I tried to set up stalwart, but I didn't understand exactly what it wanted me to do. It's a webserver (for webmail and admin) and mail server in one, but I already run a webserver and I already have cert infra. So I couldn't figure out what dns settings to use and what ports to reverse proxy. And how to get it to play nice and share the certificate. Seems like stalwart has been designed as if it is the only thing running on a machine, with sparse documentation for any other setup. I tried getting help on the discord server but the tone seemed to be of a sort of "it's quite obvious, you should already know this". At that point, it's so much friction to reverse engineer it that it might just be easier to set up dovecot and postfix.
I have had similarly been unable to get as much help from their Discord as I had hoped.
That said, I'd give this another shot. What I discovered is that Stalwart is incredibly flexible and designed to be used in any configuration you want, and the documentation and examples are incredible, compared to most other projects. BTW, there is no webmail yet, but you are right that there is the admin that is served over HTTP/S, as well as MTA_STS, JMAP. The default listeners get you started and it's kind of out-of-the-scope of Stalwart in terms how you want your server to interact with those listeners. But whether you containerize it or setup a reverse proxy, the documentation has a lot of examples, including how to pick up the certificates, if not managed by Stalwart itself.
I landed on a Caddy for HTTPS and haproxy for proxy protocol on just JMAP, and the remaining TCP services directly binded to the host for the main mail services.
Traefik is another example that I had initially prepped and got working that also handled TCP connections with proxy protocol where needed. The Stalwart documentation was very helpful with that.
In short, I was impressed with how easy it was to integrate Stalwart into whatever setup I wanted, and how open the developer is to different setups. For instance, mox (while awesome in its own right) considers containerized setups to be not-recommended, and generally expects it to live on its own server. Stalwart is flexible, but the side effect is that it is overwhelming at first... but becomes quite elegant once you get the hang of it.
Did you use the documentation to figure out the proxying? I can't see a clear path of how to reconcile giving the responsibility of certs to another software, but still having stalwart use them for imap and smtp tls. And do you have the stalwart web interface running on www.yourdomain, or did you manage to get it working on a different subdomain? I don't see the config syntax in the docs for changing that
The documentation needs a lot of work, especially since a lot of it is outdated. But in short, if you setup a reverse proxy, the listeners in Stalwart will listen to anything forwarded to it, so you'll generally want to refer to the HTTP endpoints to map it to the right subdomain. https://stalw.art/docs/http/overview
For instance, you can simply point something like mailadmin.domain.com to Stalwart on port 8080 and it'll just work. In this case, whatever your mail server's host name (i.e. mail.domain.com or whatever) wouldn't really matter.
But then your reverse proxy can handle the other endpoints like /dav/, /.well-known/ on a different subdomain. And mta_sts.domain.com directly handling /.well-known/mta-sts.txt for instance.
For my stack, outside of Caddy's https handling, I kept things simple and exposed 25, 465, 587, 993, and 4190 (smtp, smtps, imaps, and ManageSieve) TCP services binded directly to the host.
But it leaves it to you to map things. For instance, if both Caddy and Stalwart are containerized, it's easy to get mixed up on where the bind-mounted or named volumes (depending on how you set it up) will end up placing them. But it does work... just so flexible that it's out-of-scope for Stalwart to document everything.
The installation instructions seem to agree with you:
1. curl this shell script
2. Run it as root.
Anytime you see that, you can assume the software wants to take over the whole box and isn't likely to make any attempt to play nicely with other services/software/users already running on the same host.
I feel like the developer is just as serious about containerized setup as letting it take over the whole box. I've run it both ways, and have found it works incredibly well in Docker and the documentation is very good at treating all setups equally.
