v0.13.4

[0.13.4] - 2025-09-30

If you are upgrading from v0.11.x or v0.12.x, this version includes breaking changes to the message queue and MTA configuration. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.

Added

Changed

• JMAP: Protocol layer rewrite for zero-copy deserialization and architectural improvements.

Fixed

• IMAP: Unbounded memory allocation in request parser (CVE-2025-61600 ).
• IMAP: Wrong permission checked for GETACL.
• JMAP: References to previous method fail when there are no results (#1507).
• JMAP: Enforce quota checks on Blob/copy.
• JMAP: Mailbox/get fails without accountId argument (#1936).
• JMAP: Do not return invalidProperties when email update doesn't contain changes (#1139)
• iTIP: Include date properties in REPLY (#2102).
• OIDC: Do not set username field if it is the same as the email field.
• Telemetry: Fix calculateMetrics housekeeper task (#2155).
• Directory: Always use rsplit to extract the domain part from email addresses.

---

Check binary attestation at here

v0.13.3

[0.13.3] - 2025-09-10

If you are upgrading from v0.11.x or v0.12.x, this version includes breaking changes to the message queue and MTA configuration. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.

Added

• CLI: Health checks (contributed by @Codekloeppler)

Changed

• WebDAV: Assisted discovery v2

Fixed

• iTIP: Do not send a REPLY when deleting an event that was not accepted.
• iTIP: Include event details in REPLY messages (#2102).
• iTIP: Add organizer to iMIP replies if missing to deal with MS Exchange 2010 bug.
• OIDC: Do not overwrite locally defined aliases (#2065).
• HTTP: Scan ban should only be triggered by HTTP parse errors.
• HTTP: Skip scanner fail2ban checks when the proxy client IP can't be parsed (#2121).
• JMAP: Do not allow roles to be removed from system mailboxes (#1977).
• JMAP WS: Fix panic when using invalid server url.
• SMTP: Do no send EHLO twice when STARTTLS is unavailable (#2050).
• IMAP: Allow ENABLE UTF8 in IMAPrev1.
• IMAP: Include administer permission in ACL responses.
• IMAP: Add owner rights to ACL get responses.
• IMAP: Do not auto-train Bayes when moving messages from Junk to Trash.
• IMAP/ManageSieve: Increase maximum quoted argument size (#2039).
• CalDAV: Limit recurrence expansions in calendar reports (CVE-2025-59045).
• WebDAV: Do not fix percent encoding on WebDAV FS (#2036).

---

Check binary attestation at here

v0.13.2

[0.13.2] - 2025-07-28

If you are upgrading from v0.11.x or v0.12.x, this version includes breaking changes to the message queue and MTA configuration. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.

Added

• ACME: DeSEC cloud DNS provider support (contributed by @Tyr3al).
• ACME: OVH cloud DNS provider support (contributed by @srachner).
• CalDAV Scheduling: Catalan language support (contributed by @jolupa) (#1873).
• MTA: Allow to send e-mails as group, while member of that group (#485).
• OIDC: Allow local access tokens to be used with third-party OIDC backends (#1311 stalwartlabs/webadmin#52).

Changed

• IMAP: Return OK when moving/copying non-existent messages (#670).
• IMAP: Copy flags when copying/moving messages between accounts.

Fixed

• MTA: Do not convert e-mail local parts to lowercase (#1916).
• Sieve: fileinto should override spam filter (#1917).
• JMAP: Incorrect accountId used in email set and import methods (#1777).
• WebDAV: Always return MULTISTATUS when calendar-query yields no results.
• LDAP: Only set account name if not returned in LDAP query (#1471).
• Enterprise: Invalidate logo cache when changes are made (#1856).
• Enterprise: Fix tenant quota update API.

---

Check binary attestation at here

v0.13.1

[0.13.1] - 2025-07-16

If you are upgrading from v0.11.x or v0.12.x, this version includes breaking changes to the message queue and MTA configuration. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.

Added

• ACME: DigitalOcean cloud DNS provider support (#1667).

Changed

Fixed

• Migration: Old queue events not deleted causing high CPU usage in some deployments (#1833).
• MTA: mta-sts setting parsing issue (#1830).
• JMAP: sortOrder should not be null (#1831).
• Allow invalid TOML when parsing database settings (#1822).

---

Check binary attestation at here

v0.13.0

[0.13.0] - 2025-07-15

If you are upgrading from v0.11.x or v0.12.x, this version includes breaking changes to the message queue and MTA configuration. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.

Added

• MTA queue enhancements (#1246 #1035 #457).
• Danish locale support (contributed by @Fadil2k) (#1772).
• DKIM support for stalwart-cli (contributed by @rmsc) (#1804).

Changed

• Invalidate access token caches in a cluster using pub/sub (#1741).
• Allow updating secrets for all directory types.

Fixed

• WebDAV: Return all shared resources in calendar-home-set and addressbook-home-set (#1796).
• WebDAV ACL: Fix write permission and multiget reports (#1768).
• CalDAV Scheduling: Include DTSTART/DTEND properties in iMIP CANCEL messages (#1775).
• HTTP: Do not include WWW-Authenticate headers in API responses (#1795).
• API: Allow API keys to be used with external directories (#1815).
• IMAP: Fix issue creating subfolders under INBOX for group shared folder (#1817).
• IMAP: Custom Name for Shared Folders ignored (#1620).
• LDAP: local placeholder should return username when its not an email address (#1784).

---

Check binary attestation at here

v0.12.5

[0.12.5] - 2025-06-25

If you are upgrading from v0.11.x, this version includes breaking changes to the database layout and requires a migration. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.

Added

• Calendar Scheduling Extensions to CalDAV - RFC6368 (#1514)
• Calendar E-Mail Notifications (#1514)
• Limited i18n support for calendaring events.
• Assisted CalDAV/CardDAV shared resource discovery (#1691).

Changed

• JMAP: Allow unauthenticated access to JMAP session object.

Fixed

• WebDAV: Return NOTFOUND error instead of MULTISTATUS on empty PROPFIND responses (#1657).
• WebDAV: Update account name when refreshing DAV caches (#1694).
• JMAP: Do not include email address in identity names (#1688).
• IMAP: Normalize INBOX name when creating/renaming folders (#1636).
• LDAP: Request secret-changed attribute in LDAP queries (#1409).
• Branding: Unable to change logos (#1652).
• Antispam: Skip card-is-ham override when sender does not pass DMARC (#1648).
• FoundationDB: Renew old/expired FDB read transactions after the 1007 error code is received rather than estimating expiration time.

---

Check binary attestation at here

v0.12.4

[0.12.4] - 2025-06-03

If you are upgrading from v0.11.x, this version includes breaking changes to the database layout and requires a migration. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.

Added

• LDAP authentication enhancements (#1269 #1471 #795 #1496).
• MTA: Return Queue IDs during message acceptance (#927).

Changed

• LDAP: bind.auth.enable is now bind.auth.method, read the updated LDAP documentation for more information.

Fixed

• DNS: hickory-resolver bug hitting 100% CPU usage when resolving DNSSEC records.
• IMAP: Return the message UID in the destination mailbox if the message already exists (#1201).
• MTA: TLS reports being issued for sent TLS reports (infinite loop) (#1301).
• WebDAV: Return CTag on /dav/cal/account resources to force iOS synchronize.
• CardDAV: Strict vCard parsing (#1607).
• WebDAV: Dead property updates (#1611).
• WebDAV: Use last change id in CTag.

---

Check binary attestation at here

v0.12.3

[0.12.3] - 2025-05-30

If you are upgrading from v0.11.x, this version includes breaking changes to the database layout and requires a migration. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.

Added

• Store vanished IMAP UIDs and WebDAV paths in the changelog.

Changed

Fixed

• XML CDATA injection (credits to @andreymal for the report).
• Macro references are replaced with their content when writing config file (#1595).
• Double nested CalDAV and CardDAV property tags (#1591).
• Allow empty properties in PROPPATCH requests (#1580).

---

Check binary attestation at here

v0.12.2

[0.12.2] - 2025-05-27

If you are upgrading from v0.11.x, this version includes breaking changes to the database layout and requires a migration. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.

Added

• CardDAV: Legacy vCard 2.1 and 3.0 serialization support.
• WebDAV: Add SRV Records to help DAV autodiscovery (closes #1565).

Changed

Fixed

• Report list attempts to deserialize empty values (#1562)
• Refresh expired FoundationDB transactions while retrieving large blobs (#1555).

---

Check binary attestation at here

v0.12.1

[0.12.1] - 2025-05-26

If you are upgrading from v0.11.x, this version includes breaking changes to the database layout and requires a migration. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.

Added

Changed

Fixed

• Migration tool to generate the correct next id (#1561).
• Failed to parse setting dav.lock.max-timeout (closes #1559).
• Failed to build OpenTelemetry span exporter: no http client specified (#1571).

---

Check binary attestation at here