maddy 0.6.3

This release does not include most changes from master branch (intended to become 0.7) and is instead based on 0.6.2.

Bugfixes

• [security] Fix authentication bypass if SASL authorization username is used (GHSA-4g76-w3xw-2x6w, CVE-2023-27582).

maddy 0.6.2

Bugfixes

• Fix empty IMAP folders being shown sometimes (#512)
• Fix maddyctl imap-msgs lists crash (#509)
• Fix maddyctl imap-msgs remove being no-op (#510)
• pass_table: fix user hash creation (#507)

Docs

• Update Arch repository and Docker instructions links

Misc

• cli: Warn about upcoming --uid=true change

maddy 0.6.1

⚠️ Release is recalled due to severe issues. Use 0.6.2 instead.

Bugfixes

• Fixed missing IMAP IDLE capability, again... (#504)
• Fixed broken storage.imapsql schema upgrade

Broken storage.imapsql schema upgrade

If you happen to run 0.6.0 and got error about schema being
too old, you need to run the following SQL query on your imapsql.db
before you will be able to use 0.6.1:

UPDATE schema_version SET version = 6;

maddy 0.6.0

⚠️ Release is recalled due to severe issues. Use 0.6.2 instead.

Breaking changes

• check: Remove require_matching_echo (deprecated in 0.5) (#280)
• modify/dkim: Remove require_sender_match from code (#465)

New features

• maddyctl and maddy executables are merged

To start the server: maddy run ...
Other maddyctl subcommands are available
similiarly: maddy imap-acct, etc

• Support 1-N recipient address expansion (#401)

For example, when using table.regexp:

replace_rcpt regexp "root@(.+)" "admin1@$1" "admin2@$1"

Or table.file:

root@example.com: admin1@example.com, admin2@example.com

For SQL-based tables, just add multiple rows with the same key (address to be replaced).

• Add more placeholders for imap_filter (PR #449)

{rcpt_to} (SMTP RCPT TO), {original_rcpt_to} (SMTP RCPT TO before any local rewrites), {subject}.

• storage/imapsql: Add support for using PostgreSQL broker for updates

It is used automatically, so now it is safe run multiple maddy server instancesusing the same PostgreSQL DB.

Bugfixes

• Migrate to go-imap v2 (#188)

go-imap v2 is my fork of emersion/go-imap library that makes
massive changes to the server code.

In particular, it fixes long-standing issue of update handling
being non conforming to RFC 3501.

• check/spf: Fix "lookup limit reached" for some conforming records (#487)
• cmd/maddyctl: Fix --argon2-time setting memory instead of time (PR #502)
• check/spf: Ignore SPF permerr and temperr by default (#485)
• Move closing the default logger after printing configuration errors
• Fix TLS Internal Error caused by SNI-unuware clients when ACME is used (#467)

Documentation changes

• docs: Add Docker-specific documentation
• docs: Convert manual pages into per-module Markdown pages

Misc

• Go 1.17 is required now
• Dockerfile: Use TLS filenames same as certbot (#350)
• Dockerfile: Put Docker-specific config in the repo
• ci: Set OCI labels in built Docker image
• ci: Use docker buildx and qemu to build ARM64 images (#404)

maddy 0.5.4

Bugfixes

• auth/pam: Fix double-free crash (GH #272)
• [security] auth/pam: Check for account/password expiry (GHSA-6cp7-g972-w9m9)
• endpoint/smtp: Fix incoming message log record having no msg_id

maddy 0.5.3

Docker image changes

maddy image is now also available at ghcr.io registry:

docker pull ghcr.io/foxcpp/maddy:0.5

Currently this is just an experiment, we are not sure if we will fully migrate to it.

Image tags no longer include v prefix with the exception of v0.5 still being updated to maintain compatibility for people that use this tag.

docker pull foxcpp/maddy:0.5.3 # instead of foxcpp/maddy:v0.5.3

Bug fixes

• Fix errors from LMTP downstream being ignored (#453)
• Make it possible to use dovecot_sasl auth with TCP sockets (#450, thanks @jonlundy)
• Fix MAIL after STARTTLS causing panic
• Fix IMAP IDLE capability missing (#446)

Misc

• Add target.remote force_ipv4 option (#442, thanks @delthas)

maddy 0.5.2

Bug fixes

• Correctly apply Read Timeout to implicit TLS handshake
• [security] auth/shadow: Remove support for MD5-based hashes
• check/spf: Print "deferred" message only if SPF check failed

maddy 0.5.1

Bug fixes

• table/sql_table: Fix incorrect for PostgreSQL type being used in table creation (GH #386)
• endpoint/smtp: Fix limitedReader causing message body read to loop forever (GH #403, GH #389)
• storage/blob/s3: Fix PutObject goroutines leaking if message write is aborted (GH #395)
• storage/blob/s3: Force a smaller PartSize when blob size is unknown (GH #395)
• storage/blob: Pass blobSize to go-imap-sql (GH #395)
• storage/blob/s3: Correctly handle PutObject errors (GH #387)

Misc

• libdns: Add namecheap provider (GH #392)

Added only if maddy is built with Go 1.16.

• Add postmaster address rewrite back to default config (GH #384)

maddy 0.5.0

New features

• Experimental: Built-in ACME client (GH #3)

Currently supports only dns-01 challenge with a limited set of
providers. See documentation for details.

• S3-backed storage for message contents (GH #304)

• Local sender authorization (GH #268)

• LDAP BindDN authentication (GH #273)

• storage/imapsql: Implement auth_map

• storage/imapsql: Implement delivery_map

This functionality allows imapsql storage backend to be correctly
used with non-email-based authentication providers.
In particular, this unbreaks PAM and shadow modules.

• Implement table.chain module

• Implement table.email_localpart as a helper to strip domain from emails

Improvements

• Implement client timeouts for target.remote and target.smtp
• endpoint/smtp: Add max_header_size

Fixes

• check/spf: Change default action for softfail to 'ignore'
• endpoint/smtp: Allow to change the line length limit enforced by go-smtp
• table/sql_query: Allow to use numbered parameters in queries
• auth/plain_separate: Make configuration directives actually work
• table/file: Allow table to be created without specifying files in inline args
• config/tls: Fix custom loader configuration reading

Removed functionality

• check/dns: Mark require_matching_echo as deprecated
• config/tls: Remove deprecated "tls CERT KEY" syntax
• Remove deprecated 0.3 module name aliases

maddy 0.4.4

The long awaited release!

Outbound SMTP

• target/remote: Force MX domain to be FQDN when looking up TLSA records (GH #321)
• Fix two issues in handling of DSN messages in SMTP pipeline and checks (GH #327)
• dns: Attempt to use 127.0.0.1 if no DNS servers are configured in system
• target/queue: Do not attempt to do atomic overwrite for metadata on Windows (GH #334)

Inbound SMTP

• endpoint/smtp: Unbreak MAIL FROM:<> handling (GH #337)
• endpoint/smtp: Release Msg limiter correctly if pipeline.Start fails (GH #348)

Misc

• config/tls: Fix tls_client parsing (Thanks @AluisioASG!)

Documentation

• docs: Replace foxcpp.dev/maddy with maddy.email
• docs: Remove reference to local_modifiers from multiple-domains.md
• docs: fixed small error (Thanks @0xflotus!)
• Fix a typo in maddy-smtp man doc (Thanks @Defman21!)

Docker

This release changes how Docker image is built reverting default directories
behavior to what 0.4.2 did but implemented in a different way so we have
the best of both worlds.

build.sh

• Allow setting build tags
• Do not try to install man pages if they were not built

3rd party libraries

• go-smtp now uses Postfix success responses
• go-msgauth/dkim now supports both RSA public key formats
  (see emersion/go-msgauth#43)