Introduction
Bulwark is a modern, open-source webmail client built with Next.js and the JMAP protocol for Stalwart Mail Server. It provides email, calendar, contacts, and cloud files in one interface with modern security and customization features.
Why Bulwark?
Most webmail clients are either outdated, slow, or lack modern features. Bulwark was created to fill this gap by providing:
- Modern UI/UX - A clean, responsive interface built with cutting-edge web technologies
- JMAP Protocol - Leveraging the modern JMAP standard instead of legacy IMAP for superior performance
- Stalwart Integration - First-class support for Stalwart Mail Server, including Sieve filters, vacation responder, account security management, JMAP FileNode storage, and runtime branding options
- Open Source - Fully open-source under the AGPL v3 license
Key Features
- Multi-account support - Manage up to 5 email accounts with instant switching, per-account state preservation, default account selection, and unified inbox across all accounts
- Full email management - Tiptap rich text composer with inline images and resizing, plain text mode, threaded conversation view (with disable toggle), draft auto-save and editing, archive modes (direct, by year, year/month), TNEF (
winmail.dat) extraction, embeddedmessage/rfc822unwrapping, color tag labels with multi-tag support, hover actions, answered/forwarded status icons, reply-to addresses, auto-select reply identity, sub-addressing (plus addressing), email export/import, newsletter unsubscribe (RFC 2369), and printable viewer - Calendar (RFC 8984) - Month, week, day, agenda, and task views, drag-to-reschedule, click-drag and double-click creation, edge-resize with 15-minute snap, recurring events with scoped edit/delete and client-side expansion, iMIP invitations on create/update (RFC 5545/6047) with RSVP trust assessment, inline calendar invitation banner in email viewer, iCal/webcal subscriptions with editing and batch import, CalDAV discovery with multi-account home resolution, auto-generated birthday calendar from contacts, virtual locations as first-class fields, task management with due dates and priority, week numbers, hover preview, notification sounds with sound picker
- Contacts (RFC 9553/9610) - Multiple address books with drag-and-drop, contact groups with member management, vCard import/export with duplicate detection, autocomplete in composer, A-Z grouping with sticky section headers, revamped detail view with filters, photo, print, duplicate detection and contact activity (recent emails and upcoming events), right-click context menu, address book rename, trusted senders stored in a dedicated JMAP address book
- Files - JMAP FileNode browser with grid/list views, streamed WebDAV PUT upload, folder upload via drag-and-drop, dynamic server-configured upload limits, preview for images/text/audio/video, clipboard cut/copy/paste/duplicate, favorites, and recent files
- Filters & Templates - Server-side Sieve filters (RFC 9661) with visual rule builder, expanded visual view, raw editor with syntax validation, vacation responder with date-range scheduling, and reusable email templates with placeholder auto-fill
- Identity - Multiple sender identities with per-identity signatures, automatic identity sync, identity badges in viewer/list, sub-addressing helper
- S/MIME - Manage certificates, sign, encrypt, decrypt, and verify; legacy 3DES and password-based encryption (PBE) support; per-account key isolation; signer auto-import on verify
- Authentication - OAuth2/OIDC with PKCE (Keycloak, Authentik, or built-in), OAuth-only mode, OAuth app passwords, non-interactive SSO for embedded iframe deployments, TOTP two-factor authentication, encrypted Remember-me sessions (AES-256-GCM)
- Admin & Extensibility - Stalwart admin dashboard via JMAP
x:methods (Stalwart 0.16+), API keys management, IP allowlist for app passwords, dedicated policy sections, schema-driven plugin configuration UI, plugin render and intercept hooks,onAvatarResolvehook, plugin i18n API, calendar event action slots, composer-sidebar plugin slot, manifest-declaredframeOriginsmerged into the host CSP, plugin sandboxing with dangerous-pattern detection and admin approval, theme upload as ZIP bundles with admin enforcement, and an extension marketplace (configured viaEXTENSION_DIRECTORY_URL) for browsing and installing plugins/themes - Bundled plugins - Jitsi Meet for calendar video conferencing
- Themes & branding - Dark and light themes with intelligent HTML email color transformation, "always light" email option, custom favicon, sidebar logos, login logos, login company name and links, dynamic PWA manifest with configurable name, description, icons, theme color, and background color
- Progressive Web App - Service worker, install prompt with don't-ask-again option, configurable manifest, dynamic icons (192/512 + maskable variants)
- Interface - Three-pane responsive layout with resizable columns, full keyboard navigation, drag-and-drop email organization and tag assignment, interactive guided tour, right-click context menus, toast notifications with undo, customizable toolbar position, pinnable sidebar apps with drag-and-drop reordering and mobile visibility toggle, encrypted settings sync across devices, storage quota display, WCAG AA contrast, reduced-motion support, focus trap, and screen reader live regions
- Internationalization - 15 languages (English, French, Japanese, Spanish, Italian, German, Dutch, Portuguese, Russian, Korean, Polish, Latvian, Simplified Chinese, Ukrainian, Czech) with auto-detection and configurable locale URL prefix via
NEXT_PUBLIC_LOCALE_PREFIX - Custom JMAP endpoints - Optionally let users specify a JMAP server URL on the login form (
ALLOW_CUSTOM_JMAP_ENDPOINT) - Operations - Real-time push via JMAP EventSource, structured logging (
textorjson) with category-based levels, automatic update check on startup, health check endpoint, demo mode with fixture data, release (main) and development (dev) Docker images on GHCR, native ARM runners - Security hardening - DOMPurify HTML sanitization, external content blocked by default with trusted senders, SPF/DKIM/DMARC indicators, enforced CSP with per-request nonce, SSRF redirect validation, IP spoofing prevention, sandboxed PDF iframe
Tech Stack
| Technology | Purpose |
|---|---|
| Next.js 16 | React framework |
| TypeScript | Type safety |
| Tailwind CSS v4 | Styling |
| Zustand | State management |
| JMAP | Mail protocol (RFC 8620) |
| next-intl | Internationalization |
| Lucide React | Icon library |
| Stalwart | Mail server |
Getting Help
- GitHub Repository - Source code and issue tracker
- Stalwart Documentation - Mail server setup and configuration
- JMAP Specification - Protocol documentation