tailwart/caddy/README.md

# tailwart edge — layer-4 mail proxy

A custom Caddy (with the `caddy-l4` app) that pipes the public mail ports to the
Stalwart sidecar over the tailnet. Pure TCP pass-through with PROXY protocol —
Stalwart still terminates all the TLS. **Runs anywhere** with a public IP that's
on the tailnet and tagged `tag:reverse-proxy`; doesn't need to share a host with
the mailbox.

## Why layer 4 and not a normal Caddy vhost

Web apps reverse-proxy at layer 7 (route by Host/SNI, Caddy terminates TLS).
Mail can't: port 25 has no SNI (STARTTLS comes after connect), and you want one
global `:25` listener, not per-domain routing. So the edge is a dumb L4 pipe and
Stalwart owns the TLS. The novelty you spotted: this is the same `stream`-style
proxying nginx/Caddy can do for *any* TCP — it just usually isn't used for it.

## Build & run

```bash
docker compose up -d --build      # builds Dockerfile (xcaddy + caddy-l4), runs it
caddy list-modules | grep layer4  # (inside the image) proof the module loaded
```

The build fails loudly if `caddy-l4` isn't in the resulting binary.

## Edit the upstream

`caddy.json` dials `stalwart.tail7b1641.ts.net:<port>`. If your
`STALWART_MAGIC_NAME` / `TS_TAILNET` differ, update the five `dial` lines. (JSON
can't read `.env`; this is the one spot the MagicDNS name is hardcoded — same
trade-off as pgAdmin's `servers.json`.)

## The HTTP side (JMAP / autoconfig / admin) is separate

That part *is* ordinary layer 7. Don't put it here if this box already runs the
main Caddy on :443 — you'll collide. Instead add a vhost to the existing Caddy:

```caddyfile
mail.infinidim.net {
    reverse_proxy stalwart.tail7b1641.ts.net:8080
}
```

## Prerequisites on the host running this

- Joined to the tailnet, tagged `tag:reverse-proxy` (so the ACL lets it reach
  `tag:stalwart`).
- Public firewall opens for whichever mail ports you expose (`25` minimum).
- Nothing else bound to those ports.
Scaffold tailwart: Stalwart mailbox as a Tailscale sidecar Over-engineered play stack for infinidim.net — Stalwart wired into the shared Postgres + Redis + Garage S3 over the tailnet, with no WAN presence. Public mail ports are fronted by a separate caddy-l4 layer-4 proxy (caddy/) that can run on any tailnet host tagged tag:reverse-proxy — decoupled from the mailbox. - docker-compose.yml: ts-stalwart sidecar + stalwart, backends via MagicDNS - config/config.toml: PG (data/fts) + Redis (lookup) + S3 (blob) strawman - caddy/: xcaddy build with caddy-l4, JSON layer-4 mail proxy, own compose - acl-snippet.hujson: tag:stalwart owner + backend/edge grants - .env.example + gitignored .env (pulled from shared infra) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-03 22:25:38 -04:00			`# tailwart edge — layer-4 mail proxy`

			A custom Caddy (with the `caddy-l4` app) that pipes the public mail ports to the
			`Stalwart sidecar over the tailnet. Pure TCP pass-through with PROXY protocol —`
			`Stalwart still terminates all the TLS. Runs anywhere with a public IP that's`
			on the tailnet and tagged `tag:reverse-proxy`; doesn't need to share a host with
			`the mailbox.`

			`## Why layer 4 and not a normal Caddy vhost`

			`Web apps reverse-proxy at layer 7 (route by Host/SNI, Caddy terminates TLS).`
			`Mail can't: port 25 has no SNI (STARTTLS comes after connect), and you want one`
			global `:25` listener, not per-domain routing. So the edge is a dumb L4 pipe and
			Stalwart owns the TLS. The novelty you spotted: this is the same `stream`-style
			`proxying nginx/Caddy can do for any TCP — it just usually isn't used for it.`

			`## Build & run`

			```bash
			`docker compose up -d --build # builds Dockerfile (xcaddy + caddy-l4), runs it`
			`caddy list-modules \| grep layer4 # (inside the image) proof the module loaded`
			```

			The build fails loudly if `caddy-l4` isn't in the resulting binary.

			`## Edit the upstream`

			`caddy.json` dials `stalwart.tail7b1641.ts.net:<port>`. If your
			`STALWART_MAGIC_NAME` / `TS_TAILNET` differ, update the five `dial` lines. (JSON
			can't read `.env`; this is the one spot the MagicDNS name is hardcoded — same
			trade-off as pgAdmin's `servers.json`.)

			`## The HTTP side (JMAP / autoconfig / admin) is separate`

			`That part is ordinary layer 7. Don't put it here if this box already runs the`
			`main Caddy on :443 — you'll collide. Instead add a vhost to the existing Caddy:`

			```caddyfile
			`mail.infinidim.net {`
			`reverse_proxy stalwart.tail7b1641.ts.net:8080`
			`}`
			```

			`## Prerequisites on the host running this`

			- Joined to the tailnet, tagged `tag:reverse-proxy` (so the ACL lets it reach
			`tag:stalwart`).
			- Public firewall opens for whichever mail ports you expose (`25` minimum).
			`- Nothing else bound to those ports.`