Docs
Helm-Charts
stalwart-mail

stalwart-mail

stalwart-mail

Version: 0.4.7 Type: application AppVersion: 0.15.4

Helm Chart for Stalwart Mail Server - Secure & Modern All-in-One Mail Server (IMAP, JMAP, SMTP)

Maintainers

NameEmailUrl
WrenIXhttps://wrenix.eu

Alpha

Current stalwart is not stable and we are also not stable.

We have current known issues:

  • cluster setup is not fully supported (so please keep replicas=1), see more in issue for cluster
  • toml interpreter of stalwart and golang (helm) are different, so we remove all .0 in the rendering to be compatible with stalwart-toml

Usage

Helm must be installed and setup to your kubernetes cluster to use the charts. Refer to Helm’s documentation to get started. Once Helm has been set up correctly, fetch the charts as follows:

helm pull oci://codeberg.org/wrenix/helm-charts/stalwart-mail

You can install a chart release using the following command:

helm install stalwart-mail-release oci://codeberg.org/wrenix/helm-charts/stalwart-mail --values values.yaml

To uninstall a chart release use helm’s delete command:

helm uninstall stalwart-mail-release

Requirements

RepositoryNameVersion
https://nats-io.github.io/k8s/helm/charts/nats2.12.3

Values

Backup

KeyTypeDefaultDescription
backup.enabledbooltrueenable a init of statefulset to create a backup on /data

DKIM

KeyTypeDefaultDescription
config.auth.dkim.signlist[{"if":"listener != 'smtp' && is_local_domain('', sender_domain)","then":"['rsa-' + sender_domain, 'ed25519-' + sender_domain]"},{"else":false}]auth rule for signing with dkim
config.auth.dkim.verifystring"relaxed"verify of dkim signature (relaxed, strict, disable)

Authentification

KeyTypeDefaultDescription
config.authentication.fallback-admin.secretstring"%{env:FALLBACK_ADMIN_SECRET}%"password for fallback authentfication (use env for store in secrets of kubernetes)
config.authentication.fallback-admin.userstring"admin"username for fallback authentfication
secrets.env.FALLBACK_ADMIN_SECRETstring"supersecret"password for fallback authentfication (env)

Cluster

KeyTypeDefaultDescription
config.cluster.node-idstring"%{env:POD_INDEX}%"configure stalwart to set correct node-id based on statefulset id
nats.configobject{}NATS configure
nats.enabledboolfalsedeploy a NATS and configure stalwart to use it as coordinator
replicaCountint1replicas
updateStrategyobject{}updateStrategy

Observability

KeyTypeDefaultDescription
config.metrics.prometheus.auth.secretstring"%{env:METRICS_SECRET}%"basic auth metrics password in stalwart-mail
config.metrics.prometheus.auth.usernamestring"%{env:METRICS_USERNAME}%"basic auth metrics username in stalwart-mail
config.metrics.prometheus.enablebooltrueenable prometheus in stalwart-mail
grafana.dashboards.annotationsobject{}label of configmap
grafana.dashboards.enabledboolfalsedeploy grafana dashboard in configmap
grafana.dashboards.labelsobject{"grafana_dashboard":"1"}label of configmap
nats.promExporter.enabledboolfalsedeploy prometheus exporter to NATS (in coordinator setup)
nats.promExporter.podMonitor.enabledboolfalsedeploy pod monitor for NATS prometheus exporter (in coordinator setup)
prometheus.servicemonitor.enabledboolfalsedeploy servicemonitor
prometheus.servicemonitor.labelsobject{}label of servicemonitor
secrets.env.METRICS_SECRETstring"scrape_metrics_password"basic auth metrics password in secret for stalwart-mail
secrets.env.METRICS_USERNAMEstring"scrape_metrics_user"basic auth metrics username in secret for stalwart-mail

Twake Webmail Client

KeyTypeDefaultDescription
twake.enabledboolfalsedeploy a
twake.image.pullPolicystring"IfNotPresent"This sets the pull policy for images. (could be overwritten by global.image.pullPolicy)
twake.image.registrystring"ghcr.io"image registry (could be overwritten by global.image.registry)
twake.image.repositorystring"linagora/tmail-web"image repository
twake.image.tagstring"v0.23.1"image tag
twake.volumeMountslist[]Additional volumeMounts on the output Deployment definition.
twake.volumeslist[]Additional volumes on the output Deployment definition.

Other Values

KeyTypeDefaultDescription
affinityobject{}
autoscaling.enabledboolfalse
autoscaling.maxReplicasint100
autoscaling.minReplicasint1
autoscaling.targetCPUUtilizationPercentageint80
certificate.certmanager.dnsNames[0]string"chart-example.local"
certificate.certmanager.enabledbooltrue
certificate.certmanager.issuerRef.groupstring"cert-manager.io"
certificate.certmanager.issuerRef.kindstring"ClusterIssuer"
certificate.certmanager.issuerRef.namestring"letsencrypt-prod"
certificate.secretNamestringnilnot needed if certmanager is used
config.certificate.default.certstring"%{file:/opt/stalwart/etc/certs/tls.crt}%"
config.certificate.default.defaultbooltrue
config.certificate.default.private-keystring"%{file:/opt/stalwart/etc/certs/tls.key}%"
config.config.local-keyslist["store.*","directory.*","tracer.*","!server.blocked-ip.*","server.*","authentication.fallback-admin.*","cluster.*","config.local-keys.*","storage.data","storage.blob","storage.lookup","storage.fts","storage.directory","certificate.*","server.allowed-ip.*","metrics.prometheus.*","auth.dkim.sign.*","auth.dkim.verify","http.use-x-forwarded","report.domain"]values configure here (and not per database)
config.directory.internal.storestring"rocksdb"
config.directory.internal.typestring"internal"
config.http.use-x-forwardedbooltrue
config.server.allowed-ip.“10.42.0.1/16”string""
config.server.listener.http.bind[0]string"[::]:80"
config.server.listener.http.protocolstring"http"
config.server.listener.https.bind[0]string"[::]:443"
config.server.listener.https.protocolstring"http"
config.server.listener.https.tls.implicitbooltrue
config.server.listener.imap.bind[0]string"[::]:143"
config.server.listener.imap.protocolstring"imap"
config.server.listener.imaptls.bind[0]string"[::]:993"
config.server.listener.imaptls.protocolstring"imap"
config.server.listener.imaptls.tls.implicitbooltrue
config.server.listener.pop3.bind[0]string"[::]:110"
config.server.listener.pop3.protocolstring"pop3"
config.server.listener.pop3s.bind[0]string"[::]:995"
config.server.listener.pop3s.protocolstring"pop3"
config.server.listener.pop3s.tls.implicitbooltrue
config.server.listener.sieve.bind[0]string"[::]:4190"
config.server.listener.sieve.protocolstring"managesieve"
config.server.listener.smtp.bind[0]string"[::]:25"
config.server.listener.smtp.protocolstring"smtp"
config.server.listener.submission.bind[0]string"[::]:587"
config.server.listener.submission.protocolstring"smtp"
config.server.listener.submissions.bind[0]string"[::]:465"
config.server.listener.submissions.protocolstring"smtp"
config.server.listener.submissions.tls.implicitbooltrue
config.storage.blobstring"rocksdb"
config.storage.datastring"rocksdb"
config.storage.directorystring"internal"
config.storage.ftsstring"rocksdb"
config.storage.lookupstring"rocksdb"
config.store.rocksdb.compressionstring"lz4"
config.store.rocksdb.pathstring"/data"
config.store.rocksdb.typestring"rocksdb"
config.tracer.otel.enableboolfalse
config.tracer.otel.endpointstring"https://127.0.0.1/otel"
config.tracer.otel.headerslist[]headers for usage with http (e.g. ‘Authorization: <place_auth_here>’)
config.tracer.otel.levelstring"info"
config.tracer.otel.transportstring"grpc"grpc or http
config.tracer.otel.typestring"open-telemetry"
config.tracer.stdout.ansiboolfalse
config.tracer.stdout.enablebooltrue
config.tracer.stdout.levelstring"info"
config.tracer.stdout.typestring"stdout"
envlist[]
envFromlist[]
fullnameOverridestring""
global.image.pullPolicystringnilif set it will overwrite all pullPolicy
global.image.registrystringnilif set it will overwrite all registry entries
image.pullPolicystring"IfNotPresent"This sets the pull policy for images. (could be overwritten by global.image.pullPolicy)
image.registrystring"ghcr.io"image registry (could be overwritten by global.image.registry)
image.repositorystring"stalwartlabs/stalwart"image repository
image.tagstring""image tag - Overrides the image tag whose default is the chart appVersion.
imagePullSecretslist[]
ingress.annotationsobject{}
ingress.classNamestring""
ingress.enabledboolfalse
ingress.hosts[0].hoststring"admin.chart-example.local"
ingress.hosts[0].paths[0].pathstring"/"
ingress.hosts[0].paths[0].pathTypestring"ImplementationSpecific"
ingress.hosts[1].hoststring"chart-example.local"
ingress.hosts[1].paths[0].pathstring"/"
ingress.hosts[1].paths[0].pathTypestring"ImplementationSpecific"
ingress.tlslist[]
livenessProbe.httpGet.httpHeaders[0]object{"name":"X-Forwarded-For","value":"127.0.0.1"}send fake X-Forwarded-For for not generate warnings
livenessProbe.httpGet.pathstring"/healthz/live"
livenessProbe.httpGet.portstring"http"
livenessProbe.initialDelaySecondsint5
livenessProbe.periodSecondsint10
nameOverridestring""
nodeSelectorobject{}
persistence.accessModestring"ReadWriteOnce"accessMode
persistence.annotationsobject{}
persistence.enabledbooltrueEnable persistence using Persistent Volume Claims ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
persistence.existingClaimstringnilA manually managed Persistent Volume and Claim Requires persistence.enabled: true If defined, PVC must be created manually before volume will be bound
persistence.hostPathstringnilDo not create an PVC, direct use hostPath in Pod
persistence.sizestring"10Gi"size
persistence.storageClassstringnilPersistent Volume Storage Class If defined, storageClassName: If set to “-”, storageClassName: “”, which disables dynamic provisioning If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. (gp2 on AWS, standard on GKE, AWS & OpenStack)
podAnnotationsobject{}
podLabelsobject{}
podSecurityContextobject{}
readinessProbe.httpGet.httpHeaders[0]object{"name":"X-Forwarded-For","value":"127.0.0.1"}send fake X-Forwarded-For for not generate warnings
readinessProbe.httpGet.pathstring"/healthz/ready"
readinessProbe.httpGet.portstring"http"
readinessProbe.initialDelaySecondsint30
readinessProbe.periodSecondsint10
resourcesobject{}
secrets.createbooltrueenables env secret creation from secrets.env values NOTE: The env variables below should be manually passed in the pod if disabled.
securityContextobject{}
service.annotationsobject{}
service.externalTrafficPolicystringnil
service.ipFamilies[0]string"IPv4"
service.ipFamilyPolicystring"SingleStack"other option is RequireDualStack
service.ports.httpint80
service.ports.httpsint443
service.ports.imapint143
service.ports.imaptlsint993
service.ports.pop3int110
service.ports.pop3sint995
service.ports.sieveint4190
service.ports.smtpint25
service.ports.submissionint587
service.ports.submissionsint465
service.typestring"ClusterIP"
serviceAccount.annotationsobject{}Annotations to add to the service account
serviceAccount.automountbooltrueAutomatically mount a ServiceAccount’s API credentials?
serviceAccount.createboolfalseSpecifies whether a service account should be created
serviceAccount.namestring""The name of the service account to use. If not set and create is true, a name is generated using the fullname template
tolerationslist[]
traefik.enabledboolfalse
traefik.ports.https.entrypointstring"websecure"
traefik.ports.https.matchstringnil
traefik.ports.https.passthroughTLSbooltrue
traefik.ports.https.proxyProtocolbooltrue
traefik.ports.imaptls.entrypointstring"imaps"
traefik.ports.imaptls.matchstringnil
traefik.ports.imaptls.passthroughTLSbooltrue
traefik.ports.imaptls.proxyProtocolbooltrue
traefik.ports.pop3s.entrypointstring"pop3s"
traefik.ports.pop3s.matchstringnil
traefik.ports.pop3s.passthroughTLSbooltrue
traefik.ports.pop3s.proxyProtocolbooltrue
traefik.ports.sieve.entrypointstring"sieve"
traefik.ports.sieve.matchstringnil
traefik.ports.sieve.passthroughTLSbooltrue
traefik.ports.sieve.proxyProtocolbooltrue
traefik.ports.smtp.entrypointstring"smtp"
traefik.ports.smtp.matchstringnil
traefik.ports.smtp.proxyProtocolbooltrue
traefik.ports.submissions.entrypointstring"smtps"
traefik.ports.submissions.matchstringnil
traefik.ports.submissions.passthroughTLSbooltrue
traefik.ports.submissions.proxyProtocolbooltrue
twake.affinityobject{}
twake.config.dashboard.apps[0].appLinkstring`“https://{{ (.Values.ingress.hostsfirst).host }}"`
twake.config.dashboard.apps[0].namestring"Administration"
twake.config.dashboard.apps[0].publicIconUristring`“https://{{ (.Values.ingress.hostsfirst).host }}/apple-touch-icon.png”`
twake.config.env.APP_GRID_AVAILABLEstring"supported"
twake.config.env.DOMAIN_REDIRECT_URLstring`“https://{{ (.Values.twake.ingress.hostsfirst).host }}"`
twake.config.env.FORWARD_WARNING_MESSAGEstring""
twake.config.env.OIDC_SCOPES[0]string"openid"
twake.config.env.OIDC_SCOPES[1]string"profile"
twake.config.env.OIDC_SCOPES[2]string"email"
twake.config.env.OIDC_SCOPES[3]string"offline_access"
twake.config.env.PLATFORMstring"other"
twake.config.env.SERVER_URLstring`“https://{{ (.Values.ingress.hostsfirst).host }}/"`
twake.config.env.WEB_OIDC_CLIENT_IDstring"teammail-web"
twake.config.env.WS_ECHO_PINGbooltrue
twake.ingress.annotationsobject{}
twake.ingress.classNamestring""
twake.ingress.enabledboolfalse
twake.ingress.hosts[0].hoststring"chart-example.local"
twake.ingress.hosts[0].paths[0].pathstring"/"
twake.ingress.hosts[0].paths[0].pathTypestring"ImplementationSpecific"
twake.ingress.tlslist[]
twake.livenessProbe.httpGet.pathstring"/"
twake.livenessProbe.httpGet.portstring"http"
twake.livenessProbe.initialDelaySecondsint5
twake.livenessProbe.periodSecondsint10
twake.nodeSelectorobject{}
twake.podAnnotationsobject{}
twake.podLabelsobject{}
twake.podSecurityContextobject{}
twake.readinessProbe.httpGet.pathstring"/"
twake.readinessProbe.httpGet.portstring"http"
twake.readinessProbe.initialDelaySecondsint30
twake.readinessProbe.periodSecondsint10
twake.resourcesobject{}
twake.securityContextobject{}
twake.service.annotationsobject{}
twake.service.ipFamilies[0]string"IPv4"
twake.service.ipFamilyPolicystring"SingleStack"other option is RequireDualStack
twake.service.typestring"ClusterIP"
twake.tolerationslist[]
volumeMountslist[]Additional volumeMounts on the output Deployment definition.
volumeslist[]Additional volumes on the output Deployment definition.

Autogenerated from chart metadata using helm-docs

speedtest-exporter