stalwart

v0.16.6 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

Published 14d Communication & Email
✓ No known CVEs patched

Topics

caldav carddav imap jmap mail pop3 rust server smtp webdav

Affected surfaces

auth rbac breaking_upgrade

Summary

AI summary

Broad release touching Sieve, the MTA, the v0.16 upgrade notes (https://github.com/stalwartlabs/stalwart/blob/main/UPGRADING/v0_16.md), and the JMAP File Storage draft (https://datatracker.ietf.org/doc/html/draft-ietf-jmap-filenode-14).

Changes in this release

Feature Medium

Added 58 new DNS provider integrations.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Log DNS record types and values in DNS updater.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Allow User Sieve scripts to access `orcpt`.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Log message rejections or discards by spam classifier in MTA.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Allow internal TLDs and special characters in e-mail addresses.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

Perform case insensitive matching during WebSocket upgrade.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Low

Accept password hashes with `$` or `{` prefixes as secure secrets.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Dependency Medium

Bump JMAP File Storage to draft-ietf-jmap-filenode-14.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

`acl-principal-prop-set` REPORT enforced wrong privilege in DAV.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

`Thread/get` did not filter by per-mailbox ACLs on shared accounts in JMAP.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

`UID FETCH N:*` could miss messages moved into a SELECTed mailbox by another connection in IMAP.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Skip `v=spf1 a -all` records for apex domains in DNS updater.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Fixed an RFC2136 TSIG regression related to the multiplexer in the DNS updater.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Chunk `TXT` records when they exceed 255 characters for Route53 in DNS updater.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Update `defaultCertificateId` when renewing a certificate that is currently set as default in ACME.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Perform `DNS-01` authorizations sequentially to avoid race conditions in some DNS providers in ACME.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Synchronize accounts when expanding mailing list recipients in LDAP.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Fixed JMAP session errors caused by orphaned ACL entries for deleted accounts.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Fixed the Sieve `replace` action adding an extra `From` header.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Full changelog

[0.16.6] - 2026-05-20

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

  • Added 58 new DNS provider integrations (see dns-update crate for details).
  • DNS updater: Log DNS record types and values.
  • Sieve: Allow User Sieve scripts to access orcpt.
  • MTA: Log when messages are rejected or discarded by the spam classifier.

Changed

Fixed

  • DAV: acl-principal-prop-set REPORT enforced the wrong privilege.
  • JMAP: Thread/get did not filter by per-mailbox ACLs on shared accounts.
  • IMAP: UID FETCH N:* could miss messages moved into a SELECTed mailbox by another connection.
  • DNS updater:
    • Skip v=spf1 a -all records for apex domains.
    • RFC2136 TSIG: regression related to multiplexer.
    • Route53: Chunk TXT records when they exceed 255 characters.
  • ACME:
    • Update defaultCertificateId when renewing a certificate that is currently set as default.
    • Perform DNS-01 authorizations sequentially to avoid race conditions in some DNS providers.
  • Allow internal TLDs and special characters in e-mail addresses.
  • Websocket: Perform case insensitive matching during upgrade.
  • LDAP: Synchronize accounts when expanding mailing list recipients.
  • Sieve: replace action adds an extra From header.
  • ACL: Orphaned ACL entries for deleted accounts cause JMAP session errors.

Check binary attestation here

About stalwart

All-in-one Mail & Collaboration server. Secure, scalable and fluent in every protocol (IMAP, JMAP, SMTP, CalDAV, CardDAV, WebDAV).
