Stalwart Labs

Announcing Dashboards and Strengthened Security

29 August 2024 at 07:00

We're excited to announce the release of Stalwart Mail Server version 0.9.3! Whether you're using the Community or Enterprise version of Stalwart Mail Server, this update brings powerful new features to enhance your email infrastructure's security, performance, and monitoring capabilities. Let's dive into what's new:

Comprehensive Dashboard

A major highlight of this release for Enterprise users is the introduction of the new Dashboard feature. This tool provides real-time insights into your server's operations, allowing you to monitor critical metrics and trends at a glance. The Dashboard is divided into five distinct sections: Overview, Network, Delivery, Security, and Performance. The Overview dashboard offers a comprehensive summary of general mail server statistics, giving you a quick snapshot of the server's health and activity. The Network dashboard focuses on the number of total and active connections, enabling you to monitor network traffic and identify potential issues with server load. The Delivery dashboard provides detailed information on mail flow, including queued messages and the number of messages sent and received, ensuring that your mail delivery processes are running smoothly. The Security dashboard is dedicated to tracking your server’s defenses, presenting statistics on banned IPs, blocked requests, and spam filtering effectiveness. Finally, the Performance dashboard allows you to monitor key performance indicators such as memory usage, database latency, and DNS latency, helping you optimize the server's performance and address any bottlenecks.

Customizable Alerts

Also new to the Enterprise version is the Alerts feature, which ensures that you are always in the loop when important metrics reach critical thresholds. Whether it's a spike in memory usage, an increase in queued messages, or any other significant change, Alerts can notify you via email or webhooks the moment these events occur.

Alerts are highly configurable, allowing you to set up complex conditions that trigger notifications only when specific combinations of metrics are met. For example, you could set an alert for when server memory usage exceeds a certain amount and the message queue count rises above a defined level, helping you to react swiftly and prevent potential disruptions.

Security Enhancements

Security remains a top priority in this release, and version 0.9.3 introduces two new features that enhance the defenses of both the Community and Enterprise versions.

RCPT Brute Force Protection

Enhance your server's security with our new RCPT brute force protection. This feature automatically bans IP addresses attempting to discover valid email recipients through brute force attacks, a common tactic used by spammers. By implementing this protection, Stalwart Mail Server adds another layer of defense to your email infrastructure, helping to maintain the integrity of your user list and prevent potential security breaches.

Loitering Connection Protection

Defend against SYN Flood attacks with our loitering connection protection. This smart feature blocks IP addresses that repeatedly keep connections open without meaningful activity, helping to prevent resource exhaustion attacks. By identifying and mitigating these potential threats, Stalwart Mail Server ensures that your server resources are used efficiently and remain available for legitimate email traffic.

Conclusion

Stalwart Mail Server version 0.9.3 is a significant step forward in our commitment to providing a secure, efficient, and easy-to-manage mail server solution. Whether you are leveraging the powerful new monitoring and alerting tools in the Enterprise version or benefiting from the enhanced security features available across both versions, this update offers valuable enhancements that will help you better manage and protect your mail server.

We encourage all users to upgrade to version 0.9.3 and take advantage of these exciting new features. As always, we remain dedicated to improving Stalwart Mail Server and providing you with the best possible tools to manage your email infrastructure.

Thank you for your continued support, and we look forward to bringing you more updates and features in the future!

Boost Your Insights with Advanced Telemetry

8 August 2024 at 07:00

We are thrilled to announce the release of Stalwart Mail Server version 0.9.1, which comes packed with significant enhancements to our telemetry capabilities. This release marks a major milestone in our ongoing efforts to provide robust and efficient monitoring and logging solutions, ensuring our users can achieve optimal server performance and reliability.

Enhanced Tracing

In previous versions of Stalwart, tracing and logging provided valuable insights but lacked the detail and comprehensiveness needed for thorough monitoring. With version 0.9.1, we have completely rewritten the tracing and logging layer, resulting in a faster and more detailed system. The new implementation leverages a lock-free data structure, enabling Stalwart to record thousands of events per second without impacting server performance. This major upgrade ensures that every significant event is captured, providing a comprehensive view of the server's operations.

Stalwart now generates over 600 different types of events, significantly expanding the granularity and depth of our telemetry data. These events can be sent to OpenTelemetry or Webhooks, offering flexibility in how they are processed and analyzed. Additionally, events can be recorded in log files, sent to journald, or written directly to the console, providing multiple avenues for accessing and utilizing this detailed information.

Comprehensive Metrics

The highlight of Stalwart Mail Server version 0.9.1 is the introduction of support for hundreds of different metrics. This enhancement enables administrators to gain deeper insights into the server's performance and health. Metrics can be exported to OpenTelemetry using a push mechanism, allowing for real-time monitoring and analysis. Alternatively, they can be collected using Prometheus via a pull method, integrating seamlessly with existing monitoring infrastructures.

This robust metrics support ensures that users can monitor a wide range of server parameters, from resource usage to request handling, enabling proactive maintenance and troubleshooting. By providing comprehensive metrics, Stalwart Mail Server empowers administrators to make informed decisions, optimize performance, and maintain high levels of reliability.

HTTP Access Controls

In addition to these telemetry improvements, Stalwart Mail Server version 0.9.1 introduces a highly requested feature: HTTP endpoint access controls. This new capability allows administrators to limit access to HTTP endpoints based on various criteria, such as remote IP or IP range, HTTP method, listener ID, and more. This fine-grained control enhances security and ensures that only authorized users can access specific server functionalities.

The introduction of HTTP endpoint access controls responds directly to user feedback, demonstrating our commitment to continually enhancing the server based on real-world needs and experiences. This feature provides an additional layer of security and customization, making Stalwart Mail Server more versatile and robust.

Conclusion

Stalwart Mail Server version 0.9.1 represents a significant leap forward in our telemetry capabilities, offering faster, more detailed tracing and logging, comprehensive metrics support, and new HTTP endpoint access controls. These improvements underscore our dedication to providing a powerful, efficient, and secure mail server solution.

Upgrade to version 0.9.1 today and experience the next level of telemetry with Stalwart Mail Server!

Stalwart and Nextcloud Join Forces

23 July 2024 at 07:00

We are excited to announce a partnership between Stalwart Labs and Nextcloud, bringing together our state-of-the-art Stalwart Mail Server with the comprehensive Nextcloud suite. This collaboration marks a significant step forward in enhancing productivity, security, and user experience for our customers.

What This Means for You

Nextcloud will now also offer a version bundled with Stalwart Mail Server, providing users with a powerful, efficient, and secure email solution seamlessly integrated within the Nextcloud environment. This integration is designed to provide a cohesive and streamlined experience, allowing users to manage their email, files, and collaborative projects all in one place.

Key Benefits

  • Enhanced Productivity: With Stalwart Mail Server bundled into Nextcloud, users can effortlessly access their email and other Nextcloud apps, such as files, calendars, and tasks. This unified approach reduces the time and effort spent on managing multiple platforms.
  • Robust Security: Both Stalwart Labs and Nextcloud prioritize security. Our mail server brings industry-leading security features, including encryption and advanced threat detection, ensuring your communications remain safe and confidential.
  • Seamless Collaboration: Nextcloud is known for its powerful collaboration tools. Integrating Stalwart Mail Server enhances these capabilities, allowing for better coordination and communication within teams.
  • User-Friendly Interface: Our combined efforts focus on delivering an intuitive and user-friendly interface, making it easier for users to navigate and utilize the full potential of the integrated suite.

About Stalwart Mail Server

Stalwart Mail Server is a highly reliable and secure email server designed for modern businesses. With features such as spam filtering, encryption, and high availability, it provides an unparalleled email experience. Our server is built to handle the demands of any organization, ensuring your communications are always fast, reliable, and secure.

About Nextcloud

Nextcloud is the leading open-source software suite for file sharing and collaboration. It offers a wide range of tools for managing and sharing files, calendars, contacts, and more, all while maintaining the highest standards of security and privacy. Nextcloud is trusted by millions of users worldwide, from small businesses to large enterprises.

Looking Ahead

This partnership is just the beginning. We are committed to continuously improving and expanding our integrated solutions to meet the evolving needs of our users. Stay tuned for more updates and enhancements as we work together to bring you the best in productivity and security.

We invite you to explore the new integrated experience and see firsthand how Stalwart Mail Server and Nextcloud can transform the way you work. For more information, please visit our website or contact our team.

Thank you for your continued trust and support.

Enhanced E-mail Security with Two-Factor Authentication

1 July 2024 at 07:00

We are happy to announce the release of Stalwart Mail Server 0.8.3! This latest version introduces two powerful security features: Two-Factor Authentication (2FA) with TOTP codes and Application Passwords. These additions are designed to enhance the security of your email accounts, providing robust protection against unauthorized access.

Two-Factor Authentication

Two-Factor Authentication (2FA) is a security measure that requires users to provide two forms of identification before gaining access to their accounts. With the introduction of TOTP (Time-based One-Time Password) codes in Stalwart Mail Server 0.8.3, users can now benefit from this extra layer of security. TOTP codes are time-sensitive, one-time passwords generated by an authenticator app, such as Google Authenticator or Authy.

When 2FA is enabled, users must enter their regular password and a TOTP code generated by their authenticator app. This ensures that even if an attacker obtains the user's password, they would still need the TOTP code to access the account, significantly reducing the risk of unauthorized access. The TOTP codes are easy to set up and use, making them a convenient yet highly effective security measure.

Application Passwords

Alongside 2FA, Stalwart Mail Server 0.8.3 introduces Application Passwords. These are unique, randomly generated passwords that allow users to access their email accounts on devices or applications that do not support the OAUTHBEARER SASL mechanism. Application Passwords are particularly useful for older mail clients, third-party applications, and automated scripts that need access to email accounts but cannot handle the interactive authentication required by 2FA.

By generating an Application Password, users can maintain access to their email accounts on all their devices and applications while still benefiting from the enhanced security of 2FA. These passwords are managed through the self-service portal, where users can create, view, and revoke them as needed.

Improved Security, Enhanced Usability

The addition of Two-Factor Authentication with TOTP codes and Application Passwords in Stalwart Mail Server 0.8.3 represents a significant step forward in email account security. These features provide robust protection against unauthorized access, ensuring that your email communications remain secure. At the same time, they offer flexibility and ease of use, making it simple for users to secure their accounts without compromising on convenience.

We are committed to continuously improving the security and functionality of Stalwart Mail Server. We encourage all users to upgrade to version 0.8.3 and take advantage of these powerful new security features. As always, we welcome your feedback and look forward to hearing how these enhancements benefit you.

Stay secure, stay connected.

Introducing Webhooks and MTA Hooks

22 June 2024 at 07:00

We are happy to announce the release of Stalwart Mail Server version 0.8.2, an update that brings powerful new features designed to enhance the flexibility and responsiveness of your email infrastructure. The highlight of this release is the introduction of Webhooks and MTA Hooks, two significant additions that offer greater control and automation for email processing.

Webhooks: Real-Time Notifications for Your Email System

Webhooks provide a modern way to receive real-time notifications about various events in your email system. By setting up HTTP callbacks, you can automatically trigger actions or receive alerts when specific events occur. This feature is invaluable for maintaining the health and security of your email operations.

With Stalwart Mail Server's Webhooks, you can be notified about a range of events, including:

  • Message Receipt and Delivery: Stay informed when emails are received by or delivered from your server, allowing you to track email flow in real-time.
  • User Authentication: Receive alerts for successful logins, authentication failures, or attempts by banned users, helping you monitor and secure user access.
  • Account Quota Management: Get notified when an account exceeds its quota, enabling proactive management of storage limits and user activities.
  • DMARC and TLS Reports: Keep track of email security by receiving notifications for incoming DMARC reports and TLS reports, ensuring you stay updated on your email authentication status.

By leveraging Webhooks, you can enhance the automation and responsiveness of your email infrastructure, making it easier to manage and monitor various aspects of email activity and security.

MTA Hooks: A Modern Replacement for Milter

Stalwart Mail Server version 0.8.2 also introduces MTA Hooks, an exciting new protocol developed by Stalwart Labs to replace the traditional milter protocol. MTA Hooks offers a more flexible and straightforward way to handle email processing at various stages of the SMTP transaction.

What are MTA Hooks?

MTA Hooks is an HTTP-based protocol that uses POST requests to submit a JSON payload containing details about the SMTP transaction. It supports comprehensive coverage of SMTP stages, from the initial connection to final message delivery. By using JSON, MTA Hooks provides a clear and human-readable format, making it easier to implement and debug.

Benefits of MTA Hooks

  • Enhanced Flexibility: MTA Hooks can be invoked at any stage of the SMTP transaction, allowing for precise control over email processing.
  • Ease of Integration: Using standard HTTP and JSON makes it simpler to integrate MTA Hooks into your existing infrastructure.
  • Real-Time Processing: MTA Hooks enables real-time processing and modification of email transactions, ensuring immediate response to critical events.

Standardization Efforts

Stalwart Labs is actively working to have MTA Hooks standardized as an IETF RFC, aiming to establish it as a new industry standard for email processing. This effort underscores our commitment to innovation and leadership in the email infrastructure space.

Looking Ahead

We invite you to upgrade to Stalwart Mail Server version 0.8.2 and experience the benefits of Webhooks and MTA Hooks. These new features are designed to provide you with greater control, automation, and real-time capabilities, making your email infrastructure more robust and responsive.

Stalwart Unaffected by OOM Exploit Affecting Cyrus IMAP

7 June 2024 at 07:00

We are pleased to announce that Stalwart Mail Server is not vulnerable to the recently disclosed CVE-2024-34055 exploit, which affects Cyrus IMAP versions before 3.8.3 and 3.10.x before 3.10.0-rc1. This vulnerability allows authenticated attackers to cause unbounded memory allocation, potentially leading to a server crash through an Out-Of-Memory (OOM) condition.

Understanding the CVE-2024-34055 Exploit

The CVE-2024-34055 exploit leverages a specific weakness in the Cyrus IMAP server. By sending numerous LITERALs in a single command, an attacker can trigger excessive memory allocation. The vulnerability can be demonstrated with the following example:

A2 SEARCH BODY {1048576}
+ Ready for 1048576 bytes.
[1048576 bytes chunk] BODY {1048576}
+ Ready for 1048576 bytes.
[1048576 bytes chunk] BODY {1048576}
...
+ Ready for 1048576 bytes.
[1048576 bytes chunk] BODY {1048576}
<cyrus crashes with oom>

In this scenario, the server is repeatedly asked to allocate large chunks of memory, eventually leading to an OOM crash.

Why Stalwart is Secure

Stalwart Mail Server is designed with security and robustness in mind, and it is not susceptible to the type of attacks outlined in CVE-2024-34055. Here’s why:

  • Strict Parsers: Stalwart’s parsers are highly strict when reading input from the network. This strictness ensures that any malformed or malicious commands are promptly identified and handled without leading to excessive resource allocation.
  • Extensive Fuzzing and Testing: All parsers in Stalwart have undergone rigorous fuzzing and testing. Fuzzing is a testing technique that involves providing invalid, unexpected, or random data inputs to the software to identify vulnerabilities. This meticulous testing regime ensures that Stalwart can robustly handle a wide range of inputs without compromising on stability or security.
  • Written in Rust: Stalwart is developed using the Rust programming language, which offers inherent safety features. Rust’s ownership model and type system prevent many common vulnerabilities associated with memory management that are prevalent in languages like C. This makes Stalwart inherently less susceptible to memory-related exploits compared to other mail servers such as Cyrus and Dovecot.
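One way a strict parser can bound the literals announced in the transcript above, shown as an added sketch in Rust and not taken from Stalwart's code. The names `CommandBudget`, `announced_literal` and `process_command`, and the 1 MiB per-literal and 4 MiB per-command limits, are assumptions made for the illustration.

```rust
/// Constructed limit values for this example (not Stalwart's defaults).
const MIB: u64 = 1_048_576;

/// Why a command was refused before any literal bytes were read.
#[derive(Debug, PartialEq)]
enum LiteralError {
    /// The line ends in '}' but not in a well-formed "{N}" or "{N+}".
    Malformed,
    /// A single literal is larger than the per-literal limit.
    LiteralTooLarge(u64),
    /// The literals of one command add up to more than the per-command limit.
    CommandTooLarge { requested_total: u64 },
}

/// Return the octet count announced by a trailing "{N}" or "{N+}", if any.
/// This sketch is deliberately strict: any other line ending in '}' is an error.
fn announced_literal(line: &str) -> Result<Option<u64>, LiteralError> {
    let line = line.trim_end_matches(|c: char| c == '\r' || c == '\n');
    if !line.ends_with('}') {
        return Ok(None);
    }
    let open = line.rfind('{').ok_or(LiteralError::Malformed)?;
    let inner = &line[open + 1..line.len() - 1];
    // "{N+}" is the non-synchronizing form; the size rules are the same.
    let digits = inner.strip_suffix('+').unwrap_or(inner);
    if digits.is_empty() || digits.len() > 10 || !digits.bytes().all(|b| b.is_ascii_digit()) {
        return Err(LiteralError::Malformed);
    }
    digits.parse::<u64>().map(Some).map_err(|_| LiteralError::Malformed)
}

/// Tracks how many literal octets a single command has been granted so far.
struct CommandBudget {
    max_literal: u64,
    max_total: u64,
    used: u64,
}

impl CommandBudget {
    fn new(max_literal: u64, max_total: u64) -> Self {
        CommandBudget { max_literal, max_total, used: 0 }
    }

    /// Called before answering "+ Ready": nothing is allocated unless this succeeds.
    fn reserve(&mut self, n: u64) -> Result<(), LiteralError> {
        if n > self.max_literal {
            return Err(LiteralError::LiteralTooLarge(n));
        }
        let total = self.used.saturating_add(n);
        if total > self.max_total {
            return Err(LiteralError::CommandTooLarge { requested_total: total });
        }
        self.used = total;
        Ok(())
    }
}

/// Walk the lines of one command and count the continuation responses that
/// would be sent. The first announcement that breaks the budget aborts it.
fn process_command(lines: &[&str], budget: &mut CommandBudget) -> Result<u32, LiteralError> {
    let mut continuations = 0;
    for &line in lines {
        match announced_literal(line)? {
            Some(n) => {
                budget.reserve(n)?;
                continuations += 1;
            }
            None => break, // a line without a literal ends the command
        }
    }
    Ok(continuations)
}

fn main() {
    // Constructed input modelled on the transcript: one SEARCH with 64 literals.
    let mut lines = vec!["A2 SEARCH BODY {1048576}"];
    lines.extend(std::iter::repeat(" BODY {1048576}").take(63));
    let mut budget = CommandBudget::new(MIB, 4 * MIB);
    println!("{:?}", process_command(&lines, &mut budget));
}
```

Because the check runs on the announced size, the command is refused at the fifth literal without the server ever buffering it.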

Conclusion

At Stalwart, we prioritize security and reliability. Our commitment to using secure coding practices, comprehensive testing, and leveraging the advantages of Rust ensures that Stalwart Mail Server remains resilient against the latest threats. We encourage our users to continue enjoying the peace of mind that comes with knowing their mail server is robust against vulnerabilities like CVE-2024-34055.

For more information or support, please contact our team or visit our website. Stay secure with Stalwart!

Addressing the Overlooked DKIM Exploit in Stalwart Mail Server

18 May 2024 at 07:00

Email security is a critical aspect of digital communication, especially given the rising sophistication of cyber threats. DomainKeys Identified Mail (DKIM) and Authenticated Received Chain (ARC) are standards designed to ensure the authenticity and integrity of emails. However, as discovered by analysts at Zone.eu, vulnerabilities in the DKIM standard could undermine these protections, affecting billions of users worldwide.

Introduction to DKIM and ARC

DKIM provides an email authentication method that allows an organization to take responsibility for a message in transit. The standard uses cryptographic signatures to verify that an email has not been altered since it was originally sent. ARC, on the other hand, is an email authentication system designed to provide a way to preserve email authentication results across subsequent intermediaries that might modify the message, thus extending the benefits of DKIM.

The Exploit Revealed

The vulnerability uncovered by Zone.eu revolves around DKIM's "l=" parameter, which specifies the exact number of octets in the body of the email that are signed. Attackers can exploit this by appending additional content to the message without affecting the validity of the DKIM signature. As a result, emails with forged content can still appear as authenticated, deceiving both email systems and end-users, especially when visual trust indicators like BIMI are employed.

Stalwart’s Response to the Exploit

Recognizing the gravity of this exploit, Stalwart Mail Server has taken decisive steps to mitigate this risk and reinforce the security of email communications for its users. Initially, in Stalwart's implementation of DKIM and ARC, the option to set a signature length was disabled by default, which was a preventive measure against potential misuse. To further strengthen security in light of the new findings, Stalwart has now entirely removed the ability to specify signature lengths in both DKIM signatures and ARC seals. This change ensures that users cannot accidentally enable this feature, which could lead to vulnerabilities.

Furthermore, Stalwart has enhanced its validation processes. Both DKIM signatures and ARC seals are now verified in strict mode exclusively. Stalwart will not validate any signatures or seals that include a length parameter (the "l=" tag). Instead, these will receive a neutral result, meaning they neither pass nor fail the verification process but are flagged for potential risk. This approach aligns with best practices recommended in the wake of the exploit's discovery and is designed to prevent similar types of vulnerabilities from being exploited.
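The strict-mode rule described above can be expressed as a check that runs before any cryptographic verification. The following Rust sketch is an added example, not Stalwart's own code; the `Precheck` type, the function names and the sample header values are constructed for illustration, and the required-tag list follows RFC 6376.

```rust
use std::collections::HashMap;

/// Outcome of the policy check that runs before any signature cryptography.
#[derive(Debug, PartialEq)]
enum Precheck {
    /// No l= tag: continue with normal signature verification.
    Verify,
    /// l= present: do not validate, report neutral. `unsigned_octets` is how
    /// much of the canonicalized body the signature would have left uncovered
    /// (None when the l= value is not a plain decimal number).
    Neutral { unsigned_octets: Option<u64> },
    /// The header is not a well-formed DKIM tag list.
    PermError(String),
}

/// Parse an RFC 6376 tag list ("tag=value; tag=value") into a map.
fn parse_tag_list(value: &str) -> Result<HashMap<String, String>, String> {
    let mut tags = HashMap::new();
    for spec in value.split(';') {
        let spec = spec.trim();
        if spec.is_empty() {
            continue; // a trailing ';' is allowed
        }
        let (name, val) = spec
            .split_once('=')
            .ok_or_else(|| format!("tag without '=': {}", spec))?;
        // Whitespace around the name and the value is not significant.
        let (name, val) = (name.trim(), val.trim());
        let valid_name = name.chars().next().map_or(false, |c| c.is_ascii_alphabetic())
            && name.chars().all(|c| c.is_ascii_alphanumeric() || c == '_');
        if !valid_name {
            return Err(format!("invalid tag name: {:?}", name));
        }
        // A tag that appears twice makes the whole header invalid.
        if tags.insert(name.to_string(), val.to_string()).is_some() {
            return Err(format!("duplicate tag: {}", name));
        }
    }
    Ok(tags)
}

/// Decide what to do with one DKIM-Signature header value.
/// `canon_body_len` is the length of the canonicalized message body.
fn precheck(header_value: &str, canon_body_len: u64) -> Precheck {
    let tags = match parse_tag_list(header_value) {
        Ok(t) => t,
        Err(e) => return Precheck::PermError(e),
    };
    for required in ["v", "a", "b", "bh", "d", "h", "s"] {
        if !tags.contains_key(required) {
            return Precheck::PermError(format!("missing required tag: {}", required));
        }
    }
    match tags.get("l") {
        None => Precheck::Verify,
        Some(l) => {
            // Any l= tag ends the check with neutral; the number is only used
            // to report how many octets an attacker could have appended.
            let all_digits = !l.is_empty() && l.bytes().all(|b| b.is_ascii_digit());
            let signed = if all_digits { l.parse::<u64>().ok() } else { None };
            Precheck::Neutral {
                unsigned_octets: signed.map(|n| canon_body_len.saturating_sub(n)),
            }
        }
    }
}

fn main() {
    // Constructed header values; bh= and b= are placeholders, not real signatures.
    let plain = "v=1; a=rsa-sha256; d=example.org; s=sel1; h=from:to:subject; bh=AAAA; b=BBBB";
    let with_l = format!("{}; l=120", plain);
    println!("{:?}", precheck(plain, 500));
    println!("{:?}", precheck(&with_l, 500));
}
```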

Conclusion

Stalwart Mail Server's response illustrates a proactive and security-conscious approach, ensuring that our users remain protected against emerging threats. By eliminating the option to specify signature lengths and enforcing strict validation standards, Stalwart continues to be at the forefront of safeguarding email communications against evolving cyber threats.

We extend our thanks to the researchers at Zone.eu for their diligence in uncovering this significant security concern, thereby contributing to the broader effort of enhancing email security across the globe.

Unlock Seamless Scalability with Stalwart Mail Server

13 May 2024 at 07:00

We are excited to announce the release of Stalwart Mail Server v0.8.0, a significant update that introduces powerful new features and enhancements designed to improve performance, scalability, and ease of use. This release marks a major step forward in our commitment to providing a robust and highly available email server solution for businesses and organizations of all sizes.

Enhanced Clustering Capabilities

A major highlight of this release is the introduction of advanced clustering support, a feature aimed at enterprises needing high availability and fault tolerance in their email services. The new clustering functionality includes node auto-discovery, which simplifies the scaling process by automatically detecting and integrating new nodes into the existing cluster. Additionally, the partition-tolerant failure detection system ensures that the system remains operational even when network partitions occur. These features collectively enhance the resilience of the mail server, ensuring continuous service availability and reliability.

Simplified Email Client Configuration

Stalwart v0.8.0 also brings support for Autoconfig and Autodiscover protocols, which are essential for streamlining the user experience. These protocols automate the configuration process for email clients, eliminating the need for manual setup and reducing the potential for errors. By supporting these standards, Stalwart makes it easier for users to connect their email clients to the server, promoting a seamless integration with a variety of platforms.

Performance and Storage Optimizations

We have implemented significant performance improvements, particularly in our integration with FoundationDB, enhancing the speed and efficiency of our database interactions. This version also introduces improved full-text indexing, which now uses less disk space without compromising search capabilities. These optimizations ensure that Stalwart Mail Server can handle larger volumes of data more efficiently, making it ideal for organizations with high email traffic.

Security and Administration Enhancements

Stalwart v0.8.0 enhances security measures by automatically publishing MTA-STS policies and generating TLSA records for DANE, providing an additional layer of security by enabling encrypted email transport. These features help prevent man-in-the-middle attacks and ensure that email communications are secured in transit.

Furthermore, this release includes a new feature in the web-admin panel that allows administrators to visualize queued messages. This tool is invaluable for monitoring and managing email flow, providing insights into the server's operational status and helping to quickly address delivery issues.

Looking Forward

The release of Stalwart Mail Server v0.8.0 with its focus on clustering, autoconfiguration, and performance improvements demonstrates our ongoing commitment to developing cutting-edge technology that meets the needs of our users. We believe these enhancements will make a significant difference in how businesses and organizations manage their email infrastructures.

We invite you to download and experience the new features of Stalwart Mail Server v0.8.0. As always, we look forward to your feedback, which is crucial in helping us continue to improve and evolve our product to better serve you.

Introducing DNS-01 and HTTP-01 ACME Challenges

17 April 2024 at 07:00

Today we announce the release of Stalwart Mail Server version 0.7.2, which now includes support for both DNS-01 and HTTP-01 ACME challenge types. This update marks a significant enhancement in our server's capabilities, addressing one of the most frequent requests from our user community: the inclusion of DNS-01 support for improved domain validation flexibility.

What is ACME?

The Automated Certificate Management Environment (ACME) protocol is a cornerstone in the world of secure communications. ACME automates the process of certificate issuance, renewal, and revocation, thereby simplifying the management of SSL/TLS certificates. This protocol is not only designed to streamline administrative tasks but also to bolster security measures through rigorous validation mechanisms.

Challenge Types

Prior to version 0.7.2, Stalwart Mail Server supported only the TLS-ALPN-01 challenge, which utilizes the TLS Application Layer Protocol Negotiation extension for domain validation. This method, while robust, requires port 443 to be open and can limit flexibility for some users and environments.

Recognizing the diverse needs of our users, we have expanded our support to include two additional types of challenges: DNS-01 and HTTP-01. These new features are designed to offer more versatility in how users manage domain validation and certificate issuance.

DNS-01 Challenge

The DNS-01 challenge validates domain ownership by creating a DNS TXT record. This method is particularly valuable for those needing to issue wildcard certificates, as it allows for the validation of the domain and all its subdomains collectively. It is an ideal choice for users who prefer or require managing their certificates at the DNS level, especially in scenarios where direct web traffic control is not feasible.

HTTP-01 Challenge

In contrast, the HTTP-01 challenge involves responding to HTTP requests made by the ACME server. This method proves the control over a domain by placing a specific file on the server to be accessed via a standard web path. It is best suited for environments where port 80 is open and accessible. The simplicity of HTTP-01 makes it an attractive option for many administrators, providing an efficient path to compliance without the need for complex DNS configurations.

Benefits

By integrating DNS-01 and HTTP-01 challenges into Stalwart Mail Server 0.7.2, we are offering our users the flexibility to choose the validation method that best fits their technical requirements and security policies. Whether operating behind a TLS reverse proxy, managing multiple subdomains with a single certificate, or simply seeking a straightforward setup, the expanded challenge options cater to a wider range of use cases.

We are committed to continually improving Stalwart Mail Server to meet the evolving needs of our customers. The inclusion of these new ACME challenges is a direct response to community feedback, and we are excited to see how our users will leverage these new capabilities to enhance their server security and certificate management processes.

Stay tuned for more updates as we keep enhancing our mail server solutions. For detailed information on configuring and using the new challenge types in Stalwart Mail Server 0.7.2, please refer to our updated documentation.

We look forward to your feedback on these new features and to supporting you in your journey to a more secure and efficient server environment!

Goodbye SSH: Discover Stalwart's Web-Based Admin Interface

9 April 2024 at 07:00

We're thrilled to announce the release of Stalwart Mail Server version 0.7.0, a significant update that brings a wealth of features and improvements to enhance the performance and manageability of your email services. This release marks a pivotal moment in our journey to provide an email server solution that combines ease of use with robust performance, ensuring that your email infrastructure is both secure and efficient.

Introducing Web-Based Administration

At the heart of version 0.7.0 is the introduction of a new, web-based administration tool. Developed in Rust, this single-page application (SPA) represents a monumental shift in how you interact with Stalwart Mail Server. Gone are the days of relying on SSH connections or command-line interfaces for routine administration tasks. Now, every aspect of your mail server can be managed from the convenience of a web browser.

The new web administration tool is designed to streamline and simplify the management of your mail server, offering a wide array of features:

  • Complete Control Over Accounts and Domains: Easily manage user accounts, domains, groups, and mailing lists, all from a user-friendly interface.
  • Advanced Queue Management: Monitor and manage your SMTP queues with ease, including messages and outbound DMARC and TLS reports, ensuring timely delivery and compliance.
  • Insightful Report Visualization: Gain valuable insights into your email security with a dedicated interface for visualizing received DMARC, TLS-RPT, and Failure (ARF) reports.
  • Full Configuration Flexibility: Adjust and fine-tune every aspect of your mail server settings directly from the webadmin, tailored to meet your specific requirements.
  • Enhanced Log Viewing and Searching: Navigate through logs effortlessly with advanced search and filtering capabilities, making it easier to pinpoint issues or monitor activity.
  • Self-Service Portal for Users: Empower your users with a self-service portal for password resets and managing encryption-at-rest keys, enhancing security and convenience.

This transformative approach to mail server management not only elevates the administration experience but also significantly reduces the complexity and time required to manage your email infrastructure.

Enhanced Performance and Efficiency

Beyond management improvements, Stalwart Mail Server 0.7.0 introduces significant performance enhancements to ensure swift and efficient email delivery. A major focus has been placed on optimizing mailbox retrieval speeds to accommodate IMAP clients, particularly those without client-side caching, ensuring that large mailboxes are displayed promptly. This version also integrates automatic compression for messages and binaries stored in the blob store using LZ4, a move that conservatively manages storage space while improving access and transfer speeds. These enhancements collectively ensure that Stalwart Mail Server 0.7.0 delivers unparalleled performance, making it faster and more efficient than ever before.

Embracing the Future

With the release of version 0.7.0, Stalwart Mail Server sets a new standard for email server solutions. The introduction of a web-based administration tool and significant performance improvements underscore our commitment to innovation and excellence. We invite you to experience the future of email server management and performance with Stalwart Mail Server 0.7.0.

Introducing Distributed SMTP Queues & Expressions

14 February 2024 at 07:00

This Valentine's Day, we're not just celebrating love and companionship; we're also celebrating the groundbreaking advancements in the Stalwart Mail Server with the release of version 0.6.0. In a world where reliability and flexibility in mail server management are more critical than ever, Stalwart Mail Server takes a significant leap forward with the introduction of distributed SMTP queues and the integration of expressions in configuration files. Let's delve into how these features transform your mail server experience, making it more robust, efficient, and customizable than ever before.

Distributed SMTP Queues: A Heartbeat of Reliability

The latest iteration of Stalwart Mail Server introduces a feature that's set to be the cornerstone of reliability and fault tolerance: distributed SMTP queues. Gone are the days when your SMTP queue was confined to the local hard drive, a vulnerability that could lead to data loss or downtime in the event of a server crash. With version 0.6.0, Stalwart Mail Server stores your SMTP queues in the database, a move that not only enhances fault tolerance but also paves the way for queue load distribution across multiple servers in a cluster.

Imagine your mail server as the heart of your organization's communication. Just as the heart's reliability is critical to the body's overall function, so is your SMTP queue's reliability to your organization's communication flow. Distributed SMTP queues ensure that if one server in the cluster experiences issues, the heartbeat of your communication doesn't skip a beat. This feature allows other servers in the cluster to pick up the load, ensuring uninterrupted mail flow and significantly reducing the risk of data loss.

This approach allows for a more balanced and efficient handling of email traffic, making your mail server cluster more resilient to individual failures and capable of handling higher volumes of email more effectively.

Expressions: A Language of Flexibility

The second headline feature of version 0.6.0 is the support for expressions in configuration files. This addition opens up a new realm of flexibility, allowing you to define complex, dynamic criteria for evaluating and handling email messages based on various attributes, such as recipient, sender, remote IP addresses, and other variables.

With expressions, configuring your Stalwart Mail Server becomes akin to coding the DNA of your mail server's behavior. Whether it's routing, filtering, or processing rules, expressions enable you to tailor the mail server's operations to meet your specific needs with precision and adaptability. Consider a scenario where you want to apply specific actions only to emails from a certain domain or IP range, or perhaps to messages that meet a combination of criteria. With expressions, these complex conditions can be easily defined and integrated into your server's configuration, making it smarter and more aligned with your organizational policies.

Celebrate With Us

As we release Stalwart Mail Server version 0.6.0 this Valentine's Day, we invite you to celebrate not just a day of love but also a milestone in mail server technology. With distributed SMTP queues and expressions in configuration files, we're not just sending you a token of our affection; we're equipping you with the tools to make your mail server environment more resilient, efficient, and tailored to your needs.

So here's to love, to innovation, and to a future where your mail server's reliability and flexibility are the foundation of your organization's communication success. Happy Valentine's Day, and welcome to the new era of Stalwart Mail Server.

Increase your mail server security with Fail2ban

14 January 2024 at 07:00

We are excited to announce a significant update to Stalwart Mail Server - the introduction of an integrated fail2ban-like system in our latest version, 0.5.3. This new feature marks an important advancement in our ongoing commitment to providing robust security measures for our users.

Understanding Fail2Ban

Before diving into the specifics of our new feature, let's revisit what Fail2Ban is. Commonly used in the world of server security, Fail2Ban is an intrusion prevention software that protects servers from brute-force attacks. It operates by monitoring server logs for suspicious activities, like repeated password failures, and responds by blocking the offending IP addresses, typically by updating firewall rules.

Tailored Security

In Stalwart Mail Server version 0.5.3, we've embraced the core philosophy of Fail2Ban but adapted it to better suit the unique environment of our mail server. Our integrated fail2ban system is designed to enhance security without relying on external Fail2Ban software. It's a part of Stalwart Mail Server, built directly into its architecture.

One key difference in our approach is how we handle the banning of IP addresses. Unlike traditional Fail2Ban that alters firewall rules, our system immediately drops further connections from any banned IP address. This swift action effectively cuts off malicious attempts at their source, ensuring immediate protection.

Fully Integrated

Another significant aspect of our fail2ban system is its integration across all mail server services. Whether it be JMAP, IMAP, SMTP, or ManageSieve, authentication failures in any of these services contribute to the ban threshold. This comprehensive coverage ensures that the security of one service is not compromised at the expense of another.

Advanced Tracking Beyond IP Addresses

A standout feature of our fail2ban system is its ability to track authentication failures not only by IP address but also by login name. This is particularly vital in defending against distributed brute-force attacks, where attackers might use numerous IP addresses to target a single account. Our system intelligently identifies such patterns and, after a certain number of failed attempts, blocks further authentication efforts for that account, regardless of the IP used. This means that an attacker cannot simply hop IP addresses to bypass security measures.
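
The per-IP and per-login tracking described above, with failures from every service feeding the same counters, can be sketched as follows. This is an added example, not Stalwart's code: the class and method names, the threshold of three failures, the five-minute window and the one-hour ban are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque

SERVICES = {"jmap", "imap", "smtp", "managesieve"}


class AuthGuard:
    """Hypothetical failure tracker keyed by client IP and by login name."""

    def __init__(self, max_failures=3, window=300.0, ban_seconds=3600.0):
        self.max_failures = max_failures      # assumed threshold
        self.window = window                  # assumed sliding window, seconds
        self.ban_seconds = ban_seconds        # assumed ban duration, seconds
        self._failures = defaultdict(deque)   # ("ip", addr) / ("login", name) -> timestamps
        self._banned_until = {}               # same keys -> expiry timestamp

    def _blocked(self, key, now):
        until = self._banned_until.get(key)
        if until is not None and now >= until:
            del self._banned_until[key]       # ban expired
            until = None
        return until is not None

    def accept_connection(self, ip, now):
        """Checked at accept time: connections from a banned IP are dropped at once."""
        return not self._blocked(("ip", ip), now)

    def may_authenticate(self, ip, login, now):
        """A locked login is refused from every IP, not only the ones that failed."""
        login_key = ("login", login.lower())
        return self.accept_connection(ip, now) and not self._blocked(login_key, now)

    def record_failure(self, service, ip, login, now):
        """Count one failed login from any service; return the keys newly banned."""
        if service not in SERVICES:
            raise ValueError(f"unknown service: {service}")
        new_bans = []
        for key in (("ip", ip), ("login", login.lower())):
            times = self._failures[key]
            times.append(now)
            while now - times[0] > self.window:   # forget failures outside the window
                times.popleft()
            if len(times) >= self.max_failures:
                self._banned_until[key] = now + self.ban_seconds
                times.clear()
                new_bans.append(key)
        return new_bans


# Constructed events: (timestamp, service, client IP, login), failed logins only.
EVENTS = [
    (0.0, "imap", "198.51.100.10", "alice"),
    (5.0, "smtp", "198.51.100.11", "alice"),
    (9.0, "jmap", "198.51.100.12", "Alice"),         # third source IP, same account
    (20.0, "imap", "203.0.113.7", "bob"),
    (21.0, "managesieve", "203.0.113.7", "carol"),
    (22.0, "smtp", "203.0.113.7", "dave"),           # same IP, third account
]


def replay(guard, events):
    """Feed events through the guard, skipping attempts it would already refuse."""
    bans = []
    for now, service, ip, login in events:
        if guard.may_authenticate(ip, login, now):
            bans.extend(guard.record_failure(service, ip, login, now))
    return bans


if __name__ == "__main__":
    print(replay(AuthGuard(), EVENTS))
```

In the sample, no single address fails more than once against "alice", so only the login counter catches that pattern, while the address that tries three different accounts is caught by the IP counter.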

Conclusion

The introduction of this integrated fail2ban system in version 0.5.3 is a testament to our dedication to providing top-tier security for our users. This advanced security feature is meticulously designed to address and neutralize a wide array of cyber threats, especially sophisticated brute-force attacks.

We are proud to bring this new level of security to Stalwart Mail Server. This update reflects our ongoing commitment to adapting and evolving in the face of emerging cyber threats. With the integration of our fail2ban system, Stalwart Mail Server version 0.5.3 stands as a more secure, reliable, and resilient solution for your email server needs.

Stay tuned for more updates and features as we continue to enhance and refine Stalwart Mail Server. Your security is our priority, and we are dedicated to providing you with the best tools to protect it.

ACME Integration for Effortless TLS Certificates

7 January 2024 at 07:00

ACME (Automatic Certificate Management Environment) represents a breakthrough in managing TLS (Transport Layer Security) certificates. This protocol automates the process of obtaining, installing, and renewing TLS/SSL certificates, which are crucial for securing network communications. TLS certificates provide authentication and encryption, ensuring that data transferred between users and servers remains private and secure.

ACME's ability to automate these tasks greatly simplifies certificate management, particularly for services like mail servers that require ongoing security maintenance. The protocol interacts with Certificate Authorities (CAs) such as Let's Encrypt to automate the verification of domain ownership and the issuance of certificates, significantly reducing manual effort and the risk of human error.

We are thrilled to announce the release of Stalwart Mail Server 0.5.2, which brings two significant advancements: the integration of the ACME protocol for automatic TLS certificate deployment and support for the HAProxy Protocol. These features mark a substantial step forward in our commitment to enhancing the security and efficiency of Stalwart Mail Server.

The Power of ACME

The integration of ACME into Stalwart Mail Server simplifies the complexities of TLS certificate management. It ensures that the certificates are always up-to-date, thereby enhancing the overall security of your communications. With ACME, the server automatically verifies domain ownership, obtains the necessary certificates, and handles renewals, all without manual intervention. This automation is not only a boon for security but also significantly reduces the administrative burden and the risk of service interruptions due to expired certificates.

Embracing the Proxy Protocol

The Proxy Protocol is another crucial feature in this release. When running servers behind load balancers or reverse proxies, such as Caddy, HAProxy, or Traefik, the server traditionally only sees the IP address of the proxy, not the actual client. This limitation can impact security and logging functions. By supporting the Proxy Protocol, Stalwart Mail Server 0.5.2 can now accurately identify the original client's IP address and connection details. This capability is essential for maintaining robust security measures and precise logging. It ensures that even in environments where Stalwart is behind a proxy, it retains full visibility over client connections.
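
To make the mechanism concrete, here is a parser for the human-readable version 1 header of the PROXY protocol, together with the check that the header is only believed when it arrives from a known proxy. This is an added example, not Stalwart's code; the function names, the trusted network list and the sample bytes are assumptions constructed for illustration.

```python
import ipaddress

MAX_V1_LINE = 107  # longest possible v1 header in bytes, CRLF included


class ProxyHeaderError(ValueError):
    """Raised when the first bytes of a connection are not an acceptable header."""


def parse_proxy_v1(data: bytes):
    """Parse 'PROXY TCP4|TCP6 <src> <dst> <sport> <dport>' + CRLF at the start of data.

    Returns ((src_ip, src_port), rest), or (None, rest) for 'PROXY UNKNOWN'.
    """
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if not data.startswith(b"PROXY ") or end < 0:
        raise ProxyHeaderError("missing, truncated or over-long PROXY v1 header")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII bytes in header") from exc
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":      # proxy could not tell; caller keeps the peer address
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("malformed header fields")
    family = 4 if fields[1] == "TCP4" else 6
    try:
        src = ipaddress.ip_address(fields[2])
        dst = ipaddress.ip_address(fields[3])
    except ValueError as exc:
        raise ProxyHeaderError("bad address") from exc
    if src.version != family or dst.version != family:
        raise ProxyHeaderError("address family does not match protocol field")
    if not all(p.isdigit() and int(p) <= 65535 for p in fields[4:6]):
        raise ProxyHeaderError("bad port")
    return (src, int(fields[4])), rest


def effective_client(peer_ip: str, first_bytes: bytes, trusted_proxies):
    """Return (address to use for bans and logs, bytes left for the mail protocol)."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_proxies):
        # Not one of our proxies: whatever it sends is client-controlled, so a
        # PROXY line here is refused rather than believed.
        if first_bytes.startswith(b"PROXY "):
            raise ProxyHeaderError("PROXY header from untrusted peer")
        return peer, first_bytes
    source, rest = parse_proxy_v1(first_bytes)
    return (source[0] if source else peer), rest


# Constructed sample: the proxy's network and the first bytes it forwards.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]
SAMPLE = b"PROXY TCP4 192.0.2.10 198.51.100.5 56324 25\r\nEHLO client.example\r\n"

if __name__ == "__main__":
    print(effective_client("10.0.0.5", SAMPLE, TRUSTED))
```

Without the trust check, any client could prepend its own header and choose the address that bans and logs are attributed to.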

Conclusion

In conclusion, Stalwart Mail Server 0.5.2 is a significant update, offering both ACME for simplified and automated TLS certificate management and the Proxy Protocol for enhanced functionality behind proxy environments. These features underscore our dedication to providing a secure, efficient, and user-friendly mail server solution. We look forward to seeing how our users leverage these new capabilities in their Stalwart Mail Server deployments.

SMTP Smuggling: What it is and how Stalwart is protected

2 January 2024 at 07:00

In the world of email security, a recent concern has arisen known as SMTP Smuggling, a vulnerability that can be exploited to spoof emails. This blog post will explain what SMTP smuggling is and how Stalwart Mail Server is designed to be immune to this vulnerability. We'll also discuss a new feature we've implemented to protect other servers that might be vulnerable.

Understanding SMTP Smuggling

SMTP smuggling is an exploitation technique that manipulates SMTP conversations to send spoofed emails from arbitrary addresses. It leverages interpretation differences in the SMTP protocol to bypass security checks like SPF alignment. The technique was identified as effective against multiple email providers and could have significant implications for email security.

Traditionally, the end of data in an SMTP conversation is indicated by a sequence <CR><LF>.<CR><LF> (CR LF stands for Carriage Return and Line Feed, standard text delimiters). However, if an SMTP server improperly interprets this sequence, it can be tricked into starting a new email within the content of an existing email, allowing attackers to inject malicious content and spoof emails that bypass SPF alignment checks.

Research has shown that even large organizations with sophisticated IT infrastructure are not immune to SMTP smuggling attacks. Notable entities such as eBay, PayPal, Amazon, and even Microsoft, through their use of services like Microsoft Exchange Online, have experienced challenges due to non-compliance with certain RFC specifications. This underscores the importance of adhering to established protocols and standards in email communications. Compliance with these specifications is crucial for ensuring the security and integrity of email systems.

This vulnerability has led to calls for increased vigilance and improved email server configurations to prevent such exploits. For a detailed understanding of SMTP smuggling, please refer to the full article on SEC Consult's blog.

How Stalwart is Protected

Stalwart Mail Server is designed with robust security measures that inherently protect it from SMTP smuggling attacks. Stalwart only accepts <CR><LF>.<CR><LF> as the terminating sequence for a DATA command. This strict adherence to protocol specifications prevents the ambiguity that can lead to smuggling attacks. Furthermore, when sending outgoing messages, Stalwart Mail Server utilizes the BDAT command whenever available. The BDAT command is not susceptible to SMTP smuggling issues, as it specifies the exact amount of data being sent, leaving no room for misinterpretation.

Protecting other Servers

While Stalwart Mail Server itself is not vulnerable to SMTP smuggling, we recognize that other servers might be. To help protect the broader email ecosystem, we have introduced in version 0.5.1 a feature to sanitize outgoing messages that might attempt to exploit this bug in other servers. This feature involves applying the transparency procedure described in RFC 5321 to outgoing messages even when these messages do not use CRLF as line terminators, which prevents the exploitation of SMTP smuggling vulnerabilities in other servers.
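
The two defences described in this post, accepting only <CR><LF>.<CR><LF> as end of data and dot-stuffing outgoing lines even when they end in a bare CR or LF, are shown side by side below. This is an added example, not Stalwart's code; the function names are hypothetical, the message is constructed, and treating both bare CR and bare LF as line ends when stuffing is this example's reading of the feature.

```python
import re

END_OF_DATA = b"\r\n.\r\n"   # the only DATA terminator: <CR><LF>.<CR><LF>
# A lone "." between any mix of CRLF, bare CR and bare LF.
DOT_LINE = re.compile(rb"(?:\r\n|\r|\n)\.(?:\r\n|\r|\n)")


def ambiguous_terminators(payload: bytes) -> list:
    """Lone-dot sequences that are not the real terminator (a log or alert signal)."""
    return [m.group() for m in DOT_LINE.finditer(payload) if m.group() != END_OF_DATA]


def dot_stuff(message: bytes) -> bytes:
    """Double every "." that starts a line, counting bare CR and bare LF as line ends."""
    out = bytearray()
    at_line_start = True
    for byte in message:
        if byte == 0x2E and at_line_start:
            out.append(0x2E)
        out.append(byte)
        at_line_start = byte in (0x0A, 0x0D)
    return bytes(out)


def dot_unstuff(payload: bytes) -> bytes:
    """Inverse of dot_stuff: drop the first "." of each line."""
    out = bytearray()
    at_line_start = True
    for byte in payload:
        if byte == 0x2E and at_line_start:
            at_line_start = False        # drop the added dot, keep what follows
            continue
        out.append(byte)
        at_line_start = byte in (0x0A, 0x0D)
    return bytes(out)


def frame_naive(message: bytes) -> bytes:
    """Sender that stuffs only after CRLF, so bare-LF dot lines pass through unchanged."""
    return message.replace(b"\r\n.", b"\r\n..") + b".\r\n"


def frame_sanitized(message: bytes) -> bytes:
    """Sender that stuffs after any line end, then appends the real terminator."""
    stuffed = dot_stuff(message)
    if not stuffed.endswith(b"\r\n"):
        stuffed += b"\r\n"
    return stuffed + b".\r\n"


def receive_strict(stream: bytes):
    """Compliant receiver: the message ends at the first <CR><LF>.<CR><LF> only."""
    end = stream.find(END_OF_DATA)
    if end < 0:
        raise ValueError("end-of-data not seen")
    return stream[: end + 2], stream[end + len(END_OF_DATA):]


def receive_lenient(stream: bytes):
    """Non-compliant receiver: any lone-dot line ends the message."""
    match = DOT_LINE.search(stream)
    if match is None:
        raise ValueError("end-of-data not seen")
    return stream[: match.start()], stream[match.end():]


# Constructed message: two body lines end in bare LF and one of them is a single ".".
SAMPLE = b"Subject: report\r\n\r\nfirst part\n.\nsecond part\r\n"

if __name__ == "__main__":
    for name, framed in (("naive", frame_naive(SAMPLE)), ("sanitized", frame_sanitized(SAMPLE))):
        print(name, ambiguous_terminators(framed),
              receive_strict(framed)[1], receive_lenient(framed)[1])
```

The second value each receiver returns is whatever it would go on to read as protocol input after the message. It is empty for the strict receiver in both cases, and for the lenient receiver only when the sender sanitized the message.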

MECSA Compliance

In our ongoing efforts to enhance email security, we are proud to announce that Stalwart Mail Server 0.5.1 is now compliant with the My Email Communications Security Assessment (MECSA) set by the European Union. MECSA compliance signifies a robust level of security in email communication, and one of the key features in achieving this compliance is the implementation of SMTP sender validation for authenticated users.

SMTP sender validation ensures that authenticated users can only issue MAIL FROM commands that match their login name or any of the email addresses associated with their accounts. Previously, implementing this level of validation required the creation of a Sieve script. However, with our latest update, this functionality is now a straightforward boolean entry in the system settings, defaulting to true for maximum security.

Conclusion

In summary, Stalwart Mail Server's architecture and its strict adherence to SMTP protocol specifications inherently protect it against SMTP smuggling attacks. Furthermore, our commitment to the security of the email infrastructure extends beyond our server. The new feature to sanitize outgoing messages and our MECSA compliance demonstrate our proactive approach to safeguarding against vulnerabilities and contributing to a more secure email environment.

Stay up to date with the latest in email security and Stalwart Mail Server's features by following our blog and updates.

Elevating Performance and Flexibility

27 December 2023 at 07:00

We are excited to announce the release of Stalwart Mail Server v0.5.0. As we approach the end of the year, this significant update marks a major advancement in our journey to provide a robust, efficient, and versatile mail server solution. This latest version incorporates a range of performance enhancements, storage layer improvements, and new features, designed to elevate your email server experience.

Performance Enhancements

In the realm of performance, Stalwart v0.5.0 introduces multiple improvements in how messages are handled and stored. Messages are now parsed only once, with their offsets stored in the database. This approach eliminates the need for parsing messages on every FETCH request, significantly boosting server efficiency and response time. Moreover, the server now performs full-text indexing in the background, seamlessly enhancing search capabilities. We have also optimized our database access functions, ensuring smoother and faster interactions with the underlying data store.

Storage Layer Improvements

Stalwart v0.5.0 expands the options for storage backends. In addition to FoundationDB and SQLite, users can now choose RocksDB, PostgreSQL, or MySQL as their storage backend, offering flexibility to suit different operational needs. Blob storage has also been made more versatile, allowing blobs to be stored in any of the supported data stores, not just limited to the file system or S3/MinIO. This update provides more integrated data management solutions. Full-text search capabilities have been enhanced, with options to conduct searches internally or delegate them to Elasticsearch. Additionally, spam databases can now be stored in any of the supported data stores or Redis, removing the requirement for an SQL server for spam filter usage.

Internal Directory

With the introduction of an internal directory in Stalwart v0.5.0, user account, group, and mailing list management can now be conducted directly within Stalwart, eliminating the dependency on external LDAP or SQL directories. This feature is complemented by the addition of an HTTP API, offering a more accessible and programmable interface for managing users, groups, domains, and mailing lists.

Additional Features

Enhancing compatibility with older IMAP clients, Stalwart v0.5.0 now supports the IMAP4rev1 Recent flag, ensuring a smoother user experience. The server also accommodates LDAP bind authentication, catering to LDAP servers like lldap that do not expose the userPassword attribute. Another significant improvement is the automated handling of spam – messages marked as spam by the filter can now be automatically moved to the user's Junk Mail folder.

Conclusion

As we release Stalwart Mail Server v0.5.0, we also want to take a moment to wish everyone a Happy New Year. This new version is a testament to our continuous efforts to evolve and adapt to the needs of our users. We believe that Stalwart v0.5.0 will not only meet but exceed your expectations, whether you're setting up a new mail server or upgrading an existing one.

For more details, visit our website, and don't forget to join our Discord community to share your experiences, get support, and connect with other Stalwart users.

Here's to a new year filled with success, innovation, and secure email communications!

Introducing Advanced Spam and Phishing Filtering

25 October 2023 at 07:00

In today's digital age, the safety and authenticity of your emails are paramount. With that in mind, we're happy to announce the release of the Spam and Phishing filter in Stalwart Mail Server v0.4.0. This release is packed with features that not only enhance your email security but also ensure a seamless communication experience.

Here's a deep dive into what's new:

  • Comprehensive Filtering Rules: We've crafted a set of rules that stand shoulder-to-shoulder with the best solutions out there.
  • Statistical Spam Classifier: Empower your server with a classifier that constantly learns, adapts, and keeps spam at bay.
  • DNS Blocklists (DNSBLs): Safeguard your users' inboxes from notorious spammers through meticulous checks on IP addresses, domains, and hashes.
  • Collaborative Digest-Based Filtering: By integrating digest-based spam filtering, we ensure even greater accuracy in weeding out unwanted emails.
  • Phishing Protection: Defend against cunning phishing tactics, from homographic URL attacks to deceptive sender spoofing.
  • Trusted Replies Tracking: By recognizing and prioritizing genuine replies, we ensure your genuine conversations remain uninterrupted.
  • Sender Reputation: An automated system that assesses sender credibility based on their IP, ASN, domain, and email address.
  • Greylisting: An added shield against spam, by temporarily holding back unfamiliar senders.
  • Spam Traps: Crafty decoy email addresses that help us catch and scrutinize spam, ensuring your users' inboxes remain clutter-free.
  • Built-in & Ready to Roll: No dependency on third-party software. Unbox and deploy – it's that simple!

Comparative Analysis

While we have immense respect for both Rspamd and SpamAssassin, it's essential to highlight some distinctions. Rspamd stands out for its speed and standalone capabilities but necessitates additional configuration and maintenance. Meanwhile, SpamAssassin, built on Perl, might not deliver the same speed as Rspamd due to its heavy reliance on regular expressions.

Stalwart Mail Server's spam and phishing filter offers a level of protection equivalent to both Rspamd and SpamAssassin with one notable advantage: speed. Since the message remains within the server during the entire filtering process, it's considerably quicker. Furthermore, while third-party solutions re-execute checks for DMARC, DKIM, SPF, and ARC, Stalwart has already performed these, making our built-in filter more efficient and streamlined.

In essence, with Stalwart Mail Server, you receive a blend of speed, efficiency, and top-tier protection.

Conclusion

In essence, with Stalwart Mail Server v0.4.0, you're not just getting an email server, but a comprehensive, fast, and efficient email security solution.

We're committed to continuous innovation and ensuring that your communication remains genuine, secure, and spam-free. Upgrade to Stalwart Mail Server v0.4.0 and experience the difference today!

Stalwart Mail Server passes Security Audit

7 October 2023 at 07:00

We are thrilled to announce that Stalwart Mail Server has undergone a comprehensive security audit conducted by Radically Open Security. As a part of their assessment, a crystal-box penetration test was performed to ensure the robustness and security of the mail server.

How Was The Security Audit Conducted?

  • Automated Scanning: Radically Open Security employs state-of-the-art automated tools and scanners to root out common vulnerabilities, coding flaws, or misconfigurations within the codebase. These tools are invaluable in identifying potential problem areas that might necessitate a more in-depth manual analysis. They also confirm that the code adheres strictly to secure coding practices.

  • Manual Code Review: Building upon the insights provided by automated scanning, a manual code review was carried out. This process aims to spot complex security issues and logical flaws, and to ensure that secure coding practices are consistently met. This meticulous step involves confirming the proper implementation of essential components such as input validation, authentication, authorization, and data protection mechanisms.

What Were the Results?

We are proud to share that the audit concluded with no vulnerabilities or unsafe code identified in Stalwart Mail Server. Such an outcome underscores our commitment to offering a safe and secure open-source mail server solution to our users.

For those who would like a deep dive into the audit's findings, the full report is accessible here.

Continuous Improvement

Though the audit did not unearth any vulnerabilities, Radically Open Security did make a constructive recommendation: they advised against storing directory or OAuth secrets in the configuration file. We took this feedback to heart, and we're excited to introduce Stalwart Mail Server version 0.3.9. Released today, this latest version allows reading configuration settings from environment variables. It's a step further towards ensuring that our users can trust Stalwart, not just for its capabilities, but also for its steadfast focus on security.

Looking ahead

We extend our heartfelt gratitude to the team at Radically Open Security for their comprehensive evaluation and invaluable feedback. We're committed to constantly refining and improving our product, with the security and trust of our users being paramount. With this recent audit, we hope to have taken another significant step towards that goal.

Stay secure!

Advanced Filtering with Sieve Expressions

29 August 2023 at 07:00

Today we are announcing the latest release of Stalwart Mail Server: version 0.3.6. This update includes multiple enhancements to the Sieve filtering language, including the ability to evaluate arithmetical and logical expressions, and fetch data from SQL or LDAP databases to Sieve variables.

Arithmetical and Logical Expressions

Stalwart Mail Server now incorporates the ability to evaluate arithmetical and logical operations within Sieve scripts. For instance, the following Sieve script rejects a mail if it satisfies a particular condition:

if test eval "score + ((awl_score / awl_count) - score) * awl_factor > 2.25" {
    reject "Your message is SPAM.";
    stop;
}

Whether you're aiming to refine your filtering mechanisms or just add some mathematical magic to your scripts, this feature is sure to come in handy.

To learn more about expressions in Sieve scripts, check out the Arithmetical and Logical Expressions section in the documentation.

Fetching Data from Databases

Using Sieve scripts, you can now query SQL or LDAP databases and store the results as Sieve variables. This is done using the query command with the optional :set argument.

Consider this example:

query :use "sql" :set ["awl_score", "awl_count"] "SELECT score, count FROM awl WHERE sender = ? AND ip = ?" ["${env.from}", "${env.remote_ip}"];

The above Sieve script fetches the score and count columns from the awl table in an SQL database and stores them as the Sieve variables awl_score and awl_count respectively.

To learn more about fetching data from SQL or LDAP queries, check out the query extension documentation.

Conclusion

These features allow for more advanced filtering mechanisms and more powerful Sieve scripts. We hope you enjoy them!

Introducing Encryption at Rest: Protecting Your Emails Even When They Sleep

3 August 2023 at 07:00

In the digital age where privacy and data protection are paramount, we continually strive to enhance the security features offered by Stalwart Mail Server. Today, we're thrilled to announce our latest upgrade – Encryption at Rest!

Understanding Encryption at Rest

Encryption at Rest is designed to protect your data when it's stored, or 'at rest,' on your server. This new feature introduces the ability to automatically encrypt plain-text email messages with OpenPGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions) before being written to disk. It provides the option to use either AES256 or AES128 encryption for PGP and AES256-CBC or AES128-CBC for S/MIME.

Why It Matters

With Encryption at Rest, your data remains secure even in the event of a physical storage breach. The encrypted data stored on your mail server is inaccessible without the unique decryption keys. Even system administrators don't have the capacity to decrypt these messages, reinforcing the privacy of your communications.

How it Works

Encryption at rest in Stalwart Mail Server is easy to enable and use. All it requires is for users to upload their S/MIME certificate or PGP public key using a user-friendly web interface. These keys are utilized to automatically encrypt plain-text messages before they are written to disk.

Comparative Look

What sets Stalwart Mail Server's implementation apart is its unique approach to key management. Unlike some other mail servers, Stalwart Mail Server does not store the private key on the server or in the database. This means that even the system administrators or anyone with access to the database won't be able to decrypt your messages.

Take, for instance, Dovecot's mail-crypt plugin. While it's a powerful tool for ensuring the security of email storage, its design requires the private key to be stored in the database. This effectively means that your emails can still be decrypted by someone with the right access. In contrast, Stalwart Mail Server provides an extra layer of security by allowing the user to retain sole possession of their private keys.

Looking Ahead

At Stalwart Labs, we're committed to your data protection and privacy. Encryption at Rest is a significant addition to our email security arsenal, and we're excited for you to start using it. For detailed information on Encryption at Rest and instructions on its use, please visit our updated documentation and FAQ.

Stay tuned for more updates, and happy mailing!

Unleashing Email Flexibility: Address Rewriting is now available

28 July 2023 at 07:00

Stalwart Mail Server continues its tradition of constant innovation and advancement with the release of version 0.3.2. Address rewriting has always been a highly requested feature, and we've delivered in a big way. The 0.3.2 update introduces sender and recipient address rewriting using both regular expressions and Sieve scripts. This means you now have the ability to manipulate and manage email addresses like never before, providing unparalleled flexibility in routing your emails.

But that's not all. We've also included support for subaddressing and catch-all addresses using regular expressions. This feature allows you to handle email addressing in more unique and sophisticated ways, aiding in spam management, and simplifying email routing to non-standard addresses.

Lastly, we've introduced dynamic variables in configuration rules. This allows you to use variables within settings that are resolved at runtime, further enhancing the flexibility and control you have over your mail server configuration.

This release is all about providing you with more control, adaptability, and management options for your email. We're incredibly excited to see how you will leverage these features to optimize your mail server. Upgrade to Stalwart Mail Server 0.3.2 and revolutionize the way you manage email addresses.
