wayne/tailwart
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
vaguely official, slightly unfortunate
7 Commits 3 Branches 0 Tags 147 KiB
Shell 84.4%
Vim Snippet 9.6%
Dockerfile 6%
3a9819c3ee
Go to file
Wayne Hayes 3a9819c3ee docs: capture outbound-relay lessons (IPv6/AAAA trap, SMTP port block, sidecar ACL) 
LESSONS.md gains 8-12: container has no IPv6 (AAAA fails before A, no
fallback), host IPv6 != container IPv6, VPS blocks all outbound SMTP
ports (relay over tailnet), sidecar needs a source ACL grant to
initiate, and MtaRoute changes only take effect on restart.

CLAUDE.md and .env.example warn that the smarthost address must be an
IPv4 literal or tailnet IP, never a dual-stack hostname. acl-snippet
adds the tag:stalwart -> tag:mail outbound grant.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 22:43:21 +01:00
caddy Harden mail edge: PG-race healthcheck gate, :443 SNI fan-out, docs 2026-06-11 05:15:34 +01:00
config stalwart: migrate to v0.16 config model; fix stores, listeners, persistence 2026-06-10 23:36:46 -04:00
.env.example docs: capture outbound-relay lessons (IPv6/AAAA trap, SMTP port block, sidecar ACL) 2026-06-11 22:43:21 +01:00
.gitignore Harden mail edge: PG-race healthcheck gate, :443 SNI fan-out, docs 2026-06-11 05:15:34 +01:00
acl-snippet.hujson docs: capture outbound-relay lessons (IPv6/AAAA trap, SMTP port block, sidecar ACL) 2026-06-11 22:43:21 +01:00
CLAUDE.md docs: capture outbound-relay lessons (IPv6/AAAA trap, SMTP port block, sidecar ACL) 2026-06-11 22:43:21 +01:00
docker-compose.yml Harden mail edge: PG-race healthcheck gate, :443 SNI fan-out, docs 2026-06-11 05:15:34 +01:00
LESSONS.md docs: capture outbound-relay lessons (IPv6/AAAA trap, SMTP port block, sidecar ACL) 2026-06-11 22:43:21 +01:00
README.md caddy: build via caddyserver.com download URL, not local xcaddy 2026-06-03 22:39:33 -04:00

README.md

tailwart

Tailscale × Stalwart. A mailbox with no WAN presence, fronted by a layer-4 proxy that can live on another machine entirely.

A deliberately over-engineered playground: Stalwart mail server wired into Postgres + Redis + Garage S3 at once, deployed as a Tailscale sidecar, with a separate caddy-l4 edge that pipes the raw mail ports over the tailnet. For infinidim.net.

See CLAUDE.md for the architecture and the gotchas.

Layout

tailwart/
├── docker-compose.yml      # the mailbox: ts-stalwart sidecar + stalwart
├── config/config.toml      # Stalwart config — PG + Redis + S3 wiring (strawman)
├── caddy/                  # the edge: custom Caddy (caddy-l4) layer-4 mail proxy
│   ├── Dockerfile          #   pulls prebuilt caddy-l4 binary (caddyserver.com, no local build)
│   ├── caddy.json          #   :25/465/587/143/993 → stalwart over the tailnet
│   ├── docker-compose.yml  #   deploy on any public-IP, tailnet, tag:reverse-proxy host
│   └── README.md
├── acl-snippet.hujson      # tag:stalwart owner + grants to merge into your policy
├── .env.example            # operator surface — copy to .env
└── .gitignore

Quickstart

cp .env.example .env && $EDITOR .env        # fill secrets (see CLAUDE.md prereqs)

# 1. create the stalwart role/db in shared Postgres + the Garage bucket
#    (one-off; see CLAUDE.md "Prerequisites")
# 2. admin console: assign tag:stalwart to the OAuth client + paste acl-snippet
# 3. bring up the mailbox (tailnet-only)
docker compose up -d
# 4. bring up the edge (binds public mail ports; can be a different host)
cd caddy && docker compose up -d --build

Then point infinidim.net's MX at the edge host, add SPF/DKIM/DMARC, and finish configuration in Stalwart's web admin (mail.infinidim.net).

Status

Scaffold / strawman. The Stalwart config.toml keys need verifying against a pinned image version before first real boot — treat it as a starting shape, not a turnkey config.