Self-Host Your Email: Stalwart on Raspberry Pi with a Pangolin VPS Proxy

A guide to creating a private, self-hosted email server! This post will walk you through setting up the powerful Stalwart Mail Server on a low-cost Raspberry Pi at home. To make it securely accessible from anywhere, we’ll use Pangolin on a Virtual Private Server (VPS) to create a secure tunnel, bypassing the need for complex firewall rules or a static home IP address.


Part 1: Setting Up Stalwart Mail Server on Your Raspberry Pi

First, we’ll get the mail server software running on your Pi.

Step 1.1: Install Docker & Pull Stalwart

Stalwart runs in a clean, isolated environment called a Docker container.

  1. Install Docker on your Raspberry Pi if you haven’t already. The easiest way is to run their official script:

    curl -fsSL https://get.docker.com -o get-docker.sh
    sudo sh get-docker.sh
    
  2. Add your user to the Docker group to avoid typing sudo for every Docker command:

    sudo usermod -aG docker ${USER}
    

    You’ll need to log out and log back in for this change to take effect.

  3. Pull the Stalwart Docker image from the internet. This downloads the software.

    docker pull stalwartlabs/stalwart:latest
    

Step 1.2: Create a Home for Your Mail Data

You need a dedicated folder on your Raspberry Pi to store all your emails and configuration files.

    sudo mkdir -p /var/lib/stalwart

Step 1.3: Run Stalwart for the First Time

Now, we’ll start the Stalwart container.

  1. Run the following command. Note that we are NOT exposing the ports with -p flags yet. Pangolin will handle that for us later.

    docker run -d -ti \
                 -v /var/lib/stalwart:/opt/stalwart \
                 --name stalwart stalwartlabs/stalwart:latest
    
    • -d: Runs the container in the background.
    • -v: Links the /var/lib/stalwart directory on your Pi to the /opt/stalwart directory inside the container.
    • --name stalwart: Gives the container a memorable name.
  2. Get your admin password. Stalwart generates a one-time password for you.

    docker logs stalwart
    

    Look for a line that says:
    🔑 Your administrator account is 'admin' with password 'xxxxxxxxxx'.
    Copy this password! You’ll need it in the next step.

Step 1.4: First-Time Login & Setup

  1. Find your Raspberry Pi’s local IP address. You can use the command ip a and look for the inet address under the eth0 (wired) or wlan0 (Wi-Fi) section. It will look something like 192.168.1.123.

  2. From another computer on the same network, open a web browser and go to:
    http://<YOUR_PI_IP_ADDRESS>:8080/login

  3. Log in with the username admin and the password you copied.

  4. Configure Storage: For now, the default RocksDB is perfectly fine. You can skip the Settings > Storage section.

Step 1.5: Configure Your Domain & Network

This is the most critical part of the setup.

  1. Navigate to Settings > Server > Network.
  2. Set the Server Hostname to what your public mail server will be. For example, mail.yourdomain.com.
  3. Click Save changes.
  4. Navigate to Management > Directory > Domains.
  5. Click Add Domain and enter your main domain name (e.g., yourdomain.com).
  6. Crucially, do NOT set up TLS or ACME (Let’s Encrypt) inside Stalwart. Your Pangolin VPS will handle all the SSL/TLS certificates for you.

Step 1.6: Add Your First Email Account

  1. Go to Management > Directory > Accounts.
  2. Click Add Account and create your first email address (e.g., myname@yourdomain.com). Set a strong password.

Step 1.7: Restart the Container

Apply all the changes by restarting the Stalwart container.

    docker restart stalwart

Your mail server is now running on your Pi! Next, we’ll make it accessible to the world.


Part 2: Building the Secure Tunnel with Pangolin

Now we switch to your VPS and Pangolin dashboard.

Step 2.1: Connect Your Raspberry Pi to Pangolin

  1. In your Pangolin web dashboard, go to Sites and click Add Site.
  2. Give it a name, like Raspberry Pi Home.
  3. Click Create Site. Pangolin will generate a newt command.
  4. On your Raspberry Pi, run the newt command that Pangolin gave you. This creates the secure tunnel from your Pi to the VPS.

Step 2.2: Expose the Stalwart Web Admin Panel

Let’s make the admin panel accessible through your domain.

  1. In Pangolin, go to Resources and click Add Resource.
  2. Fill out the form:
    • Name: Stalwart Admin
    • Site: Select Raspberry Pi Home.
    • Resource Type: HTTP Resource.
    • HTTP Settings > Sub-domain: stalwart (or whatever you prefer). This will be accessible at stalwart.yourdomain.com.
  3. Click Create Resource.
  4. On the next page, under Target Configuration:
    • Method: http
    • Host: Your Raspberry Pi’s local IP address (e.g., 192.168.1.123).
    • Port: 8080
  5. Click Add Target and then Save Targets.

You can now access your Stalwart admin panel at https://stalwart.yourdomain.com!

Step 2.3: Expose Your Mail Ports (IMAP & SMTP)

These ports allow your email clients (like on your phone or computer) to connect. We will use the secure versions of these protocols.

  1. Expose Secure IMAP (Port 993):

    • In Pangolin, go to Resources and click Add Resource.
    • Name: Stalwart IMAPS
    • Site: Raspberry Pi Home
    • Resource Type: TCP & UDP Resource
    • Forwarded Port on Server: 993 (for incoming connections)
    • Protocol: TCP
    • Click Create Resource.
    • Under Target Configuration:
      • Host: Your Raspberry Pi’s local IP address.
      • Port: 993
    • Click Add Target and Save Targets.
  2. Expose Secure SMTP (Port 465):

    • Go to Resources and click Add Resource again.
    • Name: Stalwart SMTPS
    • Site: Raspberry Pi Home
    • Resource Type: TCP & UDP Resource
    • Forwarded Port on Server: 465
    • Protocol: TCP
    • Click Create Resource.
    • Under Target Configuration:
      • Host: Your Raspberry Pi’s local IP address.
      • Port: 465
    • Click Add Target and Save Targets.

Part 3: Finalizing DNS and Testing

The final step is to tell the world’s email servers how to find you.

Step 3.1: Set Up Your DNS Records

  1. Go back to your Stalwart admin panel (Management > Directory > Domains and click on your domain). Stalwart shows you the exact DNS records you need.
  2. Log in to your domain registrar (where you bought yourdomain.com).
  3. Add the records provided by Stalwart. The most important one is the MX record. It should point to the hostname you set up earlier:
    • Type: MX
    • Name: @ or yourdomain.com
    • Value/Points to: mail.yourdomain.com
    • Priority: 10
  4. Add the TXT records for SPF, DKIM, and DMARC. These are vital for preventing your emails from being marked as spam. Just copy and paste them exactly as Stalwart shows them.
  5. Finally, ensure you have an A record that points mail.yourdomain.com to your VPS IP address.
    • Type: A
    • Name: mail
    • Value: YOUR_VPS_IP_ADDRESS

Step 3.2: Configure Your Email Client

Now for the moment of truth! Open your favorite email client (Thunderbird, Apple Mail, Outlook) and add a new account.

  • Incoming Server (IMAP):
    • Server: mail.yourdomain.com
    • Port: 993
    • Connection Security: SSL/TLS
  • Outgoing Server (SMTP):
    • Server: mail.yourdomain.com
    • Port: 465
    • Connection Security: SSL/TLS
  • Username: Your full email address (myname@yourdomain.com)
  • Password: The password you set for the account in Stalwart.

Your client should connect, and you can now send and receive emails from your very own private server!

2 Likes
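
A check for the Step 3.1 records, as an added example that is not part of the original post: it confirms that the MX points at the mail hostname, that the hostname resolves only to the VPS, that SPF passes the sending address, and that a DMARC record exists. The zone data is constructed, and the check assumes outgoing mail leaves from the VPS address (the relay arrangement discussed later in this thread); lookup, spf_authorizes and check_mail_dns are hypothetical helper names.

```python
import ipaddress

# Constructed zone data: 203.0.113.10 stands in for YOUR_VPS_IP_ADDRESS and the
# TXT values are illustrative, not the records Stalwart generates for you.
ZONE = {
    ("yourdomain.com", "MX"): ["10 mail.yourdomain.com."],
    ("mail.yourdomain.com", "A"): ["203.0.113.10"],
    ("yourdomain.com", "TXT"): ["v=spf1 mx -all"],
    ("_dmarc.yourdomain.com", "TXT"): ["v=DMARC1; p=quarantine"],
}

def lookup(zone, name, rtype):
    return zone.get((name.rstrip(".").lower(), rtype), [])

def spf_authorizes(zone, domain, sender_ip):
    """True if the SPF record passes sender_ip through an mx, a, ip4 or all term."""
    spf = [t.lower() for t in lookup(zone, domain, "TXT") if t.lower().startswith("v=spf1")]
    if len(spf) != 1:  # no record, or several (a permanent error in SPF)
        return False
    for term in spf[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech == "mx":
            hosts = [r.split()[1] for r in lookup(zone, domain, "MX")]
            matched = any(sender_ip in lookup(zone, h, "A") for h in hosts)
        elif mech == "a":
            matched = sender_ip in lookup(zone, domain, "A")
        elif mech.startswith("ip4:"):
            net = ipaddress.ip_network(mech[4:], strict=False)
            matched = ipaddress.ip_address(sender_ip) in net
        else:  # include:, exists: and the rest are not evaluated here
            matched = mech == "all"
        if matched:
            return qualifier == "+"  # the first matching term decides
    return False

def check_mail_dns(zone, domain, mail_host, vps_ip):
    """Return a list of problems with the records from Step 3.1."""
    problems = []
    mx_hosts = [r.split()[1].rstrip(".") for r in lookup(zone, domain, "MX")]
    if mail_host not in mx_hosts:
        problems.append(f"no MX for {domain} points at {mail_host}")
    if lookup(zone, mail_host, "A") != [vps_ip]:
        problems.append(f"{mail_host} must resolve only to the VPS address")
    if not spf_authorizes(zone, domain, vps_ip):
        problems.append("SPF does not authorize the VPS address")
    dmarc = lookup(zone, "_dmarc." + domain, "TXT")
    if not any(t.lower().startswith("v=dmarc1") for t in dmarc):
        problems.append("no DMARC record at _dmarc." + domain)
    return problems
```

To run it against a live zone, fill the dictionary from the answers your resolver returns for the same names and record types.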

Thanks, I’m trying to achieve something similar with Mailcow but unsuccessfully at the moment.

Edit: I think I’m getting closer to understanding what’s going on. Here’s the traffic dashboard showing an error:

1 Like

You have to define those ports in your compose file as well as in the Traefik file.

Thanks! It’s working now! I’m slowly getting better at understanding how it works.

1 Like

Please do post the guide here if you succeed. I won’t be able to test all the apps. I would be thankful to you. 🙏

I’ll sure do! Last (I think) hurdle is the certificates. Connection is working on port 993 but client complains that the connection couldn’t be verified.

1 Like

Progress was made, certificates are working. I had to extract them from Pangolin using a dumper and copy them to the Mailcow VM.

Next hurdle is delivering mail. Hotmail is closing connection on me.

I suspect I’ll have to open an egress port on the VPS.

1 Like

Yes you have to open all the respective mail ports on the VPS

Do I have to install a mail relay on the VPS, or will Mailcow in my home lab send through the VPS and not through my residential ISP?

2 Likes

This is exactly my question.

1 Like

I will explain in regard to Stalwart.

To answer you directly: Yes, you will need to set up a mail relay on the VPS.

By default, Stalwart will try to send emails directly from your home lab, through your residential ISP. The Pangolin tunnel setup we’ve discussed only handles incoming traffic to your services (like webmail or when your phone connects to IMAP). It does not automatically route outgoing server-to-server mail traffic.

The Solution: How to Use the VPS as a Mail Relay

The solution is to configure Stalwart to not send mail directly to the internet, but instead to hand off all outgoing mail to a relay service running on your VPS. The VPS has a trusted, static IP address and can send mail without issues.

Here’s how the traffic flows:

  1. Stalwart Prepares an Email: Your Stalwart instance in your home lab has an email to send.
  2. Send via Tunnel: Instead of connecting to the recipient’s server on the internet, you configure Stalwart to use your VPS as a “smarthost” or “relay.” It sends the email through the Pangolin/Newt tunnel to the relay service on your VPS.
  3. VPS Delivers the Email: The relay service on your VPS receives the email from your home lab and then sends it out to the final destination (e.g., a Gmail server).

This way, the rest of the world only ever sees your trusted VPS IP address sending the email, not your untrusted home IP.

What You Need to Do

  1. On the VPS: Install a simple, send-only SMTP relay. Postfix is the most common and well-documented tool for this. You would configure it to accept mail from your tunnel’s internal IP address and relay it to the internet.
  2. In Stalwart: Find the settings for an “SMTP Relay,” “Smarthost,” or “Relay Host” and point it to the internal IP address and port of the Postfix service on your VPS.
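
One way to check the VPS relay described above before putting it into service, as an added example that is not part of the original post: it audits a Postfix main.cf so that only loopback and the home lab's tunnel address are trusted to relay. The two config fragments are constructed, 10.8.0.2 is a placeholder for the tunnel's internal IP address, and parse_main_cf and audit_relay are hypothetical helper names.

```python
import ipaddress

# Constructed main.cf fragments. 10.8.0.2 is a placeholder for the home lab's
# tunnel-side address; substitute the address your own tunnel assigns.
TUNNEL_PEER = "10.8.0.2"
WEAK = """\
mynetworks = 127.0.0.0/8 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
"""
HARDENED = """\
mynetworks = 127.0.0.0/8, [::1]/128,
    10.8.0.2/32
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
"""

def parse_main_cf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
        elif "=" in raw:
            last, value = (part.strip() for part in raw.split("=", 1))
            params[last] = value
    return params

def audit_relay(text, tunnel_peer=TUNNEL_PEER):
    """Return findings that would let hosts other than the tunnel peer relay."""
    params, findings = parse_main_cf(text), []
    peer = ipaddress.ip_address(tunnel_peer)
    if "mynetworks" not in params:
        findings.append("mynetworks unset: trust falls back to mynetworks_style")
    for entry in params.get("mynetworks", "").replace(",", " ").split():
        try:
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            findings.append(f"mynetworks entry not checked (table or file?): {entry}")
            continue
        if not (net.is_loopback or (net.num_addresses == 1 and peer in net)):
            findings.append(f"mynetworks trusts more than the tunnel peer: {entry}")
    # Only an explicit override is checked; an unset value keeps Postfix's default.
    relay = params.get("smtpd_relay_restrictions", "").replace(",", " ").split()
    if "smtpd_relay_restrictions" in params and not {"reject_unauth_destination", "defer_unauth_destination"} & set(relay):
        findings.append("smtpd_relay_restrictions does not reject unauthorized destinations")
    return findings
```

On the VPS, the effective settings can be fed to it from the output of postconf -n, which prints the same name = value form.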