webmail releases

1.6.3 (2026-05-08)

Features

• Mail: Lift 5-account cap on HTTP/2
• Mail: Import .eml files via folder right-click menu

Fixes

• Mail: Trim leading whitespace from email list preview
• Mail: Fall back when only the truncation indicator remains in email preview
• Mail: Hide files/contacts nav items when JMAP server lacks support
• Viewer: Preserve emoji colors in dark mode
• Viewer: Prevent white-on-white in dark mode for nested bgcolor containers
• Viewer: Render plain-text-only emails as text, not HTML
• Viewer: Render HTML-only emails and redesign external content prompt
• Viewer: Pad Word/Outlook HTML email rendering
• Compose: Redesign quick reply to match sender/banner layout
• Compose: Disable StarterKit's bundled link/underline to avoid duplicate extensions
• Sharing: Request shareWith explicitly so calendar/address book shares survive a re-login (#257)
• UI: Strip leading punctuation when computing avatar initials
• Mobile: Hide email hover actions

i18n

• Add missing translation keys across 15 locales

1.6.2 (2026-05-06)

Features

• Plugins: Hot-reload and dev-folder loading for live plugin development
• Plugins: On-demand src/ bundling via esbuild
• Plugins: New http:fetch permission and httpOrigins manifest field
• Plugins: onBeforeEmailSend hook with fromEmail exposed on OutgoingEmail
• Plugins: Project EmailReadView for the email-banner slot and expose auth results
• Plugins: Ingest icon, banner, and screenshots from the source repo
• Plugins: Restrict plugin and theme install/uninstall to the admin dashboard
• Mail: Multi-server JMAP support
• Settings: Fulltext search across the settings sidebar
• Settings: Sub-result rows with highlight in settings search
• Settings: Surface plugin settings as search sub-results
• Settings: Remove experimental tags from themes, plugins, and sender favicons
• Viewer: Redesigned external-mail banner above attachments
• Calendar: Calendar invitation banner expands on row click
• Calendar: Calendar invitation banner is now collapsible

Fixes

• Admin: Collapse admin panel into a single tabbed page
• Plugins: Inline plugin configure panel to avoid dev-mode hang
• Plugins: Resolve PLUGIN_DEV_DIR plugins in admin config route
• Plugins: Add missing body type assertion in createPluginAPI fetch options
• Plugins: Propagate settingsSchema
• Settings: Highlight plugin and theme cards in search results
• Settings: Open plugin card on first click of a setting sub-result
• Settings: Drop ghost sub-results from account and language search
• Settings: Improve search highlight styling
• Viewer: Show notification banners above attachments
• Viewer: Rework S/MIME banner to match calendar invitation
• Viewer: Close PDF preview on Escape before email viewer
• Viewer: Render PDF previews via <object> with blob: in object-src CSP (#253)
• Calendar: Align invitation icon with sender avatar column
• Calendar: Fix invitation picker clipping (#250)
• Auth: Read activeAccountId from authStore in account selectors
• UI: Adjust toast item border radius and progress bar styles
• UI: Remove fly-in animation from context menu submenus
• i18n: Add missing Czech flag icon

i18n

• Add missing translation keys across 15 locales

1.6.1 (2026-05-04)

Features

• Updates: Update-available detection with non-dismissible notice and dev-reload refresh
• Plugins: New plugin hooks for compose, attachments, search, lifecycle, and routing
• Sharing: Share indicators for calendars and contacts, updated JMAP capabilities (#244)
• Mail: Auto-add recipients to trusted senders when replying
• Identity: Sanitize identity display name to prevent invalid From headers

Fixes

• Mobile: Synchronize mobile submenu view with browser history for better navigation
• Viewer: Update email viewer styles to improve overflow handling
• Auth: Ensure cookieSlot consistency during account updates in auth store
• Auth: Thread per-account cookie slot through OAuth flows
• Calendar: Square the colored left marker on calendar events
• About: Show git commit in About instead of "unknown"

i18n

• Update mailbox context menu translations across 12 locales

1.6.0 (2026-05-01)

Features

• Deployment: Subpath deployment support via NEXT_PUBLIC_BASE_PATH environment variable
• Mail: Image attachment thumbnails and preview chips
• Mobile: Reworked mobile mail viewer toolbar
• Mobile: Mobile-friendly settings panel
• Mobile: Mobile-friendly admin panel
• Mail: Redesigned expanded details panel
• Mailbox: Show full path in mailbox context menu header with intelligent path shortening

Fixes

• Viewer: Respect per-email dark mode toggle when "always show in light mode" is on
• Navigation: Scroll apps list in navigation rail to prevent overflow
• Context menu: Clamp submenu inside viewport
• Context menu: Prevent context menu from clipping below viewport
• Context menu: Prevent jump and animation on open
• Mail: Stop silently destroying emails when trash mailbox isn't found (#195)
• Mail: Preserve list scroll position when tagging an email
• Mail: Render below-header overflow popup outside clipped row
• Mail: Collapse below-header attachments to single row with overflow pill
• Push: Fix push preview JMAP query
• Tour: Navigate tour to mailbox when starting from another page
• i18n: Add useTranslations for "selected emails" and "cancel" on email list batch operations

i18n

• Translate SPF/DKIM/DMARC tooltips
• Add missing keys across 14 locales

1.5.4 (2026-05-01)

Features

• PWA: Web push notifications for new inbox mail (#233), with click-through to open the message
• Composer: Insert and edit tables in rich-text emails (#236)
• Mail: Configurable sub-addressing delimiter character (#239)
• i18n: Turkish localization
• i18n: Missing keys filled in across 15 locales

Fixes

• Mail: Set In-Reply-To and References headers on replies (#234)
• Mail: Persist htmlBody in drafts to preserve rich formatting (#236)
• Auth: Pin JMAP auth verification to the configured server URL (#237)
• Auth: Evict unrecoverable basic-auth accounts on reload
• Notifications: Scope new-mail notifications to genuine inbox deliveries
• Notifications: Extend PushVerification timeout and clean up leftover subscriptions
• Viewer: Smooth out body load to prevent flicker on first render
• Viewer: Prevent iframe flash when loading images or trusting the sender
• Viewer: Pad bare HTML emails like plain-text mails for consistent layout
• Viewer: Light-mode override now only affects body content
• Viewer: Detect <style> tag when applying padding
• Viewer: Drop iframe border-radius
• Calendar: Localize event start date in detail popover and event modal
• Dev: Include http protocol in connect-src for development mode CSP

1.5.3 (2026-04-28)

New: Help shape Bulwark Webmail. Each instance now sends a lightweight daily heartbeat (version, platform, bucketed account counts, feature toggles - never message data or PII) so we can see which platforms and features actually get used and prioritize fixes where they matter most. You're in control: opt out any time from Admin → Telemetry or by setting BULWARK_TELEMETRY=off. Full schema in the privacy notice.

Features

• Telemetry: Anonymous instance telemetry, on by default. Reports schema version, platform, bucketed account counts, and feature toggles only - disable from the admin UI, with BULWARK_TELEMETRY=off, or by clearing the endpoint
• Telemetry: Track unique logins (HMAC'd per instance, 90-day retention) so the heartbeat can report bucketed account totals without storing usernames
• Plugins: Theme API v2 with token compiler and skin slot
• Plugins: Extension preview page and detailed extension info API
• Calendar: Right-click context menu on empty calendar space
• Docker: Persistent named volume for telemetry data so the instance id and admin's consent choice survive container upgrades

Fixes

• Security: Block telemetry endpoint from pointing at internal/loopback hosts (validation + DNS-rebind re-check at fetch time)
• Security: Harden plugin config, TOTP token exchange, and branding file serving
• Mail: Batch shortcuts now act on the multi-selection when one is present (#228)

1.5.2 (2026-04-27)

Features

• Plugins: New composer-sidebar slot and ui:composer-sidebar permission — plugins can now render a panel on either side of the New Message dialog. See repos/subway-surfers for an example
• Plugins: Manifests can declare frameOrigins — a strictly-validated list of https://host origins the plugin needs to embed. The proxy reads the union from enabled plugins and merges it into the host CSP frame-src, so the host CSP no longer needs to know about specific embed providers
• Calendar/Contacts: JMAP sharing for calendars and address books
• i18n: Czech language support

Fixes

• Security: Validate URLs before outbound fetch
• Calendar: Prevent drag creation on touch events in the time grid
• Contacts: Emit RFC 9553 name kinds and decode QUOTED-PRINTABLE in vCard import (#224, #187)
• Mail: Hide preview line in compact density to match settings preview (#223)
• Proxy: Inline matcher for Next.js proxy and drop unnecessary Node.js runtime config
• i18n: Portuguese fixes for "ficheiro" and "contactos" variants

1.5.1 (2026-04-25)

Features

• Stalwart: OAuth auto-setup with dialog and validation for origin and issuer URLs
• Mail: Right-click context menu on the folders sidebar
• Mail: Replace folder prompt() calls with a proper modal dialog
• Calendar: Add 'Today' button to the desktop calendar toolbar
• Junk: Setting to show avatars in the Junk folder

Fixes

• Admin: Restore admin panel after Stalwart v0.16 REST API removal
• Viewer: Restore broken viewer toolbar actions and improve the mobile menu (#220)
• Folders: Stop flicker on background folder refresh
• Email: Preserve search/filter on batch move and archive
• Email: Preserve search/filter when moving emails via drag-drop
• i18n: Improve Korean flag

1.5.0 (2026-04-23)

Breaking Changes

• Self-service portal now needs Stalwart 0.16+: Stalwart dropped its self-service HTTP API in 0.16.0 and replaced it with JMAP. Bulwark Webmail only talks to the new JMAP endpoint, so the self-service portal (account settings, app passwords, API keys) requires Stalwart 0.16 or newer. STALWART_API_URL is deprecated, these actions go through the normal JMAP session.

Features

• Stalwart: Migrate Stalwart management API to JMAP x: methods for Stalwart 0.16
• Admin: Add API Keys management and IP allowlist for App Passwords
• Contacts: Revamp contact detail view with filters, photo, print, and duplicate actions
• Contacts: Add contact activity component showing recent emails and upcoming events
• Contacts: Add right-click context menu
• Contacts: Group contacts by first letter with sticky section headers, toggleable in settings
• Calendar: Support resizing events from the top edge
• Calendar: Add timezone-aware formatting for event start times and update utcEnd on duration change
• Calendar: Optimize layout of overlapping events
• Calendar: Add collapsible details to calendar invitation banner
• Email: Implement batch archiving and bulk moving of emails
• Email: Show full folder path in move/drop toast
• Settings: Reorganize settings into 6 groups with clearer tabs
• Navigation: Add account-addition button to the navigation rail
• Mobile: Streamline email viewer header layout
• Mobile: Pass isMobile through calendar views and time-grid interactions

Fixes

• Mailbox: Retry mailbox fetch on first login to handle lazy provisioning (#217)
• Mailbox: Use fresh state in archive handling to avoid stale mailbox data
• Mailbox: Improve error message on mailbox creation failure
• Auth: Skip checkAuth on route change when already authenticated
• Auth: Clean up unused imports and improve TOTP QR code rendering
• UI: Align hover styles and selection-toggle target with focused item
• UI: Read matchMedia synchronously on client to prevent layout flicker

Refactor

• Settings: Remove Stalwart API URL configuration (now derived via JMAP)

Chore

• i18n: Add missing translation keys
• Deps: Bump dependencies to latest compatible versions

1.4.14 (2026-04-16)

Thank you for your donations:

• You? Become a sponsor!

One-time

• @mkorthaus-private
• @boris22100

Monthly

• @pr0ton11

Features

• Email: Add unified mailbox across accounts and sidebar icons toggle
• Email: Enhance email deletion and spam handling with improved parameterization
• Sieve: Enhance external rule handling in parser and store (#201)
• Plugins: Add i18n API, render hooks, and new intercept hooks to plugin system
• PWA: Dynamic PWA manifest with configurable name, description, and icons
• PWA: Show app name and logo in install prompt
• i18n: Add Ukrainian language with flags and missing translation keys
• i18n: Configurable locale prefix via NEXT_PUBLIC_LOCALE_PREFIX
• API: Add apiFetch helper for mount-prefix-aware API calls

Fixes

• Calendar: Send iMIP invitation emails when creating or updating calendar events (#192)
• Calendar: RFC 5545/6047 compliance for outgoing iMIP calendar emails
• Calendar: Add calendarAddress and replyTo to participants for Stalwart compatibility (#189, #192)
• Calendar: Improve CalDAV task detection for external clients like Thunderbird (#84)
• Email: Hide ICS attachments from attachment list when invitation banner is shown
• Email: Send before storing in Sent via onSuccessUpdateEmail (#188)
• Email: Standardize tag naming and fix unknown keyword display (#184, #185)
• i18n: Skip intl middleware for paths already containing a locale prefix
• Docs: Document PWA and branding env vars in .env.example
• Docs: Use company consistently in .env.example branding comments

1.4.8 (2026-03-23)

Features

• Email: Add support for marking emails as answered or forwarded and display status icons in email list and thread views
• Email: Enhance identity selection by supporting sub-addressing (plus addressing) in email composer
• Settings: Add notification settings with sound picker, preview playback, and configurable alert sounds
• Settings: Add default mail program settings with localization support across all locales
• Auth: Implement path prefix handling for OAuth callbacks and login redirects, enabling reverse proxy deployments
• Validation: Add all multi-part TLDs for domain validation in favicon API (#81)

Fixes

• Calendar: Fix bugs in duration parsing, RFC compliance, and event handling across calendar components
• Calendar: Detect tasks created by external CalDAV clients such as Thunderbird
• Settings: Enhance account settings with username and authentication method display (#90)

1.4.5 (2026-03-20)

Features

• Calendar: Add prev/next navigation buttons and date label to desktop calendar toolbar
• Calendar: Add pending event preview functionality to calendar views and event modal
• Calendar: Add setting to show event start time in month view
• Contacts: Implement pagination for fetching contacts with maxObjectsInGet capability
• Email: Add attachment position setting in email settings
• Layout: Add mobile visibility toggle for sidebar apps
• Error: Add NotFound component to handle 404 errors and redirect unauthenticated users

Fixes

• Auth: Enhance account switching logic and clear stores on account change
• Auth: Improve account restoration logic and handle stale accounts
• Auth: Improve draft handling in email composer and enhance session cookie verification
• Calendar: Expand recurring events in CalendarEvent/query so individual occurrences are returned (#65)
• Calendar: Validate event start field when fetching calendar events
• Calendar: Auto-scroll agenda view to today's events and include today's date in groups
• Calendar: Correct JSX syntax in CalendarToolbar component
• Dependencies: Update flatted to 3.4.2
• DevOps: Use native ARM runners instead of QEMU for Docker builds
• DevOps: Enhance health check with detailed memory diagnostics and stable liveness probe

1.4.4 (2026-03-19)

Features

• Calendar: Implement CalDAV discovery API with automatic calendar home resolution for multi-account setups
• Calendar: Enhance calendar management settings with mailbox role reassignment controls
• Email: Add signature rendering utilities with HTML-to-text conversion and sanitization

Fixes

• Auth: Fix account session handling to update existing accounts instead of duplicating entries
• Auth: Fix logout redirects and unauthenticated home page rendering
• Calendar: Fix duplicate calendar edits and prevent double-save submissions in event modal
• Calendar: Remove stale calendar ID references in favor of CalDAV-discovered IDs
• Contacts: Improve RFC 9553 compliance for contact birthdays and address formatting
• Email: Fix email signature rendering for identity signatures
• Folders: Improve mailbox role management by clearing roles from all mailboxes before reassigning

1.4.3 (2026-03-19)

Features

• Auth: Implement multi-account support with up to 5 simultaneous accounts and instant switching
• Auth: Add account switcher component with connection status, default account selection, and per-account logout
• Auth: Support multi-account OAuth and basic auth with per-account session persistence
• Contacts: Enhance contacts sidebar with collapsible sections, bulk operations, and address book grouping
• Contacts: Add contact import functionality and keyword filtering
• Settings: Add per-account encrypted settings storage with server-side sync support

Fixes

• UI: Adjust popover alignment in sub-address helper component
• Settings: Improve error logging in settings sync functionality

1.4.2 (2026-03-19)

Features

• Calendar: Add task list view for calendar tasks with task details and management
• Calendar: Add shared calendar grouping with visual separation in sidebar
• Calendar: Support double-click to create events and improve modal date handling
• Contacts: Add address book directories with drag-and-drop and editor picker
• Email: Add email attachment support in sendEmail functionality
• Email: Implement draft editing functionality across email components
• Email: Implement unwrapping of embedded message/rfc822 attachments with enhanced HTML body validation
• Email: Add email export/import localization keys for multiple languages
• Contacts: Update gender handling to use speakToAs structure

Fixes

• Email: Resolve default sender to canonical identity on local-part login
• Email: Refactor overflow handling in EmailViewer to use hidden priorities and layout effects
• Email: Remove debugMode usage from EmailViewer component
• Calendar: Enhance IMIP invitation and cancellation handling for calendar events
• Calendar: Add time-based sorting for events in buildWeekSegments function
• Dependencies: Update dompurify to 3.3.3 and elliptic to 6.6.1, add undici override