[0.16.11] - 2026-06-25

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• Encryption-at-rest: Support for AES-256-GCM and ChaCha20-Poly1305 for S/MIME (#161).
• S3: Support for allowInvalidCerts option to allow connecting to S3 endpoints with invalid TLS certificates.
• Redis Sentinel support as an in-memory store and cluster coordinator backend (#2430).

Changed

Fixed

• DANE: Verify DNSSEC is supported by the resolver before attempting to validate TLSA records.
• TLS: Update search index when file-backed certificates are refreshed.
• JMAP: Principal/query returns broad results when a name or email filter cannot be resolved.
• Webhooks: event IDs collide for same event type emitted in the same second.

Check binary attestation here