Skip to main content

20 posts tagged with "server"

View All Tags

· 3 min read
Mauro D.

Email security is a critical aspect of digital communication, especially given the rising sophistication of cyber threats. DomainKeys Identified Mail (DKIM) and Authenticated Received Chain (ARC) are standards designed to ensure the authenticity and integrity of emails. However, as discovered by analysts at Zone.eu, vulnerabilities in the DKIM standard could undermine these protections, affecting billions of users worldwide.

Introduction to DKIM and ARC

DKIM provides an email authentication method that allows an organization to take responsibility for a message in transit. The standard uses cryptographic signatures to verify that an email has not been altered since it was originally sent. ARC, on the other hand, is an email authentication system designed to provide a way to preserve email authentication results across subsequent intermediaries that might modify the message, thus extending the benefits of DKIM.

The Exploit Revealed

The vulnerability uncovered by Zone.eu revolves around the DKIM's "l=" parameter, which specifies the exact number of octets in the body of the email that are signed. This can be exploited by attackers who can append additional content to the message without affecting the validity of the DKIM signature. This oversight can lead emails with forged content to still appear as authenticated, deceiving both email systems and end-users, especially when visual trust indicators like BIMI are employed.

Stalwart’s Response to the Exploit

Recognizing the gravity of this exploit, Stalwart Mail Server has taken decisive steps to mitigate this risk and reinforce the security of email communications for its users. Initially, in Stalwart's implementation of DKIM and ARC, the option to set a signature length was disabled by default, which was a preventive measure against potential misuse. To further strengthen security in light of the new findings, Stalwart has now entirely removed the ability to specify signature lengths in both DKIM signatures and ARC seals. This change ensures that users cannot accidentally enable this feature, which could lead to vulnerabilities.

Furthermore, Stalwart has enhanced its validation processes. Both DKIM signatures and ARC seals are now verified in strict mode exclusively. Stalwart will not validate any signatures or seals that include a length parameter (the "l=" tag). Instead, these will receive a neutral result, meaning they neither pass nor fail the verification process but are flagged for potential risk. This approach aligns with best practices recommended in the wake of the exploit's discovery and is designed to prevent similar types of vulnerabilities from being exploited.

Conclusion

Stalwart Mail Server's response illustrates a proactive and security-conscious approach, ensuring that our users remain protected against emerging threats. By eliminating the option to specify signature lengths and enforcing strict validation standards, Stalwart continues to be at the forefront of safeguarding email communications against evolving cyber threats.

We extend our thanks to the researchers at Zone.eu for their diligence in uncovering this significant security concern, thereby contributing to the broader effort of enhancing email security across the globe.

· 3 min read
Mauro D.

We are excited to announce the release of Stalwart Mail Server v0.8.0, a significant update that introduces powerful new features and enhancements designed to improve performance, scalability, and ease of use. This release marks a major step forward in our commitment to providing a robust and highly available email server solution for businesses and organizations of all sizes.

Enhanced Clustering Capabilities

A major highlight of this release is the introduction of advanced clustering support, a feature aimed at enterprises needing high availability and fault tolerance in their email services. The new clustering functionality includes node auto-discovery, which simplifies the scaling process by automatically detecting and integrating new nodes into the existing cluster. Additionally, the partition-tolerant failure detection system ensures that the system remains operational even when network partitions occur. These features collectively enhance the resilience of the mail server, ensuring continuous service availability and reliability.

Simplified Email Client Configuration

Stalwart v0.8.0 also brings support for Autoconfig and Autodiscover protocols, which are essential for streamlining the user experience. These protocols automate the configuration process for email clients, eliminating the need for manual setup and reducing the potential for errors. By supporting these standards, Stalwart makes it easier for users to connect their email clients to the server, promoting a seamless integration with a variety of platforms.

Performance and Storage Optimizations

We have implemented significant performance improvements, particularly in our integration with FoundationDB, enhancing the speed and efficiency of our database interactions. This version also introduces improved full-text indexing, which now uses less disk space without compromising search capabilities. These optimizations ensure that Stalwart Mail Server can handle larger volumes of data more efficiently, making it ideal for organizations with high email traffic.

Security and Administration Enhancements

Stalwart v0.8.0 enhances security measures by automatically publishing MTA-STS policies and generating TLSA records for DANE, providing an additional layer of security by enabling encrypted email transport. These features help in preventing man-in-the-middle attacks and ensure that email communications are secured at transit.

Furthermore, this release includes a new feature in the web-admin panel that allows administrators to visualize queued messages. This tool is invaluable for monitoring and managing email flow, providing insights into the server's operational status and helping to quickly address delivery issues.

Looking Forward

The release of Stalwart Mail Server v0.8.0 with its focus on clustering, autoconfiguration, and performance improvements demonstrates our ongoing commitment to developing cutting-edge technology that meets the needs of our users. We believe these enhancements will make a significant difference in how businesses and organizations manage their email infrastructures.

We invite you to download and experience the new features of Stalwart Mail Server v0.8.0. As always, we look forward to your feedback, which is crucial in helping us continue to improve and evolve our product to better serve you.

· 3 min read
Mauro D.

Today we announce the release of Stalwart Mail Server version 0.7.2, which now includes support for both DNS-01 and HTTP-01 ACME challenge types. This update marks a significant enhancement in our server's capabilities, addressing one of the most frequent requests from our user community—the inclusion of DNS-01 support for improved domain validation flexibility.

What is ACME?

The Automated Certificate Management Environment (ACME) protocol is a cornerstone in the world of secure communications. ACME automates the process of certificate issuance, renewal, and revocation, thereby simplifying the management of SSL/TLS certificates. This protocol is not only designed to streamline administrative tasks but also to bolster security measures through rigorous validation mechanisms.

acme social-card image

Challenge Types

Prior to version 0.7.2, Stalwart Mail Server supported only the TLS-ALPN-01 challenge, which utilizes the TLS Application Layer Protocol Negotiation extension for domain validation. This method, while robust, requires port 443 to be open and can limit flexibility for some users and environments.

Recognizing the diverse needs of our users, we have expanded our support to include two additional types of challenges: DNS-01 and HTTP-01. These new features are designed to offer more versatility in how users manage domain validation and certificate issuance.

DNS-01 Challenge

The DNS-01 challenge validates domain ownership by creating a DNS TXT record. This method is particularly valuable for those needing to issue wildcard certificates, as it allows for the validation of the domain and all its subdomains collectively. It is an ideal choice for users who prefer or require managing their certificates at the DNS level, especially in scenarios where direct web traffic control is not feasible.

HTTP-01 Challenge

In contrast, the HTTP-01 challenge involves responding to HTTP requests made by the ACME server. This method proves the control over a domain by placing a specific file on the server to be accessed via a standard web path. It is best suited for environments where port 80 is open and accessible. The simplicity of HTTP-01 makes it an attractive option for many administrators, providing an efficient path to compliance without the need for complex DNS configurations.

Benefits

By integrating DNS-01 and HTTP-01 challenges into Stalwart Mail Server 0.7.2, we are offering our users the flexibility to choose the validation method that best fits their technical requirements and security policies. Whether operating behind a TLS reverse proxy, managing multiple subdomains with a single certificate, or simply seeking a straightforward setup, the expanded challenge options cater to a wider range of use cases.

We are committed to continually improving Stalwart Mail Server to meet the evolving needs of our customers. The inclusion of these new ACME challenges is a direct response to community feedback, and we are excited to see how our users will leverage these new capabilities to enhance their server security and certificate management processes.

Stay tuned for more updates as we keep enhancing our mail server solutions. For detailed information on configuring and using the new challenge types in Stalwart Mail Server 0.7.2, please refer to our updated documentation.

We look forward to your feedback on these new features and to supporting you in your journey to a more secure and efficient server environment!

· 3 min read
Mauro D.

We're thrilled to announce the release of Stalwart Mail Server version 0.7.0, a significant update that brings a wealth of features and improvements to enhance the performance and manageability of your email services. This release marks a pivotal moment in our journey to provide an email server solution that combines ease of use with robust performance, ensuring that your email infrastructure is both secure and efficient.

Introducing Web-Based Administration

Setup screencast

At the heart of version 0.7.0 is the introduction of a new, web-based administration tool. Developed in Rust, this single-page application (SPA) represents a monumental shift in how you interact with Stalwart Mail Server. Gone are the days of relying on SSH connections or command-line interfaces for routine administration tasks. Now, every aspect of your mail server can be managed from the convenience of a web browser.

The new web administration tool is designed to streamline and simplify the management of your mail server, offering a wide array of features:

  • Complete Control Over Accounts and Domains: Easily manage user accounts, domains, groups, and mailing lists, all from a user-friendly interface.
  • Advanced Queue Management: Monitor and manage your SMTP queues with ease, including messages and outbound DMARC and TLS reports, ensuring timely delivery and compliance.
  • Insightful Report Visualization: Gain valuable insights into your email security with a dedicated interface for visualizing received DMARC, TLS-RPT, and Failure (ARF) reports.
  • Full Configuration Flexibility: Adjust and fine-tune every aspect of your mail server settings directly from the webadmin, tailored to meet your specific requirements.
  • Enhanced Log Viewing and Searching: Navigate through logs effortlessly with advanced search and filtering capabilities, making it easier to pinpoint issues or monitor activity.
  • Self-Service Portal for Users: Empower your users with a self-service portal for password resets and managing encryption-at-rest keys, enhancing security and convenience.

This transformative approach to mail server management not only elevates the administration experience but also significantly reduces the complexity and time required to manage your email infrastructure.

Enhanced Performance and Efficiency

Beyond management improvements, Stalwart Mail Server 0.7.0 introduces significant performance enhancements to ensure swift and efficient email delivery. A major focus has been placed on optimizing mailbox retrieval speeds to accommodate IMAP clients, particularly those without client-side caching, ensuring that large mailboxes are displayed promptly. This version also integrates automatic compression for messages and binaries stored in the blob store using LZ4, a move that conservatively manages storage space while improving access and transfer speeds. These enhancements collectively ensure that Stalwart Mail Server 0.7.0 delivers unparalleled performance, making it faster and more efficient than ever before.

Embracing the Future

With the release of version 0.7.0, Stalwart Mail Server sets a new standard for email server solutions. The introduction of a web-based administration tool and significant performance improvements underscore our commitment to innovation and excellence. We invite you to experience the future of email server management and performance with Stalwart Mail Server 0.7.0.

· 3 min read
Mauro D.

This Valentine's Day, we're not just celebrating love and companionship; we're also celebrating the groundbreaking advancements in the Stalwart Mail Server with the release of version 0.6.0. In a world where reliability and flexibility in mail server management are more critical than ever, Stalwart Mail Server takes a significant leap forward with the introduction of distributed SMTP queues and the integration of expressions in configuration files. Let's delve into how these features transform your mail server experience, making it more robust, efficient, and customizable than ever before.

Distributed SMTP Queues: A Heartbeat of Reliability

The latest iteration of Stalwart Mail Server introduces a feature that's set to be the cornerstone of reliability and fault tolerance—distributed SMTP queues. Gone are the days when your SMTP queue was confined to the local hard drive, a vulnerability that could lead to data loss or downtime in the event of a server crash. With version 0.6.0, Stalwart Mail Server stores your SMTP queues in the database, a move that not only enhances fault tolerance but also paves the way for queue load distribution across multiple servers in a cluster.

Imagine your mail server as the heart of your organization's communication. Just as the heart's reliability is critical to the body's overall function, so is your SMTP queue's reliability to your organization's communication flow. Distributed SMTP queues ensure that if one server in the cluster experiences issues, the heartbeat of your communication doesn't skip a beat. This feature allows other servers in the cluster to pick up the load, ensuring uninterrupted mail flow and significantly reducing the risk of data loss.

This approach allows for a more balanced and efficient handling of email traffic, making your mail server cluster more resilient to individual failures and capable of handling higher volumes of email more effectively.

Expressions: A Language of Flexibility

The second headline feature of version 0.6.0 is the support for expressions in configuration files. This addition opens up a new realm of flexibility, allowing you to define complex, dynamic criteria for evaluating and handling email messages based on various attributes, such as recipient, sender, remote IP addresses, and other variables.

With expressions, configuring your Stalwart Mail Server becomes akin to coding the DNA of your mail server's behavior. Whether it's routing, filtering, or processing rules, expressions enable you to tailor the mail server's operations to meet your specific needs with precision and adaptability. Consider a scenario where you want to apply specific actions only to emails from a certain domain or IP range, or perhaps to messages that meet a combination of criteria. With expressions, these complex conditions can be easily defined and integrated into your server's configuration, making it smarter and more aligned with your organizational policies.

Celebrate With Us

As we release Stalwart Mail Server version 0.6.0 this Valentine's Day, we invite you to celebrate not just a day of love but also a milestone in mail server technology. With distributed SMTP queues and expressions in configuration files, we're not just sending you a token of our affection—we're equipping you with the tools to make your mail server environment more resilient, efficient, and tailored to your needs.

So here's to love, to innovation, and to a future where your mail server's reliability and flexibility are the foundation of your organization's communication success. Happy Valentine's Day, and welcome to the new era of Stalwart Mail Server.

· 3 min read
Mauro D.

We are excited to announce a significant update to Stalwart Mail Server - the introduction of an integrated fail2ban-like system in our latest version, 0.5.3. This new feature marks an important advancement in our ongoing commitment to providing robust security measures for our users.

Understanding Fail2Ban

Before diving into the specifics of our new feature, let's revisit what Fail2Ban is. Commonly used in the world of server security, Fail2Ban is an intrusion prevention software that protects servers from brute-force attacks. It operates by monitoring server logs for suspicious activities, like repeated password failures, and responds by blocking the offending IP addresses, typically by updating firewall rules.

Tailored Security

In Stalwart Mail Server version 0.5.3, we've embraced the core philosophy of Fail2Ban but adapted it to better suit the unique environment of our mail server. Our integrated fail2ban system is designed to enhance security without relying on external Fail2Ban software. It's a part of Stalwart Mail Server, built directly into its architecture.

One key difference in our approach is how we handle the banning of IP addresses. Unlike traditional Fail2Ban that alters firewall rules, our system immediately drops further connections from any banned IP address. This swift action effectively cuts off malicious attempts at their source, ensuring immediate protection.

Fully Integrated

Another significant aspect of our fail2ban system is its integration across all mail server services. Whether it be JMAP, IMAP, SMTP, or ManageSieve, authentication failures in any of these services contribute to the ban threshold. This comprehensive coverage ensures that the security of one service is not compromised at the expense of another.

Advanced Tracking Beyond IP Addresses

A standout feature of our fail2ban system is its ability to track authentication failures not only by IP address but also by login name. This is particularly vital in defending against distributed brute-force attacks, where attackers might use numerous IP addresses to target a single account. Our system intelligently identifies such patterns and, after a certain number of failed attempts, blocks further authentication efforts for that account, regardless of the IP used. This means that an attacker cannot simply hop IP addresses to bypass security measures.

Conclusion

The introduction of this integrated fail2ban system in version 0.5.3 is a testament to our dedication to providing top-tier security for our users. This advanced security feature is meticulously designed to address and neutralize a wide array of cyber threats, especially sophisticated brute-force attacks.

We are proud to bring this new level of security to Stalwart Mail Server. This update reflects our ongoing commitment to adapting and evolving in the face of emerging cyber threats. With the integration of our fail2ban system, Stalwart Mail Server version 0.5.3 stands as a more secure, reliable, and resilient solution for your email server needs.

Stay tuned for more updates and features as we continue to enhance and refine Stalwart Mail Server. Your security is our priority, and we are dedicated to providing you with the best tools to protect it.

· 2 min read
Mauro D.

E-mail filtering is a crucial part of any modern mail server and, for this reason, we're excited to announce the addition of Milter support to Stalwart Mail Server. This update, driven by user feedback, allows the integration of both new and old Milter filters, supporting versions 2 and 6, which expands the server's capabilities in inspecting, filtering, or modifying emails during processing.

A milter, or "mail filter", is an extension to mail servers based on the Sendmail protocol. Milters allow third-party software to access mail messages as they are being processed in order to filter, modify, or annotate them. By using Milters, a mail server can utilize a variety of functionalities such as spam filtering, virus scanning, and other types of mail processing, beyond what is built into the mail server itself. Milters operate at the SMTP protocol level, which means they have access to both the SMTP envelope and the message contents.

This new feature not only responds to our users' needs but also ensures that Stalwart can work seamlessly with any existing setup. Whether you are seeking better spam protection, antivirus measures, or implementing specific processing rules, milter filtering has got you covered.

Learn more about milter filters and how to set them up in our documentation.

· 2 min read
Mauro D.

We're thrilled to announce the release of Stalwart Mail Server, our biggest leap forward yet. This version combines the powerful capabilities of Stalwart JMAP, Stalwart IMAP, and Stalwart SMTP servers into one easy-to-install binary, offering you a unified, highly efficient mail server solution.

Here are some of the exciting new features:

  • LDAP and SQL authentication support was added, giving you more flexibility and options to integrate Stalwart with your existing infrastructure.
  • We've incorporated support for disk quotas to provide better control over your storage resources.
  • Subaddressing and catch-all addresses are now supported. These features make the email handling process more flexible and efficient.
  • Storage options have been extended with the inclusion of S3-compatible storage. Now you can store your emails and blobs using reliable and scalable solutions such as MinIO, Amazon S3, or Google Cloud Storage.
  • In response to user feedback, we've replaced RocksDB with SQLite. Our community told us they wanted an open, trusted database technology with easier access to their data, and we listened!
  • For those operating in distributed environments, you can now opt for the FoundationDB backend, supporting millions of users without sacrificing performance.
  • Stalwart IMAP is no longer an IMAP-to-JMAP proxy, instead, it now provides direct access to the message store. This significant change has brought a tremendous improvement in performance, reducing latency, and making your mail operations faster than ever.
  • We've also made significant strides in enhancing performance by rewriting the JMAP protocol parser and the storage API.
  • Lastly, we've made the decision to switch from Actix Web Server to Hyper. This change has allowed us to reduce memory footprint and increase performance, resulting in a more optimized and efficient mail server.

With Stalwart Mail Server, we're delivering a more unified, powerful, and efficient solution that meets your growing email infrastructure needs. We're excited to see how you'll leverage these new capabilities, and as always, we're here to support you every step of the way!

· 2 min read
Mauro D.

Sieve (RFC5228) is a scripting language for filtering email messages at or around the time of final delivery. It is suitable for running on a mail server where users may not be allowed to execute arbitrary programs as it has no user-controlled loops or the ability to run external programs. Sieve is a data-driven programming language, similar to earlier email filtering languages such as procmail and maildrop, and earlier line-oriented languages such as sed and AWK: it specifies conditions to match and actions to take on matching.

Today Stalwart JMAP v0.2 was released including support for the for JMAP for Sieve Scripts draft. Additionally, ManageSieve support was added to Stalwart IMAP v0.2.

Stalwart JMAP safely runs Sieve scripts in a controlled sandbox that ensures that programs do not exceed or abuse their allocated system resources.

Unlike other mail servers that offer limited support for Sieve extensions, Stalwart JMAP supports all existing Sieve extensions including:

· One min read
Mauro D.

We are happy to announce Stalwart JMAP, an open-source JSON Meta Application Protocol server written in Rust that aims to be scalable, robust and secure.

Some of its key features are:

  • JMAP Core, JMAP Mail and JMAP over WebSocket full compliance.
  • IMAP4 rev2/1 support via Stalwart IMAP, an imap-to-jmap proxy.
  • Scalable and fault tolerant: consensus over Raft, node autodiscovery over gossip and read-only replicas.
  • RocksDB backend with full-text search support in 17 languages.
  • OAuth 2.0 authorization code and device authorization flows.
  • Domain Keys Identified Mail (DKIM) message signing.
  • Written in Rust.
  • No third-party software required to run or scale.

Currently Stalwart JMAP requires an SMTP server such as Postfix in order to receive e-mails. However, the next item on the roadmap is to release an SMTP server in Rust with the goal of making self-hosting an e-mail server much simpler without sacrificing any security.