feat: add Mailpit SMTP relay and migrate all services

- Add Mailpit service to NET stack with web UI at mailpit.pivoine.art
- Configure Mailpit to relay all emails through IONOS SMTP
- Migrate all 11+ services to use Mailpit instead of direct IONOS SMTP:
  * SEXY: Directus API
  * UTIL: Joplin, Mattermost, Vaultwarden, Tandoor, Linkwarden
  * DEV: Gitea, n8n, Asciinema
  * AI: Open WebUI
  * NET: Netdata (via msmtp)
- Centralize SMTP credentials in mailpit-relay.yaml
- Simplify service configs (no auth/TLS for internal SMTP)
- Enable email monitoring via Mailpit web UI with Basic Auth

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

net/compose.yaml

@@ -223,6 +223,43 @@ services:
       - 'traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.loadbalancer.server.port=3000'
       - 'traefik.docker.network=${NETWORK_NAME}'
 
+  # Mailpit - SMTP server with web UI
+  mailpit:
+    image: ${NET_MAILPIT_IMAGE:-axllent/mailpit:latest}
+    container_name: ${NET_COMPOSE_PROJECT_NAME}_mailpit
+    restart: unless-stopped
+    environment:
+      TZ: ${TIMEZONE:-Europe/Berlin}
+      # SMTP relay configuration for IONOS
+      MP_SMTP_AUTH_ACCEPT_ANY: 1
+      MP_SMTP_AUTH_ALLOW_INSECURE: 1
+      MP_MAX_MESSAGES: 5000
+      # SMTP relay to IONOS
+      MP_SMTP_RELAY_CONFIG: /config/relay.yaml
+    volumes:
+      - mailpit_data:/data
+      - ./mailpit-relay.yaml:/config/relay.yaml:ro
+    networks:
+      - compose_network
+    labels:
+      - 'traefik.enable=${NET_TRAEFIK_ENABLED}'
+      # HTTP to HTTPS redirect
+      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-mailpit-redirect-web-secure.redirectscheme.scheme=https'
+      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-mailpit-redirect-web-secure'
+      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web.rule=Host(`${NET_MAILPIT_TRAEFIK_HOST}`)'
+      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web.entrypoints=web'
+      # HTTPS router with auth
+      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-mailpit-auth.basicauth.users=${AUTH_USERS}'
+      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.rule=Host(`${NET_MAILPIT_TRAEFIK_HOST}`)'
+      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.tls.certresolver=resolver'
+      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.entrypoints=web-secure'
+      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.middlewares=${NET_COMPOSE_PROJECT_NAME}-mailpit-auth,security-headers@file'
+      # Service
+      - 'traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.loadbalancer.server.port=8025'
+      - 'traefik.docker.network=${NETWORK_NAME}'
+      # Watchtower
+      - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
+
 volumes:
   letsencrypt_data:
     name: ${NET_COMPOSE_PROJECT_NAME}_letsencrypt_data
@@ -232,6 +269,8 @@ volumes:
     name: ${NET_COMPOSE_PROJECT_NAME}_netdata_lib
   netdata_cache:
     name: ${NET_COMPOSE_PROJECT_NAME}_netdata_cache
+  mailpit_data:
+    name: ${NET_COMPOSE_PROJECT_NAME}_mailpit_data
 
 networks:
   compose_network:

net/mailpit-relay.yaml

@@ -0,0 +1,11 @@
+# Mailpit SMTP Relay Configuration
+# Relays all outbound emails through IONOS SMTP
+
+# Default relay for all emails
+relay:
+  host: ${EMAIL_SMTP_HOST}
+  port: ${EMAIL_SMTP_PORT}
+  username: ${EMAIL_SMTP_USER}
+  password: ${EMAIL_SMTP_PASSWORD}
+  starttls: true
+  auth: plain

net/msmtprc

@@ -2,19 +2,15 @@
 
 # Set default values for all accounts
 defaults
-auth           on
-tls            on
-tls_trust_file /etc/ssl/certs/ca-certificates.crt
+auth           off
+tls            off
 logfile        /var/log/msmtp.log
 
-# IONOS SMTP account
-account        ionos
-host           smtp.ionos.de
-port           465
-tls_starttls   off
+# Mailpit SMTP relay account
+account        mailpit
+host           net_mailpit
+port           1025
 from           hi@pivoine.art
-user           hi@pivoine.art
-password       jaquoment
 
 # Set default account
-account default : ionos
+account default : mailpit