I checked my repo to see which Stalwart version I was running and if I could update, and I was surprised to find that the Arch package has been deleted due to FOSS licensing concerns[1], the most severe of which seems to be that Stalwart can no longer build without proprietary code[2]. Other smaller issues include the fact that the web admin interface isn't included in the source distribution, but is downloaded from GitHub on first run, and _also_ seems to contain proprietary code[3].
These issues, which would be showstoppers for a real free software project, and pretty easy to fix if you were the rightsholder of the code, were promised to be fixed "in a few weeks" in September last year, and "in a few months" in January this year, however they're still not fixed, which means I can't upgrade - not that I probably want to anymore. I truly believe in free software, so I find the idea of using "open source" as an empty marketing bullet-point for at least eight months to be fairly distasteful. Might be time to switch to Maddy.
I want to clarify that Stalwart can absolutely be compiled without any proprietary code. All you need to do is omit the Enterprise feature flag during compilation [0], and what you get is a 100% AGPL-3.0 build. The Arch package removal wasn’t because the software suddenly became non-free, but rather due to a packaging requirement: Arch needs a clean separation of the Enterprise code from the source tree, and that’s something we haven’t done yet (it will be implemented as a script). The delay isn’t due to any unwillingness to comply, it’s simply been a matter of prioritization. Over the past few months, the focus was on delivering major features like WebDAV support. That said, I'm still fully committed to resolving the packaging issue because we want Stalwart back in Arch as much as you do.
It’s also worth noting that only about 5% of the codebase is Enterprise, and that small slice helps fund ongoing development and expansion of the team [1]. As much as I'd love to be completely sponsor-funded, the reality is that open source projects still need to cover real-world costs. For what it's worth, Stalwart has received two NLNet grants [2] [3] to support open protocol work, which hopefully reinforces our commitment to open source.
So while the optics of this situation may look rough from the outside, I promise it’s not some “open source in name only” kind of thing. It’s just one of those painful balance acts between building features, maintaining packages, and paying the bills.
And hey, if you're heading back to Maddy, no hard feelings. But the door’s always open if you want to give Stalwart another shot down the road.
As I understand, the AGPLv3 requires the corresponding source code to be provided under the same license, so the Arch guys wanting an AGPLv3 source package isn't just a niche Arch-specific concern or a "packaging issue," but a licensing requirement that can't be ignored or delayed.
> All you need to do is omit the Enterprise feature flag during compilation, and what you get is a 100% AGPL-3.0 build.
Maybe I'm misunderstanding, but my interpretation of this issue[1] is that Stalwart contains AGPLv3 licensed functions that call into the SEL licensed `has_tenant_access` function, among others, and that the affected functions are not conditionally compiled out of the AGPLv3 binaries. @afontenot says on that issue that they don't believe it's "possible to use Stalwart under the AGPL at present." Are they wrong and can that issue be closed?
I am also concerned about the webadmin. A free software program that downloads proprietary code on first start isn't free software in practice, and since there aren't two separate SEL and AGPLv3 licensed builds of the webadmin on GitHub, that must be the case.
> So while the optics of this situation may look rough from the outside, I promise it’s not some “open source in name only” kind of thing. It’s just one of those painful balance acts between building features, maintaining packages, and paying the bills.
I get it, but it's disappointing that AGPLv3 compliance is so low in the list of priorities that this licensing issue has been known about but not solved in 8 months, all while receiving grants intended for free software projects. That balancing act must have included the consideration that the free software community is regularly burnt by rug-pulls (Redis) and trust isn't easily won back once its lost.
> And hey, if you're heading back to Maddy, no hard feelings. But the door’s always open if you want to give Stalwart another shot down the road.
I might. Sorry if I've been harsh, but it's only because Stalwart is a very cool project. A FOSS all-in-one mail server written in a safe language is exactly what email needs, and since learning about it, I've been worried that it's too good to be true. Please don't let it be. I don't think it will gain the momentum to replace Postfix if it can't be packaged in Linux distros due to licensing issues.
I really like where Stalwart is going, but I am quite hesitant to use it when basically all commits are authored by a single person. What would happen if he abandons the project or disappears?
Why not? If it goes away, it would take years until it rots and becomes unusable. And given that it uses open standard, it would be pretty simple to take a backup (which you should be doing regularly anyways) and move somewhere else.
This is interesting because Stalwart has a built-in clustering feature and can use distributed databases as its storage layer, so you get high-availability options out of the box. I've struggled with doing similar HA on Dovecot, never quite being true HA (for the open source version of Dovecot) for a while and never found a good other open source option.
I’ve always found stalwart interesting but have been a bit sceptical due to the main developer being quite anonymous. It seems that there is a company behind it as well "Stalwart Labs" but I cannot find information about it either, no linkedin and no people. I might just be used to openess as in devs not being anonymous though.
I understand your perspective, many open source communities are built on transparency, and it's natural to want to know the people behind a project.
That said, I personally value privacy highly, which is actually one of the main reasons I started Stalwart Mail Server. I don't maintain a personal presence on LinkedIn or other social media platforms, not because I'm trying to be anonymous, but because I prefer to focus on the work rather than promoting myself. I’ve found that platforms like LinkedIn are more noise than signal for me, especially with constant recruiter spam.
While I may not be putting my personal life on display, I’m committed to transparency where it matters most: through the project’s code, documentation, and community engagement. I hope that helps clarify things!
I feel you as I also value my privacy however i believe there is a difference between anonymity and privacy: a completely unknown entity and a person which personal life is not on the internet. There is a lot of trust involved especially with something as important as an email server which is extremely important for businesses.
It's this and the project being maintained by a solo developer (unless it's a pseudonym for multiple people :D) that makes me not want to personally rely on it.
I'm not only here to complain though, it's an awesome project and I find it really impressive for someone to build a mailserver (and other features) from scratch. Thank you for investing time in open source implementations of protocols that run the world.
Follow up questions: What are the thoughts about enterprise and business support? I see that it exists but I believe there is a lot of trust involved ^^. Will there be more developers, open source, knowing the people behind the project and or support people? Do you have any customers today?
Thanks for follow-up. You're absolutely right that there's a distinction between privacy and anonymity. However I just want to clarify that my decision to keep a low personal profile online stems from a deep belief in privacy, not secrecy.
To give you more context about the project: Stalwart Labs was indeed started and is currently led by a single developer: myself. I have over 30 years of experience working with email technologies and have previously founded three email-related companies.
That said, I’m not working entirely alone. While I’m the core developer and founder, there are others involved in Stalwart Labs today handling support, sales, and maintaining smaller parts of the codebase (mostly changes required by clients). My plan is to continue leading development myself until the project reaches version 1.0, which I hope will happen later this year. After that milestone, the goal is to gradually expand the development team, particularly to support work on a Rust-based webmail and calendar interface that will complement the mail server.
Stalwart’s development has been largely self-funded, aside from two NLNet grants. I’ve been growing the team organically and intentionally. While I have been approached by two VC firms, I’ve chosen to decline their offers. Not just to avoid external pressure (and stress), but also because some proposed directions conflicted with promises I’ve made to the community. For example, there have been suggestions to move some open-source features behind a paywall, which I’m against and promised the community never to do.
As for enterprise support, yes, Stalwart Labs offers an enterprise license that includes premium support services. And regarding adoption, I'm happy to say that there are currently a few hundred enterprise clients using Stalwart in production. While I would need the clients' permissions to share their names, I can say that Mozilla Thunderbird is one of them. They’ve publicly announced their upcoming launch of thundermail.com, which is powered by Stalwart.
I hope that gives you more clarity and confidence in the project. Thanks.
It most definitely gives me clarity and confidence in the project! I'm very happy to hear rejections from VC funding. A few hundred enterprise clients is not a small amount at all for a bootstrapped project.
Unsolicited advice from an anonymous entity online ;): Put this information on the website! It hopefully removes any trust issues that people might have (I believe I'm not the only one), it did for me!
I wish you all the best on your endeavors, I'm excited to see what you bring in the future <3
For better or worse there's an immense amount of anonymous developers behind major projects that you likely rely on a daily basis. I wish more core projects had a policy of no anonymous people in the core team at least, but it is what it is...
I applaud the technical achievement, but I fear this is the kind of feature creep that kills projects. There were quite a few open source "groupware" projects that are now close to forgotten because what people really needed was a [email server] that integrated nicely with their existing [files,office,ticketing...], but the "groupware" options were too tightly bundled and hard to integrate.
Swap the brackets for any feature and you'll probably find a "suite" that did that thing the best, but ultimately failed because it wasn't the best at everything else too.
Nextcloud already has calendar, contacts and especially files covered quite well, but it can't be configured to use external providers for those. Anyone who wants a complete self-hosted solution (everything from federated file shares to web forms, collaborative editing, appointments, tasks...) will definitely want to stick with Nextcloud, so they'll have to turn off all these new features.
I just worry that with time, this will become another "all in one" suite that does one or even a few things reeeally well (email), but is too annoying to properly integrate with everything else.
Yes, Nextcloud is also in danger of becoming that, but they've done a very good job of moving things into optional extensions and giving you plenty of integration options for plugging in external software. It's very good at being the hub that other things plug into, but you can't have two hubs...
What is the reason to pick Stalwart over Nextcloud? Nextcloud also has calendars, contacts, files, and integrated mail client. And a reasonably sized ecosystem of apps.
While I am happy for areas of competition - since they lead to choice - I also like it when there are partnerships....Nextcloud either acquired or partners with RoundCube, and separately also partners with collabora for the Office suite offering....so might be great if Nextcloud and Stalwart had some sort of partnership for mutual benefit.
These issues, which would be showstoppers for a real free software project, and pretty easy to fix if you were the rightsholder of the code, were promised to be fixed "in a few weeks" in September last year, and "in a few months" in January this year, however they're still not fixed, which means I can't upgrade - not that I probably want to anymore. I truly believe in free software, so I find the idea of using "open source" as an empty marketing bullet-point for at least eight months to be fairly distasteful. Might be time to switch to Maddy.
[1]: https://gitlab.archlinux.org/archlinux/packaging/packages/st... [2]: https://github.com/stalwartlabs/stalwart/issues/783 [3]: https://gitlab.archlinux.org/archlinux/packaging/packages/st...