chore(deps): update ghcr.io/stalwartlabs/stalwart docker tag to v0.16.4

[renovate]

This PR contains the following updates:

Package	Update	Change
ghcr.io/stalwartlabs/stalwart	minor	v0.14.1-alpine → v0.16.4-alpine

---

Release Notes

stalwartlabs/stalwart (ghcr.io/stalwartlabs/stalwart)

v0.16.4

Compare Source

[0.16.4] - 2026-05-05

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

Changed

Fixed

• Live tracing in community and OSS versions.
• Timezone changes from the AccountSettings object return invalidProperties.
• mail-parser panic with certain messages containing corrupted attachments.
• Pagination by anchor for queued messages, tasks and metrics.
• Spam filter: Use original instead of rewritten RCPT on checks.
• JMAP:
  • References in nested objects not resolved.
  • AddressBook/query fetches wrong resources.
• Import tool fails to restore registry entries.
• FDB: Allow multiple FoundationDB instances in the same process.
• Autoconfig: Return %EMAILADDRESS% when no email address is provided.
• Quota: Include Sieve scripts in quota recalculations.

---

Check binary attestation here

v0.16.3

Compare Source

[0.16.3] - 2026-04-30

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

Changed

• Replaced STALWART_HTTPS_PORT with STALWART_PUBLIC_URL.
• App Passwords now begin with app_ instead of app to avoid issues with some clients that do not support spaces in passwords.

Fixed

• Directory:
  • Invalidate caches when group memberships change on an external directory.
  • OIDC: errors instead of "failed to decode token".
  • OIDC: Recovery admin access.
  • User impersonation.
• Tasks:
  • Delete locked tasks.
  • Queue pagination by anchor.
• Log viewer: All events show as INFO.
• Registry: Allow changing object variants.
• Node id renewal.
• DNS Updater: Fix Route53 serialization format.

---

Check binary attestation here

v0.16.2

Compare Source

[0.16.2] - 2026-04-28

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• OIDC: Fallback to userinfo endpoint when JWT token does not contain an email claim.
• S3: verifyAfterWrite option to verify that objects have persisted after writing.

Changed

• Allow HTTP to be used for configuring the server.

Fixed

• LDAP: Generate valid credentialId when there are password changes.
• TLS: Disable cipher suited option disables wrong ciphers.
• DNS Updater:
  • BunnyDNS: Use subdomain as name of record instead of FQDN.
  • RFC2136: Chunk TXT records.
• Skip invalid entries in log files.

---

Check binary attestation here

v0.16.1

Compare Source

[0.16.1] - 2026-04-25

This version includes multiple breaking changes. If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• OIDC: Extract username from JWT token.
• system('node_hostname') and system('node_role') expression variables to retrieve the local node hostname and cluster role respectively.

Changed

Fixed

• JMAP:
  • Invalid receivedAt headers after importing (#​2939).
  • Sorting order issues when emails lack receivedAt headers.
• IMAP: Fix BINARY fetch responses (#​2940).
• WebDAV: Fix ACL validation for target folders.
• ACME: Allow requesting apex domain certificates.
• Hostname issues:
  • Accept RFC 6761 reserved TLDs during bootstrap.
  • Allow hostnames without TLDs in remote server settings.
• Reverse proxy issues.
• OSS builds.
• DNS Updater:
  • RFC2136: TSIG secret not base64 decoded.
  • Google DNS: Chunk TXT records when they exceed 255 characters.
  • Cloudflare:
    • Fix CAA record updates.
    • Check zone subdomains when finding zones

---

Check binary attestation here

v0.16.0

Compare Source

[0.16.0] - 2026-04-20

This version includes multiple breaking changes. If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• Web UI rewritten from the ground up using the JMAP management API, featuring a refreshed design and addressing 76 enhancement requests and bug fixes.
• CLI rewritten from the ground up to use the JMAP management API.
• Security enhancements:
  • Password strength enforcement using the zxcvbn algorithm
  • Password expiration, rotation policies and IP address restrictions for user accounts
  • App Passwords with limited access (#​1609), labels (#​2255), IP address restrictions and expiration dates
  • API keys with limited access, labels, IP address restrictions and expiration dates
  • Auto-ban comments and details about the triggering event (#​1321)
  • Auto-ban expiration after a configurable time period (#​964)
• DNS Management:
  • Automatic DNS management of MX, TXT, CNAME, SRV, CAA and TLSA records (#​463 #​1017 #​1419 #​2438 #​1370 #​1406 #​1371)
  • Automatic update of TLSA records when ACME certificates change (#​1664)
  • RFC2136 SIG(0) support (#​856)
  • Route53 provider support (contributed by @​jimmystewpot)
  • Google Cloud DNS provider support (contributed by @​jimmystewpot)
  • Bunny provider support (contributed by @​angeloanan)
  • Porkbun provider support (contributed by @​jeffesquivels)
  • DNSimple provider support (contributed by @​NelsonVides)
  • Spaceship provider support (contributed by @​matserix)
• DKIM:
  • Automatic DKIM key generation, rotation and DNS management (#​368 #​961)
  • Store DKIM keys in the database (#​1264)
  • Ignore insecure signatures when verifying DKIM (#​1068 #​467)
• ACME/TLS:
  • DNS-PERSIST-01 ACME challenge support (#​2837)
  • Renew certificates on demand, view certificate details (#​675 #​1162 #​2566)
  • CAA record support (#​468) with accounturi parameter (#​1933)
  • TLSA records publishing restricted to 3 1 1 and 2 1 1 (#​2193)
• OIDC and OAuth:
  • JWT token validation without requesting userinfo from the OIDC provider.
  • Audience (aud) claim (#​2603) and scope validation support.
  • Groups support (#​1448)
  • RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients
• LDAP:
  • Separate filter for groups (#​1841)
  • Improve support for OpenLDAP schemas (#​760)
  • Improve and simplify LDAP settings (#​2194 #​2174)
• Directory:
  • Masked email addresses for enhanced privacy (Enterprise)
  • Domain aliases (#​583)
  • E-mail alias descriptions and option to disable aliases (#​506)
  • Account archiving and un-deletion (#​2767) (Enterprise)
  • Per-domain directory backends (Enterprise)
• Account configuration and discovery:
  • Automatic Configuration of Email, Calendar, and Contact Server Settings (draft-mailmaint-uaautoconf-04) (#​2201)
  • MS Autodiscover V2 support (#​679)
• Sieve: Allow deactivating scripts without deleting them (#​1251).
• Tracing: Enable events only mode (#​2276)
• Clustering:
  • Automatic cluster node ID generation and management.
  • Unified cluster management (#​960)
  • Outbound MTA role (#​1692)

Changed

• Replaced REST API with JMAP API (#​2262 #​959 #​1480)
• Removed support for Authenticated Received Chain (ARC) sealing (learn more).
• Directory: Removed smtp, imap and memory directory backends.
• Use aws-lc for cryptographic operations instead of ring.
• Use rustls-platform-verifier for TLS certificate verification instead of webpki (#​247).

Fixed

• Directory:
  • Cannot remove built-in "admin" role from user once it was assigned (#​1467)
  • Delete associated records (#​963)
  • Updated Role permissions not applied (#​2038)
  • Recreated account cannot log in until server is restarted (#​1469)
  • Subaddressing does not work for groups (#​475)
  • New LDAP aliases are rejected (#​1318).
  • Validate account and group names (#​2209)
• MTA:
  • RCPT TO stage settings improvements (#​2217 #​394)
  • Relay to IP addresses (#​838)
  • Duplicate delivery inverted check
  • SASL challenge responses include invalid Go ahead text
• JMAP:
  • Fix inMailboxOtherThan query logic.
  • Fix hasAttachment search field (#​2778)
• IMAP:
  • Increment argument max length to 8000 bytes
  • ACL: Add RIGHTS capability (#​2762)
  • ACL: Fix ACL SET permission override.
• WebDAV:
  • Return 304 NOT_MODIFIED on If-None-Match
  • Use RFC 2616 instead of RFC 1123 for date formatting
  • Fix ACL container/item mismatch in reports.
  • CalDAV: Allow organized properties to be present in PUT requests if they are equal to the existing ones.
  • CalDAV: Enforce cumulative iCalendar instances cap in CalDAV free-busy REPORT handler
• Configuration: Prefix parsing issues (#​2495)
• OIDC: JWKS Exposes Symmetric Signing Key
• SQLite: Fix thread pool exhaustion.
• PostgreSQL: Use clean recycling method on connection pool
• Meilisearch: Make id sorteable.
• ACME: Fix wrong origin for subdomain updates (#​2360)
• Spam filter: Skip invalid messages during training.
• Calendar: Include minutes in localized invite templates (#​2828)
• HTTP: Fix 204 CORS preflight responses

---

Check binary attestation here

v0.15.5

Compare Source

[0.15.5] - 2026-02-14

If you are upgrading from v0.14.x and below, this version includes multiple breaking changes. Please read the upgrading documentation for more information on how to upgrade from previous versions.
If you are upgrading from v0.15.x, replace the binary and update the webadmin.

Added

Changed

Fixed

• IMAP/JMAP: OOM when mail-parser returns cyclical MIME structures (CVE-2026-26312).
• Tracing: Fix tracing indexing when using separate stores.
• JMAP: Fix upToId computation in */queryChanges.
• JMAP: Include createdIds when the property is present.
• JMAP: Respect query arguments in Email/queryChanges.
• JMAP: Return the correct container/item change id when there are no changes.

---

Check binary attestation at here

v0.15.4

Compare Source

[0.15.4] - 2026-01-19

If you are upgrading from v0.14.x and below, this version includes multiple breaking changes. Please read the upgrading documentation for more information on how to upgrade from previous versions.
If you are upgrading from v0.15.x, replace the binary and update the webadmin.

Added

• IMAP: Map HEADER SUBJECT/FROM/TO searches to SUBJECT/FROM/TO queries.
• Sieve: Update spam status on user scripts.

Changed

Fixed

• Search: Return all document ids when no filters are provided.
• Search: Filters not applied when a single message is in the account.
• IMAP: Return ALREADYEXISTS code when creating existing mailboxes.
• IMAP: Do not return quota resources if no quota is set.
• JMAP/changes: Update newState with last changeId if an invalid fromChangeId is provided.
• JMAP/CalendarIdentity: Do not update invalid calendar identities.
• AI API: Include request error details if available.

---

Check binary attestation at here

v0.15.3

Compare Source

[0.15.3] - 2025-12-29

If you are upgrading from v0.14.x and below, this version includes multiple breaking changes. Please read the upgrading documentation for more information on how to upgrade from previous versions.
If you are upgrading from v0.15.x, replace the binary and update the webadmin.

Added

• Polish locale support (contributed by @​mrxkp) (#​2480)

Changed

Fixed

• Meilisearch: Return correct error messages when failing to create indexes (#​2574)
• PostgreSQL search: Truncate emails to 650kb for full-text search indexing.
• FoundationDB search: Batch large transactions (#​2567).
• Spam filter: Fix training sample size checks
• IMAP: Fix UTF7 encoding with Emojis (contributed by @​dojiong) (#​2564).

---

Check binary attestation at here

v0.15.2

Compare Source

[0.15.2] - 2025-12-22

If you are upgrading from v0.14.x and below, this version includes multiple breaking changes. Please read the upgrading documentation for more information on how to upgrade from previous versions.
If you are upgrading from v0.15.x, replace the binary and update the webadmin.

Added

• OAuth: Add device authorization endpoint (#​2225).

Changed

• Antispam: Only auto-learn spam from traps or multiple RBL hits.

Fixed

• mySQL search: Use MEDIUMTEXT field type for email body and attachments (#​2544).
• PostgreSQL search: Truncate large text fields.
• ElasticSearch: Implement pagination (#​2551).
• Antispam: Fix NO_SPACE_IN_FROM spam tag detection logic (#​2372).
• IMAP: Fix shared folder double nesting (test suite credits to @​ochnygosch) (#​2358).
• JMAP: Use latest Received header in JMAP Email/import (credits to @​apexskier) (#​2374).
• JMAP: Return unsorted search results when the index is not ready (#​2544).
• LDAP: Lowercase attribute comparison (credits to @​pdf) (#​2363).
• CLI: Fix same-host JMAP redirection on non-standard ports (#​2271).

---

Check binary attestation at here

v0.15.1

Compare Source

[0.15.1] - 2025-12-17

This version includes multiple breaking changes. Please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

Changed

Fixed

• PostgreSQL: Sanitize search index values (#​2533)
• Elasticsearch: Ignore resource_already_exists_exception errors when creating indexes (#​2535)
• Migrate 0.13.x data (#​2534)

---

Check binary attestation at here

v0.15.0

Compare Source

[0.15.0] - 2025-12-16

This version includes multiple breaking changes. Please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• Linear spam classifier using FTRL-Proximal and feature/cuckoo hashing.
• Meilisearch store backend implementation (#​1482).
• PostgreSQL and mySQL native full-text search support.
• Multiple performance improvements and database access optimizations.
• Encryption-at-rest: Spam training privacy setting.
• Enterprise: Undelete e-mail feature now includes From/Subject/Received information.
• IMAP: Implemented new keywords and mailbox attributes described in draft-ietf-mailmaint-messageflag-mailboxattribute-13

Changed

• IMAP: Always return special use flags in responses.

Fixed

• JMAP: FileNode/set fails to delete files (#​2485).
• JMAP: Return error when using blobId in JSContact and JSCalendar (#​2431).
• Directory: Deletion of list or domain issues (#​2415).
• MTA: Headers and body stripped from mail delivery subsystem failure notifications (#​2344).
• MTA: Hooks only run if sieve script, milter or rewrite is configured (#​2317).
• Autodiscover: Endpoint should be case insensitive (#​2440).
• Housekeeper: Panic during DST transition (#​2366).
• Import/Export: Fix import/export utility (#​1882).
• Enterprise: Remove tenant admin permissions when license is invalid.

---

Check binary attestation at here

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.