Your question
Dear Stalwart Labs Support Team,
We have been conducting evaluation of Stalwart Mail Server.
Our environment consists of:
• Stalwart Mail Server v0.15.5 on Rocky Linux
• 389 Directory Server (LDAP) for authentication
• Roundcube Webmail (Kolab calendar plugin)
• 18 user accounts
• Apple Mail, Thunderbird, Android (DAVx⁵), iPad clients
During our evaluation we encountered the following issues and would appreciate your technical insight and guidance.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ISSUE 1 — Mailing List / Group Email Delivery with LDAP
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Problem:
We have LDAP groups (objectClass: groupOfUniqueNames) with
member emails stored as uniqueMember attributes. When sending
email to the group address (e.g. [email protected])
the Stalwart API returns “notFound” and mail is not delivered
to group members.
What we tried:
• Set directory.ldap.attributes.groups = “uniqueMember”
• Set directory.ldap.filter.list = “(objectClass=groupOfUniqueNames)”
• Added multiple mail attributes on the LDAP group entry
• Created internal mailing list via Web Admin API
• Attempted composite directory (ldap + internal) — auth failed
Current behaviour:
Stalwart resolves the group email via LDAP SEARCH correctly
(ldapsearch returns the group with all members) but the
Stalwart principal API returns {“error”: “notFound”} for
the group email address.
Question:
Is LDAP group expansion (groupOfUniqueNames → multiple
delivery targets) supported in v0.15.5? If yes, what is
the correct configuration? If not, is this planned for
a future release?
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ISSUE 2 — Two-Factor Authentication (2FA) with LDAP
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Problem:
2FA cannot be configured via the Web Admin UI when using
an LDAP directory. The self-service portal and Web Admin
2FA management are only available for the internal directory.
Additional limitation:
Even if 2FA is manually enabled by adding OTP Auth URL
to LDAP account secrets, it is only usable with mail
clients that support OAUTHBEARER or XOAUTH2. Standard
IMAP clients (Apple Mail, Thunderbird) use basic
authentication and would require entering a new TOTP
code on every mail check — which is impractical.
Question:
Is there a supported method to enable 2FA for LDAP users
that works with standard IMAP clients? Are there plans
to support 2FA management via Web Admin for LDAP
directory in a future release?
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ISSUE 3 — ActiveSync (EAS) Not Supported
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Observation:
Stalwart does not support Microsoft ActiveSync (EAS)
protocol. This means:
• No push email to mobile devices (iOS/Android)
• No OTA calendar/contacts sync via native iOS Mail
• No remote device wipe via mail server
• No MDM policy enforcement
Workaround we implemented:
DAVx⁵ app on Android for CalDAV/CardDAV sync.
iOS native CalDAV/CardDAV accounts for calendar and
contacts sync.
Question:
Are there plans to support ActiveSync or a similar
push protocol
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ISSUE 4 — Calendar Sharing (Boss/PA Model)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Problem:
No calendar sharing option available
Question:
Is calendar sharing by stalwart?
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ISSUE 5 — Roundcube Calendar vs CalDAV Sync
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Observation:
The Kolab calendar plugin for Roundcube uses a database
driver (MySQL) and does not sync with Stalwart’s native
CalDAV store. Events created in Roundcube are stored in
MySQL and are not visible to CalDAV clients (Apple
Calendar, Android DAVx⁵, Thunderbird) and vice versa.
Question:
Is there a recommended CalDAV-capable calendar plugin
for Roundcube that works with Stalwart’s CalDAV store?
Or is there a plan to provide a native Stalwart webmail
with full CalDAV integration?
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ISSUE 6 — Role-Based Administration (RBAC)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Observation:
The Web Admin only supports all-or-nothing admin access.
There is no way to create a helpdesk role (password
reset only), read-only auditor role, or compliance
officer role with access to mail logs only.
Question:
Are there plans to support role-based administration
in a future release?
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ISSUE 7 — No Message Recall / Unsend
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Observation:
Stalwart does not support message recall or unsend
functionality. Once an email is sent — whether to an
internal or external recipient — it cannot be recalled
or retracted by the sender or administrator.
Enterprise mail platforms such as Microsoft Exchange
and Google Workspace support message recall for
internal recipients. This is a frequently requested
feature by end users.
Question:
Is message recall planned for a future release?
Is it possible to implement via Sieve scripting
or any other existing mechanism?
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ISSUE 8 — No Scheduled Send
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Observation:
Stalwart does not support scheduled email delivery
(compose now, send later). This feature is available
in Outlook, Gmail and most enterprise mail clients.
It is not available in Roundcube webmail or via IMAP
on Apple Mail, Thunderbird, or mobile clients when
connected to Stalwart.
Question:
Is scheduled send planned for a future release?
Could this be implemented via Sieve or JMAP?
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ISSUE 9 — Mail Journaling Limitations
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Observation:
We successfully implemented mail journaling using a
system-level Sieve script that BCC copies all messages
to a dedicated journal mailbox ([email protected]).
However this implementation has the following limitations:
-
Single mailbox destination — all mail (inbound and
outbound from all users) goes into one shared mailbox.
There is no per-user or per-domain journal segregation. -
Not tamper-proof — an administrator can disable the
Sieve script at any time. There is no audit trail
for changes to the journaling configuration itself. -
No metadata enrichment — the journal copy does not
include delivery metadata (sender IP, relay path,
authentication method) that would be required for
compliance purposes. -
Not a Legal Hold — the journal mailbox can be
accessed and deleted by any admin. There is no
immutable storage or hold mechanism.
Question:
Is there a plan to implement native mail journaling
with per-user segregation, tamper-proof storage, and
compliance metadata? Is Legal Hold on the roadmap?
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ISSUE 10 — AI-Powered Features Clarification
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Observation:
The Enterprise compare page lists AI-powered features
We would like to understand these better.
Questions:
- Are the AI features active in our current v0.15.5
Enterprise trial license? - Does the LLM spam classifier require additional
configuration or is it enabled by default? - Do AI-powered Sieve scripts require an external
API key (OpenAI/Anthropic) or is a pre-trained
model included with the Enterprise license? - What is the approximate resource impact (CPU/RAM)
of enabling LLM classification on an 18-user setup?
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ISSUE 11 — No Room & Resource Booking
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Observation:
Stalwart does not support room and resource booking.
Enterprise mail platforms such as Microsoft Exchange
and Google Workspace allow administrators to create
bookable resources (meeting rooms, projectors, vehicles,
equipment) that users can reserve directly when
scheduling calendar events.
Specifically what is missing:
• No resource mailbox / resource calendar type
• No auto-accept / auto-decline for resource conflicts
• No room availability lookup when scheduling meetings
• No resource capacity or policy enforcement
• No resource directory for users to browse
Question:
Is room and resource booking planned for a future
release?
We would greatly appreciate your technical guidance
on the above issues and your roadmap for the features
mentioned.
License Reference : softcell.in
Subscription Ref : 1656
Stalwart Version : 0.15.5
OS : Rocky Linux
Directory : 389 LDAP
Users : 18 mailboxes
Clients tested : Apple Mail, Thunderbird, Android,
iPad, Roundcube Webmail
Thank you for your time and continued support.
I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.
on