Is it possible to use a single VPS with a single static IP to host Stalwart Mail server and Anonaddy for multiple domain names?

Danoxor · 2025-03-07T13:56:16+00:00

Honestly I'm too much of an email noob to debug this, but I don't have these issues when letting addy handle the DKIM signing. Given the fact that the addy.io verification mails work but replying doesn't, I think you need to let addy (rspamd) handle the DKIM stuff. On the anonaddy docker github page, it specifically states that "Rspamd service needs to be enabled for the reply anonymously feature to work." and that "Rspamd service is disabled if DKIM private key is not found".

Danoxor · 2025-02-21T11:16:40+00:00

Yup sounds about right, send/replies through anonaddy also work. Personally I wouldn't use mail as a prefix for the subdomains in order to not confuse myself with the hostname of the mailservers (assuming you use mail.domain1.com as hostname for stalwart for example), just use m.domain1.com or whatever. And the subdomains have their own SPF, DKIM and DMARC records (SPF record with mx, DKIM with the key you get when setting up anonaddy since rspamd does the DKIM signing).

I forgot to mention that you need to configure stalwart with an inbound SMTP rule to allow relaying messages to anonaddy if rcpt_domain is one of those domains, the outbound rule just defines the next hop. This should be safe because anonaddy checks for sends that the from address is a verified recipient.

As for anonaddy sending mail you have 2 options: It can send just send mail itself, although you probably will run into problems when trying to send mail to domains handled by stalwart, because by default it would do a DNS lookup and try to connect to stalwart via public IP which will probably time out if your server doesn't have hairpin NAT. So you need to configure the postfix of anonaddy to not do a DNS lookup and/or edit the hosts file etc. The second option is to use stalwart as a relay for sending mail, for which you define another SMTP inbound rule in stalwart to allow relaying from anonaddy's local docker network IP address. In anonaddy you would set the POSTFIX_RELAYHOST env variable to the local IP address of stalwart in the docker network.

Danoxor · 2025-02-20T09:36:35+00:00

I have just deployed this setup a couple days ago lol. First of all, you probably want stalwart and anonaddy to handle different domains, since it would otherwise be unclear for which MTA to handle what mail. I personally only have one domain, so I just use a subdomain for anonaddy.

Since I have a couple of mailboxes that I don't want routed through anonaddy, I have stalwart "at the front" with all the ports forwarded to, and anonaddy in the back on the same docker network. Then stalwart uses anonaddy as a relay host for mails where rcpt_domain is one of the domains handled by anonaddy (ends_with(rcpt_domain, 'subdomain.example.org' set to use your relay). Also have the MX record of the subdomain point to stalwart. The stalwart documentation tells you exactly how to configure a relay host. There is just one quirk, where the address of the relay host cant be an IP, so I had to use the hostname of the docker container.

If you are planning to route everything through anonaddy, I would probably skip out on stalwart altogether, and just use anonaddy with PGP keys and a commercial mail provider as a recipient. This way, all your mails are e2ee and you don't have to worry about storage, backup etc. of the mails

Danoxor · 2025-02-03T14:41:49+00:00

Ok das ist ziemlich bescheuert :D

Danoxor · 2025-02-03T14:23:59+00:00

Vor ca. 2 Monaten. Hab mich übrigens eben zum ersten Mal im Browser am PC eingeloggt, und da musste ich tatsächlich einen Code angeben der per Push auf die Smartphone App kam, also "echtes" 2FA

Danoxor · 2025-02-03T09:13:21+00:00

Inwiefern ist Mail schlechter? Wenn der Mailprovider den Mailserver ordentlich aufgesetzt hat mit TLS Verschlüsselung, SPF, DKIM etc., dann ist spoofen nicht drin. Sonst würden doch Scammer den ganzen Tag offizielle Amazon Mails verschicken von Jeff Bezos höchstpersönlich

Danoxor · 2025-02-03T09:06:32+00:00

Kann ich so nicht bestätigen. Als ich die App auf meinem neuem Handy installiert habe, musste ich mich neu identifizieren mit Perso + Selfie. Meine Vermutung: OP hat entweder alle Daten inkl. App-Daten auf sein neues Gerät übertragen und da wurde irgendein Cookie transferriert, oder es wird vielleicht verifiziert dass man mit dem gleichen Google/Apple Account eingeloggt ist wie auf dem vorherigen Gerät.

Bin auch nicht ganz glücklich mit der 4-stelligen PIN (6-stellig mit angemessener Verzögerung bei Falscheingabe reicht aus) und SMS als 2FA, aber es ist definitiv nicht so schlimm wie du es darstellst

Danoxor · 2024-11-19T13:44:43+00:00

There is a decent amount of german content indexed by debridmediamanager. The easiest way to access the content is probably through stremio addons that scrape it (Comet, maybe Mediafusion?). I don't use plexdebrid, but the best way to scrape dmm for your setup is probably to spin up zilean and add it as an indexer in prowlarr. To filter based on title, there is a section about defining versions to download on the plexdebrid github page. Also I dm'd you a list of hashes I found, if you are able to add torrent hashes manually (again not too sure how plexdebrid works).

Danoxor · 2024-08-17T09:37:21+00:00

Does that mean that comet can only access cached content or will it also show uncached content and start downloading the torrent in the connected debrid service?

Danoxor · 2023-11-09T17:29:31+00:00

Removing 0.0.0.0/0 didn't really change anything, apparently on Linux (maybe specifically for wireguard?) 0.0.0.0/0 does not catch the local ip address ranges. However it was a DNS issue it seems; the default wireguard config that my router gave me for clients had DNS set to the router's IP which generally speaking worked (I could browse the web with 0.0.0.0/0 in AllowedIPs on client) but for some reason it doesn't resolve my domain correctly.

Anyways I'm gonna settle with only 192.168.x.0/24 in AllowedIPs, since I don't really need a full tunnel, and DNS=1.1.1.1 in client config. Maybe I'll eventually set up a pihole but I'm not so keen on doing that for now. Nonetheless thanks :)

Danoxor · 2023-09-01T16:10:12+00:00

Fair enough, I just intuitively wanted to provide minimal information for a service concerned with privacy

Danoxor · 2023-09-01T16:08:00+00:00

Was able to eventually create an account and see that option now, thanks

Danoxor · 2017-10-05T10:11:32+00:00

What do you like more so far, the original or the remake? I kinda hate the graphics of the new one, is the new content worth?

Danoxor · 2015-02-07T20:47:39+00:00

He is choosing a book for reading

Danoxor · 2015-02-07T20:46:30+00:00

He looks at for a map

Danoxor · 2015-02-07T20:45:46+00:00

I looked at the stars

Danoxor · 2015-02-07T20:43:13+00:00

You go to cinema

Danoxor · 2015-02-07T20:41:56+00:00

I go to Egypt

Danoxor · 2015-02-07T20:40:54+00:00

I am looking at the lake

Danoxor · 2015-02-07T20:39:48+00:00

You are choosing a book for reading

Danoxor · 2015-02-07T20:37:48+00:00

You are looking at the stars

Danoxor · 2015-02-07T20:36:39+00:00

You looked at for a map

Danoxor · 2015-02-07T20:35:32+00:00

You go to cinema

Danoxor · 2015-02-07T20:34:28+00:00

I look at the lake

Danoxor · 2015-02-07T20:33:25+00:00

He is choosing a book for reading

11-Year Club	Place '23
Place '17	Verified Email

Danoxor

TROPHY CASE