[Bug]: Login session not stored, server returned 400

[Kabelkrant]

Description

My login session with Bulwark is not stored in my browser, both with Firefox and Chrome. Every time I come back, the session has been expired and I have to login again.

Bulwark is running in Docker, behind a NGINX reverse proxy.

The SESSION_SECRET environment variable is provided to the container, generated with openssl rand -base64 32.

The Firefox Console reports:
Failed to store session: server returned 400
and
Settings sync failed: Identity mismatch

There is only 1 cookie with the name DeviceId.

Steps to Reproduce

1. Go to Bulwark, check 'Remember me', and login.
2. Close the tab
3. Visit the Bulwark webmail URL again.
4. The login screen with the message 'Your session has expired. Please sign in again.' is presented

Expected Behavior

To go directly to the inbox.

Actual Behavior

The login screen with the message 'Your session has expired. Please sign in again.' is presented

Bulwark Version

1.5.3

Stalwart Mail Server Version

0.16.2

Browser

Firefox 150.0
Chrome 147.0.7727.119

Operating System

Windows 11

Screenshots / Screen Recording

No response

Relevant Logs or Error Output

Firefox developer tools console:

[ERROR] Failed to store session: server returned 400 [3718-6cf8e01f8fd92f9f.js:1:688](https://webmail.onderzone.nl/_next/static/chunks/3718-6cf8e01f8fd92f9f.js)
    NextJS 2

and

[SETTINGS_SYNC] Settings sync failed: Identity mismatch [3718-6cf8e01f8fd92f9f.js:1:1616](https://webmail.onderzone.nl/_next/static/chunks/3718-6cf8e01f8fd92f9f.js)
    NextJS 2

Docker log:

webmail  | ▲ Next.js 16.2.4
webmail  | - Local:         http://localhost:3000
webmail  | - Network:       http://0.0.0.0:3000
webmail  | ✓ Ready in 0ms
webmail  | Bulwark Webmail v1.5.3
webmail  | [INFO ] 2026-04-30T12:36:50.703Z Admin dashboard enabled (password loaded from admin.json)
webmail  | Admin dashboard initialized
webmail  | [INFO ] 2026-04-30T12:36:50.736Z telemetry: scheduler not started {"consent":"off"}

Additional Context

NGINX-config:

server {
  listen 80;
  listen [::]:80;
  listen 443 quic;
  listen 443 ssl;
  listen [::]:443 quic;
  listen [::]:443 ssl;
  http2 on;
  http3 off;
  ssl_certificate_key /etc/nginx/ssl-certificates/webmail.onderzone.nl.key;
  ssl_certificate /etc/nginx/ssl-certificates/webmail.onderzone.nl.crt;
  server_name webmail.onderzone.nl;
  root /home/onderzone-webmail/htdocs/webmail.onderzone.nl;

  access_log /home/onderzone-webmail/logs/nginx/access.log main;
  error_log /home/onderzone-webmail/logs/nginx/error.log;

  if ($scheme != "https") {
    rewrite ^ https://$host$request_uri permanent;
  }

  location @reverse_proxy {
        proxy_pass http://10.0.20.3:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
  }


  include /etc/nginx/global_settings;

  add_header Cache-Control no-transform;

  index index.html;

  location ^~ /.well-known {
    auth_basic off;
    allow all;
    try_files $uri @reverse_proxy;
  }

  location / {
    try_files $uri @reverse_proxy;
  }
}

docker-compose:

services:
  webmail:
    image: ghcr.io/bulwarkmail/webmail:latest
    container_name: webmail
    ports:
      - 3000:3000
    environment:
      JMAP_SERVER_URL: https://mail.onderzone.nl
    volumes:
      - ./settings:/app/data/settings
      - ./admin:/app/data/admin
    restart: unless-stopped
    env_file:
      - .env
networks: {}

.env:

APP_NAME=Onderzone Mail
FAVICON_URL=/branding/extern/webmail.svg
LOGIN_LOGO_LIGHT_URL=/branding/extern/webmail.svg
LOGIN_LOGO_DARK_URL=/branding/extern/webmail.svg
SESSION_SECRET=nEkmvLqTfWZYIZ**(....etc,redacted)**
SETTINGS_SYNC_ENABLED=true
STALWART_FEATURES=true
ADMIN_PASSWORD=**(redacted)**
BULWARK_TELEMETRY=off

[rathlinus]

Looks like a dns issue. Bulwark refuses to store the cookie if your jmap server resolves to a private ip adress, which it probably does, given your NGINX is on 10.0.20.3.

Can you check what this returns?:
docker exec webmail getent hosts mail.onderzone.nl

[Kabelkrant]

Yes, that's right, that's really clever of you to think about that.

All my servers have a public and private facing interface. There is a web server, docker server and stalwart server.

The Stalwart server is added to the hostfile of the Docker host to resolve to it's local adress. This is to keep the traffic internal.

root@telefoon:~# docker exec webmail getent hosts mail.onderzone.nl
10.0.20.4         mail.onderzone.nl  mail.onderzone.nl

Any advise what I should do instead?

[rathlinus]

You could make the container use public dns i think.

[rathlinus]

Try this in you config:

services:
  webmail:
    dns:
      - 1.1.1.1
      - 8.8.8.8

And this:

docker compose up -d --force-recreate webmail
docker exec webmail getent hosts mail.onderzone.nl

[Kabelkrant]

Yes, but it is intentional to use the hostfile.

All my servers have a public and private facing interface. I thought it was clever to route the traffic between Bulwark and Stalwart over this private network.

Is this a uncommon or unsupported use case?

[rathlinus]

It is not yet supported, i could add a flag like BULWARK_ALLOW_PRIVATE_JMAP

[Kabelkrant]

Works for me!

Are there any implications?

[chrilep]

I just added a CNAME for my external bulwark domain name as a CNAME to the internal Stalwart host.
Same for webmail (which is CNAMEd to the reverse proxy). From home i am 100% in my LAN this way.
DNS server is my router where the clients register at.

[rathlinus]

The body serverUrl is now ignored whenever JMAP_SERVER_URL is configured. That should fix it without changing anything from your side exept updating.

[rathlinus]

Please go ahead and try the beta container: docker pull ghcr.io/bulwarkmail/webmail-beta:sha-45a4db1

[Kabelkrant]

It does not work.

I switched to the beta container and added BULWARK_ALLOW_PRIVATE_JMAP=true to the environment.

Also tested it with a clear browser with no cookies, both Firefox and Chrome.

The error code in the Firefox Console log has changed, it is now 502 vs 400 before:

XHR
POST
https://webmail.onderzone.nl/api/auth/session?slot=0
[HTTP/2 502  32ms]

[ERROR] Failed to store session: server returned 502 [3718-6cf8e01f8fd92f9f.js:1:688](https://webmail.onderzone.nl/_next/static/chunks/3718-6cf8e01f8fd92f9f.js)
XHR
POST
https://webmail.onderzone.nl/api/auth/stalwart-context
[HTTP/2 502  32ms]

[SETTINGS_SYNC] Loading settings from server for renz@onderzone.nl [3718-6cf8e01f8fd92f9f.js:1:1523](https://webmail.onderzone.nl/_next/static/chunks/3718-6cf8e01f8fd92f9f.js)
XHR
GET
https://webmail.onderzone.nl/api/settings
[HTTP/2 403  22ms]

[SETTINGS_SYNC] Settings fetch failed: Identity mismatch [3718-6cf8e01f8fd92f9f.js:1:1523](https://webmail.onderzone.nl/_next/static/chunks/3718-6cf8e01f8fd92f9f.js)
[SETTINGS_SYNC] Settings sync enabled for renz@onderzone.nl [3718-6cf8e01f8fd92f9f.js:1:1523](https://webmail.onderzone.nl/_next/static/chunks/3718-6cf8e01f8fd92f9f.js)
GET
https://webmail.onderzone.nl/api/favicon?domain=awix.nl
[HTTP/2 404  19ms]

[SETTINGS_SYNC] Syncing settings to server... [3718-6cf8e01f8fd92f9f.js:1:1523](https://webmail.onderzone.nl/_next/static/chunks/3718-6cf8e01f8fd92f9f.js)
XHR
POST
https://webmail.onderzone.nl/api/settings
[HTTP/2 403  19ms]

[SETTINGS_SYNC] Settings sync failed: Identity mismatch

There is nothing in the Docker output:

webmail  | ▲ Next.js 16.2.4
webmail  | - Local:         http://localhost:3000
webmail  | - Network:       http://0.0.0.0:3000
webmail  | ✓ Ready in 0ms
webmail  | Bulwark Webmail v1.5.3
webmail  | [INFO ] 2026-04-30T14:03:31.268Z Admin dashboard enabled (password loaded from admin.json)
webmail  | Admin dashboard initialized
webmail  | [INFO ] 2026-04-30T14:03:31.303Z telemetry: scheduler not started {"consent":"off"}
webmail  | [INFO ] 2026-04-30T14:03:40.922Z Admin dashboard enabled (password loaded from admin.json)

[rathlinus]

i did not do it with the env variable, you can remove it. Please share the error from the network requests:

Open dev tools > Network > click on /api/auth/session?slot=0 and share the response

[Kabelkrant]

Yes:

POST: https://webmail.onderzone.nl/api/auth/session?slot=0

Request:

{
	"password": "(my password in plaintext)",
	"serverUrl": "https://mail.onderzone.nl",
	"slot": 0,
	"username": "renz@onderzone.nl"
}

Response:

{
	"error": "Failed to verify JMAP session"
}

and this one:

POST https://webmail.onderzone.nl/api/auth/stalwart-context

Request:

{
	"authHeader": "Basic cmVuekBvbm**************(redacted)**",
	"serverUrl": "https://mail.onderzone.nl",
	"slot": 0,
	"username": "renz@onderzone.nl"
}

Response:

{
	"error": "Failed to verify JMAP session"
}

... and then it just logs in, and shows my inbox.