[0.16.3] - 2026-04-30

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

Changed

• Replaced STALWART_HTTPS_PORT with STALWART_PUBLIC_URL.
• App Passwords now begin with app_ instead of app to avoid issues with some clients that do not support spaces in passwords.

Fixed

• Directory:
  • Invalidate caches when group memberships change on an external directory.
  • OIDC: errors instead of "failed to decode token".
  • OIDC: Recovery admin access.
  • User impersonation.
• Tasks:
  • Delete locked tasks.
  • Queue pagination by anchor.
• Log viewer: All events show as INFO.
• Registry: Allow changing object variants.
• Node id renewal.
• DNS Updater: Fix Route53 serialization format.

Check binary attestation here

[0.16.2] - 2026-04-28

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• OIDC: Fallback to userinfo endpoint when JWT token does not contain an email claim.
• S3: verifyAfterWrite option to verify that objects have persisted after writing.

Changed

• Allow HTTP to be used for configuring the server.

Fixed

• LDAP: Generate valid credentialId when there are password changes.
• TLS: Disable cipher suited option disables wrong ciphers.
• DNS Updater:
  • BunnyDNS: Use subdomain as name of record instead of FQDN.
  • RFC2136: Chunk TXT records.
• Skip invalid entries in log files.

Check binary attestation here

[0.16.1] - 2026-04-25

This version includes multiple breaking changes. If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• OIDC: Extract username from JWT token.
• system('node_hostname') and system('node_role') expression variables to retrieve the local node hostname and cluster role respectively.

Changed

Fixed

• JMAP:
  • Invalid receivedAt headers after importing (#2939).
  • Sorting order issues when emails lack receivedAt headers.
• IMAP: Fix BINARY fetch responses (#2940).
• WebDAV: Fix ACL validation for target folders.
• ACME: Allow requesting apex domain certificates.
• Hostname issues:
  • Accept RFC 6761 reserved TLDs during bootstrap.
  • Allow hostnames without TLDs in remote server settings.
• Reverse proxy issues.
• OSS builds.
• DNS Updater:
  • RFC2136: TSIG secret not base64 decoded.
  • Google DNS: Chunk TXT records when they exceed 255 characters.
  • Cloudflare:
    • Fix CAA record updates.
    • Check zone subdomains when finding zones

Check binary attestation here

[0.16.0] - 2026-04-20

This version includes multiple breaking changes. If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• Web UI rewritten from the ground up using the JMAP management API, featuring a refreshed design and addressing 76 enhancement requests and bug fixes.
• CLI rewritten from the ground up to use the JMAP management API.
• Security enhancements:
  • Password strength enforcement using the zxcvbn algorithm
  • Password expiration, rotation policies and IP address restrictions for user accounts
  • App Passwords with limited access (#1609), labels (#2255), IP address restrictions and expiration dates
  • API keys with limited access, labels, IP address restrictions and expiration dates
  • Auto-ban comments and details about the triggering event (#1321)
  • Auto-ban expiration after a configurable time period (#964)
• DNS Management:
  • Automatic DNS management of MX, TXT, CNAME, SRV, CAA and TLSA records (#463 #1017 #1419 #2438 #1370 #1406 #1371)
  • Automatic update of TLSA records when ACME certificates change (#1664)
  • RFC2136 SIG(0) support (#856)
  • Route53 provider support (contributed by @jimmystewpot)
  • Google Cloud DNS provider support (contributed by @jimmystewpot)
  • Bunny provider support (contributed by @angeloanan)
  • Porkbun provider support (contributed by @jeffesquivels)
  • DNSimple provider support (contributed by @NelsonVides)
  • Spaceship provider support (contributed by @matserix)
• DKIM:
  • Automatic DKIM key generation, rotation and DNS management (#368 #961)
  • Store DKIM keys in the database (#1264)
  • Ignore insecure signatures when verifying DKIM (#1068 #467)
• ACME/TLS:
  • DNS-PERSIST-01 ACME challenge support (#2837)
  • Renew certificates on demand, view certificate details (#675 #1162 #2566)
  • CAA record support (#468) with accounturi parameter (#1933)
  • TLSA records publishing restricted to 3 1 1 and 2 1 1 (#2193)
• OIDC and OAuth:
  • JWT token validation without requesting userinfo from the OIDC provider.
  • Audience (aud) claim (#2603) and scope validation support.
  • Groups support (#1448)
  • RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients
• LDAP:
  • Separate filter for groups (#1841)
  • Improve support for OpenLDAP schemas (#760)
  • Improve and simplify LDAP settings (#2194 #2174)
• Directory:
  • Masked email addresses for enhanced privacy (Enterprise)
  • Domain aliases (#583)
  • E-mail alias descriptions and option to disable aliases (#506)
  • Account archiving and un-deletion (#2767) (Enterprise)
  • Per-domain directory backends (Enterprise)
• Account configuration and discovery:
  • Automatic Configuration of Email, Calendar, and Contact Server Settings (draft-mailmaint-uaautoconf-04) (#2201)
  • MS Autodiscover V2 support (#679)
• Sieve: Allow deactivating scripts without deleting them (#1251).
• Tracing: Enable events only mode (#2276)
• Clustering:
  • Automatic cluster node ID generation and management.
  • Unified cluster management (#960)
  • Outbound MTA role (#1692)

Changed

• Replaced REST API with JMAP API (#2262 #959 #1480)
• Removed support for Authenticated Received Chain (ARC) sealing (learn more).
• Directory: Removed smtp, imap and memory directory backends.
• Use aws-lc for cryptographic operations instead of ring.
• Use rustls-platform-verifier for TLS certificate verification instead of webpki (#247).

Fixed

• Directory:
  • Cannot remove built-in "admin" role from user once it was assigned (#1467)
  • Delete associated records (#963)
  • Updated Role permissions not applied (#2038)
  • Recreated account cannot log in until server is restarted (#1469)
  • Subaddressing does not work for groups (#475)
  • New LDAP aliases are rejected (#1318).
  • Validate account and group names (#2209)
• MTA:
  • RCPT TO stage settings improvements (#2217 #394)
  • Relay to IP addresses (#838)
  • Duplicate delivery inverted check
  • SASL challenge responses include invalid Go ahead text
• JMAP:
  • Fix inMailboxOtherThan query logic.
  • Fix hasAttachment search field (#2778)
• IMAP:
  • Increment argument max length to 8000 bytes
  • ACL: Add RIGHTS capability (#2762)
  • ACL: Fix ACL SET permission override.
• WebDAV:
  • Return 304 NOT_MODIFIED on If-None-Match
  • Use RFC 2616 instead of RFC 1123 for date formatting
  • Fix ACL container/item mismatch in reports.
  • CalDAV: Allow organized properties to be present in PUT requests if they are equal to the existing ones.
  • CalDAV: Enforce cumulative iCalendar instances cap in CalDAV free-busy REPORT handler
• Configuration: Prefix parsing issues (#2495)
• OIDC: JWKS Exposes Symmetric Signing Key
• SQLite: Fix thread pool exhaustion.
• PostgreSQL: Use clean recycling method on connection pool
• Meilisearch: Make id sorteable.
• ACME: Fix wrong origin for subdomain updates (#2360)
• Spam filter: Skip invalid messages during training.
• Calendar: Include minutes in localized invite templates (#2828)
• HTTP: Fix 204 CORS preflight responses

Check binary attestation here