stalwart

v0.16.5 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 23d Communication & Email

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

caldav carddav imap jmap mail pop3

+4 more

rust server smtp webdav

Affected surfaces

deps auth

ReleasePort's take

Moderate signal

editorial:auto 13d

The `is_ip_in_cidr` expression function was added for CIDR matching in v0.16.5.

Why it matters: Use the new `is_ip_in_cidr` function to simplify IP‑range checks; test any rule changes before deploying.

Summary

AI summary

Added CIDR matching function is_ip_in_cidr.

Changes in this release

Type	Severity	Summary	CVE
Feature
Feature	Medium	`is_ip_in_cidr` expression function added for CIDR matching. `is_ip_in_cidr` expression function added for CIDR matching. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	ACME: Includes apex domains when requesting certificates for subdomains. ACME: Includes apex domains when requesting certificates for subdomains. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	ACME: Uses public suffix list to determine zone name when no origin is provided. ACME: Uses public suffix list to determine zone name when no origin is provided. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	MTA: Allows rescheduling recipients with permanent failures. MTA: Allows rescheduling recipients with permanent failures. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	MTA: Processes reports using original `RCPT` before rewriting. MTA: Processes reports using original `RCPT` before rewriting. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	iCalendar/JSCalendar (via `calcard` crate): Supports STATUS:CANCELLED mapping from VTODO to JSCalendar. iCalendar/JSCalendar (via `calcard` crate): Supports STATUS:CANCELLED mapping from VTODO to JSCalendar. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	DNS update (via `dns-update` crate): Fixes changeset error resolution for Route53. DNS update (via `dns-update` crate): Fixes changeset error resolution for Route53. Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	HTTP: Uses permissive CORS headers for `.well-known` endpoints. HTTP: Uses permissive CORS headers for `.well-known` endpoints. Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	DNS update (via `dns-update` crate): Fixes FQDN handling for MX and SRV records on OVH and Google Cloud DNS. DNS update (via `dns-update` crate): Fixes FQDN handling for MX and SRV records on OVH and Google Cloud DNS. Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	DNS update (via `dns-update` crate): Uses empty subname for apex records on deSEC instead of @. DNS update (via `dns-update` crate): Uses empty subname for apex records on deSEC instead of @. Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	DNS update (via `dns-update` crate): Wraps TXT record content in double quotes for Cloudflare to suppress dashboard warnings. DNS update (via `dns-update` crate): Wraps TXT record content in double quotes for Cloudflare to suppress dashboard warnings. Source: llm_adapter@2026-05-21 Confidence: low	—
Performance	Medium	Network: Attempts binding to IPv4 when IPv6 binding fails with `EAFNOSUPPORT` error. Network: Attempts binding to IPv4 when IPv6 binding fails with `EAFNOSUPPORT` error. Source: llm_adapter@2026-05-21 Confidence: high	—
Deprecation	Medium	RFC2136 SIG(0) support deprecated as it is no longer supported by `hickory`. RFC2136 SIG(0) support deprecated as it is no longer supported by `hickory`. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix
Bugfix	Medium	JMAP: Patching ids containing digits in JSON Pointers fixed. JMAP: Patching ids containing digits in JSON Pointers fixed. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	JMAP: Patching nested objects with `null` values fixed. JMAP: Patching nested objects with `null` values fixed. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	External directories: SQL returns `Failed` instead of `Error` when query returns no results. External directories: SQL returns `Failed` instead of `Error` when query returns no results. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	External directories: LDAP impersonation works when user has not logged in before. External directories: LDAP impersonation works when user has not logged in before. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Bootstrap: Times out after 30 seconds when probing the data store. Bootstrap: Times out after 30 seconds when probing the data store. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Autodiscover v2 endpoint now reachable. Autodiscover v2 endpoint now reachable. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	iCalendar/JSCalendar (via `calcard` crate): Fixed duration parsing for zero duration PT0S. iCalendar/JSCalendar (via `calcard` crate): Fixed duration parsing for zero duration PT0S. Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	DNS update resolves changeset errors for Route53 updates. DNS update resolves changeset errors for Route53 updates. Source: granite4.1:30b@2026-05-24-audit Confidence: low	—

Full changelog

[0.16.5] - 2026-05-11

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

is_ip_in_cidr expression function for CIDR matching.

Changed

Bump mail-auth to 0.9 (which bumps hickory-resolver to 0.26).
Deprecated RFC2136 SIG(0) support as it is no longer supported by hickory.

Fixed

JMAP:
- Patching ids containing digits in JSON Pointers fails.
- Patching nested objects with null values fails.
External directories:
- SQL: Return Failed instead of Error when the query returns no results.
- LDAP: Impersonation fails when the user has not logged in before.
Network: Attempt binding to IPv4 when binding to IPv6 fails with EAFNOSUPPORT error.
Bootstrap: Timeout after 30 seconds when probing the data store.
HTTP: Use permissive CORS headers for .well-known endpoints.
ACME:
- Include apex domains when requesting certificates for subdomains.
- Use the public suffix list to determine the zone name when no origin is provided.
MTA:
- Allow rescheduling recipients with permanent failures.
- Process reports using original RCPT before rewriting.
Autodiscover v2 endpoint unreachable.
DNS update (via dns-update crate):
- OVH + Google Cloud DNS: Fix FQDN handling for MX and SRV records.
- Route53: Fix changeset error resolution.
- deSEC: Use empty subname for apex records instead of @, which the API rejects.
- Cloudflare: Wrap TXT record content in double quotes (RFC 1035) to suppress dashboard warnings.
iCalendar/JSCalendar (via calcard crate):
- Support STATUS:CANCELLED mapping from VTODO to JSCalendar.
- Fixed duration parsing for zero duration PT0S.

Check binary attestation here

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track stalwart

Get notified when new releases ship.

About stalwart

All-in-one Mail & Collaboration server. Secure, scalable and fluent in every protocol (IMAP, JMAP, SMTP, CalDAV, CardDAV, WebDAV).

All releases →