Skip to content

stalwart

Communication & Email

Secure, scalable mail and collaboration server supporting IMAP, JMAP, SMTP, CalDAV, CardDAV, WebDAV and more

Track releases GitHub Website
Rust Latest v0.16.7 · 5d ago Security brief →

Features

  • Full email protocol support (IMAP4rev2, POP3, SMTP with DMARC/DKIM/SPF/ARC, JMAP extensions)
  • Collaboration services: CalDAV scheduling, CardDAV contacts, WebDAV file storage with fine‑grained ACLs
  • Advanced spam and phishing protection (LLM analysis, statistical classifier, DNSBL checks, greylisting, traps)

Recent releases

View all 10 releases →
Review required
v0.16.7 Mixed
Auth RBAC

RateLimit headers + MTA spamtest

Open
Upgrade now
v0.16.6 Mixed
Auth RBAC Breaking upgrade

DNS providers, JMAP draft‑14, DAV ACL fix

Open
Review required
v0.16.5 Breaking risk
Dependencies Auth

CIDR matching function

Open
v0.16.4 Bug fix
⚠ Upgrade required
  • If upgrading from v0.15.x and below, read the UPGRADING/v0_16.md documentation for migration steps.
Full changelog

[0.16.4] - 2026-05-05

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

Changed

Fixed

  • Live tracing in community and OSS versions.
  • Timezone changes from the AccountSettings object return invalidProperties.
  • mail-parser panic with certain messages containing corrupted attachments.
  • Pagination by anchor for queued messages, tasks and metrics.
  • Spam filter: Use original instead of rewritten RCPT on checks.
  • JMAP:
    • References in nested objects not resolved.
    • AddressBook/query fetches wrong resources.
  • Import tool fails to restore registry entries.
  • FDB: Allow multiple FoundationDB instances in the same process.
  • Autoconfig: Return %EMAILADDRESS% when no email address is provided.
  • Quota: Include Sieve scripts in quota recalculations.

Check binary attestation here

View release on GitHub
v0.16.3 Breaking risk
⚠ Upgrade required
  • For upgrades from v0.15.x and below, consult the UPGRADING/v0_16.md documentation for detailed migration steps.
  • Replace existing binary or run `docker pull` when upgrading from any v0.16.x version.
Breaking changes
  • Removed `STALWART_HTTPS_PORT` environment variable; use `STALWART_PUBLIC_URL` instead.
  • App Password format changed: prefix now `app_` (space removed).
Full changelog

[0.16.3] - 2026-04-30

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

Changed

  • Replaced STALWART_HTTPS_PORT with STALWART_PUBLIC_URL.
  • App Passwords now begin with app_ instead of app to avoid issues with some clients that do not support spaces in passwords.

Fixed

  • Directory:
    • Invalidate caches when group memberships change on an external directory.
    • OIDC: errors instead of "failed to decode token".
    • OIDC: Recovery admin access.
    • User impersonation.
  • Tasks:
    • Delete locked tasks.
    • Queue pagination by anchor.
  • Log viewer: All events show as INFO.
  • Registry: Allow changing object variants.
  • Node id renewal.
  • DNS Updater: Fix Route53 serialization format.

Check binary attestation here

View release on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

About

Stars
13,034
Forks
772
Languages
Rust Python HTML
View on GitHub Homepage Documentation

Community & Support

Discord Community

Similar tools

Maddy Mail Server
Haraka
webmail
postal
cypht

Open source alternatives

Posthorn

Beta — feedback welcome: [email protected]