21 KiB
Change Log
All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.
[0.10.3] - 2024-10-07
To upgrade replace the stalwart-mail
binary and then upgrade to the latest web-admin. Enterprise users wishing to use the new LLM-powered spam filter should also upgrade the spam filter rules.
Added
- AI-powered Spam filtering and Sieve scripting (Enterprise feature).
Changed
Fixed
- S3-compatible backends: Retry on
5xx
errors. - OIDC: Include
nonce
parameter inid_token
response.
[0.10.2] - 2024-10-02
To upgrade first upgrade the webadmin and then replace the stalwart-mail
binary. If you read these instructions too late, you can upgrade to the latest web-admin using curl -k -u admin:yourpass https://yourserver/api/update/webadmin
.
Added
- OpenID Connect server (#298).
- OpenID Connect backend support (Enterprise feature).
- OpenID Connect Dynamic Client Registration (#4)
- OAuth 2.0 Dynamic Client Registration Protocol (RFC7591) (#136)
- OAuth 2.0 Token Introspection (RFC7662).
- Contact form submission handling.
webadmin.path
setting to override unpack directory (#792).
Changed
Fixed
- Missing
LIST-STATUS
from RFC5819 in IMAP capability responses (#816). - Do not allow tenant domains to be deleted if they have members (#812).
- Tenant principal limits (#810).
[0.10.1] - 2024-09-26
To upgrade replace the stalwart-mail
binary.
Added
OAUTHBEARER
SASL support in all services (#627).
Changed
Fixed
- Fixed
migrate_directory
range scan (#784).
[0.10.0] - 2024-09-21
This version includes breaking changes to how accounts are stored. Please read UPGRADING.md for details.
Added
- Multi-tenancy (Enterprise feature).
- Branding (Enterprise feature).
- Roles and permissions.
- Full-text search re-indexing.
- Partial database backups (#497).
Changed
Fixed
- IMAP
IDLE
support for command pipelining, aka the Apple Mail iOS 18 bug (#765). - Case insensitive INBOX
fileinto
(#763). - Properly decode undelete account name (#761).
[0.9.4] - 2024-09-09
To upgrade replace the stalwart-mail
binary and then upgrade to the latest web-admin.
Added
- Support for global Sieve scripts that can be used by users to filter their incoming mail.
- Allow localhost to override HTTP access controls to prevent lockouts.
Changed
- Sieve runtime error default log level is now
debug
.
Fixed
- Ignore INBOX case on Sieve's
fileinto
(#725) - Local keys parsing and retrieval issues.
- Lookup reload does not include database settings.
- Account count is incorrect.
[0.9.3] - 2024-08-29
To upgrade replace the stalwart-mail
binary and then upgrade to the latest web-admin.
Added
- Dashboard (Enterprise feature)
- Alerts (Enterprise feature)
- SYN Flood (session "loitering") attack protection (#482)
- Mailbox brute force protection (#688)
- Mail from is allowed (
session.mail.is-allowed
) expression (#609)
Changed
authentication.fail2ban
setting renamed toserver.fail2ban.authentication
.- Added elapsed times to message filtering events.
Fixed
- Include queueId in MTA Hooks (#708)
- Do not insert empty keywords in FTS index.
[0.9.2] - 2024-08-21
To upgrade replace the stalwart-mail
binary and then upgrade to the latest web-admin.
Added
- Message delivery history (Enterprise feature)
- Live tracing and logging (Enterprise feature)
- SQL Read Replicas (Enterprise feature)
- Distributed S3 Blob Store (Enterprise feature)
Changed
Fixed
- Autodiscover request parser issues.
- Do not create tables when using SQL as an external directory (fixes #291)
- Do not hardcode logger id (fixes #348)
- Include
Forwarded-For IP
address inhttp.request-url
event (fixes #682)
[0.9.1] - 2024-08-08
To upgrade replace the stalwart-mail
binary and then upgrade to the latest web-admin.
Added
- Metrics support (closes #478)
- OpenTelemetry Push Exporter
- Prometheus Pull Exporter (closes #275)
- HTTP endpoint access controls (closes #266 #329 #542)
- Add
options
setting to PostgreSQL driver (closes #662) - Add
isActive
property to defaults on Sieve/get JMAP method (closes #624)
Changed
- Perform
must-match-sender
checks after sender rewriting (closes #394) - Only perform email ingest duplicate check on the target mailbox (closes #632)
Fixed
- Properly parse
Forwarded
andX-Forwarded-For
headers (fixes #669) - Resolve DKIM macros when generating DNS records (fixes #666)
- Fixed
is_local_domain
Sieve function (fixes #622)
[0.9.0] - 2024-08-01
To upgrade replace the stalwart-mail
binary and then upgrade to the latest web-admin. This version includes breaking changes to the Webhooks configuration and produces a slightly different log output, read UPGRADING.md for details.
Added
- Improved and faster tracing and logging.
- Customizable event logging levels.
Changed
Fixed
- ManageSieve: Return capabilities after successful
STARTTLS
- Do not provide
{auth_authen}
Milter macro unless the user is authenticated
[0.8.5] - 2024-07-07
To upgrade replace the stalwart-mail
binary.
Added
- Restore deleted e-mails (Enterprise Edition only)
- Kubernetes (K8S) livenessProbe and readinessProbe endpoints.
Changed
- Avoid sending reports for DMARC/delivery reports (#173)
Fixed
- Refresh old FoundationDB read transactions (#520)
- Subscribing shared mailboxes doesn't work (#251)
[0.8.4] - 2024-07-03
To upgrade replace the stalwart-mail
binary.
Added
Changed
Fixed
- Fix TOTP validation order.
- Increase Jemalloc page size on armv7 builds.
[0.8.3] - 2024-07-01
To upgrade replace the stalwart-mail
binary and then upgrade to the latest web-admin.
Added
- Two-factor authentication with Time-based One-Time Passwords (#436)
- Application passwords (#479).
- Option to disable user accounts.
Changed
- DANE success on EndEntity match regardless of TrustAnchor validation.
Fixed
- Fix ManageSieve GETSCRIPT response: Add missing CRLF (#563)
- Do not return CAPABILITIES after ManageSieve AUTH=PLAIN SASL exchange (#548)
- POP3 QUIT must write a response (#568)
[0.8.2] - 2024-06-22
To upgrade replace the stalwart-mail
binary and then upgrade to the latest web-admin and spam filter versions.
Added
- Webhooks support (#480)
- MTA Hooks (like milter but over HTTP)
- Manually train and test spam classifier (#473 #264 #257 #471)
- Allow configuring default mailbox names, roles and subscriptions (#125 #290 #458 #498)
- Include
robots.txt
(#542)
Changed
- Milter support on all SMTP stages (#183)
- Do not announce
STARTTLS
if the listener does not support it.
Fixed
- Incoming reports stored in the wrong subspace (#543)
- Return
OK
after a successful ManageSieve SASL authentication flow (#187) - Case-insensitive search in settings API (#487)
- Fix
session.rcpt.script
default variable name (#502)
[0.8.1] - 2024-05-23
To upgrade replace the stalwart-mail
binary and then upgrade to the latest web-admin and spam filter versions.
Added
- POP3 support.
- DKIM signature length exploit protection.
- Faster email deletion.
- Junk/Trash folder auto-expunge and changelog auto-expiry (#403)
- IP allowlists.
- HTTP Strict Transport Security option.
- Add TLS Reporting DNS entry (#464).
Changed
- Use separate account for master user.
- Include server hostname in SMTP greetings (#448).
Fixed
- IP addresses trigger
R_SUSPICIOUS_URL
false positive (#461 #419). - JMAP identities should not return null signatures.
- Include authentication headers and check queue quotas on Sieve message forwards.
- ARC seal using just one signature.
- Remove technical subdomains from MTA-STS policies and TLS records (#429).
[0.8.0] - 2024-05-13
This version uses a different database layout which is incompatible with previous versions. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.
Added
- Clustering support with node auto-discovery and partition-tolerant failure detection.
- Autoconfig and MS Autodiscover support (#336)
- New variables
retry_num
,notify_num
,last_error
addlast_status
available in queue expressions. - Performance improvements, in particular for FoundationDB.
- Improved full-text indexing with lower disk space usage.
- MTA-STS policy management.
- TLSA Records generation for DANE (#397)
- Queued message visualization from the web-admin.
- Master user support.
Changed
- Make
certificate.*
local keys by default. - Removed
server.run-as.*
settings. - Add Microsoft Office Macro types to bad mime types (#391)
Fixed
- mySQL TLS support (#415)
- Resolve file macros after dropping root privileges.
- Updated order of SPF Records (#395).
- Avoid duplicate accountIds when using case insensitive external directories (#399)
authenticated_as
variable not usable for must-match-sender (#372)- Remove
StandardOutput
,StandardError
in service (#390) - SMTP
AUTH=LOGIN
compatibility issues with Microsoft Outlook (#400)
[0.7.3] - 2024-05-01
To upgrade replace the stalwart-mail
binary and then upgrade to the latest web-admin version.
Added
- Full database export and import functionality
- Add --help and --version command line arguments (#365)
- Allow catch-all addresses when validating must match sender
Changed
- Add
groupOfUniqueNames
to the list of LDAP object classes
Fixed
- Trim spaces in DNS-01 ACME secrets (#382)
- Allow only one journald tracer (#375)
authenticated_as
variable not usable for must-match-sender (#372)- Fixed
BOGUS_ENCRYPTED_AND_TEXT
spam filter rule - Fixed parsing of IPv6 DNS server addresses
[0.7.2] - 2024-04-17
To upgrade replace the stalwart-mail
binary and then upgrade to the latest web-admin version.
Added
- Support for
DNS-01
andHTTP-01
ACME challenges (#226) - Configurable external resources (#355)
Changed
Fixed
- Startup failure when Elasticsearch is down/starting up (#334)
- URL decode path elements in REST API.
[0.7.1] - 2024-04-12
To upgrade replace the stalwart-mail
binary.
Added
- Make initial admin password configurable via env (#311)
Changed
- WebAdmin download URL.
Fixed
- Remove ASN.1 DER structure from DKIM ED25519 public keys.
- Filter out invalid timestamps on log entries.
[0.7.0] - 2024-04-09
This version uses a different database layout and introduces multiple breaking changes in the configuration files. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.
Added
- Web-based administration interface.
- REST API for management and configuration.
- Automatic RSA and ED25519 DKIM key generation.
- Support for compressing binaries in the blob store (#227).
- Improved performance accessing IMAP mailboxes with a large number of messages.
- Support for custom DNS resolvers.
- Support for multiple loggers with different levels and outputs.
Changed
Fixed
- Store quotas as
u64
rather thanu32
. - Second IDLE connections disconnects the first one (#280).
- Use relaxed DNS parsing, allowing underscores in DNS labels (#172).
- Escape regexes within
matches()
expressions (#155). - ManageSieve LOGOUT should reply with
OK
instead ofBYE
.
[0.6.0] - 2024-02-14
This version introduces breaking changes in the configuration file. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.
Added
- Distributed and fault-tolerant SMTP message queues.
- Distributed rate-limiting and fail2ban.
- Expressions in configuration files.
Changed
Fixed
- Do not include
STATUS
in IMAPNOOP
responses (#234). - Allow multiple SMTP
HELO
commands. - Redirect OAuth using a
301
instead of a307
code.
[0.5.3] - 2024-01-14
Please read the UPGRADING.md file for more information on how to upgrade from previous versions.
Added
- Built-in fail2ban and IP address/mask blocking (#164).
- CLI: Read URL and credentials from environment variables (#88).
- mySQL driver: Add
max-allowed-packet
setting (#201).
Changed
- Unified storage settings for all services (read the UPGRADING.md for details)
Fixed
- IMAP retrieval of auto-encrypted emails (#203).
- mySQL driver: Parse
timeout.wait
property as duration (#202). X-Forwarded-For
header on JMAP Rate-Limit does not work (#208).- Use timeouts in install script (#138).
[0.5.2] - 2024-01-07
Please read the UPGRADING.md file for more information on how to upgrade from previous versions.
Added
- ACME support for automatic TLS certificate generation and renewal (#160).
- TLS certificate hot-reloading.
- HAProxy protocol support (#36).
Changed
Fixed
- IMAP command
SEARCH <seqnum>
is using UIDs rather than sequence numbers. - IMAP responses to
APPEND
andEXPUNGE
should includeHIGHESTMODSEQ
whenCONDSTORE
is enabled.
[0.5.1] - 2024-01-02
Added
- SMTP smuggling protection: Sanitization of outgoing messages that do not use
CRLF
as line endings. - SMTP sender validation for authenticated users: Added the
session.auth.must-match-sender
configuration option to enforce that the sender address used in theMAIL FROM
command matches the authenticated user or any of their associated e-mail addresses.
Changed
Fixed
- Invalid DKIM signatures for empty message bodies.
- IMAP command
SEARCH BEFORE
is not properly parsed. - IMAP command
FETCH
fails to parse single arguments without parentheses. - IMAP command
ENABLE QRESYNC
should also enableCONDSTORE
extension. - IMAP response to
ENABLE
command does not include enabled capabilities list. - IMAP response to
FETCH ENVELOPE
should not returnNIL
when theFrom
header is missing.
[0.5.0] - 2023-12-27
This version requires a database migration and introduces breaking changes in the configuration file. Please read the UPGRADING.md file for more information.
Added
- Performance enhancements:
- Messages are parsed only once and their offsets stored in the database, which avoids having to parse them on every
FETCH
request. - Background full-text indexing.
- Optimization of database access functions.
- Messages are parsed only once and their offsets stored in the database, which avoids having to parse them on every
- Storage layer improvements:
- In addition to
FoundationDB
andSQLite
, now it is also possible to useRocksDB
,PostgreSQL
andmySQL
as a storage backend. - Blobs can now be stored in any of the supported data stores, it is no longer limited to the file system or S3/MinIO.
- Full-text searching con now be done internally or delegated to
ElasticSearch
. - Spam databases can now be stored in any of the supported data stores or
Redis
. It is no longer necessary to have an SQL server to use the spam filter.
- In addition to
- Internal directory:
- User account, groups and mailing lists can now be managed directly from Stalwart without the need of an external LDAP or SQL directory.
- HTTP API to manage users, groups, domains and mailing lists.
- IMAP4rev1
Recent
flag support, which improves compatibility with old IMAP clients. - LDAP bind authentication, to support some LDAP servers such as
lldap
which do not expose the userPassword attribute. - Messages marked a spam by the spam filter can now be automatically moved to the account's
Junk Mail
folder. - Automatic creation of JMAP identities.
Changed
Fixed
- Spamhaus DNSBL return codes.
- CLI tool reports authentication errors rather than a parsing error.
[0.4.2] - 2023-11-01
Added
- JMAP for Quotas support (RFC9425)
- JMAP Blob Management Extension support (RFC9404)
- Spam Filter - Empty header rules.
Changed
Fixed
- Daylight savings time support for crontabs.
- JMAP
oldState
doesn’t reflect in*/changes
(#56)
[0.4.1] - 2023-10-26
Added
Changed
Fixed
- Dockerfile entrypoint script.
bayes_is_balanced
function.
[0.4.0] - 2023-10-25
This version introduces some breaking changes in the configuration file. Please read the UPGRADING.md file for more information.
Added
- Built-in Spam and Phishing filter.
- Scheduled queries on some directory types.
- In-memory maps and lists containing glob or regex patterns.
- Remote retrieval of in-memory list/maps with fallback mechanisms.
- Macros and support for including files from TOML config files.
Changed
config.toml
is now split in multiple TOML files for better organization.- BREAKING: Configuration key prefix
jmap.sieve
(JMAP Sieve Interpreter) has been renamed tosieve.untrusted
. - BREAKING: Configuration key prefix
sieve
(SMTP Sieve Interpreter) has been renamed tosieve.trusted
.
Fixed
[0.3.10] - 2023-10-17
Added
- Option to allow invalid certificates on outbound SMTP connections.
- Option to disable ansi colors on
stdout
.
Changed
- SMTP reject messages are now logged as
info
rather thandebug
.
Fixed
[0.3.9] - 2023-10-07
Added
- Support for reading environment variables from the configuration file using the
!ENV_VAR_NAME
special keyword. - Option to disable ANSI color codes in logs.
Changed
- Querying directories from a Sieve script is now done using the
query()
method fromeval
. Your scripts will need to be updated, please refer to the new syntax.
Fixed
- IPrev lookups of IPv4 mapped to IPv6 addresses.
[0.3.8] - 2023-09-19
Added
- Journal logging support
- IMAP support for UTF8 APPEND
Changed
- Replaced
rpgp
withsequoia-pgp
due to rpgp bug.
Fixed
- Fix: IMAP folders that contain a & can't be used (#90)
- Fix: Ignore empty lines in IMAP requests
[0.3.7] - 2023-09-05
Added
- Option to disable IMAP All Messages folder (#68).
- Option to allow unencrypted SMTP AUTH (#72)
- Support for
rcpt-domain
key inrcpt.relay
SMTP rule evaluation.
Changed
Fixed
- SMTP strategy
Ipv6thenIpv4
returns only IPv6 addresses (#70) - Invalid IMAP
FETCH
responses for non-UTF-8 messages (#70) - Allow
STATUS
andACL
IMAP operations on virtual mailboxes. - IMAP
SELECT QRESYNC
without specifying a UID causes panic (#67) - Milter
DATA
command is sent after headers which causes ClamAV to hang. - Sieve
redirect
of unmodified messages does not work.
[0.3.6] - 2023-08-29
Added
- Arithmetic and logical expression evaluation in Sieve scripts.
- Support for storing query results in Sieve variables.
- Results of SPF, DKIM, ARC, DMARC and IPREV checks available as environment variables in Sieve scripts.
- Configurable protocol flags for Milter filters.
- Fall-back to plain text when
STARTTLS
fails andstarttls
is set tooptional
.
Changed
Fixed
- Do not panic when
hash = 0
in reports. (#60) - JMAP Session resource returns
EmailSubmission
capabilities using arrays rather than objects. - ManageSieve
PUTSCRIPT
should replace existing scripts.
[0.3.5] - 2023-08-18
Added
- TCP listener option
nodelay
.
Changed
Fixed
- SMTP: Allow disabling
STARTTLS
. - JMAP: Support for
OPTIONS
HTTP method.
[0.3.4] - 2023-08-09
Added
- JMAP: Support for setting custom HTTP response headers (#52)
Changed
Fixed
- SMTP: Missing envelope keys in rewrite rules (#25)
- SMTP: Remove CRLF from Milter headers
- JMAP/IMAP: Successful authentication requests should not count when rate limiting
- IMAP: Case insensitive Inbox selection
- IMAP: Automatically create Inbox for group accounts
[0.3.3] - 2023-08-02
Added
- Encryption at rest with S/MIME or OpenPGP.
- Support for referencing context variables from dynamic values.
Changed
Fixed
- Support for PKCS8v1 ED25519 keys (#20).
- Automatic retry for import/export blob downloads (#14)
[0.3.2] - 2023-07-28
Added
- Sender and recipient address rewriting using regular expressions and sieve scripts.
- Subaddressing and catch-all addresses using regular expressions (#10).
- Dynamic variables in SMTP rules.
Changed
- Added CLI to Docker container (#19).
Fixed
- Workaround for a bug in
sqlx
that caused SQL time-outs (#15). - Support for ED25519 certificates in PEM files (#20).
- Better handling of concurrent IMAP UID map modifications (#17).
- LDAP domain lookups from SMTP rules.
[0.3.1] - 2023-07-22
Added
- Milter filter support.
- Match IP address type using /0 mask (#16).
Changed
Fixed
- Support for OpenLDAP password hashing schemes between curly brackets (#8).
- Add CA certificates to Docker runtime (#5).
[0.3.0] - 2023-07-16
Added
- LDAP and SQL authentication.
- subaddressing and catch-all addresses.
- S3-compatible storage.
Changed
- Merged the
stalwart-jmap
,stalwart-imap
andstalwart-smtp
repositories intostalwart-mail
. - Removed clustering module and replaced it with a FoundationDB backend option.
- Integrated Stalwart SMTP into Stalwart JMAP.
- Rewritten JMAP protocol parser.
- Rewritten store backend.
- Rewritten IMAP server to have direct access to the message store (no more IMAP proxy).
- Replaced
actix
withhyper
.