wildduck releases

1.48.1 (2026-05-11)

Bug Fixes

• build(deps-dev): bump fast-uri from 3.1.0 to 3.1.2 (#1066) (d1c065a)
• build(deps): bump follow-redirects from 1.15.11 to 1.16.0 (#1055) (0156abf)
• bump deps (#1067) (e76c480)
• fix slack and deploy workflows (#1059) (ebd5b61)
• ZMS-49-3: Parse negative literal size, fix literal handling, fix 0 byte literal handling, add tests (#1065) (54f42f3)
• ZMS-49: Various security and QoL fixes (#1056) (2bfaa31)
• ZMS-50: bump deps and fix utf-8 address parsing (#1061) (715ad37)
• ZMS-55: Add safeguards against deflate output zip bomb (#1062) (c223f42)
• ZMS-59: Fix bug: Audit not picking archived messages (#1064) (b844849)

1.48.0 (2026-04-09)

Features

• S/MIME at-rest encryption support (#1011) (f4784d5)

Bug Fixes

• add timeout to workflows (#1053) (bb9c54c)

1.47.2 (2026-04-09)

Bug Fixes

• bump deps and generate docs (#1050) (8bd42c1)
• fix release workflow (#1047) (caad657)

1.47.1 (2026-04-08)

Bug Fixes

• ZMS-43: Changing mailbox retention applies to past messages (#1038) (8c11c3b)

1.47.0 (2026-04-08)

Features

• ZMS-8: optimize redis fanout strategy for notifications (#992) (b069698)

Bug Fixes

• ZMS-45: Implement totp nonce system for safer totp checks (#1042) (2eba521)
• ZMS-8-2: add support for legacy wd_events channel parallel to new distributed fan-out strategy (#1044) (7bf6a9d)

1.46.26 (2026-03-30)

Bug Fixes

• Added Content-Disposition header to attachment download endpoint response headers (#1032) (2759a1b)
• bump deps (#1039) (a3d1d2f)
• ZMS-28: filters, return full http forwarding target (#1027) (39e0155)
• ZMS-31: Log updates stream if configured (#1028) (d90ae09)
• ZMS-40: marked.spam webhook add verificationResults to payload (#1029) (df2f69d)
• ZMS-44: Add require2faEnabled flag to user (#1035) (e30ba0c)

1.46.25 (2026-03-12)

Bug Fixes

• fix rfc-2231 regex (multi digit continuation), add tests (#1020) (420c1e2)
• variable typo fix (a4dafca)
• ZMS-16: implement message deduplication on MX receive (#1000) (6a836b8)
• ZMS-19: Improve gelf error logging (#1009) (bf916eb)
• ZMS-2: Make imapcommand error logs less critical and without stack trace (#1024) (82f9c1a)
• ZMS-26: On move fetch target mailbox's user only one (#1022) (c195fc4)
• ZMS-29: Various IMAP fixes (#1023) (dd3b927)
• ZMS-30: Update verification results return schema (#1025) (a0c0636)

1.46.24 (2026-03-06)

Bug Fixes

• #86c89t0yc: Remove --platform=${BUILDPLATFORM} from Dockerfile (#1004) (ad1c444)
• ZMS-23: messageHandler delAsync add subject to archived log (#1012) (1634f49)
• ZMS-24: small messages search fixes (#1014) (4b91116)
• ZMS-27: when creating thread use $literal for subject (#1017) (6efc5a4)

1.46.23 (2026-02-25)

Bug Fixes

• RFC5987-filename: ZMS-14: Allow RFC5987 encoded filenames (filename*=charset'language'text) (#993) (53e220a)
• ZMS-3: reduce race condition errors when uploading sub-chunk size attachments (#997) (524529e)

1.46.22 (2026-02-16)

Bug Fixes

• api-filters: ZMS-15: unify FilterAction and FilterActionUpdate joi schemas, allow actions to be nullable (#994) (17fcf3c)
• api-messages-search: ZMSA-80: fix messages search q param parsing for AND fulltext search (#995) (d3e9f63)
• api: ZMSA-74: fix api endpoints' input and output object types (#988) (ec1ed40)
• update test workflow, bump mongodb action version (#998) (fe2d4a5)

1.46.21 (2026-02-09)

Bug Fixes

• logging-autoreply: ZMSA-65: loggelf autoreply error in filterHandler.storeMessage (#983) (7b43049)
• logging-redis: ZMSA-78: Improve redis config, error logging and retry handling (#987) (86d2627)
• messages-search: ZMSA-80: fix SearchString import. Fix messages search q param parsing, add search tests for q param (#990) (312f9f7)
• ZMSA-64: on API outbound email sends add passwordType: master to envelope object (#978) (24ba575)

1.46.20 (2026-01-29)

Bug Fixes

• docs: update docs (#981) (d7f3658)
• imap-indexer: Revert "fix(rebuild): ZMSA-48: fix rebuilding of multipart parts (#942)" (#980) (545800d)

1.46.15 (2026-01-08)

Bug Fixes

• imap-connection: ZMS-106: fix notification locking issues (#949) (459bdae)
• pop3: fix pipelining race condition causing mpop "invalid reply" errors (#950) (ea86c9f)

1.46.14 (2026-01-06)

Bug Fixes

• advertise extended capabilities pre-auth (matches Gmail/Yahoo/Outlook behavior) (#943) (81f30cb)
• POP3-TLSSocket: ZMSA-57 fix bug: Possible EventEmitter memory leak detected. 11 timeout listeners added to [TLSSocket] (#939) (b9d8957)
• userHandler-asyncGetDeleted: ZMSA-52: user-handler create new asyncGetDeleted function to get deleted user by username, id, main address (#947) (f8e14f5)

1.46.13 (2025-12-16)

Bug Fixes

• crypto.createDecipher: ZMSA-47: dkim legacy decipher fixes (#935) (538b22e)
• pop3top: ZMSA-55: fix POP3 TOP -ERR write after end (#938) (42a7b4a)

1.46.12 (2025-12-09)

Bug Fixes

• workflows-deps: ZMSA-46: update release workflow and other workflows , update deps (#933) (cbf6dee)

1.46.11 (2025-12-04)

Bug Fixes

• gridstore-upload: ZMSA-17: fix gridstore upload deadlock (#918) (4ab6f8e)
• pop3-snicallback: ZMSA-43: fix critical SNICallback bug in POP3 server (#931) (5fa7139)
• tls-logging: ZMSA-40: where possible use _ip in gelf logs instead of _remoteAddress (#929) (25ce95f)

1.46.10 (2025-12-02)

Bug Fixes

• add config to allow use of SECLEVEL=0 to enable TLSv1 and TLSv1.1 support (#926) (2ebb072)
• api-docs: ZMSA-36: update docs (#925) (34c650d)
• authlog: ZMSA-34: authLog add protocol for better logging in user update and asp generate and delete (#924) (cf66a99)
• tls-sni-logging: ZMSA-38: imap and pop3 servers when tls errors log meta regardless of error (#928) (97149a8)
• ZMSA-27: addressregister add disabled field migration - don't run when testing application (#919) (94ee526)
• ZMSA-28: make migrations configurable (#922) (a58d037)
• ZMSA-33: request user information also return requirePasswordChange flag value (#923) (c42ad5c)

1.46.9 (2025-11-25)

Bug Fixes

• req_existingPassword: ZMSA-32: censor existingPassword in gelf logs (#917) (1d04818)
• ZMSA-29: POP3 TOP command calculate counters correctly and correctly update them (#914) (4442eb5)
• ZMSA-31: when updating password set requirePasswordChange false (#916) (551860c)

1.46.8 (2025-11-19)

Bug Fixes

• ZMSA-24: when updating user info and setting new password reset pwned checks (#912) (1e2bdcd)

1.46.7 (2025-11-19)

Bug Fixes

• ZMSA-17: improve filterHandler and messageHandler logging (#907) (03c4ffd)
• ZMSA-21 & ZMSA-22: fixes to pwned check and return pwned infor on get user api query (#909) (f494c83)
• ZMSA-24: unset lastPwnedCheck and passwordPwned when resetting user password (#911) (78fbe8a)

1.46.6 (2025-11-13)

Bug Fixes

• check password against hibp on hardfail too (#904) (34e6be8)
• fixed uncaught exception dest.on is not a fn (closes #858) (#905) (f8bae92)
• hibp-use-keepalive: ZMSA-12: use keepalive when querying HIBP database (#900) (1d42bc7)
• hibp: ZMSA-11: check user password in HIBP after successful password check (#901) (ca38ef2)
• messageHandler-logging: ZMSA-15: improve message-handler logging (#903) (5c508fe)
• threading: ZMS-281: refactor threading (#899) (81c746c)

1.46.5 (2025-11-03)

Bug Fixes

• ZMS-280: bump deps (#897) (79994f1)

1.46.4 (2025-10-31)

Bug Fixes

• threading: fix threading (#895) (52d5449)

1.46.3 (2025-10-27)

Bug Fixes

• addAsync-thread: ZMSA-2: message addAsync, if a message is referenced then use reference's thread (#889) (2e89a0e)
• addressregister-migration: ZMSA-6: improve addressregister migration script (#892) (de6ee9f)
• health: ZMSA-4: health endpoint also add WD API version (#890) (35ed9fc)
• imap-onAppend-logging: ZMSA-7: onappend logging - parsedHeader.from might not exist (#894) (27fcd73)
• threading: ZMSA-5: if referencing a deleted thread then recreate it (#893) (7b88109)

1.46.2 (2025-10-17)

Bug Fixes

• ZMSA-1: update release workflow, update deps, use updated deps, scope package (#887) (e3d3221)

1.46.1 (2025-10-14)

Bug Fixes

• imap-append: ZMS-276: imap append improve logging add new fields to logging (#884) (6e4b701)
• pluginhandler: ZMS-269: plugins - use wild-plugins, update options, allow for dynamic config (#886) (479e5bc)

1.46.0 (2025-10-07)

Features

• deps-node: ZMS-267: Bump Deps, Update API Docs, Remove support for node v16 and v18 (#867) (48ee3ea)

Bug Fixes

• addressregister: ZMS-268: add new addressregister endpoint to disable an entry or edit it (#873) (08e5070)
• fulltext-filter: ZMS-257: Add boolean logic to fulltext filter (#863) (06569f6)
• messages-search: ZMS-271: optimize user messages search query (#876) (63811c7)
• migrations: ZMS-274 Implement MongoDb Migrations in Wildduck (#879) (f71972d)
• pop3download-log: ZMS-263: POP3RETR OK also log transferred bytes' size (#872) (5411118)
• pwned-check: ZMS-264: Add feature to check password with PwnedPassword API on User Login (#864) (fb01977)
• search-apply: ZMS-275: search-apply allow to delete found messages (#881) (1dc422f)
• update api docs (#880) (a38a704)

1.45.13 (2025-09-11)

Bug Fixes

• domaincache: ZMS-266: domaincache add updates where necessary (#866) (eef9703)
• getmessages: ZMS-260: messages.js getMessages allow unseen request flag to be false (#861) (aab6608)
• messages-search: ZMS-265: messages.js search, allow to search for only seen messages (#865) (d0bd732)

1.45.12 (2025-08-22)

Bug Fixes

• domaincache-and-domainaliases: ZMS-259 add wildcard address check when adding domain to mongodb cache (#859) (4ce3eed)
• on-expunge: ZMS-255 for client compatibility in case no messages were deleted during expunge return no * 0 EXISTS (#853) (897b4b3)
• submit-addressregister: ZMS-256 when submitting draft for delivery update addressregister (#852) (b0eef8d)

1.45.11 (2025-08-01)

Bug Fixes

• add check for session existence before writing to session writeStream in message-handler (#843) (95bc33c)
• connection-management: implement connection management, POP3 timeout fixes, and comprehensive documentation (#835) (70aed51)
• docker-compose-wd-image: ZMS-250 use up-to-date wildduck image from GHCR (#842) (0ce50fd)
• docker-compose: ZMS-250 update docker-compose, remove CMD_ARGS, use APPCONF in environment variables instead (#841) (68e83e4)
• docs-attachments: ZMS-251 add missing fields in the response schema of attachments when fetching messages (#846) (765c46c)
• domaincache: ZMS-247 implement domain cache to store all used domains of users (#845) (4adfce0)
• logging: ZMS-216 add logs for debugging timeout issue (#823) (dc56afc)
• revert recent readme changes, keep only necessary info (#848) (0f1a55c)
• setup-script: ZMS-252 Install script updates (#847) (c209b3a)

1.45.10 (2025-07-22)

Bug Fixes

• addressregister-search: Make addressregister able to find addresses by domain ZMS-243 (#832) (5631bd4)
• addressregister-tests: add more addressregister tests ZMS-245 (#834) (213fcb8)
• docs-response-bimi: update getMessages endpoint - set the correct bimi response type ZMS-244 (#831) (60b374e)
• gridstore-downloadstream: In gridstore download stream ensure that start is never bigger than end ZMS-235 (#828) (3dfe218)
• imap-parser: Rewrite imap-parser, fix common issues ZMS-234 (#830) (3639d11)
• messages.js-tests: ZMS-228 add initial tests for messages.js endpoints (#838) (cc3d7b6)

1.45.9 (2025-06-12)

Bug Fixes

• (workflow): fix api.js, fix release artifacts publishing ZMS-241 (#826) (8c4af47)

1.45.8 (2025-06-11)

Bug Fixes

• deleteMany: Fix deleteMany callback is not a function. Create async versions of functions ZMS-232 (#821) (8ada099)
• deploy-zip: use runner.temp to store temporary files (#819) (7f5409f)
• pagination-paginatedField: check for correct mongopaging cursor ZMS-229 (#822) (3c9ecc7)
• ZMS-238 remove callback based deleteMany from attachment storage. (#824) (c3a3163)
• ZMS-239 parse datestring to isostring when logging request params (#825) (b026f07)