Context: I use Stalwart at home locally to self-host my personal mails. There are no other users. I have multiple domains, and use catch-all to have an e-mail for every single service ([email protected], etc.)
Previously all my domains were added as aliases with @domain1.com, @domain2.com. This allowed me two things:
Use it as a catch-all for incoming mails, and mails were directly sent to this mailbox, which means the mail headers To: and Delivered-To: were identical.
Catch-alls are now defined at domain level, not user level anymore. I can configure domain1.com to send all mails to [email protected] (for all domains the same recipient). This changes the mail headers: To: [email protected] & Delivered-To: [email protected]. Unsure if this is noteworthy, or has any practical impact.
I cannot send from any domain anymore. I get the following error message in Thunderbird:
Sending of the message failed.
An error occurred while sending mail. The mail server responded: You are not allowed to send from this address.. Please verify that your email address is correct in your account settings and try again.
Any way to restore the old behavior? I think #1 doesn't need to be restored, but I definitely want to send from any mail address from my own domains.
I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I'd prefer a human-only reply, I'll add the no-ai tag to my topic.
The "You are not allowed to send from this address" error is caused by the mustMatchSender setting in the MTA AUTH Stage. Here's the full picture:
Issue #2 (can't send from arbitrary addresses) is the key one to fix. The mustMatchSender field on the MtaStageAuth singleton defaults to true, meaning the authenticated user's email addresses must match the From: address being used. Since your secondary domain addresses (e.g. [email protected]) aren't registered as email aliases on your account, the check fails.
You have two ways to fix this:
Option A (recommended for your use case): Add all your domain addresses as email aliases on your account. In the WebUI, go to your user account and add @domain1.com, @domain2.com, etc. as alias addresses. This is the cleanest approach and keeps the security check intact.
Option B: Disable mustMatchSender. If you want to send from truly any address without registering aliases, you can set mustMatchSender to false. In the WebUI, go to Settings › MTA › Session › AUTH Stage and set the mustMatchSender expression to {"else": "false"}. You can also do it via the CLI:
Note: Option B allows your authenticated account to use any From: address, which is fine for a personal single-user setup but would be a security risk on a multi-user server.
Issue #1 (Delivered-To header) is cosmetic for your setup. The catch-all now operates at the domain level via catchAllAddress on each Domain object, routing unknown recipients to your main mailbox. This is by design and shouldn't cause practical problems.
This also feels a little bit insecure to me. If I set mustMatchSender to false, it sounds like any authenticated user can send from any mail address (not just a selected account).
The behavior changed in 0.16: aliases are now specific addresses rather than whole-domain wildcards, so adding @domain as an alias no longer lets you send as any address in it. With mustMatchSender on (the default), the sender has to be the account's own address or one of its aliases.
If you only send from a handful of addresses, the clean fix is to add each as an alias on the account and leave mustMatchSender on. If you genuinely need open-ended "send as anything on my domain," you can set mustMatchSender to false, but as wrenix notes that lets any authenticated user send from any address. Alternatively you could create a custom expression that uses lookup stores to verify who is allowed to send from that domain.
What's the problem with adding whole-domain wildcards as an alias for incoming and outgoing? It worked so awesome in 0.15, and was my favorite feature in Stalwart… and now I cannot use it anymore.
It's not just a couple of "aliases" for me. I use one mail per service, f.ex. [email protected]. I got hundreds of these, and when I need to write a mail (support ticket), I also send from one of these. Adding an alias each time is not really a solution for me. I had to do this in Exchange, and it was annoying.
This is a 0.16 change: aliases are now specific addresses rather than whole-domain wildcards, so adding @domain as an alias no longer grants send-as-anything. The send rejection you see is mustMatchSender (on by default): an authenticated account may only use its own address or an alias, otherwise 501 5.5.4. Setting mustMatchSender to false restores open sending, but then any authenticated user can send as any address, which is the security concern others raised.
Incoming catch-all still works, but it's now domain-level via catchAllAddress, which is why Delivered-To changes to the catch-all mailbox. For sending from many per-service addresses on your own domain there's no single-account feature in 0.16 today; the options are mustMatchSender=false, per-address aliases, or a custom mustMatchSender expression backed by a lookup store.
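To make the three options in the thread concrete, here is an added illustration (not Stalwart's code; the `Account` fields, the `sender_allowed` function and the per-account domain allowlist standing in for a lookup store are assumptions) of the sender check: exact aliases as in 0.16, the 0.15-style whole-domain alias, a lookup-store allowlist, and mustMatchSender switched off.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    """Authenticated account (constructed model, not Stalwart's schema)."""
    name: str
    addresses: set                              # primary address plus exact aliases (0.16 semantics)
    domain_aliases: set = field(default_factory=set)  # "@domain" wildcards, as 0.15 allowed

def sender_allowed(account, mail_from, must_match_sender=True, allowed_domains=None):
    """Decide whether `account` may use `mail_from` as the From: address.

    allowed_domains models a lookup store: {account name -> set of domains}
    the account may send as, i.e. the "custom expression" alternative.
    Returns (allowed, smtp_reply)."""
    mail_from = mail_from.strip().lower()
    if not must_match_sender:
        # Option B: any authenticated user may send as anything.
        return True, "250 OK"
    if mail_from in account.addresses:
        # Own address or a per-address alias.
        return True, "250 OK"
    domain = mail_from.rsplit("@", 1)[-1]
    if "@" + domain in account.domain_aliases:
        # Whole-domain alias (0.15 behaviour, no longer available in 0.16).
        return True, "250 OK"
    if allowed_domains and domain in allowed_domains.get(account.name, set()):
        # Lookup-store backed allowlist keyed by account, not open to everyone.
        return True, "250 OK"
    return False, "501 5.5.4 You are not allowed to send from this address."

# Constructed sample data mirroring the thread's setup.
ME_016 = Account("me", {"me@domain1.com", "support@domain2.com"})
ME_015 = Account("me", {"me@domain1.com"}, {"@domain1.com", "@domain2.com"})
OTHER = Account("other", {"other@domain1.com"})
STORE = {"me": {"domain1.com", "domain2.com"}}   # stands in for a lookup store

if __name__ == "__main__":
    for acct, addr, kw in [(ME_016, "shop@domain1.com", {}),
                           (ME_015, "shop@domain1.com", {}),
                           (ME_016, "shop@domain1.com", {"allowed_domains": STORE}),
                           (OTHER, "shop@domain1.com", {"allowed_domains": STORE}),
                           (OTHER, "shop@domain1.com", {"must_match_sender": False})]:
        print(acct.name, addr, sender_allowed(acct, addr, **kw))
```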