Stalwart: Difference between revisions

(18 intermediate revisions by 2 users not shown)

Line 2:

== Setup ==

The following example enables the Stalwart mail server for the domain ''example.org'', listening on mail delivery SMTP/Submission ~~ports~~ (<code>25, 465</code>) ~~and~~ IMAPS ~~port~~ (<code>993</code>) for mail clients to connect to. Mailboxes for the accounts <code>postmaster@example.org</code> and <code>user1@example.org</code> get created if they don't exist yet.{{file|/etc/nixos/configuration.nix|nix|3=services.stalwart-mail = {

The following example enables the Stalwart mail server for the domain ''example.org'', listening on mail delivery SMTP/Submission (<code>25, 465</code>), IMAPS (<code>993</code>) and JMAP ports (8080/443) for mail clients to connect to. Mailboxes for the accounts <code>postmaster@example.org</code> and <code>user1@example.org</code> get created if they don't exist yet.

{{file|/etc/nixos/configuration.nix|nix|3=environment.etc = {

"stalwart/mail-pw1".text = "foobar";

"stalwart/mail-pw2".text = "foobar";

"stalwart/admin-pw".text = "foobar";

"stalwart/acme-secret".text = "secret123";

};

services.stalwart-mail = {

enable = true;

package = pkgs.stalwart-mail;

Line 8:

Line 17:

settings = {

server = {

hostname = "example.org";

hostname = "mx1.example.org";

tls = {

enable = true;

Line 23:

Line 32:

};

imaps = {

bind = "[::]:993";

protocol = "imap";

bind = "[::]:~~993~~";

};

jmap = {

bind = "[::]:8080";

url = "https://mail.example.org";

protocol = "jmap";

};

management = {

Line 40:

Line 54:

challenge = "dns-01";

contact = "user1@example.org";

domains = [ "example.org" ];

domains = [ "example.org" "mx1.example.org" ];

provider = "cloudflare";

secret = "~~****~~";

secret = "%{file:/etc/stalwart/acme-secret}%";

};

session.auth = {

Line 56:

Line 70:

principals = [

{

class = "~~admin~~";

class = "individual";

name = "User 1";

secret = "~~foobar~~";

secret = "%{file:/etc/stalwart/mail-pw1}%";

email = [ "user1@example.org" ];

}

Line 64:

Line 78:

class = "individual";

name = "postmaster";

secret = "~~foobar~~";

secret = "%{file:/etc/stalwart/mail-pw1}%";

email = [ "postmaster@example.org" ];

}

];

};

authentication.fallback-admin = {

user = "admin";

secret = "%{file:/etc/stalwart/admin-pw}%";

};

Line 77:

Line 95:

"webadmin.example.org" = {

extraConfig = ''

reverse_proxy http://127.0.01:8080

reverse_proxy http://127.0.0.1:8080

'';

serverAliases = [

Line 83:

Line 101:

"autoconfig.example.org"

"autodiscover.example.org"

"mail.example.org"

];

};

};}}TLS key generation is done using DNS-01 challenge through Cloudflare domain provider, see dns-update library for [https://github.com/stalwartlabs/dns-update further providers] or configure [https://stalw.art/docs/server/tls/certificates manual certificates].

};}}

TLS key generation is done using DNS-01 challenge through Cloudflare domain provider, see dns-update library for [https://github.com/stalwartlabs/dns-update further providers] or configure [https://stalw.art/docs/server/tls/certificates manual certificates].

== Configuration ==

=== DNS records ===

Before adding required records to the example domain <code>example.org</code>, we need to register the domain on the Stalwart server.<syntaxhighlight lang="shell">

stalwart-cli --url https://webadmin.example.org domain create example.org

</syntaxhighlight>Authenticate using the fallback-admin password.

Review the list of which DNS records are required including their values for the mail server to work at https://webadmin.example.org/manage/directory/domains/tuxtux.com.co/view. Especially following records are essential:

* Record type: A, Name: example.org

* Record type: AAAA, Name: example.org

* Record type: CNAME, Name: autoconfig Value: example.org

* Record type: CNAME, Name: autodiscover, Value: example.org

* Record type: CNAME, Name: mail, Value: example.org

* Record type: CNAME, Name: mta-sts, Value: example.org

* Record type: CNAME, Name: mail, Value: example.org

* Record type: CNAME, Name: webadmin, Value: example.org

* Record type: MX, Name: example.org, Value: mx1.example.org

* Record type: SRV, Name: _imaps._tcp

* Record type: SRV, Name: _submissions._tcp

* Record type: TLSA, Name: _25._tcp.example.org., Value: Only the one starting with "3 1 1" required

* Record type: TLSA, Name: _25._tcp.mx1.example.org., Value: Only the one starting with "3 1 1" required

* Record type: TXT, Name: 202409e._domainkey

* Record type: TXT, Name: 202409r._domainkey

* Record type: TXT, Name: _dmarc

* Record type: TXT, Name: mx1

* Record type: TXT, Name: _smtp._tls

* Record type: TXT, Name: example.org

=== DNSSEC ===

Line 99:

Line 147:

_25._tcp.mx1.example.org. 10800 IN RRSIG TLSA 13 5 10800 20230601000000 20230511000000 39688 example.org. He9VYZ35xTC3fNo8GJa6swPrZodSnjjIWPG6Th2YbsOEKTV1E8eGtJ2A +eyBd9jgG+B3cA/jw8EJHmpvy/buCw==

==~~= Administrative web frontend ===~~

== Tips and tricks ==

~~{{Note|The module is not yet part of the latest NixOS stable release~~ and ~~will be available with version 24.11.}}Add following listener to enable the administrative web frontend.{{file|/etc/nixos/configuration.nix|nix|3=services.stalwart-mail = {~~

~~enable~~ = ~~true;~~

~~settings.server.listener~~ = {

~~"management" = {~~

~~bind = [ "[::]:8080" ];~~

~~protocol = "http";~~

};

~~};}}It will be accessible on http://localhost:8080 and authentication is done with the one of the credentials specified above (normal inbox user or administrative role).~~

~~Please note that this example snippet is for testing purpose and without further~~ configuration ~~the management web interface will run unencrypted on all interfaces which is unsecure.~~

=== Test mail server ===

You can use several online tools to test your mail server configuration:

~~== Tips~~ and ~~tricks ==~~

* [https://en.internet.nl/test-mail en.internet.nl/test-mail]: Test your mail server configuration for validity and security.

* [https://www.mail-tester.com mail-tester.com]: Send a mail to this service and get a rating about the "spaminess" of your mail server.

* Send a mail to the echo server <code>echo@univie.ac.at</code>. You should receive a response containing your message in several seconds.

=== Unsecure setup for testing environments ===

The following minimal configuration example is unsecure and for testing purpose only. It will run the Stalwart mail server on <code>localhost</code>, listening on port <code>143</code> (IMAP) and <code>587</code> (Submission). Users <code>alice</code> and <code>bob</code> are configured with the password <code>foobar</code>.{{file|/etc/nixos/configuration.nix|nix|3=services.stalwart-mail = {

enable = true;

~~# Use newer, latest version in NixOS 24.05~~

~~package = pkgs.stalwart-mail;~~

settings = {

server = {

@@ Line 2: / Line 2: @@
 == Setup ==
-The following example enables the Stalwart mail server for the domain ''example.org'', listening on mail delivery SMTP/Submission ports (<code>25, 465</code>) and IMAPS port (<code>993</code>) for mail clients to connect to. Mailboxes for the accounts <code>postmaster@example.org</code> and <code>user1@example.org</code> get created if they don't exist yet.{{file|/etc/nixos/configuration.nix|nix|3=services.stalwart-mail = {
+The following example enables the Stalwart mail server for the domain ''example.org'', listening on mail delivery SMTP/Submission (<code>25, 465</code>), IMAPS (<code>993</code>) and JMAP ports (8080/443) for mail clients to connect to. Mailboxes for the accounts <code>postmaster@example.org</code> and <code>user1@example.org</code> get created if they don't exist yet.
+{{file|/etc/nixos/configuration.nix|nix|3=environment.etc = {
+  "stalwart/mail-pw1".text = "foobar";
+  "stalwart/mail-pw2".text = "foobar";
+  "stalwart/admin-pw".text = "foobar";
+  "stalwart/acme-secret".text = "secret123";
+};
+services.stalwart-mail = {
    enable = true;
    package = pkgs.stalwart-mail;
@@ Line 8: / Line 17: @@
    settings = {
      server = {
-       hostname = "example.org";
+       hostname = "mx1.example.org";
        tls = {
          enable = true;
@@ Line 23: / Line 32: @@
          };
          imaps = {
+          bind = "[::]:993";
            protocol = "imap";
-           bind = "[::]:993";
+        };
+        jmap = {
+           bind = "[::]:8080";
+          url = "https://mail.example.org";
+          protocol = "jmap";
          };
          management = {
@@ Line 40: / Line 54: @@
        challenge = "dns-01";
        contact = "user1@example.org";
-       domains = [ "example.org" ];
+       domains = [ "example.org" "mx1.example.org" ];
        provider = "cloudflare";
-       secret = "****";
+       secret = "%{file:/etc/stalwart/acme-secret}%";
      };
      session.auth = {
@@ Line 56: / Line 70: @@
        principals = [
          {
-           class = "admin";
+           class = "individual";
            name = "User 1";
-           secret = "foobar";
+           secret = "%{file:/etc/stalwart/mail-pw1}%";
            email = [ "user1@example.org" ];
          }
@@ Line 64: / Line 78: @@
            class = "individual";
            name = "postmaster";
-           secret = "foobar";
+           secret = "%{file:/etc/stalwart/mail-pw1}%";
            email = [ "postmaster@example.org" ];
          }
        ];
+    };
+    authentication.fallback-admin = {
+      user = "admin";
+      secret = "%{file:/etc/stalwart/admin-pw}%";
      };
    };
@@ Line 77: / Line 95: @@
      "webadmin.example.org" = {
        extraConfig = ''
-         reverse_proxy http://127.0.01:8080
+         reverse_proxy http://127.0.0.1:8080
        '';
        serverAliases = [
@@ Line 83: / Line 101: @@
          "autoconfig.example.org"
          "autodiscover.example.org"
+        "mail.example.org"
        ];
      };
    };
-};}}TLS key generation is done using DNS-01 challenge through Cloudflare domain provider, see dns-update library for [https://github.com/stalwartlabs/dns-update further providers] or configure [https://stalw.art/docs/server/tls/certificates manual certificates].
+};}}
+TLS key generation is done using DNS-01 challenge through Cloudflare domain provider, see dns-update library for [https://github.com/stalwartlabs/dns-update further providers] or configure [https://stalw.art/docs/server/tls/certificates manual certificates].
 == Configuration ==
+=== DNS records ===
+Before adding required records to the example domain <code>example.org</code>, we need to register the domain on the Stalwart server.<syntaxhighlight lang="shell">
+stalwart-cli --url https://webadmin.example.org domain create example.org
+</syntaxhighlight>Authenticate using the fallback-admin password.
+Review the list of which DNS records are required including their values for the mail server to work at https://webadmin.example.org/manage/directory/domains/tuxtux.com.co/view. Especially following records are essential:
+* Record type: A, Name: example.org
+* Record type: AAAA, Name: example.org
+* Record type: CNAME, Name: autoconfig Value: example.org
+* Record type: CNAME, Name: autodiscover, Value: example.org
+* Record type: CNAME, Name: mail, Value: example.org
+* Record type: CNAME, Name: mta-sts, Value: example.org
+* Record type: CNAME, Name: mail, Value: example.org
+* Record type: CNAME, Name: webadmin, Value: example.org
+* Record type: MX, Name: example.org, Value: mx1.example.org
+* Record type: SRV, Name: _imaps._tcp
+* Record type: SRV, Name: _submissions._tcp
+* Record type: TLSA, Name: _25._tcp.example.org., Value: Only the one starting with "3 1 1" required
+* Record type: TLSA, Name: _25._tcp.mx1.example.org., Value: Only the one starting with "3 1 1" required
+* Record type: TXT, Name: 202409e._domainkey
+* Record type: TXT, Name: 202409r._domainkey
+* Record type: TXT, Name: _dmarc
+* Record type: TXT, Name: mx1
+* Record type: TXT, Name: _smtp._tls
+* Record type: TXT, Name: example.org
 === DNSSEC ===
@@ Line 99: / Line 147: @@
   _25._tcp.mx1.example.org. 10800 IN RRSIG	TLSA 13 5 10800 20230601000000 20230511000000 39688 example.org. He9VYZ35xTC3fNo8GJa6swPrZodSnjjIWPG6Th2YbsOEKTV1E8eGtJ2A +eyBd9jgG+B3cA/jw8EJHmpvy/buCw==
-=== Administrative web frontend ===
+== Tips and tricks ==
-{{Note|The module is not yet part of the latest NixOS stable release and will be available with version 24.11.}}Add following listener to enable the administrative web frontend.{{file|/etc/nixos/configuration.nix|nix|3=services.stalwart-mail = {
-  enable = true;
-  settings.server.listener = {
-    "management" = {
-      bind = [ "[::]:8080" ];
-      protocol = "http";
-    };
-  };
-};}}It will be accessible on http://localhost:8080 and authentication is done with the one of the credentials specified above (normal inbox user or administrative role).
-Please note that this example snippet is for testing purpose and without further configuration the management web interface will run unencrypted on all interfaces which is unsecure.
+=== Test mail server ===
+You can use several online tools to test your mail server configuration:
-== Tips and tricks ==
+* [https://en.internet.nl/test-mail en.internet.nl/test-mail]: Test your mail server configuration for validity and security.
+* [https://www.mail-tester.com mail-tester.com]: Send a mail to this service and get a rating about the "spaminess" of your mail server.
+* Send a mail to the echo server <code>echo@univie.ac.at</code>. You should receive a response containing your message in several seconds.
 === Unsecure setup for testing environments ===
 The following minimal configuration example is unsecure and for testing purpose only. It will run the Stalwart mail server on <code>localhost</code>, listening on port <code>143</code> (IMAP) and <code>587</code> (Submission). Users <code>alice</code> and <code>bob</code> are configured with the password <code>foobar</code>.{{file|/etc/nixos/configuration.nix|nix|3=services.stalwart-mail = {
    enable = true;
-  # Use newer, latest version in NixOS 24.05
-  package = pkgs.stalwart-mail;
    settings = {
      server = {