How to set a separate HTTP/JMAP base URL different from the SMTP hostname

Questions
1

Your question

I’m running Stalwart behind a reverse proxy (Caddy + Cloudflare) with smtp. for SMTP/IMAP (DNS-only, no Cloudflare proxy) and mail. for the admin panel and JMAP (proxied through Cloudflare).
The problem is that Stalwart is using smtp. (the default hostname) as the base URL for JMAP endpoints and OIDC redirects. When Bulwark(https://bulwarkmail.org) tries to complete OAuth login, it gets redirected to smtp. which can’t serve HTTPS since it bypasses Cloudflare, causing the flow to fail.
I need Stalwart to use https://mail. as the base URL for HTTP/JMAP/OIDC while keeping smtp. as the SMTP greeting hostname. I’ve looked through the admin panel but can’t find a separate field for this — only the default hostname under Network → General which affects SMTP greetings. The config is stored in PostgreSQL in an obfuscated format so editing it directly doesn’t seem feasible.
Is there a setting in the admin panel or config to set a separate public base URL for HTTP/JMAP/OIDC endpoints? And if not, is there perhaps a different recommended way to set up SSO with Bulwark in this kind of split-hostname setup?

I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.

on

2

This is exactly your scenario, and there is a dedicated solution: the STALWART_PUBLIC_URL environment variable.

By default, Stalwart builds its OAuth, OIDC, and JMAP discovery URLs from defaultHostname (i.e. smtp.<your domain>). Setting the STALWART_PUBLIC_URL environment variable overrides just those published URLs without changing the SMTP greeting hostname:

STALWART_PUBLIC_URL=https://mail.<your domain>

Set this in whatever process manager or container environment runs Stalwart (e.g. a systemd Environment= line, a Docker/Compose environment: entry, etc.). Once set:

  • JMAP, OAuth, and OIDC discovery documents will advertise https://mail.<your domain> as the base URL, so Bulwark’s OAuth redirect will point to your Cloudflare-proxied hostname.
  • defaultHostname (smtp.<your domain>) continues to appear in SMTP EHLO banners and outgoing message headers, unchanged.

Note that STALWART_PUBLIC_URL only affects published URLs; it does not change any internal listener bindings.

Full details are in the Environment Variables documentation.

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.