All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.
To upgrade replace the stalwart-mail
binary.
- Restore deleted e-mails (Enterprise Edition only)
- Kubernetes (K8S) livenessProbe and readinessProbe endpoints.
- Avoid sending reports for DMARC/delivery reports (#173)
- Refresh old FoundationDB read transactions (#520)
- Subscribing shared mailboxes doesn't work (#251)
To upgrade replace the stalwart-mail
binary.
- Fix TOTP validation order.
- Increase Jemalloc page size on armv7 builds.
To upgrade replace the stalwart-mail
binary and then upgrade to the latest web-admin.
- Two-factor authentication with Time-based One-Time Passwords (#436)
- Application passwords (#479).
- Option to disable user accounts.
- DANE success on EndEntity match regardless of TrustAnchor validation.
- Fix ManageSieve GETSCRIPT response: Add missing CRLF (#563)
- Do not return CAPABILITIES after ManageSieve AUTH=PLAIN SASL exchange (#548)
- POP3 QUIT must write a response (#568)
To upgrade replace the stalwart-mail
binary and then upgrade to the latest web-admin and spam filter versions.
- Webhooks support (#480)
- MTA Hooks (like milter but over HTTP)
- Manually train and test spam classifier (#473 #264 #257 #471)
- Allow configuring default mailbox names, roles and subscriptions (#125 #290 #458 #498)
- Include
robots.txt
(#542)
- Milter support on all SMTP stages (#183)
- Do not announce
STARTTLS
if the listener does not support it.
- Incoming reports stored in the wrong subspace (#543)
- Return
OK
after a successful ManageSieve SASL authentication flow (#187) - Case-insensitive search in settings API (#487)
- Fix
session.rcpt.script
default variable name (#502)
To upgrade replace the stalwart-mail
binary and then upgrade to the latest web-admin and spam filter versions.
- POP3 support.
- DKIM signature length exploit protection.
- Faster email deletion.
- Junk/Trash folder auto-expunge and changelog auto-expiry (#403)
- IP allowlists.
- HTTP Strict Transport Security option.
- Add TLS Reporting DNS entry (#464).
- Use separate account for master user.
- Include server hostname in SMTP greetings (#448).
- IP addresses trigger
R_SUSPICIOUS_URL
false positive (#461 #419). - JMAP identities should not return null signatures.
- Include authentication headers and check queue quotas on Sieve message forwards.
- ARC seal using just one signature.
- Remove technical subdomains from MTA-STS policies and TLS records (#429).
This version uses a different database layout which is incompatible with previous versions. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.
- Clustering support with node auto-discovery and partition-tolerant failure detection.
- Autoconfig and MS Autodiscover support (#336)
- New variables
retry_num
,notify_num
,last_error
addlast_status
available in queue expressions. - Performance improvements, in particular for FoundationDB.
- Improved full-text indexing with lower disk space usage.
- MTA-STS policy management.
- TLSA Records generation for DANE (#397)
- Queued message visualization from the web-admin.
- Master user support.
- Make
certificate.*
local keys by default. - Removed
server.run-as.*
settings. - Add Microsoft Office Macro types to bad mime types (#391)
- mySQL TLS support (#415)
- Resolve file macros after dropping root privileges.
- Updated order of SPF Records (#395).
- Avoid duplicate accountIds when using case insensitive external directories (#399)
authenticated_as
variable not usable for must-match-sender (#372)- Remove
StandardOutput
,StandardError
in service (#390) - SMTP
AUTH=LOGIN
compatibility issues with Microsoft Outlook (#400)
To upgrade replace the stalwart-mail
binary and then upgrade to the latest web-admin version.
- Full database export and import functionality
- Add --help and --version command line arguments (#365)
- Allow catch-all addresses when validating must match sender
- Add
groupOfUniqueNames
to the list of LDAP object classes
- Trim spaces in DNS-01 ACME secrets (#382)
- Allow only one journald tracer (#375)
authenticated_as
variable not usable for must-match-sender (#372)- Fixed
BOGUS_ENCRYPTED_AND_TEXT
spam filter rule - Fixed parsing of IPv6 DNS server addresses
To upgrade replace the stalwart-mail
binary and then upgrade to the latest web-admin version.
- Support for
DNS-01
andHTTP-01
ACME challenges (#226) - Configurable external resources (#355)
- Startup failure when Elasticsearch is down/starting up (#334)
- URL decode path elements in REST API.
To upgrade replace the stalwart-mail
binary.
- Make initial admin password configurable via env (#311)
- WebAdmin download URL.
- Remove ASN.1 DER structure from DKIM ED25519 public keys.
- Filter out invalid timestamps on log entries.
This version uses a different database layout and introduces multiple breaking changes in the configuration files. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.
- Web-based administration interface.
- REST API for management and configuration.
- Automatic RSA and ED25519 DKIM key generation.
- Support for compressing binaries in the blob store (#227).
- Improved performance accessing IMAP mailboxes with a large number of messages.
- Support for custom DNS resolvers.
- Support for multiple loggers with different levels and outputs.
- Store quotas as
u64
rather thanu32
. - Second IDLE connections disconnects the first one (#280).
- Use relaxed DNS parsing, allowing underscores in DNS labels (#172).
- Escape regexes within
matches()
expressions (#155). - ManageSieve LOGOUT should reply with
OK
instead ofBYE
.
This version introduces breaking changes in the configuration file. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.
- Distributed and fault-tolerant SMTP message queues.
- Distributed rate-limiting and fail2ban.
- Expressions in configuration files.
- Do not include
STATUS
in IMAPNOOP
responses (#234). - Allow multiple SMTP
HELO
commands. - Redirect OAuth using a
301
instead of a307
code.
Please read the UPGRADING.md file for more information on how to upgrade from previous versions.
- Built-in fail2ban and IP address/mask blocking (#164).
- CLI: Read URL and credentials from environment variables (#88).
- mySQL driver: Add
max-allowed-packet
setting (#201).
- Unified storage settings for all services (read the UPGRADING.md for details)
- IMAP retrieval of auto-encrypted emails (#203).
- mySQL driver: Parse
timeout.wait
property as duration (#202). X-Forwarded-For
header on JMAP Rate-Limit does not work (#208).- Use timeouts in install script (#138).
Please read the UPGRADING.md file for more information on how to upgrade from previous versions.
- ACME support for automatic TLS certificate generation and renewal (#160).
- TLS certificate hot-reloading.
- HAProxy protocol support (#36).
- IMAP command
SEARCH <seqnum>
is using UIDs rather than sequence numbers. - IMAP responses to
APPEND
andEXPUNGE
should includeHIGHESTMODSEQ
whenCONDSTORE
is enabled.
- SMTP smuggling protection: Sanitization of outgoing messages that do not use
CRLF
as line endings. - SMTP sender validation for authenticated users: Added the
session.auth.must-match-sender
configuration option to enforce that the sender address used in theMAIL FROM
command matches the authenticated user or any of their associated e-mail addresses.
- Invalid DKIM signatures for empty message bodies.
- IMAP command
SEARCH BEFORE
is not properly parsed. - IMAP command
FETCH
fails to parse single arguments without parentheses. - IMAP command
ENABLE QRESYNC
should also enableCONDSTORE
extension. - IMAP response to
ENABLE
command does not include enabled capabilities list. - IMAP response to
FETCH ENVELOPE
should not returnNIL
when theFrom
header is missing.
This version requires a database migration and introduces breaking changes in the configuration file. Please read the UPGRADING.md file for more information.
- Performance enhancements:
- Messages are parsed only once and their offsets stored in the database, which avoids having to parse them on every
FETCH
request. - Background full-text indexing.
- Optimization of database access functions.
- Messages are parsed only once and their offsets stored in the database, which avoids having to parse them on every
- Storage layer improvements:
- In addition to
FoundationDB
andSQLite
, now it is also possible to useRocksDB
,PostgreSQL
andmySQL
as a storage backend. - Blobs can now be stored in any of the supported data stores, it is no longer limited to the file system or S3/MinIO.
- Full-text searching con now be done internally or delegated to
ElasticSearch
. - Spam databases can now be stored in any of the supported data stores or
Redis
. It is no longer necessary to have an SQL server to use the spam filter.
- In addition to
- Internal directory:
- User account, groups and mailing lists can now be managed directly from Stalwart without the need of an external LDAP or SQL directory.
- HTTP API to manage users, groups, domains and mailing lists.
- IMAP4rev1
Recent
flag support, which improves compatibility with old IMAP clients. - LDAP bind authentication, to support some LDAP servers such as
lldap
which do not expose the userPassword attribute. - Messages marked a spam by the spam filter can now be automatically moved to the account's
Junk Mail
folder. - Automatic creation of JMAP identities.
- Spamhaus DNSBL return codes.
- CLI tool reports authentication errors rather than a parsing error.
- JMAP for Quotas support (RFC9425)
- JMAP Blob Management Extension support (RFC9404)
- Spam Filter - Empty header rules.
- Daylight savings time support for crontabs.
- JMAP
oldState
doesn’t reflect in*/changes
(#56)
- Dockerfile entrypoint script.
bayes_is_balanced
function.
This version introduces some breaking changes in the configuration file. Please read the UPGRADING.md file for more information.
- Built-in Spam and Phishing filter.
- Scheduled queries on some directory types.
- In-memory maps and lists containing glob or regex patterns.
- Remote retrieval of in-memory list/maps with fallback mechanisms.
- Macros and support for including files from TOML config files.
config.toml
is now split in multiple TOML files for better organization.- BREAKING: Configuration key prefix
jmap.sieve
(JMAP Sieve Interpreter) has been renamed tosieve.untrusted
. - BREAKING: Configuration key prefix
sieve
(SMTP Sieve Interpreter) has been renamed tosieve.trusted
.
- Option to allow invalid certificates on outbound SMTP connections.
- Option to disable ansi colors on
stdout
.
- SMTP reject messages are now logged as
info
rather thandebug
.
- Support for reading environment variables from the configuration file using the
!ENV_VAR_NAME
special keyword. - Option to disable ANSI color codes in logs.
- Querying directories from a Sieve script is now done using the
query()
method fromeval
. Your scripts will need to be updated, please refer to the new syntax.
- IPrev lookups of IPv4 mapped to IPv6 addresses.
- Journal logging support
- IMAP support for UTF8 APPEND
- Replaced
rpgp
withsequoia-pgp
due to rpgp bug.
- Fix: IMAP folders that contain a & can't be used (#90)
- Fix: Ignore empty lines in IMAP requests
- Option to disable IMAP All Messages folder (#68).
- Option to allow unencrypted SMTP AUTH (#72)
- Support for
rcpt-domain
key inrcpt.relay
SMTP rule evaluation.
- SMTP strategy
Ipv6thenIpv4
returns only IPv6 addresses (#70) - Invalid IMAP
FETCH
responses for non-UTF-8 messages (#70) - Allow
STATUS
andACL
IMAP operations on virtual mailboxes. - IMAP
SELECT QRESYNC
without specifying a UID causes panic (#67) - Milter
DATA
command is sent after headers which causes ClamAV to hang. - Sieve
redirect
of unmodified messages does not work.
- Arithmetic and logical expression evaluation in Sieve scripts.
- Support for storing query results in Sieve variables.
- Results of SPF, DKIM, ARC, DMARC and IPREV checks available as environment variables in Sieve scripts.
- Configurable protocol flags for Milter filters.
- Fall-back to plain text when
STARTTLS
fails andstarttls
is set tooptional
.
- Do not panic when
hash = 0
in reports. (#60) - JMAP Session resource returns
EmailSubmission
capabilities using arrays rather than objects. - ManageSieve
PUTSCRIPT
should replace existing scripts.
- TCP listener option
nodelay
.
- SMTP: Allow disabling
STARTTLS
. - JMAP: Support for
OPTIONS
HTTP method.
- JMAP: Support for setting custom HTTP response headers (#52)
- SMTP: Missing envelope keys in rewrite rules (#25)
- SMTP: Remove CRLF from Milter headers
- JMAP/IMAP: Successful authentication requests should not count when rate limiting
- IMAP: Case insensitive Inbox selection
- IMAP: Automatically create Inbox for group accounts
- Encryption at rest with S/MIME or OpenPGP.
- Support for referencing context variables from dynamic values.
- Support for PKCS8v1 ED25519 keys (#20).
- Automatic retry for import/export blob downloads (#14)
- Sender and recipient address rewriting using regular expressions and sieve scripts.
- Subaddressing and catch-all addresses using regular expressions (#10).
- Dynamic variables in SMTP rules.
- Added CLI to Docker container (#19).
- Workaround for a bug in
sqlx
that caused SQL time-outs (#15). - Support for ED25519 certificates in PEM files (#20).
- Better handling of concurrent IMAP UID map modifications (#17).
- LDAP domain lookups from SMTP rules.
- Milter filter support.
- Match IP address type using /0 mask (#16).
- Support for OpenLDAP password hashing schemes between curly brackets (#8).
- Add CA certificates to Docker runtime (#5).
- LDAP and SQL authentication.
- subaddressing and catch-all addresses.
- S3-compatible storage.
- Merged the
stalwart-jmap
,stalwart-imap
andstalwart-smtp
repositories intostalwart-mail
. - Removed clustering module and replaced it with a FoundationDB backend option.
- Integrated Stalwart SMTP into Stalwart JMAP.
- Rewritten JMAP protocol parser.
- Rewritten store backend.
- Rewritten IMAP server to have direct access to the message store (no more IMAP proxy).
- Replaced
actix
withhyper
.