Here is a practical breakdown of backup options for a clustered Stalwart setup, covering all three of your failure scenarios.
Configuration backup (covers scenario a and b)
The primary tool for this is stalwart-cli snapshot. It walks the live server and exports all configuration objects (accounts, domains, DKIM signatures, TLS certs, system settings, blob/data/search store config, etc.) as an NDJSON plan that can be re-applied to a fresh server with stalwart-cli apply. A typical invocation:
stalwart-cli snapshot \
Tenant Domain Directory DkimSignature AcmeProvider Certificate DnsServer Role \
Account \
SystemSettings DataRetention BlobStore InMemoryStore SearchStore \
--allow-unresolved PublicKey \
--output "backup-$(date +%Y-%m-%d).ndjson"
The docs explicitly list these use cases for snapshot plans:
- Cross-environment migration (snapshot one server, apply to another – covers moving VM providers)
- Disaster-recovery rehearsals (snapshot regularly, apply to a clean server to prove restorability – covers ransomware/corruption)
- Configuration backup (commit to a private repo; secrets are automatically stripped, so you handle those separately via a secrets manager)
Reference: Exporting server state (snapshot)
Mail data backup (the actual emails, attachments, etc.)
This is the part that depends heavily on your storage backend choice. Stalwart separates storage into:
- Data store (email metadata, mailbox structure, flags, calendars) – recommended backend for clusters: FoundationDB or PostgreSQL
- Blob store (raw email content, attachments, Sieve scripts) – recommended for clusters: S3-compatible storage (MinIO, GarageHQ, AWS S3, Azure Blob)
Because these are standard, well-understood systems, their own backup/replication tooling applies:
- FoundationDB has built-in backup and DR tools
- PostgreSQL has
pg_dump, streaming replication, point-in-time recovery (PITR)
- S3/MinIO/GarageHQ support versioning and cross-site replication natively
For scenario b (ransomware/corruption), S3 object versioning or point-in-time restore on PostgreSQL/FoundationDB are the right mitigations at the data layer. The snapshot covers the config layer.
Reference: Storage backends for clustered deployments
Per-user mailbox recovery (scenario c)
Stalwart Enterprise has a built-in deleted item archive: emails deleted (even after expunge from Trash/Junk) are retained for a configurable period (archiveDeletedItemsFor on the DataRetention object, e.g. "30d"). Recovery is available through the WebUI (account view) or via the JMAP API/CLI (x:ArchivedItem/set). This is account-scoped, so admins can recover mail for any user.
For deeper per-user restores (e.g., restoring from a point-in-time backup of the data store), you would restore the underlying data store (PostgreSQL/FoundationDB) to that snapshot and use IMAP (imapAppend permission) to re-inject messages, as there is no Stalwart-native per-user mailbox import tool documented.
Reference: Storage overview – Un-deleting emails
Summary: Use stalwart-cli snapshot for config-layer backup/migration, use your data/blob store’s native backup tools for mail data, and use the Enterprise archived-items feature for per-user PEBCAK recovery. The snapshot + S3 versioning combination covers all three of your stated failure scenarios cleanly.
This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.