Mailbox section now explains adding the mailbox as an Exchange
account on iPhone/Android (built-in apps, not the Outlook app) and
points Windows Outlook users at the CalDAV Synchronizer add-in.
Apple profile header comment updated — EAS now exists via the zpush
gateway, but the .mobileconfig stays the preferred Apple path.
'dezky mail (…)' in the customer's account list is the same white-label
leak as 'Stalwart Calendar' one layer up — partner tenants must see THEIR
domain, not the platform brand. Every user-visible label in the
.mobileconfig (account descriptions, payload names, organization) now
derives from the address's own domain.
Unsigned .mobileconfig installs trip macOS warnings ('unknown developer')
and an extra System Settings hunt. The route now wraps the profile in
PKCS#7 SignedData (node-forge, SHA-256, full chain embedded) using the
portal's own cert-manager LE certificate mounted read-only into the pod
(PROFILE_SIGN_CERT/KEY). Publicly-trusted chain → Apple shows Verified.
Dev (no env) and any signing failure fall back to unsigned — the
download must never break over the badge. Signature round-trip verified
with openssl smime.
DAV was internal-only (the node's :443 is Traefik's). New mail-dav
Ingress routes /.well-known/caldav, /.well-known/carddav and /dav on
mail.dezky.eu through to Stalwart — with the HTTPS-redirect middleware
(safe for DAV's GET/PROPFIND; kept OFF the autodiscover Ingress whose
POSTs don't survive redirects). The _caldavs/_carddavs SRV records are
now legitimate, so the Domains page surfaces them, and the Apple
.mobileconfig gains CalDAV + CardDAV payloads: one install sets up Mail,
Calendar and Contacts on Mac/iPhone. Stalwart's STALWART_PUBLIC_URL is
set to https://mail.dezky.eu on the host (discovery documents).
Apple Mail ignores RFC 6186 SRV autodiscovery and 'Microsoft Exchange'
needs EWS/EAS that Stalwart doesn't speak — so custom-domain users were
stuck typing IMAP/SMTP servers manually. New session-gated portal route
generates an Apple configuration profile (IMAP 993 + SMTP 465 on the
runtime mail host, username = address, NO password embedded — profiles
are plaintext, Apple prompts at install). 'Add to Apple Mail' buttons on
the three credential screens (invite result, mailbox created, password
reset). CalDAV/CardDAV payloads join when DAV is reachable from outside
(the node's :443 belongs to Traefik for now).
Ronni Baslund