💮🐮 Moorch 2025 Update | The Update which changed the Cow | Revision A

This release includes only bug fixes for the 2025-03 release.

Caution

The 2025-03 release contains breaking changes.
Please read the changelog: https://github.com/mailcow/mailcow-dockerized/releases/tag/2025-03

What's Changed

• [Nginx] Move conf.d include before SNI vhosts by @FreddleSpl0it in #6411
• [Web] Use absolute paths for flag SVGs by @FreddleSpl0it in #6410
• [Web] Check if mailbox is active before renaming by @FreddleSpl0it in #6409
• [Swagger] Fix type property for /api/v1/add/bcc endpoint by @FreddleSpl0it in #6408
• [Web] Fix oauth2 redirect after user login by @FreddleSpl0it in #6407
• [Web] Fix SOGo access after Passwordless auth by @FreddleSpl0it in #6406
• fix(ui): Swap translations for oversized dropdown by @marvinruder in #6402

Full Changelog: 2025-03...2025-03a

💮🐮 Moorch 2025 Update | The Update which changed the Cow

This release includes features that have been tested in the nightly branch over the past year. If you’ve been following our nightly progress update, you may already be familiar with some of the changes listed below.

Caution

Before updating, please ensure you have a current backup of your installation.

This update heavily changes the authentication process. If you don’t want to apply the 2025-03 update, you can switch to the legacy branch with ./update.sh --legacy.
The legacy branch will only receive security updates until February 2026.
Read more about the legacy branch

Breaking Changes

Logins for Administrator, Domain Administrator, and Users have been separated:

• Administrator Login: /admin
• Domain Administrator Login: /domainadmin
• Users: /

Direct SOGo login is now disabled. All unauthenticated requests to /SOGo will be redirected to /.
Users must use the mailcow login.
Administrators can define whether a user should be redirected to the mailcow UI or SOGo after login.

Other Notable Changes

• All Alpine-based images have been updated to Alpine 3.21.
• 2FA protected mailboxes will need an app password for authentication with mail protocols.

New Feature

mailcow now supports external Identity Providers for authentication.
This is optional — administrators can configure an external identity provider, which can be used alongside the SQL database for authentication.
You can even configure which authentication source a specific user should use.

Currently supported Identity Providers:

1. Keycloak – Documentation
2. LDAP/AD – Documentation
3. Generic OIDC – Documentation

Improvements

mailcow now uses Dovecot's password caching to reduce authentication-related load.

Changelog

Full Changelog: 2025-02...2025-03

New Contributors

• @marvinruder made their first contribution in #6365

🐥🐄 Febmooary 2025 Update | Rspamd and MariaDB Update

Important

Dovecot previously allowed multiple login attempts within a single session without triggering Netfilter.
This issue has now been addressed.
Administrators should reset Fail2Ban Regex:
System → Configuration → Options → Fail2Ban Parameters → Expand Regex Filters → Click "Reset to Default"

Caution

This mailcow release upgrades mariadb from 10.5 to 10.11 to align with the current EOLs of mariadb for the next years.
Please do not modify the image version from mariadb inside the docker-compose.yml on your own as serious damage may occur if the code has not been adapted properly

Also notice, that you cannot downgrade mariadb databases from 10.11 back to 10.5!

Note

This release changes the image source for our own build docker images from Docker Hub to GitHub due to Docker's upcoming ratelimits.
If interested, read Dockers limitations here: https://docs.docker.com/docker-hub/usage/

What's Changed

• Fix check_prs_if_on_staging workflow by @MAGICCC in #6286
• Update generate_config.sh version checking for wider compatibility by @digitalhen in #6270
• chore(deps): update devops-infra/action-pull-request action to v0.6.0 by @renovate in #6302
• Ffdhe2048 by @dragoangel in #6223
• Adding lines to docker-compose.yml to allow for simpler SOGo web client UI customisation by @Babybatrick in #6220
• Translations update from Weblate by @milkmaker in #6307
• Update Rspamd to 3.11.0 and enable SMTPUTF8 for outgoing mail by @dragoangel in #6216
• [Mariadb] Update to 10.11 (LTS) by @DerLinkman in #5152
• Move sed cmd to remove discontinued DNSBLs by @MAGICCC in #6315
• [Dovecot][Netfilter] Fix dovecot failed login regex by @FreddleSpl0it in #6309
• rspamd: upgraded rspamd to 3.11.0-2 (incl. NIXSPAM Removal) by @DerLinkman in #6328
• Fix #2752 - Allow domain recipients for address rewrite by @PseudoResonance in #6155
• compose: use ghcr.io for new/current mailcow docker images by @DerLinkman in #6332
• Prompt user before applying major updates by @FreddleSpl0it in #6330
• use ghcr.io for backupimage by @MAGICCC in #6333
• Fix #5892 - Adding a domain wide footer leads to broken attachments
• Fix #6305 - Use Redis ACL user quota_notify with restricted access ef2f5f7
• Fix incorrect session lifetime in sogo-auth.php aaa7e4a
• [Nginx] Add support for trusted proxies via env var a567d5d
• [Redis] Add support for masterauth via env var 351f4ce

New Contributors

• @digitalhen made their first contribution in #6270
• @Babybatrick made their first contribution in #6220
• @PseudoResonance made their first contribution in #6155

Full Changelog: 2025-01a...2025-02

⚡🐄 Janmooary 2025 Update | The Update which changed the Full-text search (and which kicked out Nextcloud) | Revision A

Warning

This update includes a fixed security issue.
Detailed information as well as CVE will follow in the next days.

What's Changed

• Remove discontinued Nixspam DNSBL by @mkuron in #6260
• clamd: update to 1.4.2 + build from source instead using alpine packages by @DerLinkman in #6273
• [Nginx] Fix by @FreddleSpl0it in #6281
• postfix: added master.pid removal and startsecs to supervisord by @DerLinkman in #6284
• [Postfix] update postscreen_access.cidr by @milkmaker in #6287
• [Nginx] Use vhosts for additional server names by @FreddleSpl0it in #6290
• [Nginx] Invert SKIP container condition 97890b7
• [Nginx] Add env var for HTTP to HTTPS redirection e645f93

Full Changelog: 2025-01...2025-01a
Blog: https://mailcow.email/posts/2025/release-2025-01/

⚡🐄 Janmooary 2025 Update | The Update which changed the Full-text search (and which kicked out Nextcloud)

Caution

Please create a backup before updating, as several internal components got major changes

FTS Changes

Due to the FTS change, all previous Solr Indices are unused. Once updated, FTS will be disabled automatically. If you had it enabled, change the Variable SKIP_FTS from y to n.

Nextcloud Removal

This update removes the integrated Nextcloud helper-script. Any running installations with the Nextcloud implementation are unsupported. Please consider a switch to a native Nextcloud installation instead.

Important

UI changes (related to netfilter-mailcow)

If you used the external Fail2Ban List Endpoint, you have to change the Endpoint URL to the one displayed in mailcow UI, as it has changed with this update.

For Systems with disabled IPv6

This Update included some changes for NGINX, make sure to check out the updated Disable IPv6 Documentation to apply the changes if needed.

Warning

This update include a fixed security issue. Which can only be exploited if an attacker has access to a victims computer.
Detailed information as well as CVE will follow in the next days.

What's Changed

• [Nginx] Use jinja2 for templating nginx configuration by @FreddleSpl0it in #6177
• [Web] remove f2b banlist from json_api.php by @FreddleSpl0it in #6168
• Enable password protection for Redis by @FreddleSpl0it in #6146
• [Web] add missing translation for ratelimit in templates overview by @FreddleSpl0it in #6180
• [Web] Add additional columns to _sogo_static_view by @FreddleSpl0it in #6181
• [Web] allow dots in dkim selectors by @FreddleSpl0it in #6182
• Only show active protocols on "last login" in mailbox overview by @Habetdin in #6076
• Update Russian translation by @Habetdin in #6184
• Translations update from Weblate by @milkmaker in #6190
• [Postfix] update postscreen_access.cidr by @milkmaker in #6189
• fix: check docker version fail in generate_config.sh #6187 by @i-curve in #6188
• Add initial Japanese language files by @kotaroman in #6198
• Implement search mailboxes by fullname by @h3ssan in #6186
• Remove legacy Nextcloud settings by @MAGICCC in #6050
• Add create command to prevent external: true warnings by @codiflow in #6203
• sogo: added SOGoDisableOrganizerEventCheck value to sogo.conf by @DerLinkman in #6204
• Translations update from Weblate by @milkmaker in #6206
• dovecot: replace solr fts with flatcurve (xapian) by @DerLinkman in #5680
• Translations update from Weblate by @milkmaker in #6209
• Translations update from Weblate by @milkmaker in #6221
• [Postfix] update postscreen_access.cidr by @milkmaker in #6232
• Translations update from Weblate by @milkmaker in #6235
• Translations update from Weblate by @milkmaker in #6238
• add temporary email description by @marekfilip in #6001
• Improve the existing validation flow for sieve filter by @PhoenixPeca in #6205
• Fix missing property in Create Sync Job request by @jan-oratowski in #6211
• Fix community support url by @gwelch-contegix in #6245
• Reduce sa rules download retry limit to 5 by @alyxto in #6225
• chore(deps): update actions/stale action to v9.1.0 by @renovate in #6247
• [Nginx] move conf.d include to end of nginx.conf by @FreddleSpl0it in #6256

New Contributors

• @i-curve made their first contribution in #6188
• @kotaroman made their first contribution in #6198
• @codiflow made their first contribution in #6203
• @marekfilip made their first contribution in #6001
• @jan-oratowski made their first contribution in #6211
• @gwelch-contegix made their first contribution in #6245
• @alyxto made their first contribution in #6225

Full Changelog: 2024-11b...2025-01
Blog: https://mailcow.email/posts/2025/release-2025-01/

🏮🐄 Moovember | Mailbox Rename, SOGo 5.11.1, Rspamd 3.10.2, and More | Revision B

Note

This Release Marks Revision B for 2024-11 and is fixing some bugs from 2024-11(a)

What's Changed

• mysql: increased thread_stack to 192k since 10.5.27 by @DerLinkman in d10d64d
• [Web] broadcast maildir move to dovecot containers on mailbox_rename by @FreddleSpl0it in 6d1f748
• [Web] update _sogo_static_view on password reset by @FreddleSpl0it in b9f52df

Full Changelog: 2024-11a...2024-11b

🏮🐄 Moovember | Mailbox Rename, SOGo 5.11.1, Rspamd 3.10.2, and More | Revision A

Note

This Release Marks Revision A for 2024-11 and is fixing some critical bugs from 2024-11

What's Changed

• update.sh: precaution ask for deletion of dns_blocklists.cf if old format by @DerLinkman in #6154
• [Web] Updated lang.zh-cn.json by @milkmaker in #6151
• compose: bump sogo version to include 5.11.2 by @DerLinkman in #6156
• php: use correct php image + workaround of #6149 by @DerLinkman & @FreddleSpl0it in #6159

Full Changelog: 2024-11...2024-11a

🏮🐄 Moovember | Mailbox Rename, SOGo 5.11.1, Rspamd 3.10.2, and More

Caution

We got some reports of postfix not starting correctly (see #6143) before update delete the dns_blocklists.cf file in your data/conf/postfix folder to make sure this file is properly regenerated.

What's Changed

• Translations update from Weblate by @milkmaker in #6039
• Translations update from Weblate by @milkmaker in #6049
• Translations update from Weblate by @milkmaker in #6053
• [Postfix] update postscreen_access.cidr by @milkmaker in #6056
• feat: Added check for newer version tags on remote by @Finnlife in #6054
• chore(deps): update peter-evans/create-pull-request action to v7 by @renovate in #6059
• compose: added clamd as depends_on to rspamd by @DerLinkman in #6062
• [PHP-FPM] Use redis as session store by @FreddleSpl0it in #6044
• [SOGo] Fix vacation auto reply date shifting by @FreddleSpl0it in #6057
• show last sso login in mailbox table by @q16marvin in #5724
• feat/nginx-mailcow_brazilian-translations by @airon-assustadus in #6048
• Translations update from Weblate by @milkmaker in #6064
• Add missing Russian translation by @h3ssan in #6065
• fix: added tls1.0/1.1 patch for openssl when using older tls versions… by @DerLinkman in #6105
• chore(deps): update thollander/actions-comment-pull-request action to v3 by @renovate in #6102
• [Postfix] update postscreen_access.cidr by @milkmaker in #6093
• chore(deps): update dependency nextcloud/server to v28.0.11 by @renovate in #6101
• chore(deps): update dependency phpredis/phpredis to v6.1.0 by @renovate in #6098
• chore(deps): update dependency php/pecl-mail-mailparse to v3.1.8 by @renovate in #6096
• chore(deps): update dependency krakjoe/apcu to v5.1.24 by @renovate in #6087
• sogo: upgrade to 5.11.1 by @DerLinkman in #6109
• postfix: add X-Original-To header per default by @DerLinkman in #6110
• php: upgrade to alpine 3.20 (base os) by @DerLinkman in #6106
• Update dependency twig/twig to v3.14.0 by @MAGICCC in #6071
• dovecot: activate lazy_expunge plugin per default (unconfigured) by @DerLinkman in #6112
• Update mime_types.conf configuration by @patschi in #6013
• lang.zh-tw.json "memory" translation fix by @SamWang8891 in #6114
• rspamd: update to 3.10.1 by @DerLinkman in #6115
• Translations update from Weblate by @milkmaker in #6120
• Feat/rspamd 3.10.2 by @DerLinkman in #6122
• Translations update from Weblate by @milkmaker in #6123
• [Web][DockerApi] Add Feature to Rename Email Addresses by @FreddleSpl0it in #6045
• chore(deps): update thollander/actions-comment-pull-request action to v3.0.1 by @renovate in #6130
• [Postfix] update postscreen_access.cidr by @milkmaker in #6129
• fix: broken sogo cron notifications (for appointments etc.) by @DerLinkman in #6128
• Translations update from Weblate by @milkmaker in #6140

New Contributors

• @Finnlife made their first contribution in #6054
• @q16marvin made their first contribution in #5724
• @airon-assustadus made their first contribution in #6048
• @SamWang8891 made their first contribution in #6114

Full Changelog: 2024-08a...2024-11

🕶️🐄 Moogust Update 2024 | Revision A (Dovecot CVE Fixes)

What's Changed

• fix: 🚑 Fixed version parsing of docker by @jkrgr0 in #6016
• Refactor/Change Dockerfiles cmd from shell to exec form by @h3ssan in #6019
• dovecot: added timeout option when sa-rules cannot be downloaded by @DerLinkman in #6025
• containers: use mariadb-admin instead of deprecated mysqladmin by @DerLinkman in #6026
• Fix: bash variables are not quoted by @h3ssan in #6022
• Replace weird character to the correct ' by @h3ssan in #6029
• Pushover/Quarantine utf 8 fix - fixes #6028 by @bluewalk in #6031
• 2024-08a by @DerLinkman in #6033
• Fix: Escape a ' character in update.sh by @h3ssan in #6034

New Contributors

• @jkrgr0 made their first contribution in #6016

Full Changelog: 2024-08...2024-08a
Blog: https://mailcow.email/posts/2024/release-2024-08/

🕶️🐄 Moogust Update 2024 | Forgot Password?, SOGo 5.11, Rspamd 3.9.1 and More

What's Changed

• Translations update from Weblate by @milkmaker in #5980
• Allow prompt-less install on low-resource systems by @Ayowel in #5804
• dovecot: fix precompiling of sieve scripts by @DerLinkman in #5983
• Greek names of dovecot folders by @rallisf1 in #5972
• ui: added enotify and mime as valid options for ui by @DerLinkman in #5985
• Bug Fix: Check mailcow.conf exists before work with it by @h3ssan in #5987
• Fix typo in update.sh: word Proceeding by @h3ssan in #5989
• Fix LABEL in Dockerfile, should be key=value by @h3ssan in #5990
• fix: change internal urls for containers using curl on alpine by @Doozy134 in #5967
• rspamd: upgrade to rspamd 3.9.1 by @DerLinkman in #5661
• Refactor: update.sh script with --help should exit with status code 0 by @h3ssan in #5991
• [Fix] Watchdog: escape subject and body for webhooks by @mrclschstr in #5773
• Translations update from Weblate by @milkmaker in #5995
• Filter to limit ofelia scope by @Kitof in #5776
• restore: remove tty requirement from restore process to allow for automated restores by @muhlba91 in #5934
• Translations update from Weblate by @milkmaker in #5999
• [Rspamd] Fix bayes config by @dragoangel in #6000
• sogo: update to 5.11.0 + Rebase on Bookworm by @DerLinkman in #6002
• unbound: fix healthcheck logging + added fail tolerance to checks by @DerLinkman in #6004
• flatcurve-fts: limit tokenizers size in e-mail adress by @DerLinkman in #6006
• [Web] Add a forgot password flow by @FreddleSpl0it in #6009
• .github: Add pull_request_template.md by @DerLinkman in #6011

Sponsoring

Thank you to the Youth Foundation of Baden-Württemberg (Germany) for sponsoring the "Forgot Password?" feature!

New Contributors

• @Ayowel made their first contribution in #5804
• @rallisf1 made their first contribution in #5972
• @h3ssan made their first contribution in #5987
• @SailReal made their first contribution in #5945
• @Doozy134 made their first contribution in #5967
• @mrclschstr made their first contribution in #5773
• @Kitof made their first contribution in #5776
• @muhlba91 made their first contribution in #5934

Full Changelog: 2024-07...2024-08
Blog Post for additional informations: https://mailcow.email/posts/2024/release-2024-08/