🍀🐮 Moorch 2026 | forced 2FA, DNS-01, SOGo & Rspamd Updates - Revision B

What's Changed

This is a small but important update that fixes several security-related issues.
We recommend updating to this version.
Associated CVE identifiers will be published later.

• [Web][Dovecot] Improve input validation and escaping by @FreddleSpl0it in #7173

Full Changelog: 2026-03a...2026-03b

🍀🐮 Moorch 2026 | forced 2FA, DNS-01, SOGo & Rspamd Updates - Revision A

What's Changed

This is a small update that fixes issues related to LDAP and Keycloak authentication, as well as problems with the new ACME DNS-01 challenge feature.

Full release: https://github.com/mailcow/mailcow-dockerized/releases/tag/2026-03

• [Web] Fix LDAP/Keycloak login TypeError - missing JSON decode for attributes by @FreddleSpl0it in #7123
• [ACME] Fix wildcard certificate conflict with MAILCOW_HOSTNAME by @FreddleSpl0it in #7124
• Fix theme localStorage collision with rspamd UI by @rezzorix in #7121
• Translations update from Weblate by @milkmaker in #7130
• [ACME] Skip autodiscover/mta-sts subdomains covered by wildcard certificates by @FreddleSpl0it in #7134

New Contributors

• @rezzorix made their first contribution in #7121

Full Changelog: 2026-03...2026-03a

🍀🐮 Moorch 2026 | forced 2FA, DNS-01, SOGo & Rspamd Updates

What's Changed

New Features

• [Web] Add forced 2FA setup and password update enforcement by @FreddleSpl0it in #7077
• Add skip feature to mailcow admin password reset script by @HichemAK in #7078
• feat: Implement passwordless autodiscover endpoint by @DerLinkman in #6976
• acme: add DNS challenges by @cjlapao in #6912 (Documentation)
• [SOGo] Build SOGo from source with security patches by @FreddleSpl0it in #7086
• [SOGo] Update to 5.12.5 by @FreddleSpl0it in #7098
• [Rspamd] Update to 3.14.3-1 by @FreddleSpl0it in #7100

Bug Fixes

• Fix lua script sub-addressing by @DocFraggle in #7037
• Document qitem endpoint in openapi.yaml for editing quarantine mails by @jonprocter in #7047
• check_dns: better time measurement by @maxi322 in #6695
• fix: show stopped and failed containers in dashboard and API by @JeremieCrinon in #7082
• Bump alpine version of netfilter by @jovobe in #7060
• [Web] Add missing EAS and DAV protocol options to mailbox bulk actions by @FreddleSpl0it in #7088
• [Web] switch from GET to POST for datatable requests by @FreddleSpl0it in #7089
• [SOGo][Web] use incremental updates for mailbox/alias/resource sync in sogo_static_view by @FreddleSpl0it in #7093

Other

• Translations update from Weblate by @milkmaker in #7040
• Translations update from Weblate by @milkmaker in #7055
• Translations update from Weblate by @milkmaker in #7069
• Translations update from Weblate by @milkmaker in #7091
• Translations update from Weblate by @milkmaker in #7095
• [Postfix] update postscreen_access.cidr by @milkmaker in #7042
• [Postfix] update postscreen_access.cidr by @milkmaker in #7084
• Update actions/stale action to v10.2.0 by @renovate[bot] in #7062
• Update docker/build-push-action action to v7 by @renovate[bot] in #7097
• chore(deps): update dependency composer/composer to v2.9.5 by @renovate[bot] in #6457
• chore(deps): update docker/setup-qemu-action action to v4 by @renovate[bot] in #7092
• chore(deps): update docker/login-action action to v4 by @renovate[bot] in #7094
• chore(deps): update docker/setup-buildx-action action to v4 by @renovate[bot] in #7096

Notes

Special thanks to Philipps-Universität Marburg for sponsoring the development of the forced 2FA setup feature in this release and supporting the continued security improvements of mailcow.

New Contributors

• @HichemAK made their first contribution in #7078
• @jonprocter made their first contribution in #7047
• @JeremieCrinon made their first contribution in #7082
• @jovobe made their first contribution in #7060
• @cjlapao made their first contribution in #6912

Full Changelog: 2026-01...2026-03

🐄🛡️ January 2026 Update | Limited EAS/DAV Access and Restricted Alias Sending

What's Changed

New

• Support for PBKDF2-SHA512 hash algorithm in verify_hash() (FreeIPA compatibility) (issue 6646) by @Ashitaka57 in #6905
• rspamd: upgrade to 3.14.1, trixie rebuild + bcc forwarded hosts fix by @DerLinkman in #6958
• Add MTA-STS support for alias domains by @Copilot in #6972
• Configurable displayName(s) - Fixes issue #6489 by @bluewalk in #6980
• [Web] Disable login UI on autoprotocol domains by @DiscoNova in #6867
• [Web] Allow admins to limit EAS and DAV access for mailbox users by @FreddleSpl0it in #7022
• feat: allow preset of passwords via environment vars by @moregeek in #7007
• [Postfix] Configurable send permissions for alias addresses by @FreddleSpl0it in #7021

Fixes

• ui: fix global filters ui tickbox reappearing by @DerLinkman in #6966
• Prevent duplicate/plaintext login announcement rendering by @Copilot in #6963
• fix: Password for mobileconfig that conforms to password-complexity policy by @psuet in #6990

Updates

• [Postfix] update postscreen_access.cidr by @milkmaker in #6987
• Translations update from Weblate by @milkmaker in #6965
• Translations update from Weblate by @milkmaker in #7002
• Translations update from Weblate by @milkmaker in #7014
• Translations update from Weblate by @milkmaker in #7020
• chore(deps): update peter-evans/create-pull-request action to v8 by @renovate[bot] in #6953
• chore(deps): update dependency krakjoe/apcu to v5.1.28 by @renovate[bot] in #6947
• chore(deps): update dependency imagick/imagick to v3.8.1 by @renovate[bot] in #6927
• chore(deps): update dependency phpredis/phpredis to v6.3.0 by @renovate[bot] in #6901
• chore(deps): update dependency php-memcached-dev/php-memcached to v3.4.0 by @renovate[bot] in #6837
• chore(deps): update dependency tianon/gosu to v1.19 by @renovate[bot] in #6710

New Contributors

• @Ashitaka57 made their first contribution in #6905
• @Copilot made their first contribution in #6963
• @DiscoNova made their first contribution in #6867
• @moregeek made their first contribution in #7007

Full Changelog: 2025-12a...2026-01

🎄🐮 Moocember 2025 | Just another bugfix update - Revision A

Important

If you already use docker compose v5, please run these commands once to fetch the update script which would break otherwise while trying to update mailcow:
git fetch followed by git checkout origin/master update.sh

What's fixed:

• Prevent duplicate/plaintext login announcement rendering in c11ed5d
• ofelia: revert fixed cron syntax for sa-rules download by @DerLinkman in e76f523
• backup: add image prefetch function to verify latest image is used by @DerLinkman in d977ddb
• Support for PBKDF2-SHA512 hash algorithm in verify_hash() (FreeIPA compatibility) by @Ashitaka57 in e8d9315

🎄🐮 Moocember 2025 | Just another bugfix update

Important

If you already use docker compose v5, please run these commands once to fetch the update script which would break otherwise while trying to update mailcow:
git fetch followed by git checkout origin/master update.sh

What's Changed

• chore(deps): update devops-infra/action-pull-request action to v1 by @renovate[bot] in #6840
• chore(deps): update devops-infra/action-pull-request action to v1.0.2 by @renovate[bot] in #6850
• Add Vietnamese language by @milkmaker in #6854
• chore(deps): update alpine docker tag to v3.22 by @renovate[bot] in #6417
• Translations update from Weblate by @milkmaker in #6861
• Disable PHP opcache.jit by @patschi in #6847
• Update 2025-10a Hotfix by @FreddleSpl0it in #6874
• Translations update from Weblate by @milkmaker in #6880
• [Web] Correct order of Dansk/Danish in UI by @PseudoResonance in #6887
• [Postfix] update postscreen_access.cidr by @milkmaker in #6886
• Translations update from Weblate by @milkmaker in #6898
• Translations update from Weblate by @milkmaker in #6906
• Translations update from Weblate by @milkmaker in #6908
• Replace pigz with zstd for backup compression by @cl445 in #6897
• compose: changes cronjobs to regular cron syntax + fixed sogo creds for cronjobs by @DerLinkman in #6866
• Update backup container to trixie by @MAGICCC in #6907
• Remove deprecated 'X-XSS-Protection' header by @patschi in #6871
• Hide nginx version in http context for all sites by @patschi in #6873
• Allow making spam aliases permanent by @PseudoResonance in #6888
• Translations update from Weblate by @milkmaker in #6916
• chore(deps): update actions/checkout action to v6 by @renovate[bot] in #6920
• Translations update from Weblate by @milkmaker in #6924
• Translations update from Weblate by @milkmaker in #6930
• [Postfix] update postscreen_access.cidr by @milkmaker in #6933
• Translations update from Weblate by @milkmaker in #6936
• chore(deps): update actions/stale action to v10.1.1 by @renovate[bot] in #6937
• chore(deps): update alpine docker tag to v3.23 by @renovate[bot] in #6940
• Translations update from Weblate by @milkmaker in #6941
• Translations update from Weblate by @milkmaker in #6943
• fix(api): add missing break in CORS switch block causing save to hang by @khurram-saeed-malik in #6926
• pf-tlspol: upgrade to 1.8.22 by @DerLinkman in #6951

New Contributors

• @cl445 made their first contribution in #6897
• @khurram-saeed-malik made their first contribution in #6926

Full Changelog: 2025-10...2025-12

🎃🐄 Mooctober 2025 Update | Rspamd 3.13.2 and Redis Security Update - Revision A

What's Changed

• Disable PHP opcache.jit by @patschi in #6847
• Add Vietnamese language by @milkmaker in #6854
• Translations update from Weblate by @milkmaker in #6861
• chore(deps): update devops-infra/action-pull-request action to v1 by @renovate[bot] in #6840
• chore(deps): update devops-infra/action-pull-request action to v1.0.2 by @renovate[bot] in #6850
• chore(deps): update alpine docker tag to v3.22 by @renovate[bot] in #6417

Full Changelog: 2025-10...2025-10a

🎃🐄 Mooctober 2025 Update | Rspamd 3.13.2 and Redis Security Update

What's Changed

• [Redis] Update to Redis 7.4.6 by @FreddleSpl0it in #6829
• [Rspamd] Update to 3.13.2 by @FreddleSpl0it in #6830
• fix autodiscover when using ldap with attribute mapping templates by @Hobby-Student in #6797
• [Web] Fix SOGo redirection after login by @FreddleSpl0it in #6828
• Show app passwords for successful logins on user page by @tjmills-dev in #6821
• Optimize phpfpm opcache: more aggressive caching, enable JIT by @patschi in #6783
• [Web] Add password verification when setting recovery email by @FreddleSpl0it in #6836
• chore(deps): update dependency php/pecl-mail-mailparse to v3.1.9 by @renovate[bot] in #6798
• chore(deps): update dependency krakjoe/apcu to v5.1.27 by @renovate[bot] in #6696
• Update pt-br lang by @olavorn in #6803
• Translations update from Weblate by @milkmaker in #6826

New Contributors

• @olavorn made their first contribution in #6803
• @Hobby-Student made their first contribution in #6797
• @tjmills-dev made their first contribution in #6821

Full Changelog: 2025-09c...2025-10

🍂🐄 Mootember Update 2025 - Revision C

What's Changed

• [SOGo][Web] SOGo URL Encryption support by @FreddleSpl0it in #6758
• [Nginx] do not invert ENABLE_IPV6 by @FreddleSpl0it in #6762
• [Web] Remove Port from HTTP_HOST by @FreddleSpl0it in #6760
• [Web] Allow wildcard subdomains for MTA-STS by @FreddleSpl0it in #6759
• [Web] set cookie SameSite attribute to Lax by @FreddleSpl0it in #6766
• [Web] Rename PHP Cookie to MCSESSID by @FreddleSpl0it in #6767
• Update GitHub's issue template by @patschi in #6772
• Clearer message to install required tool, e.g. jq by @patschi in #6764
• Make domain description field readonly when no ACL by @patschi in #6789
• Show "Never" by default if no last-modified date saved by @patschi in #6788
• Hide relayhosts when ACL does not allow by @patschi in #6787
• Fix several SQL statements by @patschi in #6786
• Fixed wrong footer escaping for certain characters by @patschi in #6782
• Rename password fields for AppPasswords same way for consistency by @patschi in #6781
• Fixed password complexity check for AppPasswords creation/edit by @patschi in #6780
• Remove debug console.log calls by @patschi in #6779
• Enable HTTPS redirect by default on new setups by @patschi in #6777
• [Helpers] Fix cold-standby digits in compose project names and inclusion of docker-compose.override.yml by @sdsys-ch in #6800
• Fix enabling of ipv6 when updating by @SpaghettiBorgar in #6791
• Update variable name for prometheus-exporter security token by @vbrandl in #6776
• Fixed typo in lang de-de by @codiflow in #6765
• Fix typos in config by @jonasc in #6792
• chore(deps): update actions/stale action to v10.1.0 by @renovate[bot] in #6806
• [Postfix] update postscreen_access.cidr by @milkmaker in #6801
• Translations update from Weblate by @milkmaker in #6771
• Translations update from Weblate by @milkmaker in #6794
• Translations update from Weblate by @milkmaker in #6785
• Translations update from Weblate by @milkmaker in #6790
• Translations update from Weblate by @milkmaker in #6793
• Translations update from Weblate by @milkmaker in #6743
• Translations update from Weblate by @milkmaker in #6749

New Contributors

• @sdsys-ch made their first contribution in #6800
• @jonasc made their first contribution in #6792
• @SpaghettiBorgar made their first contribution in #6791
• @vbrandl made their first contribution in #6776

Full Changelog: 2025-09b...2025-09c

🍂🐄 Mootember Update 2025 - Revision B

What's Changed

• scripts: ipv6_controller improvement + fix modules handling by @DerLinkman in #6722
• [SOGo] Drop deprecated sogo_update_password sql trigger if it still exists by @FreddleSpl0it in #6727
• [Web] remove unused bcc dest column from alias table by @FreddleSpl0it in #6726
• [Nginx] fix: Disable IPv6 support in Nginx configuration by @p-atr in #6736

New Contributors

• @p-atr made their first contribution in #6736

Full Changelog: 2025-09a...2025-09b