server:
  • Built-in DMARC, DKIM, SPF and ARC support for message authentication.
  • Strong transport security through DANE, MTA-STS and SMTP TLS reporting.
  • Inbound throttling and filtering with granular configuration rules, sieve scripting, MTA hooks and milter integration.
  • Distributed virtual queues with delayed delivery, priority delivery, quotas, routing rules and throttling support.
  • Envelope rewriting and message modification.
• Built-in Spam and Phishing filter:
  • Comprehensive set of filtering rules on par with popular solutions.
  • LLM-driven spam filtering and message analysis.
  • Statistical spam classifier with automatic training capabilities.
  • DNS Blocklists (DNSBLs) checking of IP addresses, domains, and hashes.
  • Collaborative digest-based spam filtering with Pyzor.
  • Phishing protection against homographic URL attacks, sender spoofing and other techniques.
  • Trusted reply tracking to recognize and prioritize genuine e-mail replies.
  • Sender reputation monitoring by IP address, ASN, domain and email address.
  • Greylisting to temporarily defer unknown senders.
  • Spam traps to set up decoy email addresses that catch and analyze spam.
• Flexible and scalable:
  • Pluggable storage backends with RocksDB, FoundationDB, PostgreSQL, mySQL, SQLite, S3-Compatible, Redis and ElasticSearch support.
  • Clustering support with node autodiscovery and partition-tolerant failure detection.
  • Full-text search available in 17 languages.
  • Sieve scripting language with support for all registered extensions.
  • Email aliases, mailing lists, subaddressing and catch-all addresses support.
  • Automatic account configuration and discovery with autoconfig and autodiscover.
  • Multi-tenancy support with domain and tenant isolation.
  • Disk quotas per user and tenant.
• Secure and robust:
  • Encryption at rest with S/MIME or OpenPGP.
  • Automatic TLS certificate provisioning with ACME using TLS-ALPN-01, DNS-01 or HTTP-01 challenges.
  • Automated blocking of IP addresses that attack, abuse or scan the server for exploits.
  • Rate limiting.
  • Security audited (read the report).
  • Memory safe (thanks to Rust).
• Authentication and Authorization:
  • OpenID Connect authentication.
  • OAuth 2.0 authorization with authorization code and device authorization flows.
  • LDAP, OIDC, SQL or built-in authentication backend support.
  • Two-factor authentication with Time-based One-Time Passwords (2FA-TOTP)
  • Application passwords (App Passwords).
  • Roles and permissions.
  • Access Control Lists (ACLs).
• Observability:
  • Logging and tracing with OpenTelemetry, journald, log files and console support.
  • Metrics with OpenTelemetry and Prometheus integration.
  • Webhooks for event-driven automation.
  • Alerts with email and webhook notifications.
  • Live tracing and metrics.
• Web-based administration:
  • Dashboard with real-time statistics and monitoring.
  • Account, domain, group and mailing list management.
  • SMTP queue management for messages and outbound DMARC and TLS reports.
  • Report visualization interface for received DMARC, TLS-RPT and Failure (ARF) reports.
  • Configuration of every aspect of the mail server.
  • Log viewer with search and filtering capabilities.
  • Self-service portal for password reset and encryption-at-rest key management.

---

• Screenshots:

@avatar1024 said in Nextcloud Talk high-performance back-end:

I'm just wondering in light of the Jitsi situation (i.e. hard to update), whether it might be worth reviving this thread starting with the package @doodlemania2 made? Or if any other video call app might be simpler to package and maintain on Cloudron (e.g. @Kubernetes made an initial package for MiroTalk but I've got no clue how it compares with Jitsi or NC talk)

For everyone who wants to host it themselves without too much hassle, I have been successfully using this build on a standalone server for some months now: https://github.com/sunweaver/nextcloud-high-performance-backend-setup

Looks like they have expanded the documentation for self-hosting: https://help.ente.io/self-hosting/

This is now called Spacebar https://github.com/spacebarchat

I spun up a test instance and it looks really polished and fast. I'm not a developer but seems to be fairly simple with few dependencies. Written in rust, PostgreSQL support.

Absolute extensive feature list, including encryption at rest, E-Mail delivery debugging, telemetry and much more.

Most if not all things can be configured in the GUI after setup. The biggest Problem at that point really is locking down the server against improper use, which is something cloudron already does pretty well. I'd love to see this in the App Store.

Currently attempting to package this. Frontend and backend are loading but not connecting to each other yet. Will have to investigate when I have a little time.

@girish I know we have talked about this before, you said that a lot of these are hardcoded (Like the app offline page). But it would be nice to be able to modify these without having them overwritten on updates.

@scooke said in What's coming in Cloudron 9:

@potemkin_ai For fwiw, I immediately distrust companies passing off other's tech as their own. I'm not sure to what degree you refer to when you ask for whitelabeling. If you sell services someone and they understand you are using Cloudron (who in turn is using other available software), and the whitelabeling you mean refers to them paying to be able to put their Company Name where they need it (because Cloudron licencing and tech has made that possible)... is one thing. But, it's another to present yourself as though whatever-makes-it-run has been made by your own hands and not by the Cloudron team, and customers buy your web service because it's made by your own hands, and they still get to put their own company name on it because you allow them too... that's sneaky. Deceptive. Companies that do this are not trustworthy.

Let me emphasize that I'm using the 3rd person "you", and not specifically you @potemkin_ai, especially since I don't know your approach. I'm just sharing my own personal perspective as consumer.

Adding to what @humptydumpty explained, consider the following scenario as a use case:

You are responsible for IT administration in a small organization, so you set up various services via a cloudron instance. But now you have to explain to people you are onboarding (in addition to all the stuff and how it works) what cloudron is (good luck with that) and what it has to do with the cloud you are using.

Whitelabeling solves this by not adding extra terms to user facing interfaces (i.e. log in with Cloudron).

@ntnsndr You can add 'hide_login_form' => true, to the config file

@osobo Pretty sure that's hardcoded. But you can simply bypass the screen by running occ config:app:set --value=0 user_oidc allow_multiple_user_backends in the terminal

I could use some help with this packaging attempt (just ignore the messy code). I can not get encryption working for some reason. This may have something to do with my current matrix installation so I'd be interested in someone else's expertise and experience

Looks like it's just a regular laravel application. Should be fairly easy to package.

I'm looking to enhance the security of an application by adding an additional layer of access control. Currently, I have a LAMP stack with Adminer installed for database management. To prevent unauthorized access, I keep Adminer disabled most of the time. However, I would like to set it up so that Adminer can only be accessed when I am connected through a VPN. This would ensure that even if the service is running, it remains secure from public access unless I'm using the VPN.

I found it to be pretty easy to get my IPs whitelisted after receiving fresh ones from Hetzner. Just write the admins every time an email fails to pass and let them know you just purchased it

Cloudflare has extremely competitive pricing. But they don't support a lot of TLDs and can be criticized for centralizing the web. That being said I'm pretty happy with it.

@robi I'm running this via docker compose on a raspberry pi at home now. Was surprisingly uncomplicated to set up, but I'd rather have it on my Cloudron. @girish can you open me an account on the git? I'd like to experiment with creating a build for this at some point.

@girish Correct. My workflow is usually the following with any app that comes pre setup with an admin account:

1 Login via OIDC/LDAP with user account (to create it in the database)
2 Logout
3 Login with Admin account
4 Make user account admin account
5 Logout
6 Login with OIDC/LDAP
7 Deactivate/Delete admin account

@madrush yes you can bypass the login form completely: https://forum.cloudron.io/post/105215

@jadudm Fair and not a problem. I'm just a little bit disappointed by the lack of communication. If it won't get packaged for a while then a short note would have been sufficient instead of letting people like me guessing whats planned next.

@girish personally I would enjoy the option to limit the E-Mail manager to the groups they are part of. For example some clients use so little resources like only a website with E-Mail that it doesn’t make sense to give them a dedicated server but instead put a few on the same.

Now it would be nice if they could configure their own emails without being able to see let alone change the configuration of others.