🐄🛡️ January 2026 Update | Limited EAS/DAV Access and Restricted Alias Sending

What's Changed

New

• Support for PBKDF2-SHA512 hash algorithm in verify_hash() (FreeIPA compatibility) (issue 6646) by @Ashitaka57 in #6905
• rspamd: upgrade to 3.14.1, trixie rebuild + bcc forwarded hosts fix by @DerLinkman in #6958
• Add MTA-STS support for alias domains by @Copilot in #6972
• Configurable displayName(s) - Fixes issue #6489 by @bluewalk in #6980
• [Web] Disable login UI on autoprotocol domains by @DiscoNova in #6867
• [Web] Allow admins to limit EAS and DAV access for mailbox users by @FreddleSpl0it in #7022
• feat: allow preset of passwords via environment vars by @moregeek in #7007
• [Postfix] Configurable send permissions for alias addresses by @FreddleSpl0it in #7021

Fixes

• ui: fix global filters ui tickbox reappearing by @DerLinkman in #6966
• Prevent duplicate/plaintext login announcement rendering by @Copilot in #6963
• fix: Password for mobileconfig that conforms to password-complexity policy by @psuet in #6990

Updates

• [Postfix] update postscreen_access.cidr by @milkmaker in #6987
• Translations update from Weblate by @milkmaker in #6965
• Translations update from Weblate by @milkmaker in #7002
• Translations update from Weblate by @milkmaker in #7014
• Translations update from Weblate by @milkmaker in #7020
• chore(deps): update peter-evans/create-pull-request action to v8 by @renovate[bot] in #6953
• chore(deps): update dependency krakjoe/apcu to v5.1.28 by @renovate[bot] in #6947
• chore(deps): update dependency imagick/imagick to v3.8.1 by @renovate[bot] in #6927
• chore(deps): update dependency phpredis/phpredis to v6.3.0 by @renovate[bot] in #6901
• chore(deps): update dependency php-memcached-dev/php-memcached to v3.4.0 by @renovate[bot] in #6837
• chore(deps): update dependency tianon/gosu to v1.19 by @renovate[bot] in #6710

New Contributors

• @Ashitaka57 made their first contribution in #6905
• @Copilot made their first contribution in #6963
• @DiscoNova made their first contribution in #6867
• @moregeek made their first contribution in #7007

Full Changelog: 2025-12a...2026-01

🎄🐮 Moocember 2025 | Just another bugfix update - Revision A

Important

If you already use docker compose v5, please run these commands once to fetch the update script which would break otherwise while trying to update mailcow:
git fetch followed by git checkout origin/master update.sh

What's fixed:

• Prevent duplicate/plaintext login announcement rendering in c11ed5d
• ofelia: revert fixed cron syntax for sa-rules download by @DerLinkman in e76f523
• backup: add image prefetch function to verify latest image is used by @DerLinkman in d977ddb
• Support for PBKDF2-SHA512 hash algorithm in verify_hash() (FreeIPA compatibility) by @Ashitaka57 in e8d9315

🎄🐮 Moocember 2025 | Just another bugfix update

Important

If you already use docker compose v5, please run these commands once to fetch the update script which would break otherwise while trying to update mailcow:
git fetch followed by git checkout origin/master update.sh

What's Changed

• chore(deps): update devops-infra/action-pull-request action to v1 by @renovate[bot] in #6840
• chore(deps): update devops-infra/action-pull-request action to v1.0.2 by @renovate[bot] in #6850
• Add Vietnamese language by @milkmaker in #6854
• chore(deps): update alpine docker tag to v3.22 by @renovate[bot] in #6417
• Translations update from Weblate by @milkmaker in #6861
• Disable PHP opcache.jit by @patschi in #6847
• Update 2025-10a Hotfix by @FreddleSpl0it in #6874
• Translations update from Weblate by @milkmaker in #6880
• [Web] Correct order of Dansk/Danish in UI by @PseudoResonance in #6887
• [Postfix] update postscreen_access.cidr by @milkmaker in #6886
• Translations update from Weblate by @milkmaker in #6898
• Translations update from Weblate by @milkmaker in #6906
• Translations update from Weblate by @milkmaker in #6908
• Replace pigz with zstd for backup compression by @cl445 in #6897
• compose: changes cronjobs to regular cron syntax + fixed sogo creds for cronjobs by @DerLinkman in #6866
• Update backup container to trixie by @MAGICCC in #6907
• Remove deprecated 'X-XSS-Protection' header by @patschi in #6871
• Hide nginx version in http context for all sites by @patschi in #6873
• Allow making spam aliases permanent by @PseudoResonance in #6888
• Translations update from Weblate by @milkmaker in #6916
• chore(deps): update actions/checkout action to v6 by @renovate[bot] in #6920
• Translations update from Weblate by @milkmaker in #6924
• Translations update from Weblate by @milkmaker in #6930
• [Postfix] update postscreen_access.cidr by @milkmaker in #6933
• Translations update from Weblate by @milkmaker in #6936
• chore(deps): update actions/stale action to v10.1.1 by @renovate[bot] in #6937
• chore(deps): update alpine docker tag to v3.23 by @renovate[bot] in #6940
• Translations update from Weblate by @milkmaker in #6941
• Translations update from Weblate by @milkmaker in #6943
• fix(api): add missing break in CORS switch block causing save to hang by @khurram-saeed-malik in #6926
• pf-tlspol: upgrade to 1.8.22 by @DerLinkman in #6951

New Contributors

• @cl445 made their first contribution in #6897
• @khurram-saeed-malik made their first contribution in #6926

Full Changelog: 2025-10...2025-12

🎃🐄 Mooctober 2025 Update | Rspamd 3.13.2 and Redis Security Update - Revision A

What's Changed

• Disable PHP opcache.jit by @patschi in #6847
• Add Vietnamese language by @milkmaker in #6854
• Translations update from Weblate by @milkmaker in #6861
• chore(deps): update devops-infra/action-pull-request action to v1 by @renovate[bot] in #6840
• chore(deps): update devops-infra/action-pull-request action to v1.0.2 by @renovate[bot] in #6850
• chore(deps): update alpine docker tag to v3.22 by @renovate[bot] in #6417

Full Changelog: 2025-10...2025-10a

🎃🐄 Mooctober 2025 Update | Rspamd 3.13.2 and Redis Security Update

What's Changed

• [Redis] Update to Redis 7.4.6 by @FreddleSpl0it in #6829
• [Rspamd] Update to 3.13.2 by @FreddleSpl0it in #6830
• fix autodiscover when using ldap with attribute mapping templates by @Hobby-Student in #6797
• [Web] Fix SOGo redirection after login by @FreddleSpl0it in #6828
• Show app passwords for successful logins on user page by @tjmills-dev in #6821
• Optimize phpfpm opcache: more aggressive caching, enable JIT by @patschi in #6783
• [Web] Add password verification when setting recovery email by @FreddleSpl0it in #6836
• chore(deps): update dependency php/pecl-mail-mailparse to v3.1.9 by @renovate[bot] in #6798
• chore(deps): update dependency krakjoe/apcu to v5.1.27 by @renovate[bot] in #6696
• Update pt-br lang by @olavorn in #6803
• Translations update from Weblate by @milkmaker in #6826

New Contributors

• @olavorn made their first contribution in #6803
• @Hobby-Student made their first contribution in #6797
• @tjmills-dev made their first contribution in #6821

Full Changelog: 2025-09c...2025-10

🍂🐄 Mootember Update 2025 - Revision C

What's Changed

• [SOGo][Web] SOGo URL Encryption support by @FreddleSpl0it in #6758
• [Nginx] do not invert ENABLE_IPV6 by @FreddleSpl0it in #6762
• [Web] Remove Port from HTTP_HOST by @FreddleSpl0it in #6760
• [Web] Allow wildcard subdomains for MTA-STS by @FreddleSpl0it in #6759
• [Web] set cookie SameSite attribute to Lax by @FreddleSpl0it in #6766
• [Web] Rename PHP Cookie to MCSESSID by @FreddleSpl0it in #6767
• Update GitHub's issue template by @patschi in #6772
• Clearer message to install required tool, e.g. jq by @patschi in #6764
• Make domain description field readonly when no ACL by @patschi in #6789
• Show "Never" by default if no last-modified date saved by @patschi in #6788
• Hide relayhosts when ACL does not allow by @patschi in #6787
• Fix several SQL statements by @patschi in #6786
• Fixed wrong footer escaping for certain characters by @patschi in #6782
• Rename password fields for AppPasswords same way for consistency by @patschi in #6781
• Fixed password complexity check for AppPasswords creation/edit by @patschi in #6780
• Remove debug console.log calls by @patschi in #6779
• Enable HTTPS redirect by default on new setups by @patschi in #6777
• [Helpers] Fix cold-standby digits in compose project names and inclusion of docker-compose.override.yml by @sdsys-ch in #6800
• Fix enabling of ipv6 when updating by @SpaghettiBorgar in #6791
• Update variable name for prometheus-exporter security token by @vbrandl in #6776
• Fixed typo in lang de-de by @codiflow in #6765
• Fix typos in config by @jonasc in #6792
• chore(deps): update actions/stale action to v10.1.0 by @renovate[bot] in #6806
• [Postfix] update postscreen_access.cidr by @milkmaker in #6801
• Translations update from Weblate by @milkmaker in #6771
• Translations update from Weblate by @milkmaker in #6794
• Translations update from Weblate by @milkmaker in #6785
• Translations update from Weblate by @milkmaker in #6790
• Translations update from Weblate by @milkmaker in #6793
• Translations update from Weblate by @milkmaker in #6743
• Translations update from Weblate by @milkmaker in #6749

New Contributors

• @sdsys-ch made their first contribution in #6800
• @jonasc made their first contribution in #6792
• @SpaghettiBorgar made their first contribution in #6791
• @vbrandl made their first contribution in #6776

Full Changelog: 2025-09b...2025-09c

🍂🐄 Mootember Update 2025 - Revision B

What's Changed

• scripts: ipv6_controller improvement + fix modules handling by @DerLinkman in #6722
• [SOGo] Drop deprecated sogo_update_password sql trigger if it still exists by @FreddleSpl0it in #6727
• [Web] remove unused bcc dest column from alias table by @FreddleSpl0it in #6726
• [Nginx] fix: Disable IPv6 support in Nginx configuration by @p-atr in #6736

New Contributors

• @p-atr made their first contribution in #6736

Full Changelog: 2025-09a...2025-09b

🍂🐄 Mootember Update 2025 - Revision A

What's fixed?

• improved ipv6 controller to detect more ipv6 scenarios in #6722
• improved other scripts submodule handling in #6722
• changed docker 28 needed daemon.json content accordingly in #6722

Full Changelog: 2025-09...2025-09a

🍂🐄 Mootember Update 2025 | MTA-STS Support, SOGo 5.12.3, Rspamd 3.12.1, and More

Caution

mailcow now requires jq to be installed on the host system in order to operate with the redesigned IPv6 controller.
If it's missing, please install it before running the update, this tool is mandatory and will not be removed in a future release.

Caution

This update introduces a brand-new container: postfix-tlspol-mailcow, which adds outbound MTA-STS support to Postfix.
After updating, verify that the new container is running correctly by reviewing the logs:

docker compose logs -f --tail 200 postfix-tlspol-mailcow

If you encounter CPU Problems or continuous restarts, rebuild the image manually:

docker build -t ghcr.io/mailcow/postfix-tlspol:1.0 data/Dockerfiles/postfix-tlspol
docker compose up -d

Features

• [Rspamd][Web] Internal alias support ➡️ PR #6713
• [Postfix][Web] add mta-sts support ➡️ PR #6686
• [Helper-Scripts] Add prometheus exporter and grafana dashboard for mailcow ➡️ PR #6314
• [DB][Web] optimize qhandler by keeping SHA2 in new column qhash ➡️ PR #6556
• [Web] Add delimiter_action to mailbox and mailbox_template add/edit admin forms ➡️ PR #6620
• [Core] modules splitting + ipv6 nat rewrite ➡️ PR #6634

Updates

• [SOGo] update to 5.12.3 ➡️ Commit 360fe03
• [Rspamd] update rspamd to 3.12.1 ➡️ PR #6643

Bug Fixes

• [Clamd] Changed clamavs tmp folder structure ➡️ PR #6698
• [Rspamd] only recreate external_services.conf file if it was deleted ➡️ PR #6717
• [Dovecot] imapsync gets correct timeouts from imapsync_runner.pl ➡️ PR #6682
• [Web] Fix multiple PHP Warnings present in "stock" installation ➡️ PR #6651
• [Dovecot] Prevent user login if protocol access has been disabled ➡️ PR #6716
• [Web] Only include mailcow_info in JS when mailcow_cc_username is set ➡️ PR #6715
• [Rspamd] Add boundary if present when applying domain-wide footer ➡️ PR #6714
• [Rspamd] Do not increment rate limit for emails from user to himself ➡️ PR #6706
• [Web] rename login placeholder for mailbox to email address ➡️ PR #6693
• [Watchdog] use dig instead of check_dns ➡️ PR #6685
• [Rspamd] Fill module name for set_pre_result actions ➡️ PR #6630
• [Netfilter] fix negative timer, no unbanning of IPs ➡️ PR #6575

New Contributors

• @denis-ev made their first contribution in #6575
• @mmachatschek made their first contribution in #6643
• @CodeShellDev made their first contribution in #6570
• @CLechleitner42 made their first contribution in #6556
• @Hassanzadeh-sd made their first contribution in #6314
• @maxi322 made their first contribution in #6685
• @sandroshu made their first contribution in #6697
• @psuet made their first contribution in #6651

Full Changelog: 2025-07...2025-09

🔥🐄 Mooly Update 2025 | Security Update

⚠️ Vulnerability fixed⚠️

This update addresses a critical vulnerability that allowed Remote Code Execution (RCE) by authenticated admin users.
All users are strongly advised to update. A CVE will follow the next Days.

What's Changed

• compose: add selinux label to mysql-socket-vol (permission) by @DerLinkman in #6560
• [Postfix] update postscreen_access.cidr by @milkmaker in #6573
• [Postfix] update postscreen_access.cidr by @milkmaker in #6611
• [ACME] Remove deprecated ACME_CONTACT variable by @FreddleSpl0it in #6617
• [Dovecot] Use Jinja2 sandbox for rendering quota and quarantine notif… by @FreddleSpl0it in #6631
• Translations update from Weblate by @milkmaker in #6548
• Translations update from Weblate by @milkmaker in #6552
• Translations update from Weblate by @milkmaker in #6582
• Translations update from Weblate by @milkmaker in #6589
• Translations update from Weblate by @milkmaker in #6599
• Translations update from Weblate by @milkmaker in #6600
• Translations update from Weblate by @milkmaker in #6601
• Translations update from Weblate by @milkmaker in #6609
• Translations update from Weblate by @milkmaker in #6614
• Translations update from Weblate by @milkmaker in #6622
• Translations update from Weblate by @milkmaker in #6629

Full Changelog: 2025-05...2025-07