This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Topics
+4 more
ReleasePort's take
Light signalReleasePort Layer 1 v1.6.4 introduces an interactive multi‑step web setup wizard that replaces manual .env.local edits, adding OAuth/OIDC configuration, session secret generation, branding uploads, and a review step.
Why it matters: Plan to run the new wizard during initial deployment; it eliminates ad‑hoc env file changes and consolidates admin config into immutable ADMIN_CONFIG_DIR for production stability.
Summary
AI summaryWeb Setup Wizard adds an interactive multi-step configuration flow replacing manual .env.local edits.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium |
First-launch web setup wizard probes JMAP server, configures OAuth/OIDC, generates session secret, accepts branding uploads, provisions initial admin password. First-launch web setup wizard probes JMAP server, configures OAuth/OIDC, generates session secret, accepts branding uploads, provisions initial admin password. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Admin storage split into ADMIN_CONFIG_DIR (operator-authored, mountable read-only after setup) and ADMIN_STATE_DIR (runtime audit log and login timestamps). Admin storage split into ADMIN_CONFIG_DIR (operator-authored, mountable read-only after setup) and ADMIN_STATE_DIR (runtime audit log and login timestamps). Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Web setup wizard includes multi-step flow: Server, Auth, Security, Logging, Branding, Review, Admin. Web setup wizard includes multi-step flow: Server, Auth, Security, Logging, Branding, Review, Admin. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Admin config/state directory split with optional ADMIN_CONFIG_READONLY for immutable deployments. Admin config/state directory split with optional ADMIN_CONFIG_READONLY for immutable deployments. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Web setup wizard branding step allows file uploads. Web setup wizard branding step allows file uploads. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Redesigned review step with grouped summary and advanced toggle for full config. Redesigned review step with grouped summary and advanced toggle for full config. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Explicit confirmation required when JMAP probe finds no session. Explicit confirmation required when JMAP probe finds no session. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
From-header override in composer with catch-all auto-reply; replies to owned alias pre-fill alias as sender. From-header override in composer with catch-all auto-reply; replies to owned alias pre-fill alias as sender. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Drag attachments out of viewer to local file system. Drag attachments out of viewer to local file system. Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Feature | Medium |
Reading Pane at Bottom mail layout added. Reading Pane at Bottom mail layout added. Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Feature | Medium |
Configurable signature position – above or below quoted text, searchable from email behavior settings. Configurable signature position – above or below quoted text, searchable from email behavior settings. Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Feature | Medium |
Show avatar in Focused list for compact density and above. Show avatar in Focused list for compact density and above. Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Feature | Medium |
Align Focused list preview with other layout previews. Align Focused list preview with other layout previews. Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Performance | Medium |
Prefetch initial email data on login. Prefetch initial email data on login. Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Performance | Medium |
Parallelize login round-trips and drop redundant JMAP re-verify in auth. Parallelize login round-trips and drop redundant JMAP re-verify in auth. Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
Skip upstream JMAP reverify for trusted URLs. Skip upstream JMAP reverify for trusted URLs. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Bugfix | Medium |
Show account identity in switcher header instead of sending alias. Show account identity in switcher header instead of sending alias. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Bugfix | Medium |
Fall back to primary identity signature on reply in compose. Fall back to primary identity signature on reply in compose. Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
Drop redundant first-login banner about removing ADMIN_PASSWORD. Drop redundant first-login banner about removing ADMIN_PASSWORD. Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
Consistent notice cards for server probe results. Consistent notice cards for server probe results. Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Other | Medium |
Add missing translation keys across 15 locales. Add missing translation keys across 15 locales. Source: llm_adapter@2026-05-21 Confidence: low |
— |
Full changelog
1.6.4 (2026-05-11)
New: Web Setup Wizard
First-launch web setup wizard. New installs no longer need to hand-edit .env.local - point a browser at the container and the wizard probes the JMAP server(s), configures OAuth/OIDC, generates the session secret, accepts branding uploads, and provisions the initial admin password. Admin storage is now split into ADMIN_CONFIG_DIR (operator-authored, mountable read-only after setup) and ADMIN_STATE_DIR (runtime audit log and login timestamps); the legacy ADMIN_DATA_DIR keeps working for existing installs.
Features
- Setup: Web setup wizard with multi-step flow: Server, Auth, Security, Logging, Branding, Review, Admin
- Setup: Admin config/state directory split with optional
ADMIN_CONFIG_READONLYfor immutable deployments (#226) - Setup: File uploads on the wizard branding step
- Setup: Redesigned review step with grouped summary and an advanced toggle for the full config
- Setup: Require explicit confirmation when JMAP probe finds no session
- Mail: Drag attachments out of the viewer to the local file system (#267)
- Mail: Reading Pane at Bottom mail layout (#262)
- Mail: Configurable signature position – above or below quoted text (#266)
- Mail: Signature position is now searchable from the email behavior settings
- Mail: Show avatar in Focused list for compact density and above
- Mail: Align Focused list preview with other layout previews
- Compose: From-header override in the composer with catch-all auto-reply, replies to an alias on a domain you own pre-fill the alias as the sender even when it isn't a configured identity (#246)
Performance
- Mail: Prefetch initial email data on login
- Auth: Parallelize login round-trips and drop redundant JMAP re-verify
Fixes
- Auth: Skip upstream JMAP reverify for trusted URLs (#237)
- Auth: Show account identity in the switcher header instead of the sending alias
- Compose: Fall back to the primary identity signature on reply
- Setup: Drop redundant first-login banner about removing
ADMIN_PASSWORD(#222) - UI: Consistent notice cards for server probe results
i18n
- Add missing translation keys across 15 locales
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About webmail
Webmail built for the 21st Century. A modern, self-hosted email client for Stalwart Mail Server powered by the JMAP protocol. Email, calendar, contacts and files. Fast, private, and open source.
Related context
Earlier breaking changes
- v1.7.0 Server‑managed plugin bundles must be Ed25519‑signed and admin‑approved before loading.
- v1.7.0 Bundle hash is now full SHA-256; legacy hashes auto-migrated.
- v1.7.0 Server-managed bundles require Ed25519 signature verification.
- v1.7.0 Plugins run in sandboxed iframe with postMessage RPC bridge.
Beta — feedback welcome: [email protected]