We are happy to announce the release of Stalwart Mail Server v0.10.3, which introduces support for AI models —a powerful new feature now available to Enterprise Edition users as well as our GitHub and OpenCollective sponsors. With this feature, Stalwart Mail Server can be integrated with both self-hosted and cloud-based Large Language Models (LLMs), bringing advanced email processing capabilities like never before.

This integration allows you to use AI models for a variety of tasks, including enhanced spam filtering, threat detection, and intelligent email classification. Whether you choose to host your own models with LocalAI or leverage cloud-based services like OpenAI or Anthropic, this release provides the flexibility to incorporate cutting-edge AI into your email infrastructure.

Unlocking the Power of AI​

With the introduction of AI model integration, Stalwart Mail Server can now analyze email content more deeply than traditional filters ever could. For instance, in the realm of spam filtering and threat detection, AI models are highly effective at identifying patterns and detecting malicious or unsolicited content. The system works by analyzing both the subject and body of incoming emails through the lens of an LLM, providing more accurate detection and filtering.

In addition to bolstering security, AI integration enhances email classification. By configuring customized prompts, administrators can instruct AI models to categorize emails based on their content, leading to more precise filtering and organization. This is particularly useful for enterprises managing a high volume of messages that span various topics and departments, as AI-driven filters can quickly and intelligently sort messages into categories like marketing, personal correspondence, or work-related discussions.

The flexibility of using either self-hosted or cloud-based AI models means that Stalwart can be tailored to your infrastructure and performance needs. Self-hosting AI models ensures full control over data and privacy, while cloud-based models offer ease of setup and access to highly optimized, continuously updated language models.

LLMs in Sieve Scripts​

One of the most exciting features of this release is the ability for users and administrators to access AI models directly from Sieve scripts. Stalwart extends the Sieve scripting language by introducing the llm_prompt function, which allows users to send prompts and email content to the AI model for advanced processing.

For example, the following Sieve script demonstrates how an AI model can be used to classify emails into specific folders based on the content:

require ["fileinto", "vnd.stalwart.expressions"];

# Base prompt for email classification
let "prompt" '''You are an AI assistant tasked with classifying personal emails into specific folders. 
Your job is to analyze the email's subject and body, then determine the most appropriate folder for filing. 
Use only the folder names provided in your response.
If the category is not clear, respond with "Inbox".

Classification Rules:
- Family:
   * File here if the message is signed by a Doe family member
   * The recipient's name is John Doe
- Cycling:
   * File here if the message is related to cycling
   * File here if the message mentions the term "MAMIL"
- Work:
   * File here if the message mentions "Dunder Mifflin Paper Company, Inc." or any part of this name
   * File here if the message is related to paper supplies
   * Only classify as Work if it seems to be part of an existing sales thread or directly related to the company's operations
- Junk Mail:
   * File here if the message is trying to sell something and is not work-related
   * Remember that John lives a minimalistic lifestyle and is not interested in purchasing items
- Inbox:
   * Use this if the message doesn't clearly fit into any of the above categories

Analyze the following email and respond with only one of these folder names: Family, Cycling, Work, Junk Mail, or Inbox.
''';

# Prepare the base Subject and Body
let "subject" "thread_name(header.subject)";
let "body" "body.to_text";

# Send the prompt, subject, and body to the AI model
let "llm_response" "llm_prompt('gpt-4', prompt + '\n\nSubject: ' + subject + '\n\n' + body, 0.6)";

# Set the folder name
if eval "contains(['Family', 'Cycling', 'Work', 'Junk Mail'], llm_response)" {
    fileinto "llm_response";
}

This example demonstrates how the llm_prompt function can be used to classify emails into different categories such as Family, Cycling, Work, or Junk Mail based on the content. The AI model analyzes the message’s subject and body according to the classification rules defined in the prompt and returns the most appropriate folder name. The email is then automatically filed into the correct folder, making it easier to organize incoming messages based on their content.

Self-Hosted or Cloud-Based​

With this new feature, Stalwart Mail Server allows for seamless integration with both self-hosted and cloud-based AI models. If you prefer full control over your infrastructure, you can opt to deploy models on your own hardware using solutions like LocalAI. Self-hosting gives you complete ownership over your data and ensures compliance with privacy policies, but it may require significant computational resources, such as GPU acceleration, to maintain high performance.

Alternatively, you can integrate with cloud-based AI providers like OpenAI or Anthropic, which offer access to powerful, pretrained models with minimal setup. Cloud-based models provide cutting-edge language processing capabilities, but you should be aware of potential costs, as these providers typically charge based on the number of tokens processed. Whether you choose self-hosted or cloud-based models, Stalwart gives you the flexibility to tailor the AI integration to your specific needs.

Available for Enterprise Users and Sponsors​

This exciting AI integration feature is exclusively available for Enterprise Edition users as well as GitHub and OpenCollective monthly sponsors. If you want to harness the full potential of AI-powered email processing in Stalwart Mail Server, upgrading to the Enterprise Edition or becoming a sponsor is a great way to access this feature and other advanced capabilities.

Try It Out Today!​

The release of Stalwart Mail Server v0.10.3 marks a major milestone in our journey toward building intelligent, highly customizable email management solutions. By combining traditional email filtering with the power of LLMs, Stalwart gives you the tools to take your email infrastructure to the next level, enhancing security, organization, and automation in ways that were previously impossible. We’re excited to see how you’ll use this new feature to optimize your email workflows!

Today we announce the release of Stalwart Mail Server v0.10.2, and it’s a big one! This version brings full OpenID Connect (OIDC) support, empowering admins and developers to integrate secure authentication and single sign-on (SSO) with modern identity providers. In addition to OIDC, this release introduces OpenID Connect Dynamic Client Registration, OpenID Connect Discovery, and OAuth 2.0 Token Introspection. Let’s dive into what these features are and why they matter.

What is OpenID Connect?​

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that allows clients to verify the identity of users. With OIDC, instead of just authorizing an app to access a resource, the system can also authenticate the user securely. This means users can log in to multiple applications with a single set of credentials, making OIDC ideal for Single Sign-On (SSO) across services.

Why is this important? Because it saves users from password fatigue, reduces login complexity, and centralizes authentication in a secure manner. Stalwart Mail Server’s new OIDC support allows you to authenticate your users either directly through Stalwart as an OpenID Provider or by integrating with third-party OIDC providers like Authentik, Keycloak, or any compliant identity system.

Alongside full OIDC support, Stalwart Mail Server v0.10.2 also introduces several important new features that expand its capabilities:

OpenID Connect Dynamic Client Registration​

Dynamic Client Registration allows clients (applications) to automatically register with the OIDC provider without requiring manual intervention. This feature makes it easier to integrate multiple applications, as clients can dynamically obtain credentials (like client IDs) directly from Stalwart Mail Server. This adds flexibility and reduces administrative overhead.

OpenID Connect Discovery​

With the OpenID Connect Discovery feature, clients can automatically discover the relevant OIDC endpoints and supported capabilities via the /.well-known/openid-configuration endpoint. This simplifies the configuration of OIDC clients, as they don’t need to be manually configured with URLs for token, authorization, and userinfo endpoints — they just query the discovery endpoint and set themselves up!

OAuth 2.0 Token Introspection​

OAuth 2.0 Token Introspection allows resource servers (like APIs or mail servers) to validate access tokens provided by clients. This ensures that the token being used is still active, hasn’t expired, and has the right permissions attached. This is particularly useful for securing interactions between various services while verifying that tokens are still valid.

OpenID Provider or Third-Party OIDC Support​

Stalwart Mail Server v0.10.2 can now act as an OpenID Provider (issuing ID tokens and managing authentication), which means your organization can use it to handle authentication for all your internal applications and services. Alternatively, Stalwart can also integrate with third-party OIDC providers, so you can delegate authentication to systems like Authentik or Auth0, while still using Stalwart to manage your email infrastructure.

This dual functionality gives you the flexibility to choose how you want to manage authentication while taking full advantage of OIDC's security features.

About OAUTHBEARER...​

Now, let’s talk about mail clients and the OAUTHBEARER SASL mechanism. While Stalwart fully supports OIDC, the majority of mainstream mail clients (looking at you, Outlook, Thunderbird, and Apple Mail) still don’t support OAUTHBEARER for OAuth-based authentication. Sure, we’ve done our part by adding OpenID support to Stalwart — now it's up to the mail clients to follow suit and add proper support for OIDC authentication. Maybe one day, we’ll see these clients finally catch up, and we can all enjoy the seamless authentication experience that OIDC offers.

In the meantime, users of these clients will need to continue using App Passwords to access their email accounts. But hey, maybe this is the gentle nudge the developers of these clients need to jump on the OpenID bandwagon!

Try It Out​

Stalwart Mail Server v0.10.2 is available now, so download it, upgrade your server, and start taking advantage of these new features! Whether you’re setting up Stalwart as your OpenID Provider or integrating with a third-party provider, this release gives you the tools to secure authentication with modern standards like OpenID Connect.

Happy mailing and happy authenticating!

We are happy to announce that Stalwart Mail Server 0.10.0 is officially here! This latest release brings some exciting new features to help you manage your email infrastructure more effectively. With multi-tenancy, branding, and a robust roles and permissions system, Stalwart is more powerful and flexible than ever before. Let’s dive into what’s new in this release!

Multi-Tenancy: Streamlined Management​

Multi-tenancy is a game-changer for anyone managing multiple independent organizations on a single instance of Stalwart Mail Server. Whether you’re a hosting provider or an enterprise with multiple departments, tenants allow you to isolate different organizations, each with its own users, groups, mailing lists, and domains.

Each tenant operates within its own secure space, ensuring privacy and separation from other tenants. You can assign disk quotas to control how much storage each tenant can use and limit the number of accounts, groups, and domains they can create. This is perfect for keeping resources in check while maintaining an organized, scalable environment. Imagine a scenario where a tenant is given 100GB of disk space. If the users within that tenant collectively consume all 100GB, the system prevents them from receiving more email, ensuring no one overuses resources.

Multi-tenancy offers security, control, and scalability—all in one package.

Roles & Permissions: Fine-Tuned Access Control​

With the revamped Roles and Permissions system, Stalwart Mail Server 0.10.0 gives you unprecedented control over who can do what in your environment. No more blanket admin accounts! Instead, you can assign specific permissions to individuals, groups, or entire tenants.

Permissions can be bundled into roles, which makes managing access a breeze. Stalwart comes with three built-in roles to get you started: the user role, which grants access to all essential email services; the admin role, which has full control over the system; and the tenant-admin role, which is perfect for tenant or domain administrators, providing just the right amount of access without overstepping into critical system configurations.

This granular permissions model ensures that no one has more access than they need, keeping your system secure while allowing users to perform their required tasks. Whether it’s managing users, updating settings, or overseeing mailing lists, the right permissions are always in the right hands.

Branding: Personalized Web Interface​

Another exciting new feature in Stalwart Mail Server 0.10.0 is branding. This feature allows system administrators to customize the look and feel of the webadmin interface by adding logos specific to each tenant or domain.

When a user logs into the webadmin portal, Stalwart checks the domain associated with the request. If a logo has been set for that domain, it will be displayed. If the domain doesn’t have its own logo but is linked to a tenant that does, the tenant’s logo will be used. If neither the domain nor the tenant has a custom logo, the system defaults to the logo defined in the configuration. If no logo is defined, the trusty Stalwart logo makes an appearance. This feature ensures that your tenants can enjoy a fully branded experience, making the platform feel even more tailored to their organization.

Enterprise-Only Features: Multi-Tenancy & Branding​

It’s important to note that while Roles and Permissions are available in all versions of Stalwart Mail Server, the Multi-tenancy and Branding features are part of the Enterprise package. These advanced tools are designed for organizations with more complex needs, providing flexibility and customization options tailored to large-scale environments.

Support Stalwart: It Costs Less Than Netflix!​

We’ve worked hard to keep Stalwart open and accessible to everyone, but if you want to unlock Enterprise features and support the continued development of Stalwart, please consider subscribing to a Stalwart Enterprise License. It costs less than your Netflix or Spotify Premium subscription and will help us continue building exciting new features, including upcoming developments like CalDAV, CardDAV, WebDAV, and JMAP for contacts, calendars, and tasks.

By subscribing, not only do you unlock advanced functionality, but you also contribute to the growth of a project committed to providing a powerful, open mail server solution for all.

Thank you for being part of the Stalwart community. We hope you enjoy these new features as much as we enjoyed building them, and we look forward to bringing you even more great updates in the future. If you’re interested in learning more about Stalwart Enterprise or obtaining a license, feel free to reach out to us.

Happy mailing!

We're excited to announce the release of Stalwart Mail Server version 0.9.3! Whether you're using the Community or Enterprise version of Stalwart Mail Server, this update brings powerful new features to enhance your email infrastructure's security, performance, and monitoring capabilities. Let's dive into what's new:

Comprehensive Dashboard​

A major highlight of this release for Enterprise users is the introduction of the new Dashboard feature. This tool provides real-time insights into your server's operations, allowing you to monitor critical metrics and trends at a glance. The Dashboard is divided into five distinct sections: Overview, Network, Delivery, Security, and Performance. The Overview dashboard offers a comprehensive summary of general mail server statistics, giving you a quick snapshot of the server's health and activity. The Network dashboard focuses on the number of total and active connections, enabling you to monitor network traffic and identify potential issues with server load. The Delivery dashboard provides detailed information on mail flow, including queued messages and the number of messages sent and received, ensuring that your mail delivery processes are running smoothly. The Security dashboard is dedicated to tracking your server’s defenses, presenting statistics on banned IPs, blocked requests, and spam filtering effectiveness. Finally, the Performance dashboard allows you to monitor key performance indicators such as memory usage, database latency, and DNS latency, helping you optimize the server's performance and address any bottlenecks.

Customizable Alerts​

Also new to the Enterprise version is the Alerts feature, which ensures that you are always in the loop when important metrics reach critical thresholds. Whether it's a spike in memory usage, an increase in queued messages, or any other significant change, Alerts can notify you via email or webhooks the moment these events occur.

Alerts are highly configurable, allowing you to set up complex conditions that trigger notifications only when specific combinations of metrics are met. For example, you could set an alert for when server memory usage exceeds a certain amount and the message queue count rises above a defined level, helping you to react swiftly and prevent potential disruptions.

Security Enhancements​

Security remains a top priority in this release, and version 0.9.3 introduces two new features that enhance the defenses of both the Community and Enterprise versions.

RCPT Brute Force Protection​

Enhance your server's security with our new RCPT brute force protection. This feature automatically bans IP addresses attempting to discover valid email recipients through brute force attacks—a common tactic used by spammers. By implementing this protection, Stalwart Mail Server adds another layer of defense to your email infrastructure, helping to maintain the integrity of your user list and prevent potential security breaches.

Loitering Connection Protection​

Defend against SYN Flood attacks with our loitering connection protection. This smart feature blocks IP addresses that repeatedly keep connections open without meaningful activity, helping to prevent resource exhaustion attacks. By identifying and mitigating these potential threats, Stalwart Mail Server ensures that your server resources are used efficiently and remain available for legitimate email traffic.

Conclusion​

Stalwart Mail Server version 0.9.3 is a significant step forward in our commitment to providing a secure, efficient, and easy-to-manage mail server solution. Whether you are leveraging the powerful new monitoring and alerting tools in the Enterprise version or benefiting from the enhanced security features available across both versions, this update offers valuable enhancements that will help you better manage and protect your mail server.

We encourage all users to upgrade to version 0.9.3 and take advantage of these exciting new features. As always, we remain dedicated to improving Stalwart Mail Server and providing you with the best possible tools to manage your email infrastructure.

Thank you for your continued support, and we look forward to bringing you more updates and features in the future!

We are thrilled to announce the release of Stalwart Mail Server version 0.9.1, which comes packed with significant enhancements to our telemetry capabilities. This release marks a major milestone in our ongoing efforts to provide robust and efficient monitoring and logging solutions, ensuring our users can achieve optimal server performance and reliability.

Enhanced Tracing​

In previous versions of Stalwart, tracing and logging provided valuable insights but lacked the detail and comprehensiveness needed for thorough monitoring. With version 0.9.1, we have completely rewritten the tracing and logging layer, resulting in a faster and more detailed system. The new implementation leverages a lock-free data structure, enabling Stalwart to record thousands of events per second without impacting server performance. This major upgrade ensures that every significant event is captured, providing a comprehensive view of the server's operations.

Stalwart now generates over 600 different types of events, significantly expanding the granularity and depth of our telemetry data. These events can be sent to OpenTelemetry or Webhooks, offering flexibility in how they are processed and analyzed. Additionally, events can be recorded in log files, sent to journald, or written directly to the console, providing multiple avenues for accessing and utilizing this detailed information.

Comprehensive Metrics​

The highlight of Stalwart Mail Server version 0.9.1 is the introduction of support for hundreds of different metrics. This enhancement enables administrators to gain deeper insights into the server's performance and health. Metrics can be exported to OpenTelemetry using a push mechanism, allowing for real-time monitoring and analysis. Alternatively, they can be collected using Prometheus via a pull method, integrating seamlessly with existing monitoring infrastructures.

This robust metrics support ensures that users can monitor a wide range of server parameters, from resource usage to request handling, enabling proactive maintenance and troubleshooting. By providing comprehensive metrics, Stalwart Mail Server empowers administrators to make informed decisions, optimize performance, and maintain high levels of reliability.

HTTP Access Controls​

In addition to these telemetry improvements, Stalwart Mail Server version 0.9.1 introduces a highly requested feature: HTTP endpoint access controls. This new capability allows administrators to limit access to HTTP endpoints based on various criteria, such as remote IP or IP range, HTTP method, listener ID, and more. This fine-grained control enhances security and ensures that only authorized users can access specific server functionalities.

The introduction of HTTP endpoint access controls responds directly to user feedback, demonstrating our commitment to continually enhancing the server based on real-world needs and experiences. This feature provides an additional layer of security and customization, making Stalwart Mail Server more versatile and robust.

Conclusion​

Stalwart Mail Server version 0.9.1 represents a significant leap forward in our telemetry capabilities, offering faster, more detailed tracing and logging, comprehensive metrics support, and new HTTP endpoint access controls. These improvements underscore our dedication to providing a powerful, efficient, and secure mail server solution.

Upgrade to version 0.9.1 today and experience the next level of telemetry with Stalwart Mail Server!

We are excited to announce a partnership between Stalwart Labs and Nextcloud, bringing together our state-of-the-art Stalwart Mail Server with the comprehensive Nextcloud suite. This collaboration marks a significant step forward in enhancing productivity, security, and user experience for our customers.

What This Means for You​

Nextcloud will now also offer a version bundled with Stalwart Mail Server, providing users with a powerful, efficient, and secure email solution seamlessly integrated within the Nextcloud environment. This integration is designed to provide a cohesive and streamlined experience, allowing users to manage their email, files, and collaborative projects all in one place.

Key Benefits​

• Enhanced Productivity: With Stalwart Mail Server bundled into Nextcloud, users can effortlessly access their email and other Nextcloud apps, such as files, calendars, and tasks. This unified approach reduces the time and effort spent on managing multiple platforms.
• Robust Security: Both Stalwart Labs and Nextcloud prioritize security. Our mail server brings industry-leading security features, including encryption and advanced threat detection, ensuring your communications remain safe and confidential.
• Seamless Collaboration: Nextcloud is known for its powerful collaboration tools. Integrating Stalwart Mail Server enhances these capabilities, allowing for better coordination and communication within teams.
• User-Friendly Interface: Our combined efforts focus on delivering an intuitive and user-friendly interface, making it easier for users to navigate and utilize the full potential of the integrated suite.

About Stalwart Mail Server​

Stalwart Mail Server is a highly reliable and secure email server designed for modern businesses. With features such as spam filtering, encryption, and high availability, it provides an unparalleled email experience. Our server is built to handle the demands of any organization, ensuring your communications are always fast, reliable, and secure.

About Nextcloud​

Nextcloud is the leading open-source software suite for file sharing and collaboration. It offers a wide range of tools for managing and sharing files, calendars, contacts, and more, all while maintaining the highest standards of security and privacy. Nextcloud is trusted by millions of users worldwide, from small businesses to large enterprises.

Looking Ahead​

This partnership is just the beginning. We are committed to continuously improving and expanding our integrated solutions to meet the evolving needs of our users. Stay tuned for more updates and enhancements as we work together to bring you the best in productivity and security.

We invite you to explore the new integrated experience and see firsthand how Stalwart Mail Server and Nextcloud can transform the way you work. For more information, please visit our website or contact our team.

Thank you for your continued trust and support.

We are happy to announce the release of Stalwart Mail Server 0.8.3! This latest version introduces two powerful security features: Two-Factor Authentication (2FA) with TOTP codes and Application Passwords. These additions are designed to enhance the security of your email accounts, providing robust protection against unauthorized access.

Two-Factor Authentication​

Two-Factor Authentication (2FA) is a security measure that requires users to provide two forms of identification before gaining access to their accounts. With the introduction of TOTP (Time-based One-Time Password) codes in Stalwart Mail Server 0.8.3, users can now benefit from this extra layer of security. TOTP codes are time-sensitive, one-time passwords generated by an authenticator app, such as Google Authenticator or Authy.

When 2FA is enabled, users must enter their regular password and a TOTP code generated by their authenticator app. This ensures that even if an attacker obtains the user's password, they would still need the TOTP code to access the account, significantly reducing the risk of unauthorized access. The TOTP codes are easy to set up and use, making them a convenient yet highly effective security measure.

Application Passwords​

Alongside 2FA, Stalwart Mail Server 0.8.3 introduces Application Passwords. These are unique, randomly generated passwords that allow users to access their email accounts on devices or applications that do not support the OAUTHBEARER SASL mechanism. Application Passwords are particularly useful for older mail clients, third-party applications, and automated scripts that need access to email accounts but cannot handle the interactive authentication required by 2FA.

By generating an Application Password, users can maintain access to their email accounts on all their devices and applications while still benefiting from the enhanced security of 2FA. These passwords are managed through the self-service portal, where users can create, view, and revoke them as needed.

Improved Security, Enhanced Usability​

The addition of Two-Factor Authentication with TOTP codes and Application Passwords in Stalwart Mail Server 0.8.3 represents a significant step forward in email account security. These features provide robust protection against unauthorized access, ensuring that your email communications remain secure. At the same time, they offer flexibility and ease of use, making it simple for users to secure their accounts without compromising on convenience.

We are committed to continuously improving the security and functionality of Stalwart Mail Server. We encourage all users to upgrade to version 0.8.3 and take advantage of these powerful new security features. As always, we welcome your feedback and look forward to hearing how these enhancements benefit you.

Stay secure, stay connected.

We are happy to announce the release of Stalwart Mail Server version 0.8.2, an update that brings powerful new features designed to enhance the flexibility and responsiveness of your email infrastructure. The highlight of this release is the introduction of Webhooks and MTA Hooks, two significant additions that offer greater control and automation for email processing.

Webhooks: Real-Time Notifications for Your Email System​

Webhooks provide a modern way to receive real-time notifications about various events in your email system. By setting up HTTP callbacks, you can automatically trigger actions or receive alerts when specific events occur. This feature is invaluable for maintaining the health and security of your email operations.

With Stalwart Mail Server's Webhooks, you can be notified about a range of events, including:

• Message Receipt and Delivery: Stay informed when emails are received by or delivered from your server, allowing you to track email flow in real-time.
• User Authentication: Receive alerts for successful logins, authentication failures, or attempts by banned users, helping you monitor and secure user access.
• Account Quota Management: Get notified when an account exceeds its quota, enabling proactive management of storage limits and user activities.
• DMARC and TLS Reports: Keep track of email security by receiving notifications for incoming DMARC reports and TLS reports, ensuring you stay updated on your email authentication status.

By leveraging Webhooks, you can enhance the automation and responsiveness of your email infrastructure, making it easier to manage and monitor various aspects of email activity and security.

MTA Hooks: A Modern Replacement for Milter​

Stalwart Mail Server version 0.8.2 also introduces MTA Hooks, an exciting new protocol developed by Stalwart Labs to replace the traditional milter protocol. MTA Hooks offers a more flexible and straightforward way to handle email processing at various stages of the SMTP transaction.

What are MTA Hooks?​

MTA Hooks is an HTTP-based protocol that uses POST requests to submit a JSON payload containing details about the SMTP transaction. It supports comprehensive coverage of SMTP stages, from the initial connection to final message delivery. By using JSON, MTA Hooks provides a clear and human-readable format, making it easier to implement and debug.

Benefits of MTA Hooks​

• Enhanced Flexibility: MTA Hooks can be invoked at any stage of the SMTP transaction, allowing for precise control over email processing.
• Ease of Integration: Using standard HTTP and JSON makes it simpler to integrate MTA Hooks into your existing infrastructure.
• Real-Time Processing: MTA Hooks enables real-time processing and modification of email transactions, ensuring immediate response to critical events.

Standardization Efforts​

Stalwart Labs is actively working to have MTA Hooks standardized as an IETF RFC, aiming to establish it as a new industry standard for email processing. This effort underscores our commitment to innovation and leadership in the email infrastructure space.

Looking Ahead​

We invite you to upgrade to Stalwart Mail Server version 0.8.2 and experience the benefits of Webhooks and MTA Hooks. These new features are designed to provide you with greater control, automation, and real-time capabilities, making your email infrastructure more robust and responsive.

We are pleased to announce that Stalwart Mail Server is not vulnerable to the recently disclosed CVE-2024-34055 exploit, which affects Cyrus IMAP versions before 3.8.3 and 3.10.x before 3.10.0-rc1. This vulnerability allows authenticated attackers to cause unbounded memory allocation, potentially leading to a server crash through an Out-Of-Memory (OOM) condition.

Understanding the CVE-2024-34055 Exploit​

The CVE-2024-34055 exploit leverages a specific weakness in the Cyrus IMAP server. By sending numerous LITERALs in a single command, an attacker can trigger excessive memory allocation. The vulnerability can be demonstrated with the following example:

A2 SEARCH BODY {1048576}
+ Ready for 1048576 bytes.
[1048576 bytes chunk] BODY {1048576}
+ Ready for 1048576 bytes.
[1048576 bytes chunk] BODY {1048576}
...
+ Ready for 1048576 bytes.
[1048576 bytes chunk] BODY {1048576}
<cyrus crashes with oom>

In this scenario, the server is repeatedly asked to allocate large chunks of memory, eventually leading to an OOM crash.

Why Stalwart is Secure​

Stalwart Mail Server is designed with security and robustness in mind, and it is not susceptible to the type of attacks outlined in CVE-2024-34055. Here’s why:

• Strict Parsers: Stalwart’s parsers are highly strict when reading input from the network. This strictness ensures that any malformed or malicious commands are promptly identified and handled without leading to excessive resource allocation.
• Extensive Fuzzing and Testing: All parsers in Stalwart have undergone rigorous fuzzing and testing. Fuzzing is a testing technique that involves providing invalid, unexpected, or random data inputs to the software to identify vulnerabilities. This meticulous testing regime ensures that Stalwart can robustly handle a wide range of inputs without compromising on stability or security.
• Written in Rust: Stalwart is developed using the Rust programming language, which offers inherent safety features. Rust’s ownership model and type system prevent many common vulnerabilities associated with memory management that are prevalent in languages like C. This makes Stalwart inherently less susceptible to memory-related exploits compared to other mail servers such as Cyrus and Dovecot.

Conclusion​

At Stalwart, we prioritize security and reliability. Our commitment to using secure coding practices, comprehensive testing, and leveraging the advantages of Rust ensures that Stalwart Mail Server remains resilient against the latest threats. We encourage our users to continue enjoying the peace of mind that comes with knowing their mail server is robust against vulnerabilities like CVE-2024-34055.

For more information or support, please contact our team or visit our website. Stay secure with Stalwart!

Email security is a critical aspect of digital communication, especially given the rising sophistication of cyber threats. DomainKeys Identified Mail (DKIM) and Authenticated Received Chain (ARC) are standards designed to ensure the authenticity and integrity of emails. However, as discovered by analysts at Zone.eu, vulnerabilities in the DKIM standard could undermine these protections, affecting billions of users worldwide.

Introduction to DKIM and ARC​

DKIM provides an email authentication method that allows an organization to take responsibility for a message in transit. The standard uses cryptographic signatures to verify that an email has not been altered since it was originally sent. ARC, on the other hand, is an email authentication system designed to provide a way to preserve email authentication results across subsequent intermediaries that might modify the message, thus extending the benefits of DKIM.

The Exploit Revealed​

The vulnerability uncovered by Zone.eu revolves around the DKIM's "l=" parameter, which specifies the exact number of octets in the body of the email that are signed. This can be exploited by attackers who can append additional content to the message without affecting the validity of the DKIM signature. This oversight can lead emails with forged content to still appear as authenticated, deceiving both email systems and end-users, especially when visual trust indicators like BIMI are employed.

Stalwart’s Response to the Exploit​

Recognizing the gravity of this exploit, Stalwart Mail Server has taken decisive steps to mitigate this risk and reinforce the security of email communications for its users. Initially, in Stalwart's implementation of DKIM and ARC, the option to set a signature length was disabled by default, which was a preventive measure against potential misuse. To further strengthen security in light of the new findings, Stalwart has now entirely removed the ability to specify signature lengths in both DKIM signatures and ARC seals. This change ensures that users cannot accidentally enable this feature, which could lead to vulnerabilities.

Furthermore, Stalwart has enhanced its validation processes. Both DKIM signatures and ARC seals are now verified in strict mode exclusively. Stalwart will not validate any signatures or seals that include a length parameter (the "l=" tag). Instead, these will receive a neutral result, meaning they neither pass nor fail the verification process but are flagged for potential risk. This approach aligns with best practices recommended in the wake of the exploit's discovery and is designed to prevent similar types of vulnerabilities from being exploited.

Conclusion​

Stalwart Mail Server's response illustrates a proactive and security-conscious approach, ensuring that our users remain protected against emerging threats. By eliminating the option to specify signature lengths and enforcing strict validation standards, Stalwart continues to be at the forefront of safeguarding email communications against evolving cyber threats.

We extend our thanks to the researchers at Zone.eu for their diligence in uncovering this significant security concern, thereby contributing to the broader effort of enhancing email security across the globe.