Self-hosted mail server with Stalwart and Jabali Panel
Stalwart 0.16.0 SMTP + IMAP + JMAP in one binary, with per-domain DKIM, MTA-STS, Roundcube webmail, and auto-configured Apple / Thunderbird / Outlook clients.
Self-hosting mail in 2026 is a different game than it was a decade ago. Modern receivers (Gmail, Microsoft, Yahoo, Proton) demand TLS-everywhere, DKIM-signed mail, valid SPF, monitored DMARC, and MTA-STS policies. They reject or filter senders that don’t comply. Jabali Panel’s answer is Stalwart Mail 0.16.0 — a single-binary SMTP + IMAP + JMAP server — wrapped in panel-managed DNS provisioning, automated DKIM lifecycle, and a deliverability dashboard that surfaces everything in one place.
Why Stalwart
Stalwart is one process. SMTP submission, MTA, IMAP, JMAP, mailbox storage — all in the same binary. That replaces the traditional Postfix + Dovecot + (rmilter|opendkim|opendmarc) constellation, which is operationally a pain: every service has its own config syntax, its own log format, its own update cadence, and its own way to break the others.
A single process means a single config surface, a single set of logs, and a single thing to monitor. It also means JMAP is available — a modern JSON-over-HTTPS protocol for mail clients that the IMAP-and-SMTP world has been promising for years.
Stalwart 0.16.0 is AGPL-3.0, the same licence as the panel itself.
Ports
| Port | Protocol | TLS |
|---|---|---|
| 25 | SMTP (MX) | STARTTLS |
| 465 | SMTP submission | implicit TLS |
| 587 | SMTP submission | STARTTLS |
| 993 | IMAP | implicit TLS |
| 443 | JMAP | over HTTPS |
Roundcube webmail rides on :443 at https://<primary-mail-domain>/mail/. The panel offers one-click SSO into Roundcube via the same self-deleting jabali-sso-*.php shim that powers wp-admin SSO — a 43-character nonce, 60-second TTL, flock+unlink.
POP3 (:110 / :995) is opt-in. Most operators leave it off.
DKIM, SPF, DMARC, MTA-STS
Provisioning a domain in the panel triggers, in order:
- Create the PowerDNS zone with the apex A record, www CNAME, and (when mail is enabled) the MX, mail A, SPF, DMARC, and MTA-STS records
- Generate a DKIM keypair, store the private key in the panel database, publish the public key as a TXT record in the zone
- Write the MTA-STS policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt and the _mta-sts.<domain> TXT record
- Register the domain in Stalwart’s config so it accepts mail for it
The Mail Deliverability admin page (/jabali-admin/mail/deliverability) shows, for every hosted domain at a glance:
- DKIM record present + key matches stored private key
- SPF record present + only contains the expected mechanisms
- DMARC policy + reporting addresses
- MTA-STS mode (none/testing/enforce) + policy file reachable
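The SPF and MTA-STS rows above can be reproduced offline. The following is an added example, not Jabali's or Stalwart's code: it parses an RFC 8461 policy file, confirms every MX host is covered by the policy before `enforce` is relied on, and flags SPF terms outside an expected set. The function names, the sample records and the expected SPF set are assumptions made for illustration.

```python
# Added example; records below are constructed samples, not Jabali/Stalwart output.
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 86400\n"
SAMPLE_SPF = "v=spf1 mx include:bulk.example.net -all"

def parse_sts_policy(text):
    """Parse an RFC 8461 policy file; 'mx' collects every mx line."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_allowed(host, patterns):
    """RFC 8461 matching: '*.example.com' covers exactly one leftmost label."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*.") and "." in host and host.split(".", 1)[1] == pat[2:]:
            return True
        if host == pat:
            return True
    return False

def check_sts(policy_text, mx_hosts):
    """Return a list of problems; an empty list means policy and MX agree."""
    p = parse_sts_policy(policy_text)
    problems = []
    if p.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if p.get("mode") not in ("none", "testing", "enforce"):
        problems.append("mode must be none, testing or enforce")
    if not p.get("max_age", "").isdigit():
        problems.append("max_age missing or not numeric")
    if p.get("mode") != "none":
        problems += [f"MX {h} not covered by policy" for h in mx_hosts
                     if not mx_allowed(h, p["mx"])]
    return problems

def unexpected_spf_terms(record, expected):
    """Return SPF terms after v=spf1 that are not in the expected set."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["missing v=spf1"]
    return [t for t in terms[1:] if t not in expected]
```

An MX host that the policy does not list is the case worth catching before switching a domain to `enforce`, because compliant senders will then refuse to deliver to that host.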
Rotating DKIM
The Rotate DKIM button generates a fresh key, publishes the new DNS record, and retains the old key for a configurable grace period (default 7 days) so in-flight signed mail still validates against the old selector. After the grace period, the old key is dropped from the zone.
TLS-RPT, MTA-STS-RPT, DMARC aggregate
Stalwart ingests the inbound report streams and surfaces them per-domain in the deliverability dashboard. Aggregate DMARC reports get parsed into a “compliant / non-compliant / unknown” breakdown by sending IP, which is the only sane way to debug a mail-flow regression.
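The per-IP breakdown described above can be sketched as follows. This is an added example, not Stalwart's parser: it reads one DMARC aggregate report in the RFC 7489 layout and sums message counts per sending IP. The bucket rules in `classify`, the function names and the namespace-free sample report are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate layout (documentation IPs only).
SAMPLE_REPORT = """<feedback>
 <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.10</source_ip><count>2</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>1</count></row></record>
</feedback>"""

def classify(dkim, spf):
    """DMARC passes when either aligned check passes (assumed bucket rules)."""
    if "pass" in (dkim, spf):
        return "compliant"
    if dkim == "fail" and spf == "fail":
        return "non-compliant"
    return "unknown"  # missing or unrecognised results

def breakdown(xml_text):
    """Return {source_ip: {bucket: message_count}} for one aggregate report."""
    # Reports come from untrusted senders: refuse DTDs so entity expansion never runs.
    upper = xml_text.upper()
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        raise ValueError("DTD or entity declaration in report")
    totals = defaultdict(lambda: {"compliant": 0, "non-compliant": 0, "unknown": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        ip = (row.findtext("source_ip") or "").strip()
        count = (row.findtext("count") or "").strip()
        if not ip or not count.isdigit():
            continue  # skip malformed rows rather than guessing
        dkim = (row.findtext("policy_evaluated/dkim") or "").strip().lower()
        spf = (row.findtext("policy_evaluated/spf") or "").strip().lower()
        totals[ip][classify(dkim, spf)] += int(count)
    return dict(totals)
```

A sending IP that shows up only in the non-compliant bucket is either an unauthorised sender or a legitimate relay missing from SPF and DKIM signing.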
Client auto-configuration
Provisioning mail accounts is easier than provisioning clients. Jabali serves the three standard discovery formats:
| Client | URL pattern |
|---|---|
| Apple Mail / iOS | https://<panel-hostname>/.well-known/mobileconfig?email=<address> (signed) |
| Thunderbird | https://autoconfig.<domain>/mail/config-v1.1.xml |
| Outlook | https://autodiscover.<domain>/autodiscover/autodiscover.xml |
The Apple .mobileconfig profile is signed with the panel-hostname Let’s Encrypt cert so iOS doesn’t warn. The other two are XML responses generated from the panel’s database; clients fetch them automatically when the user types only an email address into the setup wizard.
Per-user mail features
For each hosted user, the Mail section provides:
- Mailboxes — create, edit, delete, set quotas, force first-login password reset
- Forwarders — per-mailbox forwarding to one or more external addresses, optionally retaining a local copy
- Catch-all — domain-level routing to a chosen mailbox, :drop (silently discard), or :reject (553 to the sender)
- Autoresponders — vacation messages with a start/end date window
- Outbound disclaimers — per-domain text or HTML appended to outbound mail
- Shared folders — IMAP shared folders with per-user ACLs for team mailboxes (sales@, support@, etc.)
All of these are managed declaratively via the panel UI; Stalwart’s JMAP API is the actual surface the agent writes to, and the reconciler converges configured state into Stalwart on every change.
Try it
Spin up a Debian 13 VPS, run the installer, point an MX record at the panel hostname, then add your first hosted domain in the panel UI. By the time the page reload finishes, DKIM is published, MTA-STS is live, and you can create the first mailbox.
The installation guide covers DNS prep and reverse-DNS recommendations for outbound deliverability. The demo panel shows the deliverability dashboard live.
Frequently Asked Questions
- What mail server does Jabali Panel use?
- Jabali Panel manages Stalwart 0.16.0 — a single-binary mail server that provides SMTP submission, MTA, IMAP, and JMAP in one process. The panel provisions mailboxes, domain entries, and deliverability DNS records; Stalwart handles the actual mail transport and storage.
- Which mail protocols and ports does Jabali Panel expose?
- IMAP on port 993 (TLS), SMTP submission on port 465 (implicit TLS) and 587 (STARTTLS), and JMAP over HTTPS. Roundcube webmail is available at https://<primary-mail-domain>/mail/ with one-click SSO from the panel.
- How does Jabali Panel handle DKIM, SPF, and DMARC?
- Jabali auto-generates DKIM keys and publishes them into the hosted DNS zone when a domain is added. The Mail Deliverability admin page shows DKIM, SPF, DMARC, and MTA-STS state for every domain at a glance. A Rotate DKIM button generates a new key, publishes the new DNS record, and retires the old key after a configurable grace period so in-flight signed mail still validates.
- What is MTA-STS and does Jabali Panel configure it?
- MTA-STS is a policy that instructs sending mail servers to use TLS when delivering to your domain. Jabali Panel configures per-domain MTA-STS policies — TXT record and policy file — automatically. Stalwart also ingests inbound TLS-RPT, MTA-STS-RPT, and DMARC aggregate reports, which are visible per-domain in the deliverability dashboard.
- Do mail clients auto-configure with Jabali Panel?
- Yes. Jabali serves Apple mobileconfig, Thunderbird autoconfig.xml, and Outlook autodiscover.xml automatically, so most mail clients detect the correct server hostname, port, and TLS settings without manual entry.
- Can I set up forwarders, catch-alls, and autoresponders?
- Yes. The Mail section of each hosted user provides: per-mailbox forwarders to one or more external addresses, vacation autoresponders with a start/end date window, catch-all routing (to a chosen mailbox, :drop, or :reject), per-domain outbound disclaimer injection, and IMAP shared folders with ACL management.
- What operating system does Jabali Panel run on?
- Jabali Panel supports Debian 13 (Trixie) only. The installer detects and rejects earlier Debian releases and Ubuntu.