v1.4.13 — Trusted Senders, Tag Management, Attachment Guard, and Secret File Support

1.4.13 (2026-04-12)

Thank you for your donations:

One-time

• @boris22100
• @mkorthaus-private

Monthly

• You? Become a sponsor!

Features

• Contacts: Store trusted senders in a dedicated JMAP address book (#176)
• Email: Warn on send when attachment keyword found but no file attached (#172)
• Email: Enable keyword reordering (#174) and multi-tag support per email (#173)
• PWA: Add "don't remind me again" option to install prompt
• Auth: Add SESSION_SECRET_FILE and OAUTH_CLIENT_SECRET_FILE environment variable support
• Plugins: Add onAvatarResolve plugin hook
• Docker: Publish main and dev branches as separate GHCR packages

Fixes

• Email: Style links in plain text emails
• Email: Seed list history entry when app initializes on an email view
• Email: Remount composer on draft edit and preserve identity (#60)
• Contacts: Display contact names stored in name.full (#179)
• Contacts: Fix category dropdown blocking Save button in contact form (#177)
• Contacts: Resolve TS error from optional name.components in vCard parser
• Search: Search all folders when filtering emails by tag (#175)
• Auth: Include mount prefix in SSO redirect URI when app is served under a subpath
• PWA: Correct PWA icons with proper sizing, transparency, and dark/light mode support

v1.4.12 — PWA Support, Birthday Calendar, Identity Sync, and multiple New Locales

1.4.12 (2026-04-09)

Thank you for your donations:

One-time

• @mkorthaus-private

Monthly

• You? Become a sponsor!

Features

• PWA: Add PWA support with service worker and install prompt
• Calendar: Add birthday calendar feature with settings and localization
• Calendar: Clamp February 29 birthdays in non-leap years
• Identity: Add automatic identity synchronization (#167)
• Plugins: Disable plugins by default and require admin approval
• Plugins: Replace auth header exposure with a secure HTTP proxy API for plugins
• Auth: Add configurable OAuth scopes and cookie security via environment variables
• Email: Sync mail view to browser history for back/forward navigation
• Contacts: Add ability to rename address books (#152)
• UI: Add version badge in settings
• i18n: Add Latvian (lv) locale support
• i18n: Add Polish language support
• i18n: Add Korean language support
• i18n: Add Simplified Chinese (zh_CN) locale support

Fixes

• Email: Show recipient instead of sender in Sent and Drafts folder lists
• Email: Embed dropped images as data URLs and prevent duplicate attachments (#163)
• Email: Fix logic for marking email as read in EmailViewer
• Email: Fix archive action passing MouseEvent as argument
• Mailbox: Preserve search filters on push-triggered mailbox refresh (#164)
• Mailbox: Align shared account folders with primary folders (#151)
• Mailbox: Fetch mailboxes on mount in FolderSettings when store is empty
• Mailbox: Improve mailbox deletion error handling
• Calendar: Improve calendar event retrieval by batching requests to avoid server limits (#141)
• Calendar: Compute per-occurrence UTC start/end in recurrence expansion (#116)
• Calendar: Guard against undefined trigger in calendar event alert popover (#143)
• Files: Stream WebDAV PUT uploads to avoid buffering in memory (#162)
• Files: Prune recent files against server nodes on refresh (#146)
• Files: Fix file deletion logic to update recent files and handle errors (#146)
• Files: Extend file drop zone to fill remaining viewport height
• Files: Fallback to application/octet-stream for long MIME types
• Security: Replace unguarded crypto.randomUUID() with safe generateUUID() utility
• Security: Validate plugin HTTP post URL against origin with regression tests
• Security: Allow blob images in CSP for inline drag-and-drop (#163)
• Auth: Resolve settings sync identity mismatch for OAuth/SSO sessions (#127)
• Contacts: Fix address book ID namespacing for shared contacts in create and update operations (#133)
• UI: Fix focused mode expanding beyond screen bounds (#156)
• API: Handle 403 on principal fetch without console error
• API: Enhance error handling in Stalwart API responses

v1.4.11 — Logging Categories, Proxy & Plugin Security, and Mailbox Fixes

1.4.11 (2026-03-31)

Features

• Logging: Add logging categories for better log management

Fixes

• Security: Harden security with CSP enforcement, SSRF redirect validation, reenabled S/MIME chain verify, IP spoofing prevention, and PDF iframe sandbox
• Security: Harden proxy authentication and SSRF defenses
• Security: Block plugins with dangerous JS patterns and enforce strict session secret length validation
• S/MIME: Add self-signed certificate detection and update status messages for S/MIME signatures
• Email: Auto-focus input fields in email composer for improved user experience (#126)
• Mailbox: Prevent orphaning of nested mailboxes by restricting deduplication to root-level folders
• JMAP: Strip server-immutable fields from updates before sending to JMAP (#128)
• Files: Update file feature disabled messages and add stability warnings
• i18n: Add missing translation keys to all non-English locales

v1.4.10 — Plugin Configuration, iCal Subscriptions, and Security Hardening

1.4.10 (2026-03-31)

Features

• Plugins: Add plugin configuration UI with schema-driven admin config page, calendar event action slot, and Jitsi Meet plugin
• Calendar: Implement client-side recurrence expansion for calendar events
• Calendar: Add iCal subscription editing and batch event import
• Calendar: Add hover preview settings and functionality
• Calendar: Add virtual location input for calendar events (#121)
• Email: Add reply-to addresses support in email composer
• Email: Add mail layout settings and update email list components
• Email: Add auto-select reply identity feature with settings and localization
• Email: Enhance compose functionality with button integration and translations
• Filters: Preserve activation state when updating or creating Sieve scripts to avoid deactivating server-managed vacation scripts
• Filters: Skip server-managed vacation script in Sieve script handling
• Settings: Add support for custom JMAP server endpoints in login and settings
• Settings: Add folder expansion state management and settings navigation
• UI: Add options to hide account switcher and show account avatars on navigation rail
• i18n: Add JMAP server endpoint labels and hints in multiple languages
• i18n: Add missing translation keys to all non-English locales

Fixes

• Security: Patch critical auth bypass and credential leak vulnerabilities
• Security: Support 3DES S/MIME decryption by importing legacy RSAES-PKCS1-v1_5 keys and add diagnostic logging (#35)
• Security: Account isolation, auto-import signer certs, and no-key error handling (#35)
• Calendar: Fix JSCalendar 2.0 recurrenceRule single-object compatibility (#116)
• Calendar: Enhance calendar event handling to distinguish between events and tasks
• Calendar: Link existing events to target calendar during iCal import instead of skipping (#113)
• Calendar: Deduplicate UIDs during iCal import to prevent mass failures (#113)
• Calendar: Fix events disappearing after iCal import/subscription refresh
• Calendar: Enhance calendar event handling with full-day detection and layout adjustments
• Calendar: Use UTC timestamps for timed event rendering
• Calendar: Work around Stalwart not returning Task objects via CalendarEvent/query
• Email: Enhance email loading and deduplication logic in email store (#119)
• Email: Ensure draft editing function is called correctly in EmailViewer component (#60)
• Email: Match hover action background to selected row state
• Email: Align tag counts with mailbox folder counts in sidebar
• Auth: Handle 2FA/TOTP session expiry with basic auth (#117)
• Mailbox: Improve mailbox tree logic and enhance mailbox handling with logging (#118)
• UI: Improve dark mode handling for media elements and background images
• UI: Adjust account list spacing and remove push connection indicator
• UI: Fix nested button in theme card

v1.4.9 — Admin Controls, Vacation Responder, and Plugin Policy Upgrades Latest

1.4.9 (2026-03-27)

Features

• Admin: Add Stalwart admin authentication, sidebar access, and a reorganized dashboard with dedicated policy sections
• Plugins: Add plugin/theme admin dashboard, harness tooling, forced enable or disable controls, managed policy enforcement, and a resizable detail sidebar
• Filters: Add vacation responder management with Sieve generation and parsing, UI integration, and improved sync preservation
• Email: Add plain text only composer mode, optional conversation threading disable, configurable hover action placement, and OAuth app password support
• UI: Add drag-and-drop customization for sidebar apps
• Files: Use dynamic server-configured maximum upload sizes
• i18n: Add Russian locale support and complete missing translation strings for recent task features

Fixes

• Calendar: Improve date parsing and event normalization, prevent calendar page re-render loops, ensure unique ICal subscription IDs, and create all-day events with correct JSCalendar midnight handling
• Email: Respect the configured mark-as-read delay in EmailViewer and fetch full email content when needed while editing drafts (#60, #95)
• Auth: Improve network error handling, add JMAP rate limiting handling, and enhance settings retrieval and persistence diagnostics (#100, #104)
• UI: Improve mobile layout behavior on contacts and calendar pages (#103)
• Themes: Repair theme ZIP bundle handling and enforce admin theme locks correctly
• Code Quality: Resolve outstanding ESLint warnings across the codebase

v1.4.8 — Email status, sub-addressing, notifications

1.4.8 (2026-03-23)

Features

• Email: Add support for marking emails as answered or forwarded and display status icons in email list and thread views
• Email: Enhance identity selection by supporting sub-addressing (plus addressing) in email composer
• Settings: Add notification settings with sound picker, preview playback, and configurable alert sounds
• Settings: Add default mail program settings with localization support across all locales
• Auth: Implement path prefix handling for OAuth callbacks and login redirects, enabling reverse proxy deployments
• Validation: Add all multi-part TLDs for domain validation in favicon API (#81)

Fixes

• Calendar: Fix bugs in duration parsing, RFC compliance, and event handling across calendar components
• Calendar: Detect tasks created by external CalDAV clients such as Thunderbird
• Settings: Enhance account settings with username and authentication method display (#90)

v1.4.7 — Calendar Tasks, Rich Text Editor, and SSO Login

1.4.7 (2026-03-21)

Features

• Calendar: Add task management features with task creation, editing, and status tracking
• Calendar: Add option to show week numbers in mini-calendar
• Email: Add resizable image component and rich text editor with image upload support
• Files: Support uploading folders via drag-and-drop and toolbar button
• Filters: Add expanded visual view for filter rules
• Auth: Add non-interactive SSO login flow for embedded/iframe deployments (#69)
• DevOps: Add separate Docker build workflow for releases and dev branch images

Fixes

• Calendar: Handle updates and deletions for synthetic JMAP IDs in calendar events with fallback to destroy and recreate
• Security: Extend CryptoEngine to support legacy algorithms and integrate with LinerEngine for decryption
• Auth: Refactor logout to use synchronous flow with full page redirect
• Email: Update iframe sandbox attributes to allow popups to escape sandbox
• i18n: Add missing translation keys across all locales
• Docker: Update .env.example to clarify Docker volume mounting for settings data directory

v1.4.6 — Demo Mode, Guided Tour, and Email Hover Actions

1.4.6 (2026-03-21)

Features

• Demo: Add full demo mode with fixture data for emails, calendars, contacts, files, filters, identities, mailboxes, and vacation responses
• Demo: Implement JMAP client interface abstraction to support demo and live backends
• Contacts: Add no-category filter, drag-and-drop to category, and category combo box in contact form
• Email: Add hover actions for emails with configurable quick-action buttons
• Settings: Implement keyword migration functionality for upgrading legacy email tags
• Security: Enhance S/MIME certificate extraction and add legacy PBE (password-based encryption) support
• Tour: Add interactive guided tour overlay for new user onboarding

Fixes

• Settings: Add missing showTimeInMonthView and showOnMobile type definitions to settings store
• UI: Adjust padding and size of sidebar buttons for improved layout

v1.4.5 — Calendar Navigation, Recurring Events, and Contact Pagination

1.4.5 (2026-03-20)

Features

• Calendar: Add prev/next navigation buttons and date label to desktop calendar toolbar
• Calendar: Add pending event preview functionality to calendar views and event modal
• Calendar: Add setting to show event start time in month view
• Contacts: Implement pagination for fetching contacts with maxObjectsInGet capability
• Email: Add attachment position setting in email settings
• Layout: Add mobile visibility toggle for sidebar apps
• Error: Add NotFound component to handle 404 errors and redirect unauthenticated users

Fixes

• Auth: Enhance account switching logic and clear stores on account change
• Auth: Improve account restoration logic and handle stale accounts
• Auth: Improve draft handling in email composer and enhance session cookie verification
• Calendar: Expand recurring events in CalendarEvent/query so individual occurrences are returned (#65)
• Calendar: Validate event start field when fetching calendar events
• Calendar: Auto-scroll agenda view to today's events and include today's date in groups
• Calendar: Correct JSX syntax in CalendarToolbar component
• Dependencies: Update flatted to 3.4.2
• DevOps: Use native ARM runners instead of QEMU for Docker builds
• DevOps: Enhance health check with detailed memory diagnostics and stable liveness probe

v1.4.4 — CalDAV Discovery, Signature Rendering, and Multi-Account Fixes

1.4.4 (2026-03-19)

Features

• Calendar: Implement CalDAV discovery API with automatic calendar home resolution for multi-account setups
• Calendar: Enhance calendar management settings with mailbox role reassignment controls
• Email: Add signature rendering utilities with HTML-to-text conversion and sanitization

Fixes

• Auth: Fix account session handling to update existing accounts instead of duplicating entries
• Auth: Fix logout redirects and unauthenticated home page rendering
• Calendar: Fix duplicate calendar edits and prevent double-save submissions in event modal
• Calendar: Remove stale calendar ID references in favor of CalDAV-discovered IDs
• Contacts: Improve RFC 9553 compliance for contact birthdays and address formatting
• Email: Fix email signature rendering for identity signatures
• Folders: Improve mailbox role management by clearing roles from all mailboxes before reassigning