Stalwart is an all-in-one mail and collaboration server designed for organizations seeking a secure, modern alternative to fragmented email solutions. It replaces legacy stacks of separate MTA, spam filter, calendar, and contact systems with a single, memory-safe Rust binary that supports industry-standard protocols including JMAP, IMAP4rev2, SMTP, CalDAV, CardDAV, and WebDAV. Built for scalability and security, it’s ideal for enterprises, self-hosting enthusiasts, and privacy-focused teams.
Stalwart integrates advanced email authentication (DMARC, DKIM, SPF, ARC), TLS security via DANE and MTA-STS, multi-tenant support, and pluggable storage backends (RocksDB, PostgreSQL, S3, Redis). It supports Kubernetes, Docker, and cluster coordination via Kafka or NATS, enabling deployment from small setups to large-scale distributed environments with high availability and fault tolerance.
What You Get
- JMAP for Mail & Calendars & Contacts - Full implementation of JMAP (RFC 8621, RFC 9610, RFC 9670) for modern email, calendar, and contact management with WebSocket, blob management, and sharing extensions.
- IMAP4rev2 & ManageSieve - Standards-compliant IMAP server with RFC 9051 support, including Sieve scripting for server-side email filtering and rule-based automation.
- SMTP with Built-in Email Authentication - SMTP server with native DMARC, DKIM, SPF, and ARC validation; DANE, MTA-STS, and TLS-RPT for transport security and reporting.
- CalDAV & CardDAV Support - Full calendaring and contact synchronization via RFC 4791 and RFC 6352, enabling seamless integration with Apple Calendar, Thunderbird, and other clients.
- WebDAV File Storage - Unified file storage with RFC 4918 support, allowing users to store, share, and sync files alongside emails and calendars.
- LLM-Driven Spam & Phishing Filter - AI-powered spam classification with collaborative filtering, Pyzor integration, homographic URL detection, sender reputation monitoring, and spam traps.
- ACME TLS Certificate Automation - Automatic SSL/TLS certificate provisioning via Let’s Encrypt using TLS-ALPN-01, DNS-01, or HTTP-01 challenges without manual intervention.
- Multi-Tenancy & Role-Based Access Control - Isolated domains and tenants with ACLs, OAuth 2.0, OpenID Connect, LDAP, and two-factor authentication (TOTP) for enterprise-grade access management.
- Pluggable Storage Backends - Support for RocksDB, PostgreSQL, MySQL, SQLite, S3, Azure Blob, and Redis, enabling flexible data persistence and scalability options.
- OpenTelemetry & Prometheus Monitoring - Real-time metrics, distributed tracing, and log aggregation with OpenTelemetry and Prometheus for observability and alerting.
- Web-Based Admin Dashboard - GUI for managing users, domains, mailing lists, SMTP queues, DMARC/TLS reports, logs, and configuration with self-service password reset and key management.
- Autoconfig & Autodiscover - Automatic client configuration for Thunderbird, Outlook, and mobile devices via IETF autoconfig and Microsoft autodiscover standards.
Common Use Cases
- Running a private email service for a small business - A company replaces Microsoft 365 with Stalwart to host email, calendars, and contacts on-premises with full data control, using JMAP for modern clients and WebDAV for file sharing.
- Deploying a secure, spam-resistant mail server for a non-profit - An organization uses Stalwart’s built-in phishing protection, DMARC enforcement, and ACME TLS to protect donors and volunteers from email fraud without third-party services.
- Building a collaborative workspace with integrated calendar and file storage - A team uses Stalwart’s CalDAV, CardDAV, and WebDAV to create a unified communication hub, replacing Google Workspace with a self-hosted, privacy-focused alternative.
- Scaling a high-volume email infrastructure with fault tolerance - An ISP deploys Stalwart in a Kubernetes cluster with Redis sharding and Kafka coordination to handle 50,000+ users with zero downtime during hardware failures.
Under The Hood
Architecture
- Modular Rust workspace with distinct crates for each protocol (IMAP, SMTP, JMAP, DAV) and storage layers, ensuring clear separation of concerns
- Protocol handlers decoupled from storage backends via trait-based abstractions, enabling pluggable persistence without protocol modifications
- Dependency injection implemented through Rust’s type system, with services injected via constructor parameters for testability and flexibility
- Event-driven core with async/await patterns that trigger domain events for spam filtering, logging, and directory synchronization
- Extensible plugin system using feature flags to conditionally compile enterprise integrations while keeping the core lightweight
- Clear layering between protocol parsing, business logic, and data models, with shared types ensuring consistency across components
Tech Stack
- Rust-based monorepo with comprehensive support for email and calendar protocols through dedicated protocol crates
- Multi-backend storage support with feature-gated compilation for SQLite, PostgreSQL, RocksDB, S3, and MySQL
- Dockerized build pipeline leveraging cargo-chef for optimized layer caching and cross-platform compilation
- Single-binary deployment exposing IMAP, SMTP, POP3, CalDAV, and CardDAV endpoints with native TLS
- CI/CD pipeline designed for reproducible builds with dynamic feature flag configurations for cloud integrations
- Production-optimized build system using LTO, stripping, and target-specific linker flags for performance and size efficiency
Code Quality
- Extensive integration and system-level tests simulating real-world SMTP, IMAP, and JMAP interactions with mock network and DNS behaviors
- Strong code organization with modular crates that isolate protocols, services, and test utilities for focused development and maintenance
- Robust configuration-driven testing with dynamic templating and environment-aware setups to validate authentication, storage, and network behaviors
- Comprehensive type safety and protocol-specific error handling using Rust’s strong type system, avoiding panics in favor of structured responses
- Consistent idiomatic Rust patterns across the codebase with clear boundaries between parsing, logic, and testing layers
- Automated test infrastructure that selectively compiles storage backends and protocol modules to ensure broad configuration coverage
What Makes It Unique
- Native JMAP implementation with granular, unified handlers for email, calendar, contacts, and files—eliminating dependency on legacy protocols
- Distributed pub/sub system with node-aware routing and automatic retry logic to maintain consistency in clustered deployments
- Built-in push notification manager with persistent subscriptions, automatic verification, and intelligent backoff for mobile and web clients
- Unified OAuth2 authentication with fine-grained permission scopes tied directly to feature access and data operations
- Real-time telemetry and live metrics endpoints with token-based streaming, providing observability without external dependencies
- Seamless integration of KV storage, blob storage, and pubsub into a single coherent data plane with atomic cross-domain operations