-
Self-host email using Stalwart, Bind and Wireguard
Hey Mark,

Thanks for the detailed response and cost breakdown—$7.42/month is quite reasonable, especially considering how important it is to maintain consistent SPF and rDNS for outbound mail.

Outbound IP issue – solved

On my external host, I’ve got a dedicated Docker host running WireGuard with the required ports exposed. Incoming mail worked fine after basic config, but sending was a problem. It turned out the outgoing packets were leaving via the machine’s primary IP, not the additional one I mapped specifically for inbound traffic to the Docker host.

To fix it, I had to adjust the NAT rules on the host so that traffic from the WireGuard container (running on Unraid) would leave with the correct source IP. The key was to insert a higher-priority SNAT rule:

sudo iptables -t nat -I POSTROUTING 1 -s 172.17.0.2 -o team0 -j SNAT --to-source <my-mapped-external-ip>

Now outbound connections correctly use the designated external IP, and SPF + rDNS checks pass as expected.

Container instability & ongoing attacks

Things are mostly working now, but I'm seeing repeated attacks against the containers. Stalwart does a great job blocking them, but I’ve noticed that after running for a while, the web admin UI and IMAP access become unavailable—even though the container is still running.

Example logs:

2025-06-03T15:41:50Z INFO Blocked IP address (security.ip-blocked) listenerId = "imaptls", localPort = 993, remoteIp = 83.7.37.137, remotePort = 57749
...
2025-06-03T15:54:18Z INFO Blocked IP address (security.ip-blocked) listenerId = "https", localPort = 443, remoteIp = 83.7.37.137, remotePort = 58289

These flood in pretty consistently. Stalwart blocks them, but I’m wondering if the web/IMAP availability issues might be related (resource exhaustion or rate-limiting?). I’ll dig into the container logs more thoroughly, but it’s a strange one.

Remaining tweaks

Still need to configure the timezone and polish off some minor system settings. But overall I’m really impressed with the flexibility of this setup—and learned a ton along the way. Thanks again for sharing it!
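To check whether the blocks described above line up with the UI/IMAP outages, it helps to aggregate the `security.ip-blocked` events per remote IP and listener over a time window. The script below is an added example (not code from the post, the guide, or the Stalwart project): it parses the two log lines quoted above plus two constructed lines (the 198.51.100.23 address and the `example.other-event` id are placeholders, not real Stalwart events), groups blocks by source IP, and flags any IP whose blocks cluster within a 15-minute window. The field layout it assumes (`key = value` pairs after the event id in parentheses) is inferred from the quoted lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout, inferred from the two lines quoted in the post:
#   <ISO timestamp> <LEVEL> <message> (<event.id>) key = value, key = value, ...
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+'
    r'(?P<level>\w+)\s+'
    r'(?P<msg>.*?)\s+\((?P<event>[\w.-]+)\)\s+'
    r'(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S+?)(?:,|$)')

# Constructed sample input: the first and third lines are the ones quoted in
# the post; the second and fourth are made up for this example (placeholder
# event id and a TEST-NET-2 address), so the filtering path is exercised too.
SAMPLE_LINES = [
    '2025-06-03T15:41:50Z INFO Blocked IP address (security.ip-blocked) '
    'listenerId = "imaptls", localPort = 993, remoteIp = 83.7.37.137, remotePort = 57749',
    '2025-06-03T15:45:00Z INFO Something unrelated (example.other-event) '
    'listenerId = "smtp", remoteIp = 198.51.100.23',
    '2025-06-03T15:54:18Z INFO Blocked IP address (security.ip-blocked) '
    'listenerId = "https", localPort = 443, remoteIp = 83.7.37.137, remotePort = 58289',
    '2025-06-03T16:02:11Z INFO Blocked IP address (security.ip-blocked) '
    'listenerId = "smtp", localPort = 25, remoteIp = 198.51.100.23, remotePort = 41000',
]


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not in the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'ts': datetime.strptime(m.group('ts'), '%Y-%m-%dT%H:%M:%SZ'),
        'level': m.group('level'),
        'event': m.group('event'),
        **fields,
    }


def summarize(lines, window=timedelta(minutes=15), threshold=2):
    """Group security.ip-blocked events by remote IP.

    For each IP, report the total block count, the listeners it touched, the
    largest number of blocks falling inside any `window`-long span, and a flag
    when that peak reaches `threshold` (i.e. the source is hammering the host
    rather than being blocked once).
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev['event'] == 'security.ip-blocked':
            by_ip[ev.get('remoteIp', '?')].append(ev)

    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e['ts'])
        listeners = sorted({e.get('listenerId', '?') for e in evs})
        # Sliding window over the sorted timestamps to find the densest burst.
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]['ts'] - evs[start]['ts'] > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[ip] = {
            'count': len(evs),
            'listeners': listeners,
            'peak_in_window': peak,
            'flag': peak >= threshold,
        }
    return report


if __name__ == '__main__':
    for ip, info in summarize(SAMPLE_LINES).items():
        mark = 'BURST' if info['flag'] else 'single'
        print(f"{ip:16} {info['count']:3} blocks  {','.join(info['listeners']):14} {mark}")
```

Feeding the real container log (for example `docker logs <container> | python3 blocked_ips.py` after swapping `SAMPLE_LINES` for `sys.stdin`) shows whether the outages coincide with a burst from one or a few sources, which is the first thing to correlate before suspecting rate limiting or resource exhaustion inside Stalwart.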
-
Self-host email using Stalwart, Bind and Wireguard
Hi Mark,

Just circling back after a bit more tinkering and a couple of coffee-fuelled debugging sessions.

What went wrong (and how I fixed it)

The culprit turned out to be a stray DNS entry in my WireGuard configuration. It stopped Stalwart’s admin UI from launching, which is why I kept hitting that 404 on /login. Removing the entry let the stack start cleanly. Because I’d already seen the v0.12 breaking changes, I went straight to stalwartlabs/stalwart:latest; the web interface is now behaving.

How my deployment differs from yours

Colo host with multiple public IPv4s – WireGuard runs in its own Docker container there.
Inbound vs. outbound traffic – inbound mail and HTTPS hit the Unraid box exactly as in your guide, but outbound packets leave via the server’s primary IP instead of the WireGuard-mapped address. Still tweaking NAT rules to tidy that up.

Odd container behaviour

Both Bind and Stalwart containers occasionally shut down and don’t auto-restart. I haven’t had time for a proper post-mortem, but Stalwart’s logs already show the first SMTP auth probes and directory-harvest attempts, so I suspect the crashes might be tied to those early attacks on the fresh install.

First impressions of Stalwart

I really like the direction they’re heading—if the release cadence calms down, I could see myself ditching my current mail stack for this. The only piece I miss is a built-in webmail client (something Roundcube-ish), but I imagine that will appear once the new DAV stack matures.

Terraform, or lack thereof

I skipped Terraform because my infra is already managed elsewhere, but your repo still taught me a few neat tricks—especially around the WireGuard + AWS static-IP pattern.

One open question: AWS costs

Can you share a rough monthly figure for the EC2 instance that acts as the WireGuard “router”? I’m thinking along the lines of a t4g.nano/micro plus the Elastic IP fee (~US-$3) and whatever egress the mail flow generates, but I’d love to know what you’re actually seeing in practice.

Thanks again for the excellent guide and the rapid updates—they saved me hours of head-scratching.
-
Self-host email using Stalwart, Bind and Wireguard
After some restarts I managed to get it running. The error above concluded. I have changed to the latest Docker image but no luck. I need to check this deeper.
-
Self-host email using Stalwart, Bind and Wireguard
Hi Mark,

I'm currently testing this solution and will get back with results soon. For now, I'm having an issue with the initial login at https://domain.com/login. I get the following error:

{ "type": "about:blank", "status": 404, "title": "Not Found", "detail": "The requested resource does not exist on this server." }

I still need to double-check everything, but according to the official documentation, port 8080 is required for login. In your WireGuard setup, only port 443 is being forwarded. On the other hand, I do see some exposed ports in the Unraid WireGuard Docker container, but there's no routing to port 8080 inside the Stalwart container. If logging in via https://domain.com/login worked for you — please share the magic behind it 😊

Overall, the solution looks solid and it should work well. Great job on the documentation on your blog, by the way! It doesn’t look like WordPress — what engine are you using?

Best regards!
-
Slower Speeds with IPFire Configuration on Virtual Machine with Directly Passed Through Network Cards
Hi everyone,

I’d like to share my setup with IPFire on a virtual machine hosted on Unraid. Hopefully, someone here might have experience or ideas to help me with my issue.

My configuration includes:
- An Unraid KVM machine with 8GB RAM and 4 CPUs, directly passed through
- Two Realtek RTL8111/8168/8211/8411 PCI Express Gigabit Ethernet Controller (rev 15) network cards, passed through by the Unraid virtualization system
- Symmetrical 1GB/s internet connection

After configuring IPFire, everything seems to be working fine, but I’ve noticed that the upload and download speeds are lower than what I had with my previous standard router. I’ve tried toggling QoS / IPS on and off, but the speeds remain lower than expected.

Has anyone had experience with a similar setup, running IPFire on a virtual machine with directly passed through network cards? Are there any specific settings I should try to improve speeds? I’m also wondering if the issue might be related to the Realtek network cards, or if it’s worth considering swapping them out for Intel cards?

I’d appreciate any tips or experiences that could help me troubleshoot this problem. Thanks!
-
Error on reboot
Updated thanks @ljm42