Today we announce the release of Stalwart Mail Server version 0.7.2, which now includes support for both DNS-01 and HTTP-01 ACME challenge types. This update marks a significant enhancement in our server's capabilities, addressing one of the most frequent requests from our user community—the inclusion of DNS-01 support for improved domain validation flexibility.

What is ACME?​

The Automated Certificate Management Environment (ACME) protocol is a cornerstone in the world of secure communications. ACME automates the process of certificate issuance, renewal, and revocation, thereby simplifying the management of SSL/TLS certificates. This protocol is not only designed to streamline administrative tasks but also to bolster security measures through rigorous validation mechanisms.

Challenge Types​

Prior to version 0.7.2, Stalwart Mail Server supported only the TLS-ALPN-01 challenge, which utilizes the TLS Application Layer Protocol Negotiation extension for domain validation. This method, while robust, requires port 443 to be open and can limit flexibility for some users and environments.

Recognizing the diverse needs of our users, we have expanded our support to include two additional types of challenges: DNS-01 and HTTP-01. These new features are designed to offer more versatility in how users manage domain validation and certificate issuance.

DNS-01 Challenge​

The DNS-01 challenge validates domain ownership by creating a DNS TXT record. This method is particularly valuable for those needing to issue wildcard certificates, as it allows for the validation of the domain and all its subdomains collectively. It is an ideal choice for users who prefer or require managing their certificates at the DNS level, especially in scenarios where direct web traffic control is not feasible.

HTTP-01 Challenge​

In contrast, the HTTP-01 challenge involves responding to HTTP requests made by the ACME server. This method proves the control over a domain by placing a specific file on the server to be accessed via a standard web path. It is best suited for environments where port 80 is open and accessible. The simplicity of HTTP-01 makes it an attractive option for many administrators, providing an efficient path to compliance without the need for complex DNS configurations.

Benefits​

By integrating DNS-01 and HTTP-01 challenges into Stalwart Mail Server 0.7.2, we are offering our users the flexibility to choose the validation method that best fits their technical requirements and security policies. Whether operating behind a TLS reverse proxy, managing multiple subdomains with a single certificate, or simply seeking a straightforward setup, the expanded challenge options cater to a wider range of use cases.

We are committed to continually improving Stalwart Mail Server to meet the evolving needs of our customers. The inclusion of these new ACME challenges is a direct response to community feedback, and we are excited to see how our users will leverage these new capabilities to enhance their server security and certificate management processes.

Stay tuned for more updates as we keep enhancing our mail server solutions. For detailed information on configuring and using the new challenge types in Stalwart Mail Server 0.7.2, please refer to our updated documentation.

We look forward to your feedback on these new features and to supporting you in your journey to a more secure and efficient server environment!

We're thrilled to announce the release of Stalwart Mail Server version 0.7.0, a significant update that brings a wealth of features and improvements to enhance the performance and manageability of your email services. This release marks a pivotal moment in our journey to provide an email server solution that combines ease of use with robust performance, ensuring that your email infrastructure is both secure and efficient.

Introducing Web-Based Administration​

At the heart of version 0.7.0 is the introduction of a new, web-based administration tool. Developed in Rust, this single-page application (SPA) represents a monumental shift in how you interact with Stalwart Mail Server. Gone are the days of relying on SSH connections or command-line interfaces for routine administration tasks. Now, every aspect of your mail server can be managed from the convenience of a web browser.

The new web administration tool is designed to streamline and simplify the management of your mail server, offering a wide array of features:

• Complete Control Over Accounts and Domains: Easily manage user accounts, domains, groups, and mailing lists, all from a user-friendly interface.
• Advanced Queue Management: Monitor and manage your SMTP queues with ease, including messages and outbound DMARC and TLS reports, ensuring timely delivery and compliance.
• Insightful Report Visualization: Gain valuable insights into your email security with a dedicated interface for visualizing received DMARC, TLS-RPT, and Failure (ARF) reports.
• Full Configuration Flexibility: Adjust and fine-tune every aspect of your mail server settings directly from the webadmin, tailored to meet your specific requirements.
• Enhanced Log Viewing and Searching: Navigate through logs effortlessly with advanced search and filtering capabilities, making it easier to pinpoint issues or monitor activity.
• Self-Service Portal for Users: Empower your users with a self-service portal for password resets and managing encryption-at-rest keys, enhancing security and convenience.

This transformative approach to mail server management not only elevates the administration experience but also significantly reduces the complexity and time required to manage your email infrastructure.

Enhanced Performance and Efficiency​

Beyond management improvements, Stalwart Mail Server 0.7.0 introduces significant performance enhancements to ensure swift and efficient email delivery. A major focus has been placed on optimizing mailbox retrieval speeds to accommodate IMAP clients, particularly those without client-side caching, ensuring that large mailboxes are displayed promptly. This version also integrates automatic compression for messages and binaries stored in the blob store using LZ4, a move that conservatively manages storage space while improving access and transfer speeds. These enhancements collectively ensure that Stalwart Mail Server 0.7.0 delivers unparalleled performance, making it faster and more efficient than ever before.

Embracing the Future​

With the release of version 0.7.0, Stalwart Mail Server sets a new standard for email server solutions. The introduction of a web-based administration tool and significant performance improvements underscore our commitment to innovation and excellence. We invite you to experience the future of email server management and performance with Stalwart Mail Server 0.7.0.

This Valentine's Day, we're not just celebrating love and companionship; we're also celebrating the groundbreaking advancements in the Stalwart Mail Server with the release of version 0.6.0. In a world where reliability and flexibility in mail server management are more critical than ever, Stalwart Mail Server takes a significant leap forward with the introduction of distributed SMTP queues and the integration of expressions in configuration files. Let's delve into how these features transform your mail server experience, making it more robust, efficient, and customizable than ever before.

Distributed SMTP Queues: A Heartbeat of Reliability​

The latest iteration of Stalwart Mail Server introduces a feature that's set to be the cornerstone of reliability and fault tolerance—distributed SMTP queues. Gone are the days when your SMTP queue was confined to the local hard drive, a vulnerability that could lead to data loss or downtime in the event of a server crash. With version 0.6.0, Stalwart Mail Server stores your SMTP queues in the database, a move that not only enhances fault tolerance but also paves the way for queue load distribution across multiple servers in a cluster.

Imagine your mail server as the heart of your organization's communication. Just as the heart's reliability is critical to the body's overall function, so is your SMTP queue's reliability to your organization's communication flow. Distributed SMTP queues ensure that if one server in the cluster experiences issues, the heartbeat of your communication doesn't skip a beat. This feature allows other servers in the cluster to pick up the load, ensuring uninterrupted mail flow and significantly reducing the risk of data loss.

This approach allows for a more balanced and efficient handling of email traffic, making your mail server cluster more resilient to individual failures and capable of handling higher volumes of email more effectively.

Expressions: A Language of Flexibility​

The second headline feature of version 0.6.0 is the support for expressions in configuration files. This addition opens up a new realm of flexibility, allowing you to define complex, dynamic criteria for evaluating and handling email messages based on various attributes, such as recipient, sender, remote IP addresses, and other variables.

With expressions, configuring your Stalwart Mail Server becomes akin to coding the DNA of your mail server's behavior. Whether it's routing, filtering, or processing rules, expressions enable you to tailor the mail server's operations to meet your specific needs with precision and adaptability. Consider a scenario where you want to apply specific actions only to emails from a certain domain or IP range, or perhaps to messages that meet a combination of criteria. With expressions, these complex conditions can be easily defined and integrated into your server's configuration, making it smarter and more aligned with your organizational policies.

Celebrate With Us​

As we release Stalwart Mail Server version 0.6.0 this Valentine's Day, we invite you to celebrate not just a day of love but also a milestone in mail server technology. With distributed SMTP queues and expressions in configuration files, we're not just sending you a token of our affection—we're equipping you with the tools to make your mail server environment more resilient, efficient, and tailored to your needs.

So here's to love, to innovation, and to a future where your mail server's reliability and flexibility are the foundation of your organization's communication success. Happy Valentine's Day, and welcome to the new era of Stalwart Mail Server.

We are excited to announce a significant update to Stalwart Mail Server - the introduction of an integrated fail2ban-like system in our latest version, 0.5.3. This new feature marks an important advancement in our ongoing commitment to providing robust security measures for our users.

Understanding Fail2Ban​

Before diving into the specifics of our new feature, let's revisit what Fail2Ban is. Commonly used in the world of server security, Fail2Ban is an intrusion prevention software that protects servers from brute-force attacks. It operates by monitoring server logs for suspicious activities, like repeated password failures, and responds by blocking the offending IP addresses, typically by updating firewall rules.

Tailored Security​

In Stalwart Mail Server version 0.5.3, we've embraced the core philosophy of Fail2Ban but adapted it to better suit the unique environment of our mail server. Our integrated fail2ban system is designed to enhance security without relying on external Fail2Ban software. It's a part of Stalwart Mail Server, built directly into its architecture.

One key difference in our approach is how we handle the banning of IP addresses. Unlike traditional Fail2Ban that alters firewall rules, our system immediately drops further connections from any banned IP address. This swift action effectively cuts off malicious attempts at their source, ensuring immediate protection.

Fully Integrated​

Another significant aspect of our fail2ban system is its integration across all mail server services. Whether it be JMAP, IMAP, SMTP, or ManageSieve, authentication failures in any of these services contribute to the ban threshold. This comprehensive coverage ensures that the security of one service is not compromised at the expense of another.

Advanced Tracking Beyond IP Addresses​

A standout feature of our fail2ban system is its ability to track authentication failures not only by IP address but also by login name. This is particularly vital in defending against distributed brute-force attacks, where attackers might use numerous IP addresses to target a single account. Our system intelligently identifies such patterns and, after a certain number of failed attempts, blocks further authentication efforts for that account, regardless of the IP used. This means that an attacker cannot simply hop IP addresses to bypass security measures.

Conclusion​

The introduction of this integrated fail2ban system in version 0.5.3 is a testament to our dedication to providing top-tier security for our users. This advanced security feature is meticulously designed to address and neutralize a wide array of cyber threats, especially sophisticated brute-force attacks.

We are proud to bring this new level of security to Stalwart Mail Server. This update reflects our ongoing commitment to adapting and evolving in the face of emerging cyber threats. With the integration of our fail2ban system, Stalwart Mail Server version 0.5.3 stands as a more secure, reliable, and resilient solution for your email server needs.

Stay tuned for more updates and features as we continue to enhance and refine Stalwart Mail Server. Your security is our priority, and we are dedicated to providing you with the best tools to protect it.

ACME (Automatic Certificate Management Environment) represents a breakthrough in managing TLS (Transport Layer Security) certificates. This protocol automates the process of obtaining, installing, and renewing TLS/SSL certificates, which are crucial for securing network communications. TLS certificates provide authentication and encryption, ensuring that data transferred between users and servers remains private and secure.

ACME's ability to automate these tasks greatly simplifies certificate management, particularly for services like mail servers that require ongoing security maintenance. The protocol interacts with Certificate Authorities (CAs) such as Let's Encrypt to automate the verification of domain ownership and the issuance of certificates, significantly reducing manual effort and the risk of human error.

We are thrilled to announce the release of Stalwart Mail Server 0.5.2, which brings two significant advancements: the integration of the ACME protocol for automatic TLS certificate deployment and support for the HAProxy Protocol. These features mark a substantial step forward in our commitment to enhancing the security and efficiency of Stalwart Mail Server.

The Power of ACME​

The integration of ACME into Stalwart Mail Server simplifies the complexities of TLS certificate management. It ensures that the certificates are always up-to-date, thereby enhancing the overall security of your communications. With ACME, the server automatically verifies domain ownership, obtains the necessary certificates, and handles renewals, all without manual intervention. This automation is not only a boon for security but also significantly reduces the administrative burden and the risk of service interruptions due to expired certificates.

Embracing the Proxy Protocol​

The Proxy Protocol is another crucial feature in this release. When running servers behind load balancers or reverse proxies, such as Caddy, HAProxy, or Traefik, the server traditionally only sees the IP address of the proxy, not the actual client. This limitation can impact security and logging functions. By supporting the Proxy Protocol, Stalwart Mail Server 0.5.2 can now accurately identify the original client's IP address and connection details. This capability is essential for maintaining robust security measures and precise logging. It ensures that even in environments where Stalwart is behind a proxy, it retains full visibility over client connections.

Conclusion​

In conclusion, Stalwart Mail Server 0.5.2 is a significant update, offering both ACME for simplified and automated TLS certificate management and the Proxy Protocol for enhanced functionality behind proxy environments. These features underscore our dedication to providing a secure, efficient, and user-friendly mail server solution. We look forward to seeing how our users leverage these new capabilities in their Stalwart Mail Server deployments.

In the world of email security, a recent concern has arisen known as SMTP Smuggling, a vulnerability that can be exploited to spoof emails. This blog post will explain what SMTP smuggling is and how Stalwart Mail Server is designed to be immune to this vulnerability. We'll also discuss a new feature we've implemented to protect other servers that might be vulnerable.

Understanding SMTP Smuggling​

SMTP smuggling is an exploitation technique that manipulates SMTP conversations to send spoofed emails from arbitrary addresses. It leverages interpretation differences in the SMTP protocol to bypass security checks like SPF alignment. The technique was identified as effective against multiple email providers and could have significant implications for email security.

Traditionally, the end of data in an SMTP conversation is indicated by a sequence <CR><LF>.<CR><LF> (CR LF stands for Carriage Return and Line Feed, standard text delimiters). However, if an SMTP server improperly interprets this sequence, it can be tricked into starting a new email within the content of an existing email, allowing attackers to inject malicious content and spoof emails that bypass SPF alignment checks.

Research has shown that even large organizations with sophisticated IT infrastructure are not immune to SMTP smuggling attacks. Notable entities such as Ebay, PayPal, Amazon, and even Microsoft, through their use of services like Microsoft Exchange Online, have experienced challenges due to non-compliance with certain RFC specifications. This underscores the importance of adhering to established protocols and standards in email communications. Compliance with these specifications is crucial for ensuring the security and integrity of email systems.

This vulnerability has led to calls for increased vigilance and improved email server configurations to prevent such exploits. For a detailed understanding of SMTP smuggling, please refer to the full article on SEC Consult's blog.

How Stalwart is Protected​

Stalwart Mail Server is designed with robust security measures that inherently protect it from SMTP smuggling attacks. Stalwart only accepts <CR><LF>.<CR><LF> as the terminating sequence for a DATA command. This strict adherence to protocol specifications prevents the ambiguity that can lead to smuggling attacks. Furthermore, when sending outgoing messages, Stalwart Mail Server utilizes the BDAT command whenever available. The BDAT command is not susceptible to SMTP smuggling issues, as it specifies the exact amount of data being sent, leaving no room for misinterpretation.

Protecting other Servers​

While Stalwart Mail Server itself is not vulnerable to SMTP smuggling, we recognize that other servers might be. To help protect the broader email ecosystem, we have introduced in version 0.5.1 a feature to sanitize outgoing messages that might attempt to exploit this bug in other servers. This feature involves applying the transparency procedure described in RFC5321 to outgoing messages even when these messages do not use CRLF as line terminators, which prevents the exploitation of SMTP smuggling vulnerabilities in other servers.

MECSA Compliance​

In our ongoing efforts to enhance email security, we are proud to announce that Stalwart Mail Server 0.5.1 is now compliant with the My Email Communications Security Assessment (MECSA) set by the European Union. MECSA compliance signifies a robust level of security in email communication, and one of the key features in achieving this compliance is the implementation of SMTP sender validation for authenticated users.

SMTP sender validation ensures that authenticated users can only issue MAIL FROM commands that match their login name or any of the email addresses associated with their accounts. Previously, implementing this level of validation required the creation of a Sieve script. However, with our latest update, this functionality is now a straightforward boolean entry in the system settings, defaulting to true for maximum security.

Conclusion​

In summary, Stalwart Mail Server's architecture and its strict adherence to SMTP protocol specifications inherently protect it against SMTP smuggling attacks. Furthermore, our commitment to the security of the email infrastructure extends beyond our server. The new feature to sanitize outgoing messages and our MECSA compliance demonstrate our proactive approach to safeguarding against vulnerabilities and contributing to a more secure email environment

Stay up to date with the latest in email security and Stalwart Mail Server's features by following our blog and updates.

We are excited to announce the release of Stalwart Mail Server v0.5.0. As we approach the end of the year, this significant update marks a major advancement in our journey to provide a robust, efficient, and versatile mail server solution. This latest version incorporates a range of performance enhancements, storage layer improvements, and new features, designed to elevate your email server experience.

Performance Enhancements​

In the realm of performance, Stalwart v0.5.0 introduces multiple improvements in how messages are handled and stored. Messages are now parsed only once, with their offsets stored in the database. This approach eliminates the need for parsing messages on every FETCH request, significantly boosting server efficiency and response time. Moreover, the server now performs full-text indexing in the background, seamlessly enhancing search capabilities. We have also optimized our database access functions, ensuring smoother and faster interactions with the underlying data store.

Storage Layer Improvements​

Stalwart v0.5.0 expands the options for storage backends. In addition to FoundationDB and SQLite, users can now choose RocksDB, PostgreSQL, or MySQL as their storage backend, offering flexibility to suit different operational needs. Blob storage has also been made more versatile, allowing blobs to be stored in any of the supported data stores, not just limited to the file system or S3/MinIO. This update provides more integrated data management solutions. Full-text search capabilities have been enhanced, with options to conduct searches internally or delegate them to ElasticSearch. Additionally, spam databases can now be stored in any of the supported data stores or Redis, removing the requirement for an SQL server for spam filter usage.

Internal Directory​

With the introduction of an internal directory in Stalwart v0.5.0, user account, group, and mailing list management can now be conducted directly within Stalwart, eliminating the dependency on external LDAP or SQL directories. This feature is complemented by the addition of an HTTP API, offering a more accessible and programmable interface for managing users, groups, domains, and mailing lists.

Additional Features​

Enhancing compatibility with older IMAP clients, Stalwart v0.5.0 now supports the IMAP4rev1 Recent flag, ensuring a smoother user experience. The server also accommodates LDAP bind authentication, catering to LDAP servers like lldap that do not expose the userPassword attribute. Another significant improvement is the automated handling of spam – messages marked as spam by the filter can now be automatically moved to the user's Junk Mail folder.

Conclusion​

As we release Stalwart Mail Server v0.5.0, we also want to take a moment to wish everyone a Happy New Year. This new version is a testament to our continuous efforts to evolve and adapt to the needs of our users. We believe that Stalwart v0.5.0 will not only meet but exceed your expectations, whether you're setting up a new mail server or upgrading an existing one.

For more details, visit our website, and don't forget to join our Discord community to share your experiences, get support, and connect with other Stalwart users.

Here's to a new year filled with success, innovation, and secure email communications!

In today's digital age, the safety and authenticity of your emails are paramount. With that in mind, we're happy to announce the release of the Spam and Phishing filter in Stalwart Mail Server v0.4.0. This release is packed with features that not only enhance your email security but also ensure a seamless communication experience.

Here's a deep dive into what's new:

• Comprehensive Filtering Rules: We've crafted a set of rules that stand shoulder-to-shoulder with the best solutions out there.
• Statistical Spam Classifier: Empower your server with a classifier that constantly learns, adapts, and keeps spam at bay.
• DNS Blocklists (DNSBLs): Safeguard your users' inboxes from notorious spammers through meticulous checks on IP addresses, domains, and hashes.
• Collaborative Digest-Based Filtering: By integrating digest-based spam filtering, we ensure even greater accuracy in weeding out unwanted emails.
• Phishing Protection: Defend against cunning phishing tactics, from homographic URL attacks to deceptive sender spoofing.
• Trusted Replies Tracking: By recognizing and prioritizing genuine replies, we ensure your genuine conversations remain uninterrupted.
• Sender Reputation: An automated system that assesses sender credibility based on their IP, ASN, domain, and email address.
• Greylisting: An added shield against spam, by temporarily holding back unfamiliar senders.
• Spam Traps: Crafty decoy email addresses that help us catch and scrutinize spam, ensuring your users' inboxes remain clutter-free.
• Built-in & Ready to Roll: No dependency on third-party software. Unbox and deploy – it's that simple!

Comparative Analysis​

While we have immense respect for both RSpamd and SpamAssassin, it's essential to highlight some distinctions. RSpamd stands out for its speed and standalone capabilities but necessitates additional configuration and maintenance. Meanwhile, SpamAssassin, built on Perl, might not deliver the same speed as RSpamd due to its heavy reliance on regular expressions.

Stalwart Mail Server's spam and phishing filter offers a level of protection equivalent to both RSpamd and SpamAssassin with one notable advantage: speed. Since the message remains within the server during the entire filtering process, it's considerably quicker. Furthermore, while third-party solutions re-execute checks for DMARC, DKIM, SPF, and ARC, Stalwart has already performed these, making our built-in filter more efficient and streamlined.

In essence, with Stalwart Mail Server, you receive a blend of speed, efficiency, and top-tier protection.

Conclusion​

In essence, with Stalwart Mail Server v0.4.0, you're not just getting an email server, but a comprehensive, fast, and efficient email security solution.

We're committed to continuous innovation and ensuring that your communication remains genuine, secure, and spam-free. Upgrade to Stalwart Mail Server v0.4.0 and experience the difference today!

We are thrilled to announce that Stalwart Mail Server has undergone a comprehensive security audit conducted by Radically Open Security. As a part of their assessment, a crystal-box penetration test was performed to ensure the robustness and security of the mail server.

How Was The Security Audit Conducted?​

• Automated Scanning: Radically Open Security employs state-of-the-art automated tools and scanners to root out common vulnerabilities, coding flaws, or misconfigurations within the codebase. These tools are invaluable in identifying potential problem areas that might necessitate a more in-depth manual analysis. They also confirm that the code adheres strictly to secure coding practices.

• Manual Code Review: Building upon the insights provided by automated scanning, a manual code review was carried out. This process aims to spot complex security issues, logical flaws, and ensures that secure coding practices are consistently met. This meticulous step involves confirming the proper implementation of essential components such as input validation, authentication, authorization, and data protection mechanisms.

What Were the Results?​

We are proud to share that the audit concluded with no vulnerabilities or unsafe code identified in the Stalwart Mail Server. Such an outcome underscores our commitment to offering a safe and secure open-source mail server solution to our users.

For those who would like a deep dive into the audit's findings, the full report is accessible here.

Continuous Improvement​

Though the audit did not unearth any vulnerabilities, Radically Open Security did make a constructive recommendation: They advised against storing directory or OAuth secrets in the configuration file. We took this feedback to heart, and we're excited to introduce Stalwart Mail Server version 0.3.9. Released today, this latest version allows reading configuration settings from environment variables. It’s a step further towards ensuring that our users can trust Stalwart, not just for its capabilities, but also for its steadfast focus on security.

Looking ahead​

We extend our heartfelt gratitude to the team at Radically Open Security for their comprehensive evaluation and invaluable feedback. We're committed to constantly refining and improving our product, with the security and trust of our users being paramount. With this recent audit, we hope to have taken another significant step towards that goal.

Stay secure!

Today we are announcing the latest release of Stalwart Mail Server: version 0.3.6. This update includes multiple enhancements to the Sieve filtering language, including the ability to evaluate arithmetical and logical expressions, and fetch data from SQL or LDAP databases to Sieve variables.

Arithmetical and Logical Expressions​

Stalwart Mail Server now incorporates the ability to evaluate arithmetical and logical operations within Sieve scripts. For instance, the following Sieve script rejects a mail if it satisfies a particular condition:

if test eval "score + ((awl_score / awl_count) - score) * awl_factor > 2.25" {
    reject "Your message is SPAM.";
    stop;
}

Whether you're aiming to refine your filtering mechanisms or just add some mathematical magic to your scripts, this feature is sure to come in handy.

To learn more about expressions in Sieve scripts, check out the Arithmetical and Logical Expressions section in the documentation.

Fetching Data from Databases​

Using Sieve scripts, you can now query SQL or LDAP databases and store the results as Sieve variables. This is done using the query command with the optional :set argument.

Consider this example:

query :use "sql" :set ["awl_score", "awl_count"] "SELECT score, count FROM awl WHERE sender = ? AND ip = ?" ["${env.from}", "%{env.remote_ip}"];

The above Sieve script fetches the score and count columns from the awl table in an SQL database and stores them as the Sieve variables awl_score and awl_count respectively.

To learn more about fetching data from SQL or LDAP queries, check out the query extension documentation.

Conclusion​

These features allow for more advanced filtering mechanisms and more powerful Sieve scripts. We hope you enjoy them!