docs(mail): correct ActiveSync claims + honest client-compat copy

Stalwart never had ActiveSync built in — that now comes from the zpush gateway. SERVICES.md gains a zpush section with debug commands; website copy (da+en) states what actually works: IMAP everywhere, CalDAV/CardDAV, Exchange accounts in the phone's built-in apps, CalDAV Synchronizer for Outlook on Windows.
2026-06-12 11:12:23 +02:00
parent 7dd61e433f
commit 69e81757fd
4 changed files with 45 additions and 7 deletions
@@ -187,7 +187,7 @@ See `docs/AUTHENTIK-SETUP.md` for the exact steps.
 These choices were made deliberately after extensive license/architecture research:
- **Stalwart over Mailcow**: Modern Rust, ActiveSync built-in, JMAP support, single binary
+- **Stalwart over Mailcow**: Modern Rust, JMAP support, single binary. (ActiveSync is NOT built in — the Z-Push gateway in `services/zpush` provides EAS for mobile Exchange accounts.)
 - **OCIS over Nextcloud**: Apache 2.0 vs AGPL+trademark fees for whitelabel
 - **Zulip over Element/Mattermost/Rocket.Chat**: Only truly open-core-free chat option
 - **Authentik over Keycloak**: Better multi-tenancy, MIT license, simpler config
@@ -103,7 +103,7 @@ These choices are deliberate after extensive license/architecture research. See
 | Component | License | Why this one |
 |-----------|---------|--------------|
-| Stalwart Mail | Apache 2.0 | Modern Rust, ActiveSync built-in, JMAP support |
+| Stalwart Mail | Apache 2.0 | Modern Rust, JMAP support (EAS via Z-Push gateway) |
 | OCIS | Apache 2.0 | Cleaner license than Nextcloud (AGPL+trademark) |
 | Zulip | Apache 2.0 | Only truly open-core-free chat option |
 | Authentik | MIT | Better multi-tenancy than Keycloak |
@@ -36,7 +36,7 @@ export const COPY = {
      lede: 'Fem moduler. Ét login. Bygget til at virke sammen — ikke bare leve i samme browser.',
      soonLabel: 'kommer snart',
      cards: [
-        { name: 'Mail', tag: 'mail · kalender · kontakter', desc: 'Domæne-mail, kalender og kontakter med fuld kompatibilitet til Outlook og Apple Mail via IMAP, CalDAV og CardDAV.', soon: false },
+        { name: 'Mail', tag: 'mail · kalender · kontakter', desc: 'Domæne-mail, kalender og kontakter til Apple Mail, Outlook og mobilen — via IMAP, CalDAV, CardDAV og Exchange ActiveSync.', soon: false },
        { name: 'Drev', tag: 'filer · deling · versioner', desc: 'Filer i skyen med deling, versionering og indbygget redigering i Office-formater. Synk-klient til Mac, Windows og Linux.', soon: false },
        { name: 'Møder', tag: 'video · skærmdeling', desc: 'Videomøder i browseren. Ingen download. Skærmdeling, optagelse og baggrundsudviskning out-of-the-box.', soon: true },
        { name: 'Chat', tag: 'kanaler · tråde · søgning', desc: 'Team-chat med tråde, kanaler og fuld historiksøgning. Designet til at læses asynkront, ikke til at afbryde.', soon: true },
@@ -123,7 +123,7 @@ export const COPY = {
      heading: 'Det vi bliver spurgt om.',
      items: [
        ['Hvordan virker migration fra Microsoft 365?', 'Vi flytter mail, kalender, kontakter og OneDrive-filer i baggrunden, mens jeres team arbejder videre. Skifte-dagen er en DNS-opdatering. Typisk forløb er 2–4 uger for 50 brugere.'],
-        ['Kan jeg stadig bruge Outlook og Office?', 'Ja. Mail, kalender og kontakter virker via IMAP, CalDAV og CardDAV. Drev-filer åbnes med Office desktop via WebDAV. Vi anbefaler vores web- og mobil-apps som primært valg, men kravet er ikke at I skifter vaner.'],
+        ['Kan jeg stadig bruge Outlook og Office?', 'Ja. Mail virker i Outlook og alle IMAP-klienter. Kalender og kontakter synkroniserer via CalDAV/CardDAV — og som Exchange-konto i mobilens indbyggede apps. Outlook på Windows synkroniserer kalenderen via det gratis CalDAV Synchronizer-tilføjelsesprogram. Drev-filer åbnes med Office desktop via WebDAV. Vi anbefaler vores web- og mobil-apps som primært valg, men kravet er ikke at I skifter vaner.'],
        ['Hvor er data hosted?', 'Hos Hetzner i Tyskland. Tier III-certificerede datacentre, redundant strøm og netværk, ISO 27001-certificeret operatør. Ingen data forlader EU på noget tidspunkt — ikke for analytics, logs eller support.'],
        ['Hvad sker der hvis dezky lukker?', 'Hele stakken er open source. I kan eksportere alt og flytte til en anden dezky-partner. Vores forretningsmodel er drift, ikke gidseltagning.'],
        ['Hvad er jeres SLA?', '99,9 % uptime garanteret på alle planer. 99,95 % på Enterprise. Status-side med real-time data offentligt tilgængelig på status.dezky.eu.'],
@@ -546,7 +546,7 @@ export const COPY = {
      lede: 'Five modules. One login. Built to work together — not just live in the same browser.',
      soonLabel: 'coming soon',
      cards: [
-        { name: 'Mail', tag: 'mail · calendar · contacts', desc: 'Domain mail, calendar and contacts with full Outlook and Apple Mail compatibility via IMAP, CalDAV and CardDAV.', soon: false },
+        { name: 'Mail', tag: 'mail · calendar · contacts', desc: 'Domain mail, calendar and contacts for Apple Mail, Outlook and mobile — via IMAP, CalDAV, CardDAV and Exchange ActiveSync.', soon: false },
        { name: 'Drive', tag: 'files · sharing · versions', desc: 'Cloud files with sharing, versioning and built-in Office-format editing. Sync clients for Mac, Windows and Linux.', soon: false },
        { name: 'Meet', tag: 'video · screen share', desc: 'Video meetings in the browser. No download. Screen share, recording and background blur out of the box.', soon: true },
        { name: 'Chat', tag: 'channels · threads · search', desc: 'Team chat with threads, channels and full history search. Designed to be read async — not to interrupt.', soon: true },
@@ -633,7 +633,7 @@ export const COPY = {
      heading: 'What we get asked.',
      items: [
        ['How does migration from Microsoft 365 work?', 'We move mail, calendar, contacts and OneDrive files in the background while your team keeps working. Cutover day is a DNS update. Typical timeline is 2–4 weeks for 50 users.'],
-        ['Can I still use Outlook and Office?', 'Yes. Mail, calendar and contacts work via IMAP, CalDAV and CardDAV. Drive files open with Office desktop via WebDAV. We recommend our web and mobile apps, but we don\'t require you to change habits.'],
+        ['Can I still use Outlook and Office?', 'Yes. Mail works in Outlook and any IMAP client. Calendar and contacts sync via CalDAV/CardDAV — and as an Exchange account in the phone\'s built-in apps. Outlook on Windows syncs the calendar via the free CalDAV Synchronizer add-in. Drive files open with Office desktop via WebDAV. We recommend our web and mobile apps, but we don\'t require you to change habits.'],
        ['Where is data hosted?', 'With Hetzner in Germany. Tier III certified data centers, redundant power and network, ISO 27001 certified operator. No data leaves the EU at any time — not for analytics, logs or support.'],
        ['What happens if dezky shuts down?', 'The whole stack is open source. You can export everything and move to another dezky partner. Our business model is operations — not hostage-taking.'],
        ['What\'s your SLA?', '99.9% uptime guaranteed on all plans. 99.95% on Enterprise. Public real-time status page at status.dezky.eu.'],
@@ -119,7 +119,8 @@ See `docs/AUTHENTIK-SETUP.md` for OIDC configuration steps.
 **Image:** `stalwartlabs/mail-server:latest`
 **Container:** `dezky-stalwart`
 **URL:** https://mail.dezky.local
-**Purpose:** Mail server (SMTP/IMAP/JMAP/CalDAV/CardDAV/ActiveSync)
+**Purpose:** Mail server (SMTP/IMAP/JMAP/CalDAV/CardDAV — ActiveSync comes
 from the separate zpush gateway, see below)
 **Ports exposed:**
 - 25 (SMTP)
@@ -149,6 +150,43 @@ docker compose port stalwart 25
 ---
 ## Z-Push (EAS gateway)
 **Image:** built from `services/zpush` (Z-Push 2.6.4, AGPLv3 — see
 `services/zpush/LICENSE-NOTES.md`)
 **Container:** `dezky-zpush`
 **URL:** https://mail.dezky.local/Microsoft-Server-ActiveSync (+ EAS
 autodiscover on https://autodiscover.dezky.local)
 **Purpose:** Exchange ActiveSync gateway in front of Stalwart — "Exchange"
 accounts on iOS/Android native Mail/Calendar get two-way mail + calendar +
 contacts sync (IMAP + CalDAV + CardDAV fan-out via BackendCombined).
 **Protocol reality check:** EAS 14.1. Covers native mobile clients; NOT the
 Outlook mobile app (requires EAS 16.1) and not new Outlook for Windows (no
 EAS at all). Classic Outlook on Windows syncs calendars against `/dav` with
 the free Outlook CalDAV Synchronizer add-in instead.
 **Auth:** pure passthrough — the device's Basic credentials (mailbox
 password or app password) go straight to Stalwart. No secrets stored;
 `zpush_state` volume holds only resyncable device state.
 **Debug:**
 ```bash
 docker compose logs -f zpush
 # Unauthenticated probe (expect 401 with realm="ZPush")
 curl -k -i -X OPTIONS https://mail.dezky.local/Microsoft-Server-ActiveSync
 # Authenticated: advertised EAS versions in MS-ASProtocolVersions header
 curl -k -i -u user@tenant.tld:app-password -X OPTIONS \
  https://mail.dezky.local/Microsoft-Server-ActiveSync
 # Per-device sync state
 docker exec dezky-zpush php /usr/share/z-push/z-push-admin.php -a list
 ```
 ---
 ## OCIS
 **Image:** `owncloud/ocis:7.0`