Wraps Stalwart in EAS so iOS/Android native Mail/Calendar 'Exchange'
accounts get two-way mail+calendar+contacts sync (BackendCombined:
IMAP + CalDAV /dav/cal/%l/ + CardDAV, credentials pass through).
- services/zpush: Z-Push 2.6.4 (AGPLv3, see LICENSE-NOTES.md) on
php:8.2-apache-bookworm (trixie dropped libc-client); PHP 8 sysv
sprintf fatal sed-patched; autodiscover dispatcher answers
mobilesync schema, proxies outlook schema to Stalwart unchanged
- prod: zpush Deployment (replicas:1, Recreate — file sync state),
/Microsoft-Server-ActiveSync Ingress on mail.dezky.eu (no redirect,
POST-heavy), autodiscover.dezky.eu repointed to the dispatcher,
selectorless stalwart-imaps/-smtps Services (host-Stalwart is
implicit-TLS only: 993/465, no plain 143/587 — verified on node1)
- CI: build+deploy zpush like the other apps
EAS tops out at 14.1: covers native mobile clients, NOT the Outlook
mobile app (needs 16.1) and not new Outlook for Windows (no EAS).
DAV was internal-only (the node's :443 is Traefik's). New mail-dav
Ingress routes /.well-known/caldav, /.well-known/carddav and /dav on
mail.dezky.eu through to Stalwart — with the HTTPS-redirect middleware
(safe for DAV's GET/PROPFIND; kept OFF the autodiscover Ingress whose
POSTs don't survive redirects). The _caldavs/_carddavs SRV records are
now legitimate, so the Domains page surfaces them, and the Apple
.mobileconfig gains CalDAV + CardDAV payloads: one install sets up Mail,
Calendar and Contacts on Mac/iPhone. Stalwart's STALWART_PUBLIC_URL is
set to https://mail.dezky.eu on the host (discovery documents).
The deploy failed creating the selectorless stalwart-http Service's
Endpoints: since the CVE-2021-25740 hardening the namespaced 'admin' role
no longer grants write on legacy Endpoints. Explicit endpoints +
endpointslices rules on the ci-deployer role (already applied live);
manifest comment touch retriggers the infra apply.
Outlook autodiscovers via POST https://autodiscover.<domain>/autodiscover/
autodiscover.xml and Thunderbird via autoconfig.<domain>/mail/
config-v1.1.xml — Stalwart serves both (verified, answers carry
mail.dezky.eu:993/465) but its HTTP listener wasn't reachable from
outside (the node's :443 is Traefik's). New exact-path-only Ingress
routes JUST those discovery endpoints to host-Stalwart via a selectorless
Service + Endpoints on the cni0 gateway; the admin/management surface
stays internal, and there's no HTTPS-redirect middleware because
Thunderbird probes plain HTTP and Outlook POSTs.
Domains page now also lists the autoconfig/autodiscover CNAMEs under the
autodiscovery slot (CNAME verified against the mail host; a bare A record
warns instead of failing). Customer-domain autodiscovery (per-domain
certs + automated Ingress) is a follow-up.
Ronni Baslund