Running Stalwart behind Caddy

[RonnyLam]

I have managed to get Stalwart to run behind Caddy. There are only a couple of things you have to do.

This is my Caddyfile, yours might differ of course:

www.domain.tld {
	redir https://domain.tld{uri}
	}

domain.tld {
	# Set this path to your site's directory.
	root * /usr/share/caddy

	# Enable the static file server.
	file_server
	}

mail.domain.tld {
	reverse_proxy 127.0.0.1:8080
	}

After succesfully starting Caddy you can copy the certificate files to your Stalwart dir:

mkdir -p /opt/stalwart-mail/cert/
cp /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/domain.tld/domain.tld.crt /opt/stalwart-mail/cert/domain.tld.pem
cp /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/domain.tld/domain.tld.key /opt/stalwart-mail/cert/domain.tld.priv.pem
chown -R stalwart-mail:stalwart-mail /opt/stalwart-mail/cert/

Put the following in root's crontab,it needs to be root because of ownership of different files...

0 3 * * * cat /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/domain.tld/domain.tld.crt > /opt/stalwart-mail/cert/domain.tld.pem
0 3 * * * cat /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/domain.tld/domain.tld.key > /opt/stalwart-mail/cert/domain.tld.priv.pem

add the following to your config.toml:

##remove https
##change http from [::]:8080 to 127.0.0.1:8080
server.tls.certificate = "default"
certificate.default.cert = "%{file:/opt/stalwart-mail/cert/domain.tld.pem}%"
certificate.default.default = true
certificate.default.private-key = "%{file:/opt/stalwart-mail/cert/domain.tld.priv.pem}%"

Now you can safely (re)start Stalwart and finish configuration in Webmin.

[RonnyLam]

The reason I created this setup is that in this way you can have both mail and http running at the root-domain. www is redirected to the root and webmin is running behind mail.domain.tld. Now you can start a small VM for every venture or cool idea that you think of.

[ghost]

Thank you! I finally got it running with this config

[rajalah71]

Could you also tell to which ports your router/firewall points to? 443 for caddy and the rest for stalwart? Or all to caddy? I am still a little confused.

[RonnyLam]

80 and 443 are going to Caddy,
Caddy reverse proxies to 8080,
25, 143, 465, 587, 993 and 995 to Stalwart

[rajalah71]

Thanks!

[jjj333-p]

TL;DR I kept doing stupid things

Basically if you change connection/ports config even through the web console you have to restart stalwart. Also if you're already logged into Thunderbird you'll need to log out and back in again.

---

heya, following this just made it go from complaining about self signed certs to just refusing to connect now

when i go to the cert page of stalwart i see that it just verbatim put in the file path, not what was in it. is this what is supposed to happen?

i just copied over mail.pain.agency which is the mail domain of my server. should i have copied over the cert from the normal domain (pain.agency)?

[jjj333-p]

oh im stupid i didnt replace the placeholder

[jjj333-p]

now it seems to alternate between displaying this and saying my cert is for the wrong domain. should i have done for pain.agency (vanity domain) instead of mail.pain.agency?

[jjj333-p]

disabling implicit tls on smtp seems to have fixed that however it still cant fetch emails over imap. thunderturd just says connection refused, and the stalwart admin console will start just throwing 502s and if i reload it wont load until after thunderbird stops trying to connect. is this an internal bug?

[jjj333-p]

thunderbird seems to indicate it cant find tls for imap, whether or not i set imap to have implicit tls. but it sees it for smtp, im so confused

[jjj333-p]

turns out i had set it back to listen to imap on port 993 but you have to restart stalwart for that to work.

[jjj333-p]

Is there any good way to get caddy to foward the real ip to stalwart to log?

[jjj333-p]

is that a setting in stalwart or in caddy? ive attempted setting

        header_up X-Forwarded-For {remote_host}
        header_up X-Real-IP {remote_host}

and neither of these seemed to get picked up by stalwart, even with this option selected under server > http

[mdecimus]

You need to configure the soruce IP address(es) of your reverse proxy here.

[bminer]

Not for Caddy, though, right? Caddy doesn't support Proxy Protocol. Does Stalwart still pick up the X-Forwarded-* headers sent by Caddy?

[mdecimus]

@bminer Apparently it does, see this thread. We're still waiting for someone to contribute a working configuration with the proxy protocol.

[bminer]

Cool! I just used the server.http.use-x-forwarded = true setting, but I suppose I could've used Proxy Protocol. In any case, I think Stalwart still needs to share the TLS certificate from Caddy anyway to do STARTTLS on port 25, so I'm happy with my config.

[ColonelThirtyTwo]

Does Stalwart automatically reload the certificate if the underlying file changes? The docs suggest it doesn't and that it needs an extra command to reload them, which is missing from this solution.

[RonnyLam]

I have created a little script with a test that does it all. Put it daily in root's crontab and you are done.

#!/bin/bash
caddyPub=/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dosba.nl/domain.tld.crt
caddyPriv=/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dosba.nl/domain.tld.key
stalwartPub=/opt/stalwart-mail/cert/domain.tld.pem
stalwartPriv=/opt/stalwart-mail/cert/domain.tld.priv.pem

if [ "$stalwartPub" -ot "$caddyPub" ]; then
	cat "$caddyPub" > "$stalwartPub"
	cat "$caddyPriv" > "$stalwartPriv"
	systemctl restart stalwart-mail.service
fi

[jjj333-p]

why would you do that instead of a .path and .service file? (linked files are for prosody, i have to set up the ones for stalwart still...)

[RonnyLam]

You're right, cron is old-style and even not in the default install of some distro's. I prefer your solution.

[bminer]

Also, you can do /opt/stalwart-mail/bin/stalwart-cli server reload-certificates instead of restarting the whole server.

[pepa65]

Or if you have curl installed but not stalwart-cli, you can do:
curl -s -u $CREDENTIALS "https://$MX/api/reload/certificate" (where CREDENTIALS is $ADMIN:$PASSWORD and MX is your domain).

[oneleaftea]

Curious about this caddy setup... Were you able to get JMAP to work on this?

I had initially had pretty much the same setup as you (except with reference to a docker container instead of local IP), but JMAP didn't work. I had to modify my Caddyfile with a few key changes (8080 to 443 with transport http and and proxy protocol wrapper)... otherwise, a JMAP session could connect but it would return the internal http url on 8080 instead of being over a secure connection and would fail to find any mailboxes.

I solved it with Proxy Protocol, but not Layer 4 (I still forward ports 25, 587, 993, and 4190 for non-HTTPS connections). This is based on docker network at 172.18.0.0/16 and a container id named stalwart

{
    servers {
        listener_wrappers {
            proxy_protocol {
                timeout 5s
                allow 127.0.0.0/8 ::1/128 172.18.0.0/16
                fallback_policy ignore
            }
            tls
        }
    }
}

# Mail server - for WebDAV/JMAP services
mail.<my domain> {
    # Proxy all HTTP traffic to Stalwart's HTTP/CardDAV/JMAP service
    reverse_proxy https://stalwart:443 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

I put the same trusted domains in the proxy of my global network in Stalwart, and JMAP is now working perfectly.

I wanted to offer this as a solution with limited proxy protocol support (which Caddy has out-of-the-box) as long as you are willing to deal with the IMAP/SMTP/ManageSieve ports outside of the reverse proxy.

However, if you were able to get JMAP working without doing this, I am curious if I am missing another solution.

[pepa65]

I use header_up Host {http.reverse_proxy.upstream.hostport} under reverse_proxy 127.0.0.1:8080. (But can't verify if it helps for JMAP, as I don't use it.)

[oneleaftea]

I use header_up Host {http.reverse_proxy.upstream.hostport} under reverse_proxy 127.0.0.1:8080. (But can't verify if it helps for JMAP, as I don't use it.)

I actually tried that before I went with my global proxy protocol but couldn’t get it to work. I might mess around with it more as I am not exactly happy with my setup. I also might try inserting HAProxy between Stalwart and the JMAP block only.

[pepa65]

I run the same way, with Caddy taking care of the SSL certificate. But I've automated the renewal of the certificates into the Stalwart directory differently, instead of your daily copy I have added this to my Caddyfile:

{
    email [email protected]
    # Requires github.com/mholt/caddy-events-exec
    events {
        on cert_obtained exec /PATH/TO/cpcerts
    }
}

And cpcerts:

#!/usr/bin/env bash

bin=stalwart  # Or stalwart-mail, depending on your install
dom=$HOSTNAME  # Or whatever your stalwart domain is!

dir=/root/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory
cp $dir/$dom/$dom.crt $dir/$dom/$dom.key /opt/$bin/
chown $bin:$bin /opt/$bin/$dom.*

This requires a caddy binary with mholt/caddy-events-exec which can be downloaded from here after selecting that module on the page: https://caddyserver.com/download