We are excited to announce a partnership between Stalwart Labs and Nextcloud, bringing together our state-of-the-art Stalwart Mail Server with the comprehensive Nextcloud suite. This collaboration marks a significant step forward in enhancing productivity, security, and user experience for our customers.

What This Means for You​

Nextcloud will now also offer a version bundled with Stalwart Mail Server, providing users with a powerful, efficient, and secure email solution seamlessly integrated within the Nextcloud environment. This integration is designed to provide a cohesive and streamlined experience, allowing users to manage their email, files, and collaborative projects all in one place.

Key Benefits​

• Enhanced Productivity: With Stalwart Mail Server bundled into Nextcloud, users can effortlessly access their email and other Nextcloud apps, such as files, calendars, and tasks. This unified approach reduces the time and effort spent on managing multiple platforms.
• Robust Security: Both Stalwart Labs and Nextcloud prioritize security. Our mail server brings industry-leading security features, including encryption and advanced threat detection, ensuring your communications remain safe and confidential.
• Seamless Collaboration: Nextcloud is known for its powerful collaboration tools. Integrating Stalwart Mail Server enhances these capabilities, allowing for better coordination and communication within teams.
• User-Friendly Interface: Our combined efforts focus on delivering an intuitive and user-friendly interface, making it easier for users to navigate and utilize the full potential of the integrated suite.

About Stalwart Mail Server​

Stalwart Mail Server is a highly reliable and secure email server designed for modern businesses. With features such as spam filtering, encryption, and high availability, it provides an unparalleled email experience. Our server is built to handle the demands of any organization, ensuring your communications are always fast, reliable, and secure.

About Nextcloud​

Nextcloud is the leading open-source software suite for file sharing and collaboration. It offers a wide range of tools for managing and sharing files, calendars, contacts, and more, all while maintaining the highest standards of security and privacy. Nextcloud is trusted by millions of users worldwide, from small businesses to large enterprises.

Looking Ahead​

This partnership is just the beginning. We are committed to continuously improving and expanding our integrated solutions to meet the evolving needs of our users. Stay tuned for more updates and enhancements as we work together to bring you the best in productivity and security.

We invite you to explore the new integrated experience and see firsthand how Stalwart Mail Server and Nextcloud can transform the way you work. For more information, please visit our website or contact our team.

Thank you for your continued trust and support.

We are happy to announce the release of Stalwart Mail Server 0.8.3! This latest version introduces two powerful security features: Two-Factor Authentication (2FA) with TOTP codes and Application Passwords. These additions are designed to enhance the security of your email accounts, providing robust protection against unauthorized access.

Two-Factor Authentication​

Two-Factor Authentication (2FA) is a security measure that requires users to provide two forms of identification before gaining access to their accounts. With the introduction of TOTP (Time-based One-Time Password) codes in Stalwart Mail Server 0.8.3, users can now benefit from this extra layer of security. TOTP codes are time-sensitive, one-time passwords generated by an authenticator app, such as Google Authenticator or Authy.

When 2FA is enabled, users must enter their regular password and a TOTP code generated by their authenticator app. This ensures that even if an attacker obtains the user's password, they would still need the TOTP code to access the account, significantly reducing the risk of unauthorized access. The TOTP codes are easy to set up and use, making them a convenient yet highly effective security measure.

Application Passwords​

Alongside 2FA, Stalwart Mail Server 0.8.3 introduces Application Passwords. These are unique, randomly generated passwords that allow users to access their email accounts on devices or applications that do not support the OAUTHBEARER SASL mechanism. Application Passwords are particularly useful for older mail clients, third-party applications, and automated scripts that need access to email accounts but cannot handle the interactive authentication required by 2FA.

By generating an Application Password, users can maintain access to their email accounts on all their devices and applications while still benefiting from the enhanced security of 2FA. These passwords are managed through the self-service portal, where users can create, view, and revoke them as needed.

Improved Security, Enhanced Usability​

The addition of Two-Factor Authentication with TOTP codes and Application Passwords in Stalwart Mail Server 0.8.3 represents a significant step forward in email account security. These features provide robust protection against unauthorized access, ensuring that your email communications remain secure. At the same time, they offer flexibility and ease of use, making it simple for users to secure their accounts without compromising on convenience.

We are committed to continuously improving the security and functionality of Stalwart Mail Server. We encourage all users to upgrade to version 0.8.3 and take advantage of these powerful new security features. As always, we welcome your feedback and look forward to hearing how these enhancements benefit you.

Stay secure, stay connected.

We are happy to announce the release of Stalwart Mail Server version 0.8.2, an update that brings powerful new features designed to enhance the flexibility and responsiveness of your email infrastructure. The highlight of this release is the introduction of Webhooks and MTA Hooks, two significant additions that offer greater control and automation for email processing.

Webhooks: Real-Time Notifications for Your Email System​

Webhooks provide a modern way to receive real-time notifications about various events in your email system. By setting up HTTP callbacks, you can automatically trigger actions or receive alerts when specific events occur. This feature is invaluable for maintaining the health and security of your email operations.

With Stalwart Mail Server's Webhooks, you can be notified about a range of events, including:

• Message Receipt and Delivery: Stay informed when emails are received by or delivered from your server, allowing you to track email flow in real-time.
• User Authentication: Receive alerts for successful logins, authentication failures, or attempts by banned users, helping you monitor and secure user access.
• Account Quota Management: Get notified when an account exceeds its quota, enabling proactive management of storage limits and user activities.
• DMARC and TLS Reports: Keep track of email security by receiving notifications for incoming DMARC reports and TLS reports, ensuring you stay updated on your email authentication status.

By leveraging Webhooks, you can enhance the automation and responsiveness of your email infrastructure, making it easier to manage and monitor various aspects of email activity and security.

MTA Hooks: A Modern Replacement for Milter​

Stalwart Mail Server version 0.8.2 also introduces MTA Hooks, an exciting new protocol developed by Stalwart Labs to replace the traditional milter protocol. MTA Hooks offers a more flexible and straightforward way to handle email processing at various stages of the SMTP transaction.

What are MTA Hooks?​

MTA Hooks is an HTTP-based protocol that uses POST requests to submit a JSON payload containing details about the SMTP transaction. It supports comprehensive coverage of SMTP stages, from the initial connection to final message delivery. By using JSON, MTA Hooks provides a clear and human-readable format, making it easier to implement and debug.

Benefits of MTA Hooks​

• Enhanced Flexibility: MTA Hooks can be invoked at any stage of the SMTP transaction, allowing for precise control over email processing.
• Ease of Integration: Using standard HTTP and JSON makes it simpler to integrate MTA Hooks into your existing infrastructure.
• Real-Time Processing: MTA Hooks enables real-time processing and modification of email transactions, ensuring immediate response to critical events.

Standardization Efforts​

Stalwart Labs is actively working to have MTA Hooks standardized as an IETF RFC, aiming to establish it as a new industry standard for email processing. This effort underscores our commitment to innovation and leadership in the email infrastructure space.

Looking Ahead​

We invite you to upgrade to Stalwart Mail Server version 0.8.2 and experience the benefits of Webhooks and MTA Hooks. These new features are designed to provide you with greater control, automation, and real-time capabilities, making your email infrastructure more robust and responsive.

We are pleased to announce that Stalwart Mail Server is not vulnerable to the recently disclosed CVE-2024-34055 exploit, which affects Cyrus IMAP versions before 3.8.3 and 3.10.x before 3.10.0-rc1. This vulnerability allows authenticated attackers to cause unbounded memory allocation, potentially leading to a server crash through an Out-Of-Memory (OOM) condition.

Understanding the CVE-2024-34055 Exploit​

The CVE-2024-34055 exploit leverages a specific weakness in the Cyrus IMAP server. By sending numerous LITERALs in a single command, an attacker can trigger excessive memory allocation. The vulnerability can be demonstrated with the following example:

A2 SEARCH BODY {1048576}
+ Ready for 1048576 bytes.
[1048576 bytes chunk] BODY {1048576}
+ Ready for 1048576 bytes.
[1048576 bytes chunk] BODY {1048576}
...
+ Ready for 1048576 bytes.
[1048576 bytes chunk] BODY {1048576}
<cyrus crashes with oom>

In this scenario, the server is repeatedly asked to allocate large chunks of memory, eventually leading to an OOM crash.

Why Stalwart is Secure​

Stalwart Mail Server is designed with security and robustness in mind, and it is not susceptible to the type of attacks outlined in CVE-2024-34055. Here’s why:

• Strict Parsers: Stalwart’s parsers are highly strict when reading input from the network. This strictness ensures that any malformed or malicious commands are promptly identified and handled without leading to excessive resource allocation.
• Extensive Fuzzing and Testing: All parsers in Stalwart have undergone rigorous fuzzing and testing. Fuzzing is a testing technique that involves providing invalid, unexpected, or random data inputs to the software to identify vulnerabilities. This meticulous testing regime ensures that Stalwart can robustly handle a wide range of inputs without compromising on stability or security.
• Written in Rust: Stalwart is developed using the Rust programming language, which offers inherent safety features. Rust’s ownership model and type system prevent many common vulnerabilities associated with memory management that are prevalent in languages like C. This makes Stalwart inherently less susceptible to memory-related exploits compared to other mail servers such as Cyrus and Dovecot.

Conclusion​

At Stalwart, we prioritize security and reliability. Our commitment to using secure coding practices, comprehensive testing, and leveraging the advantages of Rust ensures that Stalwart Mail Server remains resilient against the latest threats. We encourage our users to continue enjoying the peace of mind that comes with knowing their mail server is robust against vulnerabilities like CVE-2024-34055.

For more information or support, please contact our team or visit our website. Stay secure with Stalwart!

Email security is a critical aspect of digital communication, especially given the rising sophistication of cyber threats. DomainKeys Identified Mail (DKIM) and Authenticated Received Chain (ARC) are standards designed to ensure the authenticity and integrity of emails. However, as discovered by analysts at Zone.eu, vulnerabilities in the DKIM standard could undermine these protections, affecting billions of users worldwide.

Introduction to DKIM and ARC​

DKIM provides an email authentication method that allows an organization to take responsibility for a message in transit. The standard uses cryptographic signatures to verify that an email has not been altered since it was originally sent. ARC, on the other hand, is an email authentication system designed to provide a way to preserve email authentication results across subsequent intermediaries that might modify the message, thus extending the benefits of DKIM.

The Exploit Revealed​

The vulnerability uncovered by Zone.eu revolves around the DKIM's "l=" parameter, which specifies the exact number of octets in the body of the email that are signed. This can be exploited by attackers who can append additional content to the message without affecting the validity of the DKIM signature. This oversight can lead emails with forged content to still appear as authenticated, deceiving both email systems and end-users, especially when visual trust indicators like BIMI are employed.

Stalwart’s Response to the Exploit​

Recognizing the gravity of this exploit, Stalwart Mail Server has taken decisive steps to mitigate this risk and reinforce the security of email communications for its users. Initially, in Stalwart's implementation of DKIM and ARC, the option to set a signature length was disabled by default, which was a preventive measure against potential misuse. To further strengthen security in light of the new findings, Stalwart has now entirely removed the ability to specify signature lengths in both DKIM signatures and ARC seals. This change ensures that users cannot accidentally enable this feature, which could lead to vulnerabilities.

Furthermore, Stalwart has enhanced its validation processes. Both DKIM signatures and ARC seals are now verified in strict mode exclusively. Stalwart will not validate any signatures or seals that include a length parameter (the "l=" tag). Instead, these will receive a neutral result, meaning they neither pass nor fail the verification process but are flagged for potential risk. This approach aligns with best practices recommended in the wake of the exploit's discovery and is designed to prevent similar types of vulnerabilities from being exploited.

Conclusion​

Stalwart Mail Server's response illustrates a proactive and security-conscious approach, ensuring that our users remain protected against emerging threats. By eliminating the option to specify signature lengths and enforcing strict validation standards, Stalwart continues to be at the forefront of safeguarding email communications against evolving cyber threats.

We extend our thanks to the researchers at Zone.eu for their diligence in uncovering this significant security concern, thereby contributing to the broader effort of enhancing email security across the globe.

We are excited to announce the release of Stalwart Mail Server v0.8.0, a significant update that introduces powerful new features and enhancements designed to improve performance, scalability, and ease of use. This release marks a major step forward in our commitment to providing a robust and highly available email server solution for businesses and organizations of all sizes.

Enhanced Clustering Capabilities​

A major highlight of this release is the introduction of advanced clustering support, a feature aimed at enterprises needing high availability and fault tolerance in their email services. The new clustering functionality includes node auto-discovery, which simplifies the scaling process by automatically detecting and integrating new nodes into the existing cluster. Additionally, the partition-tolerant failure detection system ensures that the system remains operational even when network partitions occur. These features collectively enhance the resilience of the mail server, ensuring continuous service availability and reliability.

Simplified Email Client Configuration​

Stalwart v0.8.0 also brings support for Autoconfig and Autodiscover protocols, which are essential for streamlining the user experience. These protocols automate the configuration process for email clients, eliminating the need for manual setup and reducing the potential for errors. By supporting these standards, Stalwart makes it easier for users to connect their email clients to the server, promoting a seamless integration with a variety of platforms.

Performance and Storage Optimizations​

We have implemented significant performance improvements, particularly in our integration with FoundationDB, enhancing the speed and efficiency of our database interactions. This version also introduces improved full-text indexing, which now uses less disk space without compromising search capabilities. These optimizations ensure that Stalwart Mail Server can handle larger volumes of data more efficiently, making it ideal for organizations with high email traffic.

Security and Administration Enhancements​

Stalwart v0.8.0 enhances security measures by automatically publishing MTA-STS policies and generating TLSA records for DANE, providing an additional layer of security by enabling encrypted email transport. These features help in preventing man-in-the-middle attacks and ensure that email communications are secured at transit.

Furthermore, this release includes a new feature in the web-admin panel that allows administrators to visualize queued messages. This tool is invaluable for monitoring and managing email flow, providing insights into the server's operational status and helping to quickly address delivery issues.

Looking Forward​

The release of Stalwart Mail Server v0.8.0 with its focus on clustering, autoconfiguration, and performance improvements demonstrates our ongoing commitment to developing cutting-edge technology that meets the needs of our users. We believe these enhancements will make a significant difference in how businesses and organizations manage their email infrastructures.

We invite you to download and experience the new features of Stalwart Mail Server v0.8.0. As always, we look forward to your feedback, which is crucial in helping us continue to improve and evolve our product to better serve you.

Today we announce the release of Stalwart Mail Server version 0.7.2, which now includes support for both DNS-01 and HTTP-01 ACME challenge types. This update marks a significant enhancement in our server's capabilities, addressing one of the most frequent requests from our user community—the inclusion of DNS-01 support for improved domain validation flexibility.

What is ACME?​

The Automated Certificate Management Environment (ACME) protocol is a cornerstone in the world of secure communications. ACME automates the process of certificate issuance, renewal, and revocation, thereby simplifying the management of SSL/TLS certificates. This protocol is not only designed to streamline administrative tasks but also to bolster security measures through rigorous validation mechanisms.

Challenge Types​

Prior to version 0.7.2, Stalwart Mail Server supported only the TLS-ALPN-01 challenge, which utilizes the TLS Application Layer Protocol Negotiation extension for domain validation. This method, while robust, requires port 443 to be open and can limit flexibility for some users and environments.

Recognizing the diverse needs of our users, we have expanded our support to include two additional types of challenges: DNS-01 and HTTP-01. These new features are designed to offer more versatility in how users manage domain validation and certificate issuance.

DNS-01 Challenge​

The DNS-01 challenge validates domain ownership by creating a DNS TXT record. This method is particularly valuable for those needing to issue wildcard certificates, as it allows for the validation of the domain and all its subdomains collectively. It is an ideal choice for users who prefer or require managing their certificates at the DNS level, especially in scenarios where direct web traffic control is not feasible.

HTTP-01 Challenge​

In contrast, the HTTP-01 challenge involves responding to HTTP requests made by the ACME server. This method proves the control over a domain by placing a specific file on the server to be accessed via a standard web path. It is best suited for environments where port 80 is open and accessible. The simplicity of HTTP-01 makes it an attractive option for many administrators, providing an efficient path to compliance without the need for complex DNS configurations.

Benefits​

By integrating DNS-01 and HTTP-01 challenges into Stalwart Mail Server 0.7.2, we are offering our users the flexibility to choose the validation method that best fits their technical requirements and security policies. Whether operating behind a TLS reverse proxy, managing multiple subdomains with a single certificate, or simply seeking a straightforward setup, the expanded challenge options cater to a wider range of use cases.

We are committed to continually improving Stalwart Mail Server to meet the evolving needs of our customers. The inclusion of these new ACME challenges is a direct response to community feedback, and we are excited to see how our users will leverage these new capabilities to enhance their server security and certificate management processes.

Stay tuned for more updates as we keep enhancing our mail server solutions. For detailed information on configuring and using the new challenge types in Stalwart Mail Server 0.7.2, please refer to our updated documentation.

We look forward to your feedback on these new features and to supporting you in your journey to a more secure and efficient server environment!

We're thrilled to announce the release of Stalwart Mail Server version 0.7.0, a significant update that brings a wealth of features and improvements to enhance the performance and manageability of your email services. This release marks a pivotal moment in our journey to provide an email server solution that combines ease of use with robust performance, ensuring that your email infrastructure is both secure and efficient.

Introducing Web-Based Administration​

At the heart of version 0.7.0 is the introduction of a new, web-based administration tool. Developed in Rust, this single-page application (SPA) represents a monumental shift in how you interact with Stalwart Mail Server. Gone are the days of relying on SSH connections or command-line interfaces for routine administration tasks. Now, every aspect of your mail server can be managed from the convenience of a web browser.

The new web administration tool is designed to streamline and simplify the management of your mail server, offering a wide array of features:

• Complete Control Over Accounts and Domains: Easily manage user accounts, domains, groups, and mailing lists, all from a user-friendly interface.
• Advanced Queue Management: Monitor and manage your SMTP queues with ease, including messages and outbound DMARC and TLS reports, ensuring timely delivery and compliance.
• Insightful Report Visualization: Gain valuable insights into your email security with a dedicated interface for visualizing received DMARC, TLS-RPT, and Failure (ARF) reports.
• Full Configuration Flexibility: Adjust and fine-tune every aspect of your mail server settings directly from the webadmin, tailored to meet your specific requirements.
• Enhanced Log Viewing and Searching: Navigate through logs effortlessly with advanced search and filtering capabilities, making it easier to pinpoint issues or monitor activity.
• Self-Service Portal for Users: Empower your users with a self-service portal for password resets and managing encryption-at-rest keys, enhancing security and convenience.

This transformative approach to mail server management not only elevates the administration experience but also significantly reduces the complexity and time required to manage your email infrastructure.

Enhanced Performance and Efficiency​

Beyond management improvements, Stalwart Mail Server 0.7.0 introduces significant performance enhancements to ensure swift and efficient email delivery. A major focus has been placed on optimizing mailbox retrieval speeds to accommodate IMAP clients, particularly those without client-side caching, ensuring that large mailboxes are displayed promptly. This version also integrates automatic compression for messages and binaries stored in the blob store using LZ4, a move that conservatively manages storage space while improving access and transfer speeds. These enhancements collectively ensure that Stalwart Mail Server 0.7.0 delivers unparalleled performance, making it faster and more efficient than ever before.

Embracing the Future​

With the release of version 0.7.0, Stalwart Mail Server sets a new standard for email server solutions. The introduction of a web-based administration tool and significant performance improvements underscore our commitment to innovation and excellence. We invite you to experience the future of email server management and performance with Stalwart Mail Server 0.7.0.

This Valentine's Day, we're not just celebrating love and companionship; we're also celebrating the groundbreaking advancements in the Stalwart Mail Server with the release of version 0.6.0. In a world where reliability and flexibility in mail server management are more critical than ever, Stalwart Mail Server takes a significant leap forward with the introduction of distributed SMTP queues and the integration of expressions in configuration files. Let's delve into how these features transform your mail server experience, making it more robust, efficient, and customizable than ever before.

Distributed SMTP Queues: A Heartbeat of Reliability​

The latest iteration of Stalwart Mail Server introduces a feature that's set to be the cornerstone of reliability and fault tolerance—distributed SMTP queues. Gone are the days when your SMTP queue was confined to the local hard drive, a vulnerability that could lead to data loss or downtime in the event of a server crash. With version 0.6.0, Stalwart Mail Server stores your SMTP queues in the database, a move that not only enhances fault tolerance but also paves the way for queue load distribution across multiple servers in a cluster.

Imagine your mail server as the heart of your organization's communication. Just as the heart's reliability is critical to the body's overall function, so is your SMTP queue's reliability to your organization's communication flow. Distributed SMTP queues ensure that if one server in the cluster experiences issues, the heartbeat of your communication doesn't skip a beat. This feature allows other servers in the cluster to pick up the load, ensuring uninterrupted mail flow and significantly reducing the risk of data loss.

This approach allows for a more balanced and efficient handling of email traffic, making your mail server cluster more resilient to individual failures and capable of handling higher volumes of email more effectively.

Expressions: A Language of Flexibility​

The second headline feature of version 0.6.0 is the support for expressions in configuration files. This addition opens up a new realm of flexibility, allowing you to define complex, dynamic criteria for evaluating and handling email messages based on various attributes, such as recipient, sender, remote IP addresses, and other variables.

With expressions, configuring your Stalwart Mail Server becomes akin to coding the DNA of your mail server's behavior. Whether it's routing, filtering, or processing rules, expressions enable you to tailor the mail server's operations to meet your specific needs with precision and adaptability. Consider a scenario where you want to apply specific actions only to emails from a certain domain or IP range, or perhaps to messages that meet a combination of criteria. With expressions, these complex conditions can be easily defined and integrated into your server's configuration, making it smarter and more aligned with your organizational policies.

Celebrate With Us​

As we release Stalwart Mail Server version 0.6.0 this Valentine's Day, we invite you to celebrate not just a day of love but also a milestone in mail server technology. With distributed SMTP queues and expressions in configuration files, we're not just sending you a token of our affection—we're equipping you with the tools to make your mail server environment more resilient, efficient, and tailored to your needs.

So here's to love, to innovation, and to a future where your mail server's reliability and flexibility are the foundation of your organization's communication success. Happy Valentine's Day, and welcome to the new era of Stalwart Mail Server.

We are excited to announce a significant update to Stalwart Mail Server - the introduction of an integrated fail2ban-like system in our latest version, 0.5.3. This new feature marks an important advancement in our ongoing commitment to providing robust security measures for our users.

Understanding Fail2Ban​

Before diving into the specifics of our new feature, let's revisit what Fail2Ban is. Commonly used in the world of server security, Fail2Ban is an intrusion prevention software that protects servers from brute-force attacks. It operates by monitoring server logs for suspicious activities, like repeated password failures, and responds by blocking the offending IP addresses, typically by updating firewall rules.

Tailored Security​

In Stalwart Mail Server version 0.5.3, we've embraced the core philosophy of Fail2Ban but adapted it to better suit the unique environment of our mail server. Our integrated fail2ban system is designed to enhance security without relying on external Fail2Ban software. It's a part of Stalwart Mail Server, built directly into its architecture.

One key difference in our approach is how we handle the banning of IP addresses. Unlike traditional Fail2Ban that alters firewall rules, our system immediately drops further connections from any banned IP address. This swift action effectively cuts off malicious attempts at their source, ensuring immediate protection.

Fully Integrated​

Another significant aspect of our fail2ban system is its integration across all mail server services. Whether it be JMAP, IMAP, SMTP, or ManageSieve, authentication failures in any of these services contribute to the ban threshold. This comprehensive coverage ensures that the security of one service is not compromised at the expense of another.

Advanced Tracking Beyond IP Addresses​

A standout feature of our fail2ban system is its ability to track authentication failures not only by IP address but also by login name. This is particularly vital in defending against distributed brute-force attacks, where attackers might use numerous IP addresses to target a single account. Our system intelligently identifies such patterns and, after a certain number of failed attempts, blocks further authentication efforts for that account, regardless of the IP used. This means that an attacker cannot simply hop IP addresses to bypass security measures.

Conclusion​

The introduction of this integrated fail2ban system in version 0.5.3 is a testament to our dedication to providing top-tier security for our users. This advanced security feature is meticulously designed to address and neutralize a wide array of cyber threats, especially sophisticated brute-force attacks.

We are proud to bring this new level of security to Stalwart Mail Server. This update reflects our ongoing commitment to adapting and evolving in the face of emerging cyber threats. With the integration of our fail2ban system, Stalwart Mail Server version 0.5.3 stands as a more secure, reliable, and resilient solution for your email server needs.

Stay tuned for more updates and features as we continue to enhance and refine Stalwart Mail Server. Your security is our priority, and we are dedicated to providing you with the best tools to protect it.