title description
stalwart-mail Helm Chart for Stalwart Mail Server - Secure & Modern All-in-One Mail Server (IMAP, JMAP, SMTP)


Version: 0.0.24 Type: application AppVersion: 0.11.4

Helm Chart for Stalwart Mail Server - Secure & Modern All-in-One Mail Server (IMAP, JMAP, SMTP)


Name Email Url
WrenIX https://wrenix.eu

= Alpha


We stop working on this Helm-Chart. There are still many breaking change like:

We hope that stalward mail-server becomes more stable.



Helm must be installed and setup to your kubernetes cluster to use the charts. Refer to Helm's documentation to get started. Once Helm has been set up correctly, fetch the charts as follows:

helm pull oci://codeberg.org/wrenix/helm-charts/stalwart-mail

You can install a chart release using the following command:

helm install stalwart-mail-release oci://codeberg.org/wrenix/helm-charts/stalwart-mail --values values.yaml

To uninstall a chart release use helm's delete command:

helm uninstall stalwart-mail-release



Key Type Default Description
config.auth.dkim.sign list [{"if":"listener != 'smtp'","then":"['rsa', 'ed25519']"},{"else":false}] auth rule for signing with dkim
config.auth.dkim.verify string "relaxed" verify of dkim signature (relaxed, strict, disable)


Key Type Default Description
config.authentication.fallback-admin.secret string "%{env:FALLBACK_ADMIN_SECRET}%" password for fallback authentfication (use env for store in secrets of kubernetes)
config.authentication.fallback-admin.user string "admin" username for fallback authentfication
secrets.env.FALLBACK_ADMIN_SECRET string "supersecret" password for fallback authentfication (env)

Other Values

Key Type Default Description
affinity object {}
autoscaling.enabled bool false
autoscaling.maxReplicas int 100
autoscaling.minReplicas int 1
autoscaling.targetCPUUtilizationPercentage int 80
certificate.certmanager.dnsNames[0] string "chart-example.local"
certificate.certmanager.enabled bool true
certificate.certmanager.issuerRef.group string "cert-manager.io"
certificate.certmanager.issuerRef.kind string "ClusterIssuer"
certificate.certmanager.issuerRef.name string "letsencrypt-prod"
certificate.secretName string nil not needed if certmanager is used
config.directory.internal.store string "rocksdb"
config.directory.internal.type string "internal"
config.metrics.prometheus.auth.secret string "%{env:METRICS_SECRET}%"
config.metrics.prometheus.auth.username string "%{env:METRICS_USERNAME}%"
config.metrics.prometheus.enable bool true
config.server.allowed-ip."" string ""
config.server.listener.http.bind[0] string "[::]:80"
config.server.listener.http.protocol string "http"
config.server.listener.https.bind[0] string "[::]:443"
config.server.listener.https.protocol string "http"
config.server.listener.https.tls.implicit bool true
config.server.listener.imap.bind[0] string "[::]:143"
config.server.listener.imap.protocol string "imap"
config.server.listener.imaptls.bind[0] string "[::]:993"
config.server.listener.imaptls.protocol string "imap"
config.server.listener.imaptls.tls.implicit bool true
config.server.listener.pop3.bind[0] string "[::]:110"
config.server.listener.pop3.protocol string "pop3"
config.server.listener.pop3s.bind[0] string "[::]:995"
config.server.listener.pop3s.protocol string "pop3"
config.server.listener.pop3s.tls.implicit bool true
config.server.listener.sieve.bind[0] string "[::]:4190"
config.server.listener.sieve.protocol string "managesieve"
config.server.listener.smtp.bind[0] string "[::]:25"
config.server.listener.smtp.protocol string "smtp"
config.server.listener.submission.bind[0] string "[::]:587"
config.server.listener.submission.protocol string "smtp"
config.server.listener.submissions.bind[0] string "[::]:465"
config.server.listener.submissions.protocol string "smtp"
config.server.listener.submissions.tls.implicit bool true
config.storage.blob string "rocksdb"
config.storage.data string "rocksdb"
config.storage.directory string "internal"
config.storage.fts string "rocksdb"
config.storage.lookup string "rocksdb"
config.store.rocksdb.compression string "lz4"
config.store.rocksdb.path string "/data"
config.store.rocksdb.type string "rocksdb"
config.tracer.otel.enable bool false
config.tracer.otel.endpoint string ""
config.tracer.otel.headers list [] headers for usage with http (e.g. 'Authorization: <place_auth_here>')
config.tracer.otel.level string "info"
config.tracer.otel.transport string "grpc" grpc or http
config.tracer.otel.type string "open-telemetry"
config.tracer.stdout.ansi bool false
config.tracer.stdout.enable bool true
config.tracer.stdout.level string "info"
config.tracer.stdout.type string "stdout"
env list []
fullnameOverride string ""
global.image.pullPolicy string nil if set it will overwrite all pullPolicy
global.image.registry string nil if set it will overwrite all registry entries
image.pullPolicy string "IfNotPresent"
image.registry string "docker.io"
image.repository string "stalwartlabs/mail-server"
image.tag string "" Overrides the image tag whose default is the chart appVersion.
imagePullSecrets list []
ingress.annotations object {}
ingress.className string ""
ingress.enabled bool false
ingress.hosts[0].host string "chart-example.local"
ingress.hosts[0].paths[0].path string "/"
ingress.hosts[0].paths[0].pathType string "ImplementationSpecific"
ingress.tls list []
livenessProbe.httpGet.path string "/healthz/live"
livenessProbe.httpGet.port string "http"
nameOverride string ""
nodeSelector object {}
persistence.accessMode string "ReadWriteOnce" accessMode
persistence.annotations object {}
persistence.enabled bool true Enable persistence using Persistent Volume Claims ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
persistence.existingClaim string nil A manually managed Persistent Volume and Claim Requires persistence.enabled: true If defined, PVC must be created manually before volume will be bound
persistence.hostPath string nil Do not create an PVC, direct use hostPath in Pod
persistence.size string "10Gi" size
persistence.storageClass string nil Persistent Volume Storage Class If defined, storageClassName: If set to "-", storageClassName: "", which disables dynamic provisioning If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. (gp2 on AWS, standard on GKE, AWS & OpenStack)
podAnnotations object {}
podLabels object {}
podSecurityContext object {}
prometheus.servicemonitor.enabled bool false
prometheus.servicemonitor.labels object {}
readinessProbe.httpGet.path string "/healthz/ready"
readinessProbe.httpGet.port string "http"
replicaCount int 1
resources object {}
secrets.env.METRICS_SECRET string "scrape_metrics_password"
secrets.env.METRICS_USERNAME string "scrape_metrics_user"
securityContext object {}
service.annotations object {}
service.ipFamilies[0] string "IPv4"
service.ipFamilyPolicy string "SingleStack" other option is RequireDualStack
service.ports.http int 80
service.ports.https int 443
service.ports.imap int 143
service.ports.imaptls int 993
service.ports.pop3 int 110
service.ports.pop3s int 995
service.ports.sieve int 4190
service.ports.smtp int 25
service.ports.submission int 587
service.ports.submissions int 465
service.type string "ClusterIP"
serviceAccount.annotations object {}
serviceAccount.automount bool true
serviceAccount.create bool false
serviceAccount.name string ""
tolerations list []
traefik.enabled bool false
traefik.ports.https.entrypoint string "websecure"
traefik.ports.https.match string nil
traefik.ports.https.passthroughTLS bool true
traefik.ports.https.proxyProtocol bool true
traefik.ports.imaptls.entrypoint string "imaps"
traefik.ports.imaptls.match string nil
traefik.ports.imaptls.passthroughTLS bool true
traefik.ports.imaptls.proxyProtocol bool true
traefik.ports.pop3s.entrypoint string "pop3s"
traefik.ports.pop3s.match string nil
traefik.ports.pop3s.passthroughTLS bool true
traefik.ports.pop3s.proxyProtocol bool true
traefik.ports.sieve.entrypoint string "sieve"
traefik.ports.sieve.match string nil
traefik.ports.sieve.passthroughTLS bool true
traefik.ports.sieve.proxyProtocol bool true
traefik.ports.smtp.entrypoint string "smtp"
traefik.ports.smtp.match string nil
traefik.ports.smtp.proxyProtocol bool true
traefik.ports.submissions.entrypoint string "smtps"
traefik.ports.submissions.match string nil
traefik.ports.submissions.passthroughTLS bool true
traefik.ports.submissions.proxyProtocol bool true
volumeMounts list []
volumes list []

