Mail Client Settings

Configuration for connecting mail clients (Thunderbird, iOS Mail, etc.) to the Stalwart mail server via the Traefik reverse proxy.

Quick Reference

Setting	Value
Server	`mail.electricmonk.io`
Username	Your Authentik username
Password	Your Authentik password (or app password)

Incoming Mail — IMAP

Setting	Value
Protocol	IMAP
Server	`mail.electricmonk.io`
Port	`993`
Connection security	SSL/TLS
Authentication	Normal password

TLS is terminated by Traefik using the wildcard cert for *.electricmonk.io. Stalwart sees plain-text IMAP internally but the client connection is encrypted end-to-end.

Outgoing Mail — SMTP

Setting	Value
Protocol	SMTP
Server	`mail.electricmonk.io`
Port	`465`
Connection security	SSL/TLS
Authentication	Normal password

Port 465 is implicit TLS (SMTPS) — the TLS handshake happens immediately. Traefik terminates TLS and forwards to Stalwart's submission listener on port 587. Do not use port 587 with STARTTLS — Traefik is not configured for that.

Thunderbird Specific Setup

Add Account → Enter name, email, password
Thunderbird may try autoconfig — if it fails, click Manual config
Enter the settings above
Authentication method: Normal password
Click Re-test then Done

If autoconfig is working

Stalwart serves autoconfig at https://autoconfig.electricmonk.io/ and autodiscover at https://autodiscover.electricmonk.io/. If these are configured in Stalwart's database, Thunderbird will pick up settings automatically.

Web Interface

Stalwart's built-in web UI (webmail + admin) is available at:

https://mail.electricmonk.io/

Architecture — How TLS Works

Client (TLS) ──→ Traefik (terminates TLS) ──→ Stalwart (plain text + PROXY protocol v2)

External Port	Traefik entryPoint	TLS	Backend (Stalwart)
25 (SMTP)	`smtp`	None (plain TCP)	`:25` — inbound MTA
465 (SMTPS)	`smtps`	Terminated	`:587` — submission
993 (IMAPS)	`imaps`	Terminated	`:143` — IMAP
443 (HTTPS)	`websecure`	Terminated	`:8080` — HTTP/JMAP

All TCP routes use PROXY protocol v2 so Stalwart sees the real client IP.

Authentication

Users authenticate against the Authentik LDAP outpost (directory.authentik in Stalwart config). The directory is configured at:

ldap://ak-outpost-stalwart-ldap.electricmonk.svc.cluster.local

Stalwart uses bind authentication with lookup — it searches for the user by cn (username) or mail (email), then binds as that user to verify the password.

App Passwords

If needed, app passwords can be created through Authentik's API using the manage-app-passwords.sh script in apps/stalwart/scripts/. These are useful for clients that don't support OIDC or for automation.

Troubleshooting

Zero logs from Stalwart

Check that the pod is running and not crash-looping:

# Quick status
kubectl -n electricmonk get pods -l app=stalwart

# Full log check
./apps/stalwart/scripts/test-mailflow.sh logs

Common causes of zero logs:

Init container failed — config injection didn't complete, main container never starts
Pod stuck in Init — check kubectl describe pod for init container errors
CrashLoopBackOff — bad config, check previous logs with --previous
Log level too low — currently set to info in configmap; try debug temporarily:
```
tracer.log.level = "debug"
```

Connection refused on TCP ports

Check Traefik entrypoints are listening: kubectl -n kube-system get svc traefik
Verify the IngressRouteTCP resources exist: kubectl -n electricmonk get ingressroutetcp
Check Stalwart service endpoints: kubectl -n electricmonk get endpoints stalwart

Auth failures

Verify the LDAP outpost pod is running: kubectl -n electricmonk get pods | grep ldap

Test LDAP bind directly from inside the cluster:

kubectl -n electricmonk exec -it deploy/stalwart -- \
  ldapsearch -H ldap://ak-outpost-stalwart-ldap.electricmonk.svc.cluster.local \
  -D "<bind-dn>" -w "<bind-password>" -b "DC=ldap,DC=goauthentik,DC=io" "(cn=<username>)"

Check Stalwart logs for LDAP errors: ./apps/stalwart/scripts/test-mailflow.sh logs