Stalwart | Stalwart Blog

Introducing the Stalwart Support Portal

Thu, 07 May 2026 00:00:00 GMT

For most of the project’s life, support has happened wherever the community already was: GitHub Discussions for users following the repository, Discord and Matrix for real-time chat, and Reddit for the wider conversation. That worked well when the project was small. It does not scale.

As Stalwart has grown, we have started receiving hundreds of questions per day across these channels combined. A meaningful share of them have already been answered, sometimes more than once, on a different platform. Tracking four parallel inboxes, deduplicating threads, and making sure no one is left waiting has become a job we can no longer do reliably. The result is the opposite of what a support channel should produce: slower answers, repeated work for the people helping out, and good information buried in chat scrollback where the next person with the same question will never find it.

There is a second reason, raised by users themselves. Several community members have told us they would rather not open a GitHub or Discord account just to ask a question. That is a fair concern, and we agree that asking for help should not require signing up to a third-party platform that the user otherwise has no use for.

What the support portal is

support.stalw.art is a Discourse instance that we operate ourselves. It is hosted at Hetzner in their Germany datacenters and is GDPR-compliant, so the data stays in the EU and under European data protection law.

Discourse is open source, it indexes well, and it is built around the idea that a question and its answer should be permanent and findable. Threads are easy to link to, replies have stable URLs, and the search is good enough that the next user with the same problem has a real chance of finding the existing answer before opening a new topic. Over time, this should turn the portal into a knowledge base that the project actually owns, rather than one scattered across platforms we do not control.

Registration is open. You can sign in with the account you already use:

GitHub
Google
Discord
LinkedIn

Or, if you would rather not link an external account, you can register with any valid email address and a password. The choice is yours, and the experience inside the portal is the same either way.

What happens to the existing channels

GitHub Discussions, Discord, Matrix, and Reddit are not going away. They remain useful for casual chat, announcements, and community conversation, and we will continue to read them. What is changing is where support questions are answered: from now on, the canonical place to ask is support.stalw.art, and that is where our team’s attention will be focused. If you ask a support question on one of the chat channels, expect to be pointed at the portal so that the answer ends up somewhere durable.

Enterprise support

Enterprise customers with priority support will shortly receive an email with instructions for accessing the Priority Support area on the portal. Priority Support tickets stay private to your organization and to our team, with the response-time commitments that come with your subscription. Nothing changes about the support entitlement itself; the portal is simply where it now lives.

Looking forward

Thank you to everyone who has helped one another across the old channels over the years. The portal is built on top of that work, and we are looking forward to seeing the conversation continue in a place where it can finally accumulate.

Stalwart v0.16: A New Foundation

Mon, 20 Apr 2026 00:00:00 GMT

A Brand-New WebUI

The WebUI has been rewritten from the ground up. It has a refreshed, modern look, and it resolves a backlog of 76 enhancement requests and bug fixes that had accumulated over the years. If there was something you had been missing, there is a very good chance it is now there.

The most requested addition is also the most consequential: the new WebUI can authenticate against external OIDC providers. Signing in with Keycloak, Authentik, Authelia, Zitadel, or any other standards-compliant identity provider is now a first-class flow, with full support for audience and scope validation, group claims, and PKCE (RFC 7636) for public clients. This has been one of the most frequent community asks, and it is finally here.

Unified Management via JMAP and a New CLI

In previous releases, Stalwart was managed through a REST API that lived alongside its native JMAP interface. In v0.16, the REST API is gone. Every configuration and management action is now a JMAP object, reachable through the same /jmap endpoint that already serves email, calendars, contacts, and files.

The benefits of this change are hard to overstate. JMAP (RFC 8620) is a well-specified, transport-efficient protocol with first-class support for batch operations, push notifications, and fine-grained change tracking. In practice, this means dozens of configuration changes can be applied in a single round-trip, any JMAP client library can drive the management surface, and a single authentication flow covers both mail access and administration. Centralizing configuration inside the datastore as JMAP objects also removes an entire category of operator confusion: there is no longer a split between “settings in a file” and “settings in the database”, and in clustered deployments the configuration is consistent across every node by definition.

Alongside the WebUI, we also shipped a brand-new CLI. The new stalwart-cli is built on top of the same JMAP management API and can configure and administer every aspect of Stalwart. It is designed for day-to-day administration, scripted deployments, and infrastructure-as-code workflows. The stalwart-cli apply subcommand takes a declarative plan file and idempotently reconciles the live server state to match it, creating what is missing, updating what has changed, and removing what the plan no longer declares. This fits naturally with Ansible, Terraform, NixOS, and similar tooling, and follows the same pattern used by projects like CockroachDB, Consul, Elasticsearch, and HashiCorp Vault, where infrastructure-as-code tools target an API rather than a configuration file.

The new CLI is also a very pleasant surface for AI agents. Because every operation maps to a well-defined JMAP object with a clear schema, agents can discover capabilities, plan changes, and apply them idempotently without any bespoke integration work.

Automated DNS Management

In previous releases, Stalwart only managed the TXT records required for the ACME DNS-01 challenge. In v0.16, it can take care of every DNS record a modern mail and collaboration server needs: MX, TXT, CNAME, SRV, CAA, and TLSA. The server computes the records your deployment should be publishing and keeps them in sync with your DNS provider automatically.

This covers most of the authentication and discovery story out of the box. SPF, DKIM, and DMARC records are managed alongside autoconfig and autodiscover SRV records, CAA records for certificate issuance authorization (including the accounturi parameter for account-scoped issuance), and TLSA records for DANE. The TLSA records are automatically refreshed when ACME certificates are renewed, so DANE-enabled domains no longer risk a validation gap during certificate rotation.

On the provider side, v0.16 ships support for Route53, Google Cloud DNS, Bunny, Porkbun, DNSimple, and Spaceship, and also supports RFC 2136 dynamic updates signed with SIG(0) for operators running their own authoritative DNS.

Automated DKIM Rotation

DKIM key rotation is one of those tasks that everyone knows they should be doing, and almost nobody actually does, because it is tedious and easy to get wrong. In v0.16, Stalwart takes over the entire workflow. It can generate DKIM keys automatically, rotate them on a schedule, and publish the matching TXT records through the new DNS management layer so that the published keys always match the keys the server is signing with. DKIM keys are now stored in the database alongside the rest of the configuration, which means rotation works naturally in clustered deployments without any manual coordination.

Masked Emails

Masked emails are disposable, per-service email addresses that route to a user’s real inbox. Instead of handing out a primary address to every newsletter, shop, or forum, a user can generate a unique masked address for each one. If a service leaks its database or starts sending unwanted mail, the corresponding masked address can be disabled individually, without affecting anything else and without touching the user’s real address. It is one of the most effective privacy tools available today, and it integrates cleanly with the rest of the directory in Stalwart.

This feature is part of the Enterprise edition.

Security Enhancements

Security gets a substantial upgrade in v0.16. User passwords can now be checked against the zxcvbn strength estimator at set-time, so weak credentials never make it into the system in the first place. Passwords can also be given explicit expiration and rotation policies, and user accounts can be restricted to specific IP ranges so that an account is only usable from expected networks.

App passwords and API keys receive the same treatment, and then some. Both can now be scoped to a specific set of permissions rather than inheriting the full privileges of the owning account, which means a token used by a single IMAP client or a single automation script can be limited to exactly what it needs. Both also support human-readable labels, expiration dates, and IP address restrictions, so long-lived credentials can be audited, rotated, and confined without having to revoke them entirely.

Taken together, these features make the credentials surface of a Stalwart deployment dramatically easier to reason about and lock down.

Other Highlights

There are many other additions worth calling out. On the account configuration front, v0.16 implements the new Automatic Configuration of Email, Calendar, and Contact Server Settings draft, which is shaping up to replace the fragmented autoconfig and autodiscover mechanisms clients use today, and adds MS Autodiscover V2 support for environments that still rely on it.

The directory layer gains domain aliases, alias descriptions, the ability to disable aliases without deleting them, and, for the Enterprise edition, account archiving and un-deletion and per-domain directory backends. The ACME layer picks up the new DNS-PERSIST-01 challenge, on-demand certificate renewal, and a certificate detail view. Sieve scripts can now be deactivated without being deleted. Clustering is cleaner, with automatic node ID generation, unified cluster management, and a new outbound MTA role for dedicated queue nodes.

On top of all of this, dozens of bug fixes land across the directory, MTA, JMAP, IMAP, WebDAV, CalDAV, OIDC, and storage backends. If you have been tracking an issue, there is a good chance it is resolved in v0.16.

Upgrading

Because of the scope of the architectural changes, v0.16 is a major upgrade with multiple breaking changes. Please do not upgrade a production deployment without first reading the upgrading documentation in full. We also strongly recommend spinning up a fresh v0.16 instance in a container or throwaway VM first, getting comfortable with the new WebUI and CLI, and exporting any settings you build there as an apply plan to replay against production after the migration.

If any questions come up along the way, a dedicated discussion thread for the v0.16 upgrade is open at https://github.com/stalwartlabs/stalwart/discussions/3004. We will be following it closely.

This release has been in the making for over three months, and it represents one of the largest single steps forward in Stalwart’s history. Thank you to everyone who filed bugs, contributed code, tested pre-releases, and kept the conversation going in issues and discussions: v0.16 is very much your release too. We cannot wait to hear what you build with it.

Marginal Gains: Major Impact

Tue, 16 Dec 2025 00:00:00 GMT

Rethinking Spam Classification

Stalwart v0.14 (and earlier) included a spam classifier which was a direct port of the classifier used by Rspamd. This classifier is grounded in Bayesian theory and uses more advanced methods to combine probabilities, including sparse bigrams (OSB) and the inverse chi-square distribution. This approach is well understood and robust, particularly when training data is limited. It produces reasonable results quickly and has a long track record in production systems.

However, it comes with a significant cost in distributed environments. Both Rspamd and Stalwart v0.14 relied on OSB-5, which generates a very large number of features per message. Each of these features was stored in Redis. Even with aggressive caching, training or classifying a single message could involve hundreds or even thousands of round trips to Redis. At scale, this becomes a bottleneck: latency increases, throughput drops, and horizontal scaling becomes inefficient.

For v0.15, we went back to first principles and redesigned the spam classifier from scratch, guided by more recent research. We evaluated several models and ultimately settled on a logistic regression classifier trained using the FTRL-Proximal (Follow the Regularized Leader) algorithm. This algorithm—famously used by Google for large-scale online learning—is particularly well suited to spam classification workloads where models must be updated continuously and efficiently.

One immediate benefit of this approach is that Stalwart can now support collaborative filtering out of the box. Multiple users can benefit from a single shared classifier trained on aggregated data, dramatically improving accuracy in environments with many accounts. At the same time, individual users can still maintain their own personal classifiers trained solely on their own messages.

The new classifier also adopts feature hashing (often called the hashing trick) to keep the feature space compact and predictable. This significantly reduces memory usage and improves cache locality. For very large deployments, cuckoo feature hashing is available to further reduce hash collisions. If you are interested in the theoretical background, the original feature hashing paper is available at Feature Hashing for Large Scale Multitask Learning and the cuckoo feature hashing paper at Cuckoo Feature Hashing: Dynamic Weight Sharing for Sparse Analytics.

With the default configuration of 2²⁰ features, the entire model fits in approximately 4 MB of memory and is loaded only once after each training cycle. The result is a classifier that is both faster and more accurate than the previous version, particularly in distributed deployments where network overhead matters.

We also evaluated RetVec (Resilient and Efficient Text Vectorizer), the embedding technique used by Gmail. RetVec excels at generating compact semantic representations of email content, but it is primarily designed to feed neural networks and deep learning models. For now, logistic regression offers a better balance of simplicity, performance, and operational transparency. That said, we plan to ship a pre-trained RetVec model alongside BERT in a future release.

A Faster, Simpler Search Layer

Search is another area where small architectural choices have outsized effects. In Stalwart v0.15, the search layer has been substantially rewritten.

For deployments using PostgreSQL or MySQL, Stalwart now leverages the built-in full-text search capabilities of the database instead of relying on a custom implementation. This reduces complexity, improves query planning, and allows the database to do what it already does well.

We have also added support for Meilisearch, a lightweight, fast search engine with excellent performance characteristics and simple operational semantics. Meilisearch offers low-latency full-text search, typo tolerance, and efficient indexing, making it a good fit for many Stalwart deployments.

For large installations backed by FoundationDB, we plan to significantly improve the built-in search functionality by embedding Seekstorm. Until that work is complete, we recommend pairing FoundationDB with an external search engine such as OpenSearch or Meilisearch to achieve the best performance.

Faster Database Access and Leaner Storage

Stalwart v0.15 includes a number of optimizations to the database access layer. We have reduced the number of reads and writes required to store and retrieve messages, particularly along hot paths such as IMAP and JMAP access. The result is noticeably faster message retrieval and improved overall responsiveness under load.

In parallel, we revisited how email metadata is stored and reduced some serialization overhead. This lowers disk usage and improves cache efficiency, which again compounds into better performance at scale.

Individually, these changes are modest. Collectively, they make the system feel tighter and more predictable under real-world workloads.

Meet Us at FOSDEM 2026

We are excited to announce that Stalwart will be present at FOSDEM 2026 in Brussels, Belgium.

Our talk, Stalwart: Can Open Source do Gmail-scale Email?, builds naturally on the marginal gains theme. While v0.15 focuses on incremental improvements, the talk zooms out to the other end of the spectrum: what it takes to design and operate a truly large-scale email system.

Using a 1,024-node cluster as a concrete example, we will explore how modern providers store and index petabytes of messages, survive hardware failures without data loss, and run spam and phishing filtering across billions of daily deliveries. We will walk through the architectural patterns behind distributed storage, large-scale spam filtering, MTA queue management, and load balancing for IMAP, JMAP, and SMTP.

We will also discuss cluster coordination, orchestration, autoscaling, and how to reason about failure before it happens. The goal is to give attendees a practical understanding of how planet-scale email systems are built, and how those same principles can be applied using open-source technology.

If you are attending FOSDEM, we would love to meet you, answer questions, and talk about where Stalwart is heading next.

Looking Ahead

Stalwart v0.15 is a release shaped by the philosophy of marginal gains. There are no new flashy features, but there are dozens of small improvements that add up to something meaningful: faster spam classification, better scalability, simpler search, leaner storage, and more predictable performance.

If you are already running Stalwart, we encourage you to try v0.15 and let us know how it performs in your environment. Your feedback continues to guide where we focus next.

The team is already working on future releases that build on this foundation. With the core systems now leaner and more robust, we can continue to add new capabilities without compromising performance or reliability.

As with cycling, progress comes from steady, thoughtful refinement. Stalwart v0.15 is one more step in that direction.

JMAP for Calendars, Contacts and Files now in Stalwart

Wed, 22 Oct 2025 00:00:00 GMT

A New Generation of Protocols

Over the past few years, the IETF has been redefining how email, calendars, and contacts are synchronized and shared. Building upon the success of JMAP for Mail, several new protocol extensions have been introduced:

JMAP for Calendars - A modern replacement for CalDAV and CalDAV Scheduling.
JMAP for Contacts – A powerful alternative to CardDAV.
JMAP for File Storage – A replacement for WebDAV-based file storage.
JMAP Sharing – A modern successor to WebDAV ACL.
JSCalendar - A clean, JSON-based evolution of iCalendar.
JSContact – A modernized, JSON-native successor to vCard.

Together, these standards offer a cohesive and elegant ecosystem that replaces decades of fragmented WebDAV-based technologies.

Limitations of Yesterday’s Technology

WebDAV and its descendants — CalDAV, CardDAV, and related extensions — have served the Internet well. They are robust, widely adopted, and battle-tested. Yet, their XML-based design is notoriously verbose, inconsistent, and difficult to implement correctly. Information is scattered across HTTP headers, XML payloads, and even embedded iCalendar data, creating endless compatibility and interoperability challenges between clients and servers.

Similarly, iCalendar and vCard, while expressive and versatile, have accumulated decades of technical debt. They contain countless properties and parameters—many rarely used, some obsolete, and others inconsistently implemented across versions. This clutter has made both formats unwieldy and error-prone, often requiring complex parsing logic to handle edge cases.

JMAP: A Modern Solution for Modern Needs

The JMAP protocol was originally developed as a more efficient, modern replacement for IMAP and SMTP submissions. Its strengths lie in simplicity, clarity, and network efficiency — all built on top of JSON over HTTPS.

Now, with the introduction of JMAP for Calendars, Contacts, Files, and Sharing, the same design philosophy extends beyond email to the entire collaboration stack. These protocols deliver what DAV always aimed for but never quite achieved: a clean, uniform, and easily implementable API for all personal and group data — mail, calendars, contacts, files, and shared resources.

Meanwhile, JSCalendar and JSContact reimagine iCalendar and vCard as elegant JSON-based formats. They strip away decades of accumulated cruft, unify representations, and offer a clear, unambiguous, and expressive data model. Both are human-readable, developer-friendly, and efficient to parse — a perfect fit for modern applications.

Together, JMAP and these new data models make calendaring, contact management, and file sharing not only easier to implement but also faster and more reliable.

Why This Matters

This release represents more than new features — it marks a shift in how groupware protocols are designed and implemented. For the first time, developers and organizations can build on a single, coherent, JSON-based framework for mail, contacts, calendars, and shared resources.

We believe this will revolutionize calendaring and collaboration. Implementations will become easier, interoperability issues will decrease, and innovation will accelerate. The simplicity and predictability of JMAP empower both clients and servers to focus on features and user experience, not protocol gymnastics.

Client Support and Ecosystem

As Stalwart is the first complete JMAP server to support these new protocols, client support is still emerging. However, we’re excited to share that several projects are already working to adopt these new standards. Mailtemi and OpenCloud are actively developing client-side implementations for JMAP Calendars, Contacts, and File Storage. The ecosystem is growing, and we expect rapid adoption as developers experience the elegance and power of JMAP firsthand.

A Word of Thanks

We would like to express our sincere gratitude to NLNet for supporting the development of these features through the NGI Zero grant program. Their commitment to open standards and privacy-respecting technology continues to make projects like Stalwart possible.

Looking Ahead to 1.0.0

After four years of dedicated development, we’re proud to announce that Stalwart is now feature complete. With this milestone, all the core capabilities of a modern mail and collaboration server are fully implemented.

That said, our work is far from over. We are now focusing on finalizing the database schema, improving performance, and addressing the hundreds of enhancement requests on GitHub. Our goal is to deliver a stable 1.0.0 release within the next few months — one that sets a new standard for open, efficient, and modern communication servers.

Stalwart is now the most complete, elegant, and forward-looking JMAP collaboration platform available.

And this is only the beginning.

Security at the Core: Stalwart completes Second Security Audit

Tue, 07 Oct 2025 00:00:00 GMT

Comprehensive Assessment

The audit, conducted between September 9 and September 25, 2025, focused on version v0.13.2 of Stalwart mail and collaboration server. The goal was clear: rigorously evaluate the security posture of the platform, identify potential vulnerabilities, and ensure our defenses are as strong as possible.

The penetration test followed a “crystal-box” methodology, combining source code review with targeted exploitation attempts. This included testing against the latest OWASP Top 10 risks, analyzing protocol implementations, and probing external interfaces — the most exposed and therefore most critical components of the system.

Findings

The audit uncovered a total of seven security issues: two high-severity vulnerabilities and five low-severity issues. All but one minor issue were promptly addressed.

The most significant findings involved Denial-of-Service (DoS) vulnerabilities:

CVE-2025-59045 — Memory Exhaustion via CalDAV REPORT: A crafted CalDAV request could trigger unbounded memory usage, potentially crashing the server.
CVE-2025-61600 — Unbounded Buffer Growth in IMAP Parser: A flaw in the IMAP protocol parser could allow an attacker — even without authentication — to cause memory exhaustion.

Both of these high-severity vulnerabilities were resolved within four hours of disclosure, underscoring our team’s rapid response capability and deep focus on platform resilience. Patches were released in versions v0.13.3 and v0.13.4, and the issues have been assigned CVE-2025-59045 and CVE-2025-61600, respectively.

Among the lower-severity findings were issues related to RFC compliance in email parsing, permission checks, and quota enforcement. These were addressed swiftly as well, with most fixes included in v0.13.4. One low-severity race condition related to disk quotas (TOCTOU) remains partially mitigated; however, its practical impact is limited due to built-in concurrency controls.

For those who would like a deep dive into the audit’s findings, the full report is accessible here.

Our Commitment to Security

The final report praised Stalwart’s codebase as robust, well-architected, and cleanly compartmentalized, with memory safety ensured by Rust and attacker-aware design principles evident throughout. At the same time, the audit highlighted that our “build everything in-house” philosophy — while a strength — requires careful attention to detail, particularly in protocol parsing and input handling.

Security is never a one-time checkbox — it’s an ongoing process. That’s why regular audits like this one are an integral part of how we develop Stalwart. As our platform evolves, so does our approach to safeguarding it.

We’re proud of how quickly and effectively our team responded to the findings of this audit, and we remain committed to maintaining transparency and trust with our users and the broader open-source community.

Stalwart Joins GitHub's Open Source Secure Fund

Mon, 11 Aug 2025 00:00:00 GMT

About GitHub’s OSSF

GitHub launched the Open Source Secure Fund in November 2024 as a comprehensive initiative to strengthen security across the software supply chain. The program represents a strategic approach to open source security that goes far beyond simple financial support. Instead of merely providing funding, the initiative creates a structured pathway for maintainers to develop deep security expertise while building lasting connections within a community of security-focused developers.

The fund operates on a model that combines immediate intensive training with long-term support and accountability. Each session consists of a three-week sprint, delivered by security experts from GitHub and their partners through the GitHub Security Lab. However, the relationship extends far beyond these initial weeks, with participants receiving ongoing support and resources throughout a full twelve-month engagement period.

What makes this program particularly valuable is its emphasis on community building and ongoing support. Participants gain access to a specialized security-focused community and regular office hours with the GitHub Security Lab throughout the entire twelve-month period. This extended engagement ensures that the security improvements initiated during the sprint continue to evolve and mature over time.

Our Experience

The training component of our participation concluded six weeks ago, and we can confidently say it provided valuable insights that have already begun to shape Stalwart’s security posture. The comprehensive nature of the program allowed us to step back and evaluate our security practices from multiple perspectives, leading to concrete improvements in our security infrastructure.

One of the most significant outcomes of our participation has been the development of a comprehensive Incident Response Plan specifically tailored to Stalwart’s architecture and user base. This plan establishes clear protocols for identifying, containing, and resolving security incidents while maintaining transparency with our community. Having a well-defined incident response strategy is crucial for any mail server software, given the sensitive nature of email communications and the potential impact of security breaches.

Additionally, we’ve substantially enhanced our existing Security Policy, incorporating lessons learned from the GitHub training and feedback from security experts. This updated policy provides clearer guidelines for security researchers, establishes more robust vulnerability disclosure procedures, and outlines our commitment to maintaining security standards throughout Stalwart’s development lifecycle.

The training also introduced us to various security concepts and tools, including an introduction to fuzzing techniques for discovering potential vulnerabilities. However, the Rust programming language’s memory safety guarantees and the security-conscious culture of the Rust community mean that many of the security recommendations from the GitHub program were already implemented in Stalwart’s codebase. This validation from security experts reinforced our choice of Rust as the foundation for Stalwart and highlighted the proactive security feedback we’ve received from the broader Rust ecosystem.

Leveraging Azure Credits

While the GitHub funding provides important financial support for the project, we’re particularly excited about the $100,000 in Azure credits that accompany our participation in the program. These credits represent an unprecedented opportunity to conduct large-scale testing and optimization of Stalwart’s performance and security characteristics.

We plan to use these Azure credits to deploy Stalwart across a massive cluster configuration, enabling us to generate millions of concurrent connections and simulate real-world load scenarios that would be impossible to replicate in smaller testing environments. This extensive testing will focus on three critical areas that are essential for any mail server infrastructure.

First, we’ll conduct comprehensive performance testing to identify and resolve bottlenecks that might emerge under extreme load conditions. Email servers must handle varying loads gracefully, from quiet periods to sudden spikes in activity, and this testing will help us optimize Stalwart’s resource utilization and response times across all scenarios.

Second, we’ll focus extensively on scalability improvements, ensuring that Stalwart can grow seamlessly from small deployments to enterprise-scale installations. Understanding how different components interact and potentially conflict under high-load conditions will enable us to make architectural improvements that benefit all users, regardless of their deployment size.

Finally, and perhaps most importantly for security, we’ll conduct thorough resilience testing against various types of Denial of Service (DoS) attacks. Mail servers are frequent targets for such attacks, and having the ability to simulate these scenarios in a controlled environment will allow us to implement and verify defensive mechanisms that protect real deployments. The insights gained from this testing will be invaluable for administrators who need to deploy Stalwart in security-conscious environments.

Ongoing Security Audit

Our commitment to security extends beyond the GitHub program, as evidenced by our current engagement with Radically Open Security for a comprehensive second security audit of Stalwart. This audit represents a significant milestone in our security journey, coming approximately two years after our first security audit conducted on October 7, 2023.

The timing of this second audit is particularly important because Stalwart has evolved considerably since that initial security review. New features have been added, performance optimizations have been implemented, and the overall architecture has matured significantly. A fresh security perspective is essential to ensure that these improvements haven’t introduced new vulnerabilities and that our security posture has kept pace with the software’s development.

Radically Open Security brings extensive experience in open source security auditing, and their thorough approach will provide valuable insights into Stalwart’s current security status. This audit is being financed through a grant from NLNet, demonstrating the broader open source community’s investment in Stalwart’s security and reliability.

We expect to release the complete results of this security audit soon, continuing our commitment to transparency and community trust. The combination of the GitHub security training, the ongoing Azure-powered testing, and this comprehensive security audit represents a multi-faceted approach to security that reflects the importance we place on protecting our users’ communications and data.

Acknowledgments

We want to take a moment to express our sincere thanks to GitHub for selecting Stalwart to participate in the Open Source Secure Fund and for providing us with the training and resources that will help strengthen the security of our project. We also want to extend our gratitude to Zerodha for referring Stalwart to be part of GitHub’s OSSF Session 2. Their support has been invaluable, and we look forward to continuing this journey of growth and improvement with their help.

Stalwart is committed to providing secure and reliable mail and collaboration services, and with the backing of the GitHub OSSF and the ongoing work of our team, we are confident that we can continue to meet and exceed the expectations of our users.

Thank you for your continued support!

Introducing Virtual Queues and Strategy-Driven Delivery in Stalwart MTA

Tue, 15 Jul 2025 00:00:00 GMT

Smarter Queueing with Virtual Queues

To solve this, we’ve introduced virtual queues—a powerful feature that allows administrators to define separate, independently managed delivery queues for different categories of mail.

Each virtual queue operates with its own set of delivery threads, giving you control over how system resources are allocated. Messages can now be segmented by message type, source, priority, recipient domain, or any other attribute, and assigned to different queues with tailored delivery policies.

For example, you can isolate system-generated messages such as DSNs or reports into low-concurrency queues, while prioritizing user-facing transactional mail in high-capacity queues—ensuring the latter is never blocked or delayed by the former.

Strategy-Driven Delivery

At the core of this system is a strategy-based architecture that governs how messages are handled from the moment they’re queued to the point of delivery. These strategies are dynamically evaluated per recipient and control four key aspects of delivery:

Scheduling Strategy: Determines which virtual queue to use, how frequently to retry failed deliveries, when to notify the sender of delays, and when to give up and bounce a message.
Routing Strategy: Controls whether a message should be delivered locally, via MX resolution, or relayed through a smart host.
Connection Strategy: Defines connection parameters such as the source IP address, EHLO hostname, and SMTP timeouts.
TLS Strategy: Enforces transport-layer security policies, including STARTTLS behavior and support for MTA-STS and DANE.

All of these strategies are defined through expressions that can evaluate runtime variables like the sender, recipient, message size, source classification, and more. This enables extremely granular control over delivery logic, with different strategies dynamically assigned to different recipients within the same message.

With this enhancement, Stalwart now gives you the tools to build highly customized delivery workflows. You can throttle or isolate problematic traffic, prioritize VIP clients, set domain-specific retry policies, and fine-tune your system for performance, reliability, and security—all with a simple and transparent configuration model.

MTA Hooks: Moving Toward Standardization

For those not already familiar, MTA Hooks is a modern alternative to the legacy Milter protocol originally developed for Sendmail. Milter has long served as a way to inspect, modify, or reject messages during the SMTP transaction, but its binary format and low-level implementation have made it difficult to work with and integrate into modern systems.

MTA Hooks, introduced by Stalwart Labs some years ago, was designed to solve these problems with a cleaner, more accessible approach. Instead of relying on obscure binary protocols, MTA Hooks uses HTTP and a human-readable JSON schema, making it easy for administrators and developers to write filters in any language, debug behavior transparently, and integrate with modern infrastructure.

Using MTA Hooks, it’s possible to intercept, inspect, and alter any part of the SMTP transaction—whether that’s rejecting mail during RCPT TO, modifying headers after DATA, or applying policy logic during message queuing. Many users are already using MTA Hooks in production for a wide range of use cases, from spam filtering and data leak prevention to routing logic and outbound content policy enforcement.

Now, we’re excited to share that Stalwart Labs will begin the process of standardizing MTA Hooks with the broader email community.

We’ll be presenting the protocol at IETF 123 in Madrid, where we plan to engage with the mailmaint working group to start formal discussions around standardization. Our goal is to make MTA Hooks an open, community-driven specification—so it can serve as a modern, interoperable alternative to Milter for the entire mail ecosystem.

If you’re attending IETF 123 and would like to connect with us about this effort, we welcome your input. Please reach out through any of our official channels or come speak with us during the event. Whether you’re an MTA developer, operator, or interested party, we’d love to hear your perspective.

Looking Ahead

Stalwart is evolving rapidly, and this release represents a major step forward in performance, flexibility, and modern protocol design. As always, we’re grateful to our community for your feedback and support. We look forward to seeing what you build with these new capabilities.

Stay tuned for more updates—and see you in Madrid!

The Future of Stalwart: Webmail, Roadmap, and Beyond

Fri, 20 Jun 2025 00:00:00 GMT

Almost exactly one year later, on September 17th, 2022, we proudly released version 0.1, initially known as the Stalwart JMAP server. From that initial launch, we’ve continuously expanded Stalwart’s capabilities, consistently introducing valuable new features. Just last month, we celebrated a major milestone by transforming Stalwart from solely a mail server into a comprehensive mail and collaboration server. This significant update brought CalDAV, CardDAV, and WebDAV support, positioning Stalwart as the open-source mail and collaboration server with the most extensive feature set available today—even compared to many commercial solutions.

Despite these significant advancements and the existing web-based administration interface that includes essential self-service capabilities, we’ve noticed one prominent request from our community: a built-in webmail client. Many of you have been eagerly asking whether we plan to offer this feature. Today, we’re excited to share with you that yes, a dedicated Stalwart Webmail is indeed in our plans—but it’s not currently our immediate priority.

Our roadmap for the remainder of 2025 is already well-defined. We will first release JMAP support for Calendars, Contacts, and File Storage, which will further strengthen Stalwart’s position as a powerful collaborative tool. Immediately following these updates, our main focus will shift to preparing for our much-anticipated version 1.0 release.

Although Stalwart is already being confidently used in production environments globally, version 1.0 marks an essential milestone. It signifies that we’ve finalized our database schema—no more daunting database migrations!—ensuring stability for long-term users. Unless an entirely new protocol surpassing email emerges (who knows?), our database schema will remain stable and optimized. Moreover, this version will involve a comprehensive performance optimization initiative. Every line of our code was initially written with speed and efficiency in mind, yet there are still critical areas we believe can be further improved. By systematically benchmarking critical code paths, we’re confident we’ll find opportunities to make Stalwart even faster and more efficient.

Post version 1.0, our commitment remains firm: Stalwart will remain lean and specialized. While our GitHub issue tracker proudly showcases numerous exciting enhancement requests, rest assured we won’t lose sight of our core mission. Our primary goal is to continue being the absolute best in JMAP, IMAP, POP3, SMTP, and WebDAV protocols—nothing more, nothing less. We strive to avoid becoming a proverbial jack-of-all-trades, instead remaining focused and exceptional at our core competencies.

As for the much-requested Webmail, once we’ve achieved the critical milestone of version 1.0, we plan to start its development—most likely sometime in 2026. We’ll be building a Single Page Application (SPA) using Rust and the Dioxus framework. Dioxus is quite distinct from more popular frameworks like React, meaning many necessary UI components still don’t exist. Consequently, we’ll likely spend considerable time contributing directly to the Dioxus ecosystem, expanding available components and features.

Now, you might ask, “Why not simply use React or another established framework?” Well, humorously and earnestly, at Stalwart, we operate by an unofficial motto: “Aut Rust aut nihil,” meaning “Either Rust or nothing.” We’re committed to Rust because we truly believe it’s the best language for creating secure, reliable, and performant software—even if this approach means occasionally delaying releases by a few months.

In the meantime, while our webmail is in development, we highly recommend using alternative webmail solutions that integrate smoothly with Stalwart. Some choices include Roundcube, SnappyMail, SoGo, or TMail Web—which notably supports the JMAP protocol.

We’re grateful for your continued support and patience as we steadily build toward a fully integrated Stalwart experience. Stay tuned, and thank you for being part of this exciting journey!

Introducing Calendars, Contacts and Files in Stalwart

Mon, 26 May 2025 00:00:00 GMT

Calendars, Contacts & Files – All in One Place

With v0.12, you no longer need to integrate third-party groupware solutions or run parallel systems to support collaboration. Stalwart now includes first-class support for CalDAV calendars, CardDAV contacts, and WebDAV-based file storage. This means users can manage their events, address books, and documents through any standards-compliant client, seamlessly connected to the same backend that handles their email.

Shared resources such as group calendars, shared address books, and team-accessible file folders are also fully supported, providing a robust foundation for collaboration without the need for external software or services. And, to support flexible collaboration, Stalwart includes full support for the WebDAV Access Control List (ACL) extension, enabling detailed, per-user and per-group permission management.

Improved Spam Filtering

Another thoughtful addition in this release is the integration of the spam filter with users’ personal address books. Messages from known or trusted contacts are now far less likely to be incorrectly flagged as spam. And if a legitimate message does get misclassified, the system automatically trains the Bayesian classifier to treat future similar messages as legitimate, improving accuracy over time without additional user intervention.

Performance Enhancements

Under the hood, Stalwart v0.12 introduces several key performance optimizations designed especially for large, multi-node environments. One of the most impactful changes is the introduction of incremental caching: Stalwart now keeps account metadata in memory and only fetches updates when something changes in the database. This significantly reduces load and speeds up response times.

Another major enhancement is the use of zero-copy deserialization. This means Stalwart can read data directly from memory buffers without copying it into new structures, lowering CPU usage and improving throughput. Combined with optimizations that reduce the number of required database queries for common operations, these changes result in a leaner, faster backend that scales much more efficiently.

While these gains may not be noticeable in smaller setups, larger clusters and high-volume deployments will see noticeable performance improvements.

Smarter and Faster Clustering

We’ve also made big strides in cluster coordination. Previously, Stalwart relied on a UDP-based gossip protocol that performed well but didn’t scale ideally under heavy workloads. With v0.12, cluster behavior is now adaptable based on deployment size.

In small deployments, Stalwart uses Eclipse Zenoh, a lightweight and efficient peer-to-peer pub/sub protocol. For larger infrastructures, you can now choose from robust, scalable backends like Apache Kafka, Redpanda, NATS, or Redis for handling inter-node coordination, state synchronization, and workload distribution.

Looking Ahead: What’s Next?

With Stalwart v0.12, we’re delivering more than just features—we’re delivering freedom from fragmented infrastructure. No more patching together third-party services to get the basics of collaboration working. Now, everything—email, calendars, contacts, files, and sharing—lives in a single, efficient, and secure system.

While v0.12 is a major leap forward, we’re already preparing additional enhancements for the next point release. In v0.12.1, you can expect support for CalDAV Scheduling (RFC 6638), enabling automatic meeting invitations and attendee responses. We’re also adding support for event notification alerts via email, so users are always aware of upcoming events, even if they’re not logged into their calendars.

Additionally, in the coming months, we will be releasing support for the JMAP for Calendars, JMAP for Contacts, and JMAP for File Storage extensions. JMAP offers a modern, efficient, and JSON-based alternative to legacy protocols, making it faster and easier to develop responsive, real-time collaboration tools. These additions will further streamline the user experience and reduce bandwidth and processing overhead across client-server interactions.

Thank you to everyone who contributed feedback, suggestions, and encouragement. We can’t wait to hear what you build with this release—and we’re just getting started.

Stalwart Receives NLNet Grant to Build Collaboration Server

Fri, 21 Mar 2025 00:00:00 GMT

Expanding the Vision: From Email to Collaboration

Stalwart Mail Server was created to address the challenges of self-hosting email by offering a secure, easy-to-maintain, and high-performance solution. With native support for JMAP, IMAP4, POP3, and SMTP, it already serves as a powerful alternative to traditional email solutions, giving individuals and organizations full control over their email systems.

With the help of this new grant, we are now expanding the Stalwart platform beyond email. Development is officially underway on the Stalwart Collaboration Server, a new component that will integrate seamlessly with Stalwart Mail Server. This addition will provide support for calendaring through CalDAV and JMAP for Calendars, contact management using CardDAV and JMAP for Contacts, and file storage and sharing using WebDAV and JMAP for File Management. Together, these features will form the foundation of a fully integrated, open-source collaboration suite.

Our goal is to offer a privacy-focused, vendor-neutral alternative to platforms like Microsoft Exchange. By consolidating email, calendar, contacts, and file sharing into one unified system, Stalwart will give users the ability to self-host their entire collaboration stack without sacrificing modern functionality, scalability, or security.

What the Grant Will Fund

The new funding will support a series of developments that will be released gradually throughout the year under the AGPL-3.0 license:

A full-featured CalDAV and CardDAV server will be implemented, allowing users to manage their calendars and contacts directly within Stalwart. This means there will be no need to rely on external software to provide these functions. Users will be able to keep all of their collaboration data in one place, within a single, tightly integrated platform.
In addition, we will extend Stalwart’s existing JMAP implementation to support JMAP for Calendars and JMAP for Contacts. This will involve developing parsers for JSCalendar and JSContact, as well as creating bidirectional converters between JSCalendar and iCalendar, and JSContact and vCard.
File storage and management will also become a first-class feature of the platform. A WebDAV-based file storage system will be built on top of Stalwart’s internal blob store. Alongside this, we will implement support for JMAP for File Management, allowing users to upload, organize, and share files using either standard WebDAV clients or JMAP-based applications. The JMAP support will align with the ongoing efforts to standardize file management within the JMAP ecosystem.
Finally, the grant will fund the implementation of the three most requested features by the Stalwart community. These include support for the IMAP XAPPLEPUSHSERVICE extension, which enables push notifications on iOS devices; automatic DKIM record updates via RFC2136, making it easier to manage DNS records dynamically; and support for exporting Maildir mailboxes with nested folders, improving compatibility and backup workflows.

Acknowledgements

We would like to express our sincere thanks to the NLnet Foundation and the European Commission for making this work possible. The project is funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology, as part of grant agreement No. 101092990.

This support plays a vital role in advancing open-source infrastructure and helps ensure that secure, decentralized alternatives remain viable and accessible to everyone.

Looking Ahead

As we roll out these new features throughout the year, we remain committed to the core values that drive Stalwart’s development: privacy, performance, transparency, and user empowerment. The Stalwart Collaboration Server will transform the platform into a comprehensive, modern collaboration suite — one that is open, scalable, and fully self-hosted.

We look forward to sharing more progress soon. In the meantime, we invite developers, testers, and curious users to follow our work, contribute ideas, and help shape the future of self-hosted collaboration.

Stay tuned, and thank you for your continued support.

OpenID Connect Integration is now Open Source

Fri, 31 Jan 2025 00:00:00 GMT

Why is Stalwart Not 100% Free?

At Stalwart Labs, our goal is to provide a robust and feature-rich mail server solution. However, sustaining long-term development for a project of this scale requires significant financial resources. At present, open-source sponsorships alone do not generate sufficient funding to cover these costs entirely.

To ensure that Stalwart Mail Server continues to evolve and improve, we offer a paid Enterprise version. Revenue from Enterprise subscriptions allows our team to dedicate full-time efforts to development, ensuring the continuous enhancement of both the open-source and paid versions. This funding model allows us to introduce new features while maintaining the high standards that make Stalwart Mail Server a leading solution in the industry.

Furthermore, the existence of an Enterprise edition directly benefits the open-source community. By sustaining active development, we can periodically release new features into the open-source version, as we have done with third-party OIDC support. It is worth noting that even the community edition of Stalwart Mail Server already provides more features than any other open-source or commercial mail server available today. We are dedicated to maintaining and expanding this competitive edge.

If you would like to support open-source development and help accelerate the release of additional features as open-source, we invite you to become a sponsor. Your sponsorship plays a vital role in the project’s sustainability and future growth. Thank you for your support and understanding.

Join Us at FOSDEM 2025

To learn more about Stalwart Mail Server and its latest developments, we invite you to watch our talk at FOSDEM 2025. The session will take place tomorrow, Saturday, February 1st, at 12:00 PM Central European Time in Brussels. If you cannot attend in person, you can follow the presentation online at fosdem.org.

We look forward to sharing more about the project and engaging with the community at this exciting event!

Goodbye Spam: Introducing Faster, Smarter Spam Filtering

Mon, 06 Jan 2025 00:00:00 GMT

A Faster, Smarter Spam Filter

In earlier versions of Stalwart Mail Server, the spam filter was implemented as a Sieve script. This design choice was inspired by platforms like Rspamd, which use scripting languages like Lua to allow customizations. However, over time, we identified two key challenges with this approach. First, because it was an interpreted script, the spam filter’s performance was slightly slower than we’d like. Second, many users found it complicated to update the script when adding custom rules or configuring custom DNSBL (Domain Name System Blocklist) servers.

To address these issues, we rewrote the spam filter entirely in Rust. The result is a system that is five times faster than before, delivering superior performance while keeping resource usage minimal. Moreover, defining new rules or adding DNSBL servers is now as simple as editing the configuration file—no scripting expertise required. This shift eliminates complexity while maintaining the high level of customization our users expect. For those who still need advanced control, Stalwart continues to support custom Sieve scripts and expressions, ensuring maximum flexibility.

Enhanced Training

One of the most requested features we’ve added is the ability for end users to train their own spam filter Bayesian model. Now, users can customize their spam filtering by simply moving messages to and from the “Junk Mail” folder or by adding and removing the $Junk flag. This personalized approach allows each account to maintain its own tailored spam filter, providing greater accuracy and user satisfaction.

Improved Performance

This update isn’t just about the spam filter. We’ve also made broader performance enhancements to Stalwart Mail Server. Previously, we relied on LRU (Least Recently Used) caches. With this release, we’ve switched to scan-resistant S3-FIFO caches, offering better performance under heavy workloads. Additionally, we’ve optimized Stalwart’s handling of large distributed SMTP queues, ensuring smoother operation in clustered environments. These changes make Stalwart even more capable of handling demanding enterprise setups.

Meet Us at FOSDEM’25

We’re thrilled to announce that Stalwart Mail Server will be featured at FOSDEM’25! Join us on February 1st at 12:00 PM in Brussels, where we’ll showcase these new features and share insights into what’s coming next for Stalwart. This is a fantastic opportunity to connect with our team, ask questions, and explore how Stalwart can power your email infrastructure.

Upgrade Today

These improvements are available now, and we’re confident they’ll make a big difference for administrators and users alike. Whether you’re drawn to the speed of the new spam filter, the enhanced training capabilities, or the overall performance boosts, this update is designed to help you get the most out of Stalwart Mail Server.

As always, thank you for choosing Stalwart. We’re committed to delivering a reliable, feature-rich email server that evolves with your needs. Here’s to a productive and spam-free 2025!

Diagnose and Resolve Email Issues Faster

Wed, 04 Dec 2024 00:00:00 GMT

Advanced Troubleshooting

One of the key highlights of version 0.10.7 is the addition of comprehensive troubleshooting tools designed to help administrators diagnose and resolve email delivery and DMARC-related issues more efficiently.

The email delivery troubleshooting tool provides a step-by-step simulation of the email delivery process. Accessible through the Webadmin interface under Manage -> Troubleshoot -> Email Delivery, this tool allows administrators to test delivery paths for any email address or domain. It performs critical tasks like resolving MX records, retrieving IP addresses, validating MTA-STS and DANE policies, upgrading the connection to TLS, and verifying recipient availability. Importantly, this tool does not send actual emails but offers a detailed analysis of the delivery pipeline, displaying each step in real-time and flagging any issues that arise. This ensures that administrators can identify and address problems before they impact actual email traffic.

The DMARC troubleshooting tool is another powerful addition. Located under Manage -> Troubleshoot -> DMARC, it enables administrators to verify the DMARC setup for both local and remote domains. By simulating the server’s authentication process, this tool checks SPF, DKIM, ARC, and DMARC policies while also verifying that the reverse PTR matches the SPF EHLO hostname. Administrators can input details such as the sender address, server IP, EHLO hostname, and optionally, the message body for detailed DKIM and ARC testing. This comprehensive tool mirrors the checks Stalwart performs when receiving emails, making it easier to identify and resolve policy compliance issues.

External Recipients

Another significant enhancement in version 0.10.7 is the ability to add external recipients to mailing lists. In previous versions, mailing lists were restricted to local recipients, limiting their flexibility. With this update, administrators can now include recipients from external domains in mailing lists, enabling broader collaboration and more versatile email distribution. This change reflects our commitment to making Stalwart Mail Server more adaptable to the diverse needs of our users.

Azure Blob Storage

In addition to the major feature updates, Stalwart Mail Server 0.10.7 introduces support for storing emails and blobs on Azure Blob Storage. This new capability provides users with greater flexibility in managing their data storage, especially for organizations already leveraging Azure’s robust cloud infrastructure. The release also includes a range of minor fixes to improve overall stability and performance.

Looking Ahead

As we celebrate the release of version 0.10.7, we are already working on the next major feature: faster and improved spam filtering. This enhancement, another highly requested feature, will bring more effective tools to combat unwanted emails while ensuring legitimate messages are processed efficiently. We are eager to share more details in the coming weeks.

Shape the Future

Stalwart Mail Server continues to evolve based on feedback from our community. New features and improvements are implemented in the order of the votes they receive, ensuring that development aligns with the needs of our users. We invite you to visit our GitHub page to review the current list of enhancement requests and vote for the features you would like to see implemented next. You can find the list at GitHub Enhancement Requests.

Thank you for your ongoing support and feedback, which are instrumental in shaping Stalwart Mail Server into the reliable, user-focused solution it is today. We look forward to hearing your thoughts on version 0.10.7 and what you’d like to see in future releases!

Revolutionize Your Email Workflow with AI

Mon, 07 Oct 2024 00:00:00 GMT

Unlocking the Power of AI

With the introduction of AI model integration, Stalwart Mail Server can now analyze email content more deeply than traditional filters ever could. For instance, in the realm of spam filtering and threat detection, AI models are highly effective at identifying patterns and detecting malicious or unsolicited content. The system works by analyzing both the subject and body of incoming emails through the lens of an LLM, providing more accurate detection and filtering.

In addition to bolstering security, AI integration enhances email classification. By configuring customized prompts, administrators can instruct AI models to categorize emails based on their content, leading to more precise filtering and organization. This is particularly useful for enterprises managing a high volume of messages that span various topics and departments, as AI-driven filters can quickly and intelligently sort messages into categories like marketing, personal correspondence, or work-related discussions.

The flexibility of using either self-hosted or cloud-based AI models means that Stalwart can be tailored to your infrastructure and performance needs. Self-hosting AI models ensures full control over data and privacy, while cloud-based models offer ease of setup and access to highly optimized, continuously updated language models.

LLMs in Sieve Scripts

One of the most exciting features of this release is the ability for users and administrators to access AI models directly from Sieve scripts. Stalwart extends the Sieve scripting language by introducing the llm_prompt function, which allows users to send prompts and email content to the AI model for advanced processing.

For example, the following Sieve script demonstrates how an AI model can be used to classify emails into specific folders based on the content:

require ["fileinto", "vnd.stalwart.expressions"];

# Base prompt for email classification
let "prompt" '''You are an AI assistant tasked with classifying personal emails into specific folders.
Your job is to analyze the email's subject and body, then determine the most appropriate folder for filing.
Use only the folder names provided in your response.
If the category is not clear, respond with "Inbox".

Classification Rules:
- Family:
   * File here if the message is signed by a Doe family member
   * The recipient's name is John Doe
- Cycling:
   * File here if the message is related to cycling
   * File here if the message mentions the term "MAMIL"
- Work:
   * File here if the message mentions "Dunder Mifflin Paper Company, Inc." or any part of this name
   * File here if the message is related to paper supplies
   * Only classify as Work if it seems to be part of an existing sales thread or directly related to the company's operations
- Junk Mail:
   * File here if the message is trying to sell something and is not work-related
   * Remember that John lives a minimalistic lifestyle and is not interested in purchasing items
- Inbox:
   * Use this if the message doesn't clearly fit into any of the above categories

Analyze the following email and respond with only one of these folder names: Family, Cycling, Work, Junk Mail, or Inbox.
''';

# Prepare the base Subject and Body
let "subject" "thread_name(header.subject)";
let "body" "body.to_text";

# Send the prompt, subject, and body to the AI model
let "llm_response" "llm_prompt('gpt-4', prompt + '\n\nSubject: ' + subject + '\n\n' + body, 0.6)";

# Set the folder name
if eval "contains(['Family', 'Cycling', 'Work', 'Junk Mail'], llm_response)" {
    fileinto "${llm_response}";
}

This example demonstrates how the llm_prompt function can be used to classify emails into different categories such as Family, Cycling, Work, or Junk Mail based on the content. The AI model analyzes the message’s subject and body according to the classification rules defined in the prompt and returns the most appropriate folder name. The email is then automatically filed into the correct folder, making it easier to organize incoming messages based on their content.

Self-Hosted or Cloud-Based

With this new feature, Stalwart Mail Server allows for seamless integration with both self-hosted and cloud-based AI models. If you prefer full control over your infrastructure, you can opt to deploy models on your own hardware using solutions like LocalAI. Self-hosting gives you complete ownership over your data and ensures compliance with privacy policies, but it may require significant computational resources, such as GPU acceleration, to maintain high performance.

Alternatively, you can integrate with cloud-based AI providers like OpenAI or Anthropic, which offer access to powerful, pretrained models with minimal setup. Cloud-based models provide cutting-edge language processing capabilities, but you should be aware of potential costs, as these providers typically charge based on the number of tokens processed. Whether you choose self-hosted or cloud-based models, Stalwart gives you the flexibility to tailor the AI integration to your specific needs.

Available for Enterprise Users and Sponsors

This exciting AI integration feature is exclusively available for Enterprise Edition users as well as GitHub and OpenCollective monthly sponsors. If you want to harness the full potential of AI-powered email processing in Stalwart Mail Server, upgrading to the Enterprise Edition or becoming a sponsor is a great way to access this feature and other advanced capabilities.

Try It Out Today!

The release of Stalwart Mail Server v0.10.3 marks a major milestone in our journey toward building intelligent, highly customizable email management solutions. By combining traditional email filtering with the power of LLMs, Stalwart gives you the tools to take your email infrastructure to the next level, enhancing security, organization, and automation in ways that were previously impossible. We’re excited to see how you’ll use this new feature to optimize your email workflows!

OpenID Connect - Secure Authentication Just Got Easier

Wed, 02 Oct 2024 00:00:00 GMT

What is OpenID Connect?

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that allows clients to verify the identity of users. With OIDC, instead of just authorizing an app to access a resource, the system can also authenticate the user securely. This means users can log in to multiple applications with a single set of credentials, making OIDC ideal for Single Sign-On (SSO) across services.

Why is this important? Because it saves users from password fatigue, reduces login complexity, and centralizes authentication in a secure manner. Stalwart Mail Server’s new OIDC support allows you to authenticate your users either directly through Stalwart as an OpenID Provider or by integrating with third-party OIDC providers like Authentik, Keycloak, or any compliant identity system.

Alongside full OIDC support, Stalwart Mail Server v0.10.2 also introduces several important new features that expand its capabilities:

OpenID Connect Dynamic Client Registration

Dynamic Client Registration allows clients (applications) to automatically register with the OIDC provider without requiring manual intervention. This feature makes it easier to integrate multiple applications, as clients can dynamically obtain credentials (like client IDs) directly from Stalwart Mail Server. This adds flexibility and reduces administrative overhead.

OpenID Connect Discovery

With the OpenID Connect Discovery feature, clients can automatically discover the relevant OIDC endpoints and supported capabilities via the /.well-known/openid-configuration endpoint. This simplifies the configuration of OIDC clients, as they don’t need to be manually configured with URLs for token, authorization, and userinfo endpoints — they just query the discovery endpoint and set themselves up!

OAuth 2.0 Token Introspection

OAuth 2.0 Token Introspection allows resource servers (like APIs or mail servers) to validate access tokens provided by clients. This ensures that the token being used is still active, hasn’t expired, and has the right permissions attached. This is particularly useful for securing interactions between various services while verifying that tokens are still valid.

OpenID Provider or Third-Party OIDC Support

Stalwart Mail Server v0.10.2 can now act as an OpenID Provider (issuing ID tokens and managing authentication), which means your organization can use it to handle authentication for all your internal applications and services. Alternatively, Stalwart can also integrate with third-party OIDC providers, so you can delegate authentication to systems like Authentik or Auth0, while still using Stalwart to manage your email infrastructure.

This dual functionality gives you the flexibility to choose how you want to manage authentication while taking full advantage of OIDC’s security features.

About OAUTHBEARER…

Now, let’s talk about mail clients and the OAUTHBEARER SASL mechanism. While Stalwart fully supports OIDC, the majority of mainstream mail clients (looking at you, Outlook, Thunderbird, and Apple Mail) still don’t support OAUTHBEARER for OAuth-based authentication. Sure, we’ve done our part by adding OpenID support to Stalwart — now it’s up to the mail clients to follow suit and add proper support for OIDC authentication. Maybe one day, we’ll see these clients finally catch up, and we can all enjoy the seamless authentication experience that OIDC offers.

In the meantime, users of these clients will need to continue using App Passwords to access their email accounts. But hey, maybe this is the gentle nudge the developers of these clients need to jump on the OpenID bandwagon!

Try It Out

Stalwart Mail Server v0.10.2 is available now, so download it, upgrade your server, and start taking advantage of these new features! Whether you’re setting up Stalwart as your OpenID Provider or integrating with a third-party provider, this release gives you the tools to secure authentication with modern standards like OpenID Connect.

Happy mailing and happy authenticating!

Unlock Multi-Tenancy, Branding, and Fine-Grained Control

Sat, 21 Sep 2024 00:00:00 GMT

Multi-Tenancy: Streamlined Management

Multi-tenancy is a game-changer for anyone managing multiple independent organizations on a single instance of Stalwart Mail Server. Whether you’re a hosting provider or an enterprise with multiple departments, tenants allow you to isolate different organizations, each with its own users, groups, mailing lists, and domains.

Each tenant operates within its own secure space, ensuring privacy and separation from other tenants. You can assign disk quotas to control how much storage each tenant can use and limit the number of accounts, groups, and domains they can create. This is perfect for keeping resources in check while maintaining an organized, scalable environment. Imagine a scenario where a tenant is given 100GB of disk space. If the users within that tenant collectively consume all 100GB, the system prevents them from receiving more email, ensuring no one overuses resources.

Multi-tenancy offers security, control, and scalability—all in one package.

Roles & Permissions: Fine-Tuned Access Control

With the revamped Roles and Permissions system, Stalwart Mail Server 0.10.0 gives you unprecedented control over who can do what in your environment. No more blanket admin accounts! Instead, you can assign specific permissions to individuals, groups, or entire tenants.

Permissions can be bundled into roles, which makes managing access a breeze. Stalwart comes with three built-in roles to get you started: the user role, which grants access to all essential email services; the admin role, which has full control over the system; and the tenant-admin role, which is perfect for tenant or domain administrators, providing just the right amount of access without overstepping into critical system configurations.

This granular permissions model ensures that no one has more access than they need, keeping your system secure while allowing users to perform their required tasks. Whether it’s managing users, updating settings, or overseeing mailing lists, the right permissions are always in the right hands.

Branding: Personalized Web Interface

Another exciting new feature in Stalwart Mail Server 0.10.0 is branding. This feature allows system administrators to customize the look and feel of the webadmin interface by adding logos specific to each tenant or domain.

When a user logs into the webadmin portal, Stalwart checks the domain associated with the request. If a logo has been set for that domain, it will be displayed. If the domain doesn’t have its own logo but is linked to a tenant that does, the tenant’s logo will be used. If neither the domain nor the tenant has a custom logo, the system defaults to the logo defined in the configuration. If no logo is defined, the trusty Stalwart logo makes an appearance. This feature ensures that your tenants can enjoy a fully branded experience, making the platform feel even more tailored to their organization.

Enterprise-Only Features: Multi-Tenancy & Branding

It’s important to note that while Roles and Permissions are available in all versions of Stalwart Mail Server, the Multi-tenancy and Branding features are part of the Enterprise package. These advanced tools are designed for organizations with more complex needs, providing flexibility and customization options tailored to large-scale environments.

Support Stalwart: It Costs Less Than Netflix!

We’ve worked hard to keep Stalwart open and accessible to everyone, but if you want to unlock Enterprise features and support the continued development of Stalwart, please consider subscribing to a Stalwart Enterprise License. It costs less than your Netflix or Spotify Premium subscription and will help us continue building exciting new features, including upcoming developments like CalDAV, CardDAV, WebDAV, and JMAP for contacts, calendars, and tasks.

By subscribing, not only do you unlock advanced functionality, but you also contribute to the growth of a project committed to providing a powerful, open mail server solution for all.

Thank you for being part of the Stalwart community. We hope you enjoy these new features as much as we enjoyed building them, and we look forward to bringing you even more great updates in the future. If you’re interested in learning more about Stalwart Enterprise or obtaining a license, feel free to reach out to us.

Happy mailing!

Announcing Dashboards and Strengthened Security

Thu, 29 Aug 2024 00:00:00 GMT

Comprehensive Dashboard

A major highlight of this release for Enterprise users is the introduction of the new Dashboard feature. This tool provides real-time insights into your server’s operations, allowing you to monitor critical metrics and trends at a glance. The Dashboard is divided into five distinct sections: Overview, Network, Delivery, Security, and Performance. The Overview dashboard offers a comprehensive summary of general mail server statistics, giving you a quick snapshot of the server’s health and activity. The Network dashboard focuses on the number of total and active connections, enabling you to monitor network traffic and identify potential issues with server load. The Delivery dashboard provides detailed information on mail flow, including queued messages and the number of messages sent and received, ensuring that your mail delivery processes are running smoothly. The Security dashboard is dedicated to tracking your server’s defenses, presenting statistics on banned IPs, blocked requests, and spam filtering effectiveness. Finally, the Performance dashboard allows you to monitor key performance indicators such as memory usage, database latency, and DNS latency, helping you optimize the server’s performance and address any bottlenecks.

Customizable Alerts

Also new to the Enterprise version is the Alerts feature, which ensures that you are always in the loop when important metrics reach critical thresholds. Whether it’s a spike in memory usage, an increase in queued messages, or any other significant change, Alerts can notify you via email or webhooks the moment these events occur.

Alerts are highly configurable, allowing you to set up complex conditions that trigger notifications only when specific combinations of metrics are met. For example, you could set an alert for when server memory usage exceeds a certain amount and the message queue count rises above a defined level, helping you to react swiftly and prevent potential disruptions.

Security Enhancements

Security remains a top priority in this release, and version 0.9.3 introduces two new features that enhance the defenses of both the Community and Enterprise versions.

RCPT Brute Force Protection

Enhance your server’s security with our new RCPT brute force protection. This feature automatically bans IP addresses attempting to discover valid email recipients through brute force attacks—a common tactic used by spammers. By implementing this protection, Stalwart Mail Server adds another layer of defense to your email infrastructure, helping to maintain the integrity of your user list and prevent potential security breaches.

Loitering Connection Protection

Defend against SYN Flood attacks with our loitering connection protection. This smart feature blocks IP addresses that repeatedly keep connections open without meaningful activity, helping to prevent resource exhaustion attacks. By identifying and mitigating these potential threats, Stalwart Mail Server ensures that your server resources are used efficiently and remain available for legitimate email traffic.

Conclusion

Stalwart Mail Server version 0.9.3 is a significant step forward in our commitment to providing a secure, efficient, and easy-to-manage mail server solution. Whether you are leveraging the powerful new monitoring and alerting tools in the Enterprise version or benefiting from the enhanced security features available across both versions, this update offers valuable enhancements that will help you better manage and protect your mail server.

We encourage all users to upgrade to version 0.9.3 and take advantage of these exciting new features. As always, we remain dedicated to improving Stalwart Mail Server and providing you with the best possible tools to manage your email infrastructure.

Thank you for your continued support, and we look forward to bringing you more updates and features in the future!

Boost Your Insights with Advanced Telemetry

Thu, 08 Aug 2024 00:00:00 GMT

Enhanced Tracing

In previous versions of Stalwart, tracing and logging provided valuable insights but lacked the detail and comprehensiveness needed for thorough monitoring. With version 0.9.1, we have completely rewritten the tracing and logging layer, resulting in a faster and more detailed system. The new implementation leverages a lock-free data structure, enabling Stalwart to record thousands of events per second without impacting server performance. This major upgrade ensures that every significant event is captured, providing a comprehensive view of the server’s operations.

Stalwart now generates over 600 different types of events, significantly expanding the granularity and depth of our telemetry data. These events can be sent to OpenTelemetry or Webhooks, offering flexibility in how they are processed and analyzed. Additionally, events can be recorded in log files, sent to journald, or written directly to the console, providing multiple avenues for accessing and utilizing this detailed information.

Comprehensive Metrics

The highlight of Stalwart Mail Server version 0.9.1 is the introduction of support for hundreds of different metrics. This enhancement enables administrators to gain deeper insights into the server’s performance and health. Metrics can be exported to OpenTelemetry using a push mechanism, allowing for real-time monitoring and analysis. Alternatively, they can be collected using Prometheus via a pull method, integrating seamlessly with existing monitoring infrastructures.

This robust metrics support ensures that users can monitor a wide range of server parameters, from resource usage to request handling, enabling proactive maintenance and troubleshooting. By providing comprehensive metrics, Stalwart Mail Server empowers administrators to make informed decisions, optimize performance, and maintain high levels of reliability.

HTTP Access Controls

In addition to these telemetry improvements, Stalwart Mail Server version 0.9.1 introduces a highly requested feature: HTTP endpoint access controls. This new capability allows administrators to limit access to HTTP endpoints based on various criteria, such as remote IP or IP range, HTTP method, listener ID, and more. This fine-grained control enhances security and ensures that only authorized users can access specific server functionalities.

The introduction of HTTP endpoint access controls responds directly to user feedback, demonstrating our commitment to continually enhancing the server based on real-world needs and experiences. This feature provides an additional layer of security and customization, making Stalwart Mail Server more versatile and robust.

Conclusion

Stalwart Mail Server version 0.9.1 represents a significant leap forward in our telemetry capabilities, offering faster, more detailed tracing and logging, comprehensive metrics support, and new HTTP endpoint access controls. These improvements underscore our dedication to providing a powerful, efficient, and secure mail server solution.

Upgrade to version 0.9.1 today and experience the next level of telemetry with Stalwart Mail Server!

Stalwart and Nextcloud Join Forces

Tue, 23 Jul 2024 00:00:00 GMT

What This Means for You

Nextcloud will now also offer a version bundled with Stalwart Mail Server, providing users with a powerful, efficient, and secure email solution seamlessly integrated within the Nextcloud environment. This integration is designed to provide a cohesive and streamlined experience, allowing users to manage their email, files, and collaborative projects all in one place.

Key Benefits

Enhanced Productivity: With Stalwart Mail Server bundled into Nextcloud, users can effortlessly access their email and other Nextcloud apps, such as files, calendars, and tasks. This unified approach reduces the time and effort spent on managing multiple platforms.
Robust Security: Both Stalwart Labs and Nextcloud prioritize security. Our mail server brings industry-leading security features, including encryption and advanced threat detection, ensuring your communications remain safe and confidential.
Seamless Collaboration: Nextcloud is known for its powerful collaboration tools. Integrating Stalwart Mail Server enhances these capabilities, allowing for better coordination and communication within teams.
User-Friendly Interface: Our combined efforts focus on delivering an intuitive and user-friendly interface, making it easier for users to navigate and utilize the full potential of the integrated suite.

About Stalwart Mail Server

Stalwart Mail Server is a highly reliable and secure email server designed for modern businesses. With features such as spam filtering, encryption, and high availability, it provides an unparalleled email experience. Our server is built to handle the demands of any organization, ensuring your communications are always fast, reliable, and secure.

About Nextcloud

Nextcloud is the leading open-source software suite for file sharing and collaboration. It offers a wide range of tools for managing and sharing files, calendars, contacts, and more, all while maintaining the highest standards of security and privacy. Nextcloud is trusted by millions of users worldwide, from small businesses to large enterprises.

Looking Ahead

This partnership is just the beginning. We are committed to continuously improving and expanding our integrated solutions to meet the evolving needs of our users. Stay tuned for more updates and enhancements as we work together to bring you the best in productivity and security.

We invite you to explore the new integrated experience and see firsthand how Stalwart Mail Server and Nextcloud can transform the way you work. For more information, please visit our website or contact our team.

Thank you for your continued trust and support.

Enhanced E-mail Security with Two-Factor Authentication

Mon, 01 Jul 2024 00:00:00 GMT

Two-Factor Authentication

Two-Factor Authentication (2FA) is a security measure that requires users to provide two forms of identification before gaining access to their accounts. With the introduction of TOTP (Time-based One-Time Password) codes in Stalwart Mail Server 0.8.3, users can now benefit from this extra layer of security. TOTP codes are time-sensitive, one-time passwords generated by an authenticator app, such as Google Authenticator or Authy.

When 2FA is enabled, users must enter their regular password and a TOTP code generated by their authenticator app. This ensures that even if an attacker obtains the user’s password, they would still need the TOTP code to access the account, significantly reducing the risk of unauthorized access. The TOTP codes are easy to set up and use, making them a convenient yet highly effective security measure.

Application Passwords

Alongside 2FA, Stalwart Mail Server 0.8.3 introduces Application Passwords. These are unique, randomly generated passwords that allow users to access their email accounts on devices or applications that do not support the OAUTHBEARER SASL mechanism. Application Passwords are particularly useful for older mail clients, third-party applications, and automated scripts that need access to email accounts but cannot handle the interactive authentication required by 2FA.

By generating an Application Password, users can maintain access to their email accounts on all their devices and applications while still benefiting from the enhanced security of 2FA. These passwords are managed through the self-service portal, where users can create, view, and revoke them as needed.

Improved Security, Enhanced Usability

The addition of Two-Factor Authentication with TOTP codes and Application Passwords in Stalwart Mail Server 0.8.3 represents a significant step forward in email account security. These features provide robust protection against unauthorized access, ensuring that your email communications remain secure. At the same time, they offer flexibility and ease of use, making it simple for users to secure their accounts without compromising on convenience.

We are committed to continuously improving the security and functionality of Stalwart Mail Server. We encourage all users to upgrade to version 0.8.3 and take advantage of these powerful new security features. As always, we welcome your feedback and look forward to hearing how these enhancements benefit you.

Stay secure, stay connected.

Stalwart | Stalwart Blog

Introducing the Stalwart Support Portal

What the support portal is

How to sign in

What happens to the existing channels

Enterprise support

Looking forward

Stalwart v0.16: A New Foundation

A Brand-New WebUI

Unified Management via JMAP and a New CLI

Automated DNS Management

Automated DKIM Rotation

Masked Emails

Security Enhancements

Other Highlights

Upgrading

Marginal Gains: Major Impact

Rethinking Spam Classification

A Faster, Simpler Search Layer

Faster Database Access and Leaner Storage

Meet Us at FOSDEM 2026

Looking Ahead

JMAP for Calendars, Contacts and Files now in Stalwart

A New Generation of Protocols

Limitations of Yesterday’s Technology

JMAP: A Modern Solution for Modern Needs

Why This Matters

Client Support and Ecosystem

A Word of Thanks

Looking Ahead to 1.0.0

Security at the Core: Stalwart completes Second Security Audit

Comprehensive Assessment

Findings

Our Commitment to Security

Stalwart Joins GitHub's Open Source Secure Fund

About GitHub’s OSSF

Our Experience

Leveraging Azure Credits

Ongoing Security Audit

Acknowledgments

Introducing Virtual Queues and Strategy-Driven Delivery in Stalwart MTA

Smarter Queueing with Virtual Queues

Strategy-Driven Delivery

MTA Hooks: Moving Toward Standardization

Looking Ahead

The Future of Stalwart: Webmail, Roadmap, and Beyond

Introducing Calendars, Contacts and Files in Stalwart

Calendars, Contacts & Files – All in One Place

Improved Spam Filtering

Performance Enhancements

Smarter and Faster Clustering

Looking Ahead: What’s Next?

Stalwart Receives NLNet Grant to Build Collaboration Server

Expanding the Vision: From Email to Collaboration

What the Grant Will Fund

Acknowledgements

Looking Ahead

OpenID Connect Integration is now Open Source

Why is Stalwart Not 100% Free?

Join Us at FOSDEM 2025

Goodbye Spam: Introducing Faster, Smarter Spam Filtering

A Faster, Smarter Spam Filter

Enhanced Training

Improved Performance

Meet Us at FOSDEM’25

Upgrade Today

Diagnose and Resolve Email Issues Faster

Advanced Troubleshooting

External Recipients

Azure Blob Storage

Looking Ahead

Shape the Future

Revolutionize Your Email Workflow with AI

Unlocking the Power of AI

LLMs in Sieve Scripts

Self-Hosted or Cloud-Based

Available for Enterprise Users and Sponsors

Try It Out Today!

OpenID Connect - Secure Authentication Just Got Easier

What is OpenID Connect?