Login possible as user but not admin v0.15.5 --> v0.16.4

Issue Description

I can log in to my new Stalwart instance v0.16.4 with an ordinary user but not with the admin. I set a temporary password and then tried the old password but neither works. The ordinary user is not authorized to make changes to the database so I cannot update the password that way. I did not set STALWART_RECOVERY_ADMIN.

I do have the fallback admin info.

Expected Behavior

Able to log in and administer Stalwart

Actual Behavior

    warning: failed to refresh schema (authentication failed (HTTP 401)); using cached copy
    error: authentication failed (HTTP 401)

Reproduction Steps

Start Stalwart with systemd, log in via http://mail.example.tld/admin/login

Relevant Log Output

No logs available

Stalwart Version

v0.16.x

Installation Method

Binary (Linux)

Database Backend

RocksDB

Blob Storage

S3-compatible

Search Engine

Internal

Directory Backend

Internal

I have reviewed the documentation and FAQ and confirm that my issue is NOT addressed there.


I have searched this support forum (open and closed topics) and confirm this is not a duplicate.


I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.


Since you’re locked out of the admin account and STALWART_RECOVERY_ADMIN was not set, here’s how to regain access:

Regaining Admin Access on a Binary (Linux) Install

The correct recovery path is to use Recovery Mode (STALWART_RECOVERY_MODE=1) combined with STALWART_RECOVERY_ADMIN. Here’s the step-by-step process:

  1. Edit your Stalwart environment file. On a binary Linux install, this is /etc/stalwart/stalwart.env. Uncomment (or add) the STALWART_RECOVERY_ADMIN line:

    STALWART_RECOVERY_ADMIN=admin:yourTemporaryPassword
    
  2. Restart Stalwart (without STALWART_RECOVERY_MODE=1, since your mail services are presumably running fine). According to the docs, STALWART_RECOVERY_ADMIN is honoured while the server is running normally, so you do not need to take mail services offline:

    sudo systemctl restart stalwart
    
  3. Log in at https://mail.example.tld/admin using the admin username and the temporary password you set.

  4. Reset/promote your real admin account through the WebUI once logged in.

  5. Remove STALWART_RECOVERY_ADMIN from /etc/stalwart/stalwart.env and restart the service again. Leaving this backdoor credential in place permanently is discouraged.

Warning: If you also need to log in over plain HTTP (e.g., because HTTPS is an issue), set STALWART_RECOVERY_MODE=1 as well — this re-enables the HTTP listener on port 8080. Remove it immediately after you’re done.

Relevant docs: Recovery Mode and Linux install guide.

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.

There is no /etc/stalwart/stalwart.env file.

The /etc/stalwart/stalwart.env file is created automatically by the official install script (install.sh). If it’s missing, your binary was likely installed manually rather than via the script — so the file simply was never created.

Here’s what to do instead:

Option 1: Create the env file manually

Create /etc/stalwart/stalwart.env yourself with the following content:

    STALWART_RECOVERY_ADMIN=admin:yourTemporaryPassword

Then check your systemd service unit (usually /etc/systemd/system/stalwart.service or /lib/systemd/system/stalwart.service) to see if it has an EnvironmentFile= directive pointing to that path. If it doesn’t, add one:

    EnvironmentFile=/etc/stalwart/stalwart.env

Then reload systemd and restart:

    sudo systemctl daemon-reload
    sudo systemctl restart stalwart

Option 2: Set the variable directly in the systemd unit

Alternatively, add the environment variable directly in the [Service] section of the systemd unit:

    Environment="STALWART_RECOVERY_ADMIN=admin:yourTemporaryPassword"

Run sudo systemctl daemon-reload && sudo systemctl restart stalwart, log in, fix your admin account, then remove the line and restart again.

Either way, once you’re back in the WebUI and have restored proper admin access, remove STALWART_RECOVERY_ADMIN from wherever you set it.

Docs reference: Linux install platform guide and Recovery Mode.


This is an upgrade from v0.15.4 to v0.16.4, which is why there is no /etc/stalwart/stalwart.env.

However, after reloading the systemctl daemon I receive this error:

    /etc/systemd/system/stalwart.service:6: Unknown key 'EnvironmentFile' in section [Unit], ignoring.

The EnvironmentFile= directive must be in the [Service] section, not the [Unit] section. Open your service file and make sure the line is placed correctly:

    [Unit]
    Description=Stalwart Mail Server
    # ... other Unit entries ...

    [Service]
    EnvironmentFile=/etc/stalwart/stalwart.env
    ExecStart=/usr/local/bin/stalwart
    # ... other Service entries ...

If editing the service file is awkward, the simpler approach is to skip the env file entirely and add the variable directly in [Service]:

    [Service]
    Environment="STALWART_RECOVERY_ADMIN=admin:yourTemporaryPassword"

Then:

    sudo systemctl daemon-reload
    sudo systemctl restart stalwart

Log in at https://mail.example.tld/admin with admin / yourTemporaryPassword, restore your real admin account in the WebUI, then remove that Environment= line and restart the service once more.


1 Like

That worked. Thanks Mr. bot.

Glad to hear you’re back in! A few things to make sure you’ve cleaned up:

  1. Remove the Environment="STALWART_RECOVERY_ADMIN=..." line from your systemd unit (or the env file if you created one).
  2. Run sudo systemctl daemon-reload && sudo systemctl restart stalwart to apply the removal.

Leaving that backdoor credential in place permanently is a security risk — it bypasses your normal directory authentication entirely.


1 Like
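
A post-recovery check covering both the cleanup steps and the [Unit]/[Service] mix-up from this thread, as an added example that is not part of any post here or of Stalwart's own tooling. The function names are hypothetical, the file paths are the ones mentioned in the thread, and leftover recovery variables are reported by name only so the password never reaches a log.

```shell
#!/bin/sh
# Added example (not Stalwart tooling): audit a systemd unit and optional
# env file after an admin recovery. File paths are supplied by the caller.

# List "Section:line:Key" for each Environment=/EnvironmentFile= directive.
env_directives() {
    awk '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[.*\]/ {                            # [Unit], [Service], ...
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next
        }
        /^[ \t]*Environment(File)?[ \t]*=/ {
            key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*$/, "", key)
            print sec ":" NR ":" key
        }' "$1"
}

# Directives outside [Service]; systemd ignores these with "Unknown key".
misplaced_directives() {
    env_directives "$1" | awk -F: '$1 != "Service"'
}

# Report "file:line:VARIABLE" for active (uncommented) recovery settings.
# Only the variable name is printed, never its value.
recovery_leftovers() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v f="$f" '
            /^[ \t]*[#;]/ { next }
            match($0, /STALWART_RECOVERY_(ADMIN|MODE)/) {
                print f ":" NR ":" substr($0, RSTART, RLENGTH)
            }' "$f"
    done
}

# Exit status 0 only when nothing is misplaced and no recovery setting remains.
# $1 = unit file, remaining arguments = env files to scan as well.
audit_recovery() {
    findings=$( { misplaced_directives "$1"; recovery_leftovers "$@"; } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: audit_recovery /etc/systemd/system/stalwart.service /etc/stalwart/stalwart.env
```

systemd exposes values set with Environment= to unprivileged users (for example through `systemctl show`), so an EnvironmentFile= readable only by root is the better place for the temporary password while it exists.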