TLS reports not handled by Stalwart and sent to inbox

Issues
3

Let me look into how Stalwart handles incoming TLS/DMARC report detection to better understand the routing logic.

This looks like a genuine bug or a current limitation in how Stalwart intercepts inbound reports. Based on the source code and your description, here’s what appears to be happening:

Root cause: Stalwart’s inbound report interception appears to match incoming TLS/DMARC report emails against its configured inbound_report_addresses. The DNS zone generator for your catchall domains (mycatchall1.com, mycatchall2.com) advertises postmaster@<thatdomain> as the report address (e.g. _smtp._tls.mycatchall1.com TXT "v=TLSRPTv1; rua=mailto:[email protected]"). When Google delivers the report to [email protected], Stalwart does not recognise that address as a report sink and delivers it to the mailbox normally instead.

Reports for [email protected] (your Stalwart base domain) are intercepted correctly because that address is what gets registered as the report handler.

Workarounds you can try right now:

  1. Override the report URI per domain — In Stalwart’s domain settings for each catchall domain, check if there is a “Report Address URI” field that lets you override the advertised mailto: to point to [email protected] instead of the per-domain postmaster. This would override what gets published in DNS without you having to manually edit zone files.

  2. Add [email protected] / [email protected] to the “Report Addresses” list — In Settings → MTA → Reports → General, the postmaster@* wildcard should match these, but confirm the wildcard is actually evaluated as a glob and not a literal. Try adding the explicit addresses as a test.

  3. Disable auto DNS sync and manually set the rua= targets to [email protected] in your DNS until Stalwart’s zone generator supports per-domain overrides.

This does appear to be a real limitation worth filing as a bug on the Stalwart GitHub issue tracker, since the auto-generated DNS records and the report interception logic are not fully in sync for multi-domain setups where the Stalwart base domain differs from the hosted domains.

The related forum topic you found about DKIM reports not being intercepted when the destination is a list suggests this is a known class of interception-matching issues.

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.