Skip to content

Stalwart Mail

Stalwart Mail is an all-in-one email server that runs in a single Docker container.

This automated deployment is based on the guide at https://stalw.art/docs/install/docker

Deploying Stalwart Mail with Netbird agent

Prerequisites

You will need to create a couple DNS records for your domain. These steps will be uniquie to your domain registrar, but it should be simple to:

  1. Create an A record with the name "mail" pointed to your server's IP address. (But you don't have to use the word "mail".)

After setting up the server, you will have to retun to your domain's DNS settings to apply the domain's email-related records.

1. Edit Inventory file

The host group for web proxies is [stalwart]. Place the following information under that group.

  • The server's IP address.
  • server_tag= - This could be "stalwart"
  • ansible_user= - The non-root user
  • ansible_become_pass="{{ stalwart_become_pass }}" - or change variable to the appropriate value in the Vault.
  • ansible_ssh_private_key_file="~/.ssh/id_ed25519_<server_tag>_<nonroot_user>" - The SSH key used to authenticate onto the server.

Example:

[stalwart]
203.0.113.74 server_tag=stalwart ansible_user=serveradmin ansible_become_pass="{{ stalwart_become_pass }}" ansible_ssh_private_key_file="~/.ssh/id_ed25519_stalwart_serveradmin"

2. Edit Ansible Vault variables

Edit the Ansible Vault file.

ansible-vault edit group_vars/all/vaulted_vars.yml

Include the password for the non-root user and also include your Netbird mananagement server URL and setup key.

# Stalwalt Mail server
stalwart_become_pass: <sudo password for non-root user>

# Netbird Agent Setup
nb_management_url: https://netbird.example.org
nb_setup_key: <setup_key>

3. Run Ansible playbook command

ansible-playbook lt_server_deploy.yml --ask-vault-pass --tags stalwart

Post-deployment setup

4. Connect to the Stalwart management interface

Usually, we want to block general access to an applicaiton's management interface from the Internet. But since port 443 is required to be open for SSL certificates, we'll continue to use it the standard way and lock down the admin account.

Log into your Stalwart Mail management interface by simply going to your email domain.

https://mail.example.org

Log in with the default credentials provided by the initial setup. The line should look like this: 

✅ Configuration file written to /opt/stalwart/etc/config.toml
🔑 Your administrator account is 'admin' with password 'w95Yuiu36E'.

Change default credentials

After loggin in, immediately change the admin password by clicking on the profile icon in the upper-right of the page, and selecting Account. Then go to Change Password, enter a new passphrase, click Change Password, and save it in your password manager. Finally, go to Two-factor Auth and set up MFA for this account.

Updating the containers

ansible-playbook lt_server_deploy.yml --ask-vault-pass --tags stalwart-update -vv

Configuring your email server

The rest of the initial setup largely follow Stalwart's guide at https://stalw.art/docs/install/platform/docker/. Here are the key items.

Choose where to store your data

In most cases, you can stick with the default storage settings if you don't use emai that much. However, your backup store requirements might necessitate choosing a different route. Either way, read Stalwart's guides and make a decision on this before you are production ready.

Configure your hostname and email domain

Hostname

Under Settings -> Server -> Network, enter the hostname including the subdomain you added to your DNS record. It should look like mail.example.org. Then click Save changes.

Email domain

Under Management -> Directory -> Domains, click on Create domain. Here you will enter just the domain and TLD like example.org and then click Save changes. You can also add more domains that are related to your organization here.

DNS

For each of the domains entered, click on the three dots on the right and select View DNS records. These are the entries you will need to add to your domain's DNS record (these steps are different per domain registrar). Most domain registrars allow importing a "zonefile". You can simply copy the contents of the zonefile box, save them to a text file, and then upload them to your registrar's DNS portal.

Enable TLS

In most cases, you will want to have Stalwart automatically obtain and renew the TLS certificate for the server. You can set this up by going to Settings -> Server -> TLS -> ACME Providers and clicking on Create ACME provider. Enter the following settings:

  • Directory ID - Enter letsencrypt.
  • Challenge Type - Select TLS-ALPN-01.
  • Contact Email - Enter your administrator email address.
  • Subject names - Enter your hostname, mail.example.org.

Make sure nothing else is enterd in the External Account Binding and Certificate sections and click Save changes.

Connecting email clients

Most email clients will automatically configure themselves with the right settings when prompted for a username and password to your email account.

Keep in mind that if the server's domain is not the same as the email domain, you'll have to configure your email server settings manually.