Release history
Maddy Mail Server releases
All-in-one mail server that implements SMTP (both MTA and MX) and IMAP. Replaces Postfix, Dovecot, OpenDKIM, OpenSPF, OpenDMARC with single daemon.
All releases
7 shown
v0.9.4
Breaking risk
Breaking changes
- Removed special handling for maddyctl symlink; maddy executable no longer changes behavior when called as maddyctl.
- Removed defaulting to 'maddy run' when no command is explicitly specified.
Full changelog
IMPORTANT
Special handling for maddyctl symlink is removed. maddy executable
will no longer change behavior if called as maddyctl.
Default to 'maddy run' if no command is explicitly specified
has been removed as well. The warning about its deprecation was here
since 0.6 (4 years ago).
The reason for removal is inconsistency in --log flag handling
caused by related hacks in CLI setup code.
Minor additions
- smtp: add LOGIN SASL auth directive (thanks Sean van Osnabrugge!)
Bug fixes
-
log: Refactor to define proper loggers tree
This in turn should fix numerous inconsistencies in how
logger is configured. -
Fixed limiters group configuration (thanks Denis Girko!)
Per-destination limits are now initialized correctly and work.
-
storage/imapsql: Upgrade go-imap-sql to fix SQLITE_BUSY issues
This will fix a lot of "database is locked" errors for imapsql use
with SQLite. -
storage/imapsql: Fix handling of serialization errors
If "database is locked" still happens, clients will receive proper
temporary error codes instead of 5xx
v0.9.3
Security relevant
patches GHSA-5835-4gvc-32pc
Security fixes
- CVE-2026-40193 (GHSA-5835-4gvc-32pc) — LDAP injection vulnerability allowing extraction of password hashes and authorization information
Full changelog
This release includes the fix for the LDAP injection vulnerability
in auth.ldap module (advisory GHSA-5835-4gvc-32pc, CVE-2026-40193).
All users using auth.ldap are advised to upgrade, as this vulnerability
can be used to extract LDAP directory information, including password
hashes and other authorization information.
Thanks @ RealHurrison and @Ghost1032 for detailed report!
Fixes
- auth/ldap: Fix GHSA-5835-4gvc-32pc
- module: Break dependency cycles when loading config correctly (Thanks @balejk)
v0.9.2
Bug fix
Fixed panic in rspamd when TLS client settings are unspecified.
Full changelog
Fixes
- rspamd: fix panic on unspecified tls_client by @oidq in https://github.com/foxcpp/maddy/pull/830
Full Changelog: https://github.com/foxcpp/maddy/compare/v0.9.1...v0.9.2
v0.9.1
Breaking risk
Breaking changes
- rspamd integration is broken in v0.9.1; requires upgrading to v0.9.2 or later
Full changelog
⚠️ rspamd integration is broken in 0.9.1, use 0.9.2.
Important changes
- libdns: Deprecate libdns providers not updated for libdns 1.x
0.9.1 is (probably) the last release to support the following libdns
providers for ACME DNS challenge:
- vultr
- namedotcom
- leaseweb
0.9.1 is also the last release to supprt libdns.gandi with API
tokens, 0.10.0 will require using new Bearer-type tokens
for authentication.
See https://github.com/foxcpp/maddy/issues/807 for details.
Fixes
- openmetrics: Fix initialization code (thanks @cxvqo!)
- auth/ldap, check/rspamd: Fix tls_client directive definition.
- endpoint/imap: Unbreak proxy_protocol
v0.9.0
New feature
Notable features
- Per-response code scoring for check/dnsbl
- Dovecot SASL protocol compatibility update for Dovecot 2.4
Full changelog
New features
- Implement no-downtime config reloading
maddy now can reload configuration on SIGUSR2. This is
done by internally restarting the server - starting the new
one with new configuration while gracefully shutting down the
old one while preserving all listener sockets. Therefore
there is no moment when the server is not ready to accept
connections.
- check/dnsbl: Implement per-response code scoring
Now you can adjust DNSBL scores based on response (IP address)
returned. See check.dnsbl documentation for example.
Minor improvements
- auth/dovecot_sasl: Update protocol to be compatible with Dovecot 2.4 (#808).
- sql_query/sql_table: Transparently support transpiled SQLite driver (fixes default config
compatibility while transpiling). - check/rspamd: Make "reject" and "soft reject" have configurable actions (thanks @cxvqo!).
v0.8.2
Bug fix
Notable features
- --no-specialuse flag for imap-acct create
- GCore DNS support in ACME client
- maddy_queue_length metric
Full changelog
Minor changes
- cli: Add --no-specialuse flag for imap-acct create
- Add support for GCore DNS in ACME client (thanks @prologic)
- Slightly improve debug logging for complex authentication pipelines
- aarch64 release artifacts images are now available (thanks @nurmukhametov)
- target/queue: Implement maddy_queue_length metric (thanks @spiarh)
- target/smtp, target/remote: Reduce StaleKeyLifetimeSec to 4 minutes (thanks @cfbraun)
Fixes
- auth/sasl: Add missing usernameForAuth call
- endpoint/smtp: Drop duplicate RunEarlyChecks call
- endpoint/smtp: Fix auth_map being ignored
- target/smtp: Make
tls_clientconfiguration work intarget.smtpblock (thanks Mark Lipscombe) - endpoint/smtp: Correctly announce SASL LOGIN capabilty (thanks @mlipscombe)
- target/smtp: Fix default value for tls_client
- Fix numerous documentation typos (thanks @spiarh, @d3vw, @hcl).
Build attestation
Release artifacts built via GitHub Actions run https://github.com/foxcpp/maddy/actions/runs/20999176455/attempts/1
SLSA Build Attestation for x86_64 linux-musl build: https://github.com/foxcpp/maddy/attestations/16625748
SLSA Build Attestation for aarch64 linux-musl build: https://github.com/foxcpp/maddy/attestations/16625729
SLSA Build Attestation for Docker image: https://github.com/foxcpp/maddy/attestations/16625850