Update stalwartlabs/stalwart Docker tag to v0.16.6 #494

Open
renovate wants to merge 1 commit from renovate/stalwartlabs-stalwart-0.x into master
Collaborator

This PR contains the following updates:

Package | Update | Change
stalwartlabs/stalwart | minor | v0.15.5 → v0.16.6

Release Notes

stalwartlabs/stalwart (stalwartlabs/stalwart)

v0.16.6

Compare Source

[0.16.6] - 2026-05-20

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

  • Added 58 new DNS provider integrations (see dns-update crate for details).
  • DNS updater: Log DNS record types and values.
  • Sieve: Allow User Sieve scripts to access orcpt.
  • MTA: Log when messages are rejected or discarded by the spam classifier.

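Changed

  • Bump JMAP File Storage to draft-ietf-jmap-filenode-14.
  • Accept password hashes with $ or { prefixes as secure secrets.
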
Fixed

  • DAV: acl-principal-prop-set REPORT enforced the wrong privilege.
  • JMAP: Thread/get did not filter by per-mailbox ACLs on shared accounts.
  • IMAP: UID FETCH N:* could miss messages moved into a SELECTed mailbox by another connection.
  • DNS updater:
    • Skip v=spf1 a -all records for apex domains.
    • RFC2136 TSIG: regression related to multiplexer.
    • Route53: Chunk TXT records when they exceed 255 characters.
  • ACME:
    • Update defaultCertificateId when renewing a certificate that is currently set as default.
    • Perform DNS-01 authorizations sequentially to avoid race conditions in some DNS providers.
  • Allow internal TLDs and special characters in e-mail addresses.
  • Websocket: Perform case insensitive matching during upgrade.
  • LDAP: Synchronize accounts when expanding mailing list recipients.
  • Sieve: replace action adds an extra From header.
  • ACL: Orphaned ACL entries for deleted accounts cause JMAP session errors.

Check binary attestation here: https://github.com/stalwartlabs/stalwart/attestations/28096453

v0.16.5

Compare Source

[0.16.5] - 2026-05-11

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

  • is_ip_in_cidr expression function for CIDR matching.

Changed

  • Bump mail-auth to 0.9 (which bumps hickory-resolver to 0.26).
  • Deprecated RFC2136 SIG(0) support as it is no longer supported by hickory.

Fixed

  • JMAP:
    • Patching ids containing digits in JSON Pointers fails.
    • Patching nested objects with null values fails.
  • External directories:
    • SQL: Return Failed instead of Error when the query returns no results.
    • LDAP: Impersonation fails when the user has not logged in before.
  • Network: Attempt binding to IPv4 when binding to IPv6 fails with EAFNOSUPPORT error.
  • Bootstrap: Timeout after 30 seconds when probing the data store.
  • HTTP: Use permissive CORS headers for .well-known endpoints.
  • ACME:
    • Include apex domains when requesting certificates for subdomains.
    • Use the public suffix list to determine the zone name when no origin is provided.
  • MTA:
    • Allow rescheduling recipients with permanent failures.
    • Process reports using original RCPT before rewriting.
  • Autodiscover v2 endpoint unreachable.
  • DNS update (via dns-update crate):
    • OVH + Google Cloud DNS: Fix FQDN handling for MX and SRV records.
    • Route53: Fix changeset error resolution.
    • deSEC: Use empty subname for apex records instead of @, which the API rejects.
    • Cloudflare: Wrap TXT record content in double quotes (RFC 1035) to suppress dashboard warnings.
  • iCalendar/JSCalendar (via calcard crate):
    • Support STATUS:CANCELLED mapping from VTODO to JSCalendar.
    • Fixed duration parsing for zero duration PT0S.

Check binary attestation here: https://github.com/stalwartlabs/stalwart/attestations/27125867

v0.16.4

Compare Source

[0.16.4] - 2026-05-05

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

Changed

Fixed

  • Live tracing in community and OSS versions.
  • Timezone changes from the AccountSettings object return invalidProperties.
  • mail-parser panic with certain messages containing corrupted attachments.
  • Pagination by anchor for queued messages, tasks and metrics.
  • Spam filter: Use original instead of rewritten RCPT on checks.
  • JMAP:
    • References in nested objects not resolved.
    • AddressBook/query fetches wrong resources.
  • Import tool fails to restore registry entries.
  • FDB: Allow multiple FoundationDB instances in the same process.
  • Autoconfig: Return %EMAILADDRESS% when no email address is provided.
  • Quota: Include Sieve scripts in quota recalculations.

Check binary attestation here: https://github.com/stalwartlabs/stalwart/attestations/26459606

v0.16.3

Compare Source

[0.16.3] - 2026-04-30

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

Changed

  • Replaced STALWART_HTTPS_PORT with STALWART_PUBLIC_URL.
  • App Passwords now begin with app_ instead of "app " (with a trailing space) to avoid issues with some clients that do not support spaces in passwords.

Fixed

  • Directory:
    • Invalidate caches when group memberships change on an external directory.
    • OIDC: errors instead of "failed to decode token".
    • OIDC: Recovery admin access.
    • User impersonation.
  • Tasks:
    • Delete locked tasks.
    • Queue pagination by anchor.
  • Log viewer: All events show as INFO.
  • Registry: Allow changing object variants.
  • Node id renewal.
  • DNS Updater: Fix Route53 serialization format.

Check binary attestation here: https://github.com/stalwartlabs/stalwart/attestations/26098731

v0.16.2

Compare Source

[0.16.2] - 2026-04-28

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

  • OIDC: Fallback to userinfo endpoint when JWT token does not contain an email claim.
  • S3: verifyAfterWrite option to verify that objects have persisted after writing.

Changed

  • Allow HTTP to be used for configuring the server.

Fixed

  • LDAP: Generate valid credentialId when there are password changes.
  • TLS: Disable cipher suites option disables wrong ciphers.
  • DNS Updater:
    • BunnyDNS: Use subdomain as name of record instead of FQDN.
    • RFC2136: Chunk TXT records.
  • Skip invalid entries in log files.

Check binary attestation here: https://github.com/stalwartlabs/stalwart/attestations/25844634

v0.16.1

Compare Source

[0.16.1] - 2026-04-25

This version includes multiple breaking changes. If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

  • OIDC: Extract username from JWT token.
  • system('node_hostname') and system('node_role') expression variables to retrieve the local node hostname and cluster role respectively.

Changed

Fixed

  • JMAP:
    • Invalid receivedAt headers after importing (#2939).
    • Sorting order issues when emails lack receivedAt headers.
  • IMAP: Fix BINARY fetch responses (#2940).
  • WebDAV: Fix ACL validation for target folders.
  • ACME: Allow requesting apex domain certificates.
  • Hostname issues:
    • Accept RFC 6761 reserved TLDs during bootstrap.
    • Allow hostnames without TLDs in remote server settings.
  • Reverse proxy issues.
  • OSS builds.
  • DNS Updater:
    • RFC2136: TSIG secret not base64 decoded.
    • Google DNS: Chunk TXT records when they exceed 255 characters.
    • Cloudflare:
      • Fix CAA record updates.
      • Check zone subdomains when finding zones

Check binary attestation here: https://github.com/stalwartlabs/stalwart/attestations/25562510

v0.16.0

Compare Source

[0.16.0] - 2026-04-20

This version includes multiple breaking changes. If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

  • Web UI rewritten from the ground up using the JMAP management API, featuring a refreshed design and addressing 76 enhancement requests and bug fixes.
  • CLI rewritten from the ground up to use the JMAP management API.
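  • Security enhancements:
    • Password strength enforcement using the zxcvbn algorithm
    • Password expiration, rotation policies and IP address restrictions for user accounts
    • App Passwords with limited access (#1609), labels (#2255), IP address restrictions and expiration dates
    • API keys with limited access, labels, IP address restrictions and expiration dates
    • Auto-ban comments and details about the triggering event (#1321)
    • Auto-ban expiration after a configurable time period (#964)
  • DNS Management:
    • Automatic DNS management of MX, TXT, CNAME, SRV, CAA and TLSA records (#463 #1017 #1419 #2438 #1370 #1406 #1371)
    • Automatic update of TLSA records when ACME certificates change (#1664)
    • RFC2136 SIG(0) support (#856)
    • Route53 provider support (contributed by @jimmystewpot)
    • Google Cloud DNS provider support (contributed by @jimmystewpot)
    • Bunny provider support (contributed by @angeloanan)
    • Porkbun provider support (contributed by @jeffesquivels)
    • DNSimple provider support (contributed by @NelsonVides)
    • Spaceship provider support (contributed by @matserix)
  • DKIM:
    • Automatic DKIM key generation, rotation and DNS management (#368 #961)
    • Store DKIM keys in the database (#1264)
    • Ignore insecure signatures when verifying DKIM (#1068 #467)
  • ACME/TLS:
    • DNS-PERSIST-01 ACME challenge support (#2837)
    • Renew certificates on demand, view certificate details (#675 #1162 #2566)
    • CAA record support (#468) with accounturi parameter (#1933)
    • TLSA records publishing restricted to 3 1 1 and 2 1 1 (#2193)
  • OIDC and OAuth:
    • JWT token validation without requesting userinfo from the OIDC provider.
    • Audience (aud) claim (#2603) and scope validation support.
    • Groups support (#1448)
    • RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients
  • LDAP:
    • Separate filter for groups (#1841)
    • Improve support for OpenLDAP schemas (#760)
    • Improve and simplify LDAP settings (#2194 #2174)
  • Directory:
    • Masked email addresses for enhanced privacy (Enterprise)
    • Domain aliases (#583)
    • E-mail alias descriptions and option to disable aliases (#506)
    • Account archiving and un-deletion (#2767) (Enterprise)
    • Per-domain directory backends (Enterprise)
  • Account configuration and discovery:
    • Automatic Configuration of Email, Calendar, and Contact Server Settings (draft-mailmaint-uaautoconf-04) (#2201)
    • MS Autodiscover V2 support (#679)
  • Sieve: Allow deactivating scripts without deleting them (#1251).
  • Tracing: Enable events only mode (#2276)
  • Clustering:
    • Automatic cluster node ID generation and management.
    • Unified cluster management (#960)
    • Outbound MTA role (#1692)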

Changed

  • Replaced REST API with JMAP API (#2262 #959 #1480)
  • Removed support for Authenticated Received Chain (ARC) sealing (learn more).
  • Directory: Removed smtp, imap and memory directory backends.
  • Use aws-lc for cryptographic operations instead of ring.
  • Use rustls-platform-verifier for TLS certificate verification instead of webpki (#247).

Fixed

  • Directory:
    • Cannot remove built-in "admin" role from user once it was assigned (#1467)
    • Delete associated records (#963)
    • Updated Role permissions not applied (#2038)
    • Recreated account cannot log in until server is restarted (#1469)
    • Subaddressing does not work for groups (#475)
    • New LDAP aliases are rejected (#1318).
    • Validate account and group names (#2209)
  • MTA:
    • RCPT TO stage settings improvements (#2217 #394)
    • Relay to IP addresses (#838)
    • Duplicate delivery inverted check
    • SASL challenge responses include invalid Go ahead text
  • JMAP:
    • Fix inMailboxOtherThan query logic.
    • Fix hasAttachment search field (#2778)
  • IMAP:
    • Increment argument max length to 8000 bytes
    • ACL: Add RIGHTS capability (#2762)
    • ACL: Fix ACL SET permission override.
  • WebDAV:
    • Return 304 NOT_MODIFIED on If-None-Match
    • Use RFC 2616 instead of RFC 1123 for date formatting
    • Fix ACL container/item mismatch in reports.
    • CalDAV: Allow organized properties to be present in PUT requests if they are equal to the existing ones.
    • CalDAV: Enforce cumulative iCalendar instances cap in CalDAV free-busy REPORT handler
  • Configuration: Prefix parsing issues (#2495)
  • OIDC: JWKS Exposes Symmetric Signing Key
  • SQLite: Fix thread pool exhaustion.
  • PostgreSQL: Use clean recycling method on connection pool
  • Meilisearch: Make id sortable.
  • ACME: Fix wrong origin for subdomain updates (#2360)
  • Spam filter: Skip invalid messages during training.
  • Calendar: Include minutes in localized invite templates (#2828)
  • HTTP: Fix 204 CORS preflight responses

Check binary attestation here: https://github.com/stalwartlabs/stalwart/attestations/25009869

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

renovate changed title from Update stalwartlabs/stalwart Docker tag to v0.16.0 to Update stalwartlabs/stalwart Docker tag to v0.16.1 2026-04-25 10:17:20 +00:00
renovate force-pushed renovate/stalwartlabs-stalwart-0.x from 110322b6f6 to ff76f986b4 2026-04-25 10:17:20 +00:00 Compare
renovate changed title from Update stalwartlabs/stalwart Docker tag to v0.16.1 to Update stalwartlabs/stalwart Docker tag to v0.16.2 2026-04-28 22:18:50 +00:00
renovate force-pushed renovate/stalwartlabs-stalwart-0.x from ff76f986b4 to 963ef5456e 2026-04-28 22:18:51 +00:00 Compare
renovate changed title from Update stalwartlabs/stalwart Docker tag to v0.16.2 to Update stalwartlabs/stalwart Docker tag to v0.16.3 2026-04-30 22:20:52 +00:00
renovate force-pushed renovate/stalwartlabs-stalwart-0.x from 963ef5456e to 57e6f76b32 2026-04-30 22:20:54 +00:00 Compare
renovate changed title from Update stalwartlabs/stalwart Docker tag to v0.16.3 to Update stalwartlabs/stalwart Docker tag to v0.16.4 2026-05-05 16:20:56 +00:00
renovate force-pushed renovate/stalwartlabs-stalwart-0.x from 57e6f76b32 to 8618edea41 2026-05-05 16:20:56 +00:00 Compare
renovate changed title from Update stalwartlabs/stalwart Docker tag to v0.16.4 to Update stalwartlabs/stalwart Docker tag to v0.16.5 2026-05-11 22:20:19 +00:00
renovate force-pushed renovate/stalwartlabs-stalwart-0.x from 8618edea41 to 3d5e9e7038 2026-05-11 22:20:20 +00:00 Compare
renovate changed title from Update stalwartlabs/stalwart Docker tag to v0.16.5 to Update stalwartlabs/stalwart Docker tag to v0.16.6 2026-05-20 10:20:56 +00:00
renovate force-pushed renovate/stalwartlabs-stalwart-0.x from 3d5e9e7038 to bef0c30f58 2026-05-20 10:20:58 +00:00 Compare

Reference
simon.beck/talos!494