🐝🐮 Mooay 2026 | Just another security update - Revision C

What's Changed

• [Nginx] Update to 1.30.2 by @FreddleSpl0it in #7259
• fix unbound CVE-2026-33278 by @SYNLINQ in #7252
• Update actions/stale action to v10.3.0 by @renovate[bot] in #7242
• Translations update from Weblate by @milkmaker in #7245
• Update devops-infra/action-pull-request action to v1.1.2 by @renovate[bot] in #7247
• Update devops-infra/action-pull-request action to v1.1.3 by @renovate[bot] in #7253
• Update devops-infra/action-pull-request action to v1.2.0 by @renovate[bot] in #7254

New Contributors

• @SYNLINQ made their first contribution in #7252

Full Changelog: 2026-05b...2026-05c

🐝🐮 Mooay 2026 | Just another security update - Revision B

What's Changed

• [Nginx] Update to 1.30.1 by @FreddleSpl0it in #7240
• escape HTML in quarantine table by @FreddleSpl0it in #7241
• Translations update from Weblate by @milkmaker in #7228
• Add Uzbek language by @Jahongir-Qurbonov in #7224
• Update devops-infra/action-pull-request action to v1.1.1 by @renovate[bot] in #7234

New Contributors

• @Jahongir-Qurbonov made their first contribution in #7224

Full Changelog: 2026-05a...2026-05b

🐝🐮 Mooay 2026 | Just another security update - Revision A

What's Changed

This release updates SOGo to version 5.12.8, addressing 4 security issues:
https://www.sogo.nu/news/2026/sogo-v5128-released.html

We strongly recommend updating to this version.

• [SOGo] Update to 5.12.8 by @FreddleSpl0it in #7226

Full Changelog: 2026-05...2026-05a

🐝🐮 Mooay 2026 | Just another security update

What's Changed

This is a small but important update that fixes a security-related issue.
We strongly recommend updating to this version.
The associated CVE identifier will be published at a later time.

• [Postfix] update postscreen_access.cidr by @milkmaker in #7177
• [Postfix] update postscreen_access.cidr by @milkmaker in #7209
• Translations update from Weblate by @milkmaker in #7190
• Translations update from Weblate by @milkmaker in #7218
• [Web] escape HTML in sieve filter edit view and queue manager by @FreddleSpl0it in #7220

Full Changelog: 2026-03b...2026-05

🍀🐮 Moorch 2026 | forced 2FA, DNS-01, SOGo & Rspamd Updates - Revision B

What's Changed

This is a small but important update that fixes several security-related issues.
We recommend updating to this version.
Associated CVE identifiers will be published later.

• [Web][Dovecot] Improve input validation and escaping by @FreddleSpl0it in #7173

Full Changelog: 2026-03a...2026-03b

🍀🐮 Moorch 2026 | forced 2FA, DNS-01, SOGo & Rspamd Updates - Revision A

What's Changed

This is a small update that fixes issues related to LDAP and Keycloak authentication, as well as problems with the new ACME DNS-01 challenge feature.

Full release: https://github.com/mailcow/mailcow-dockerized/releases/tag/2026-03

• [Web] Fix LDAP/Keycloak login TypeError - missing JSON decode for attributes by @FreddleSpl0it in #7123
• [ACME] Fix wildcard certificate conflict with MAILCOW_HOSTNAME by @FreddleSpl0it in #7124
• Fix theme localStorage collision with rspamd UI by @rezzorix in #7121
• Translations update from Weblate by @milkmaker in #7130
• [ACME] Skip autodiscover/mta-sts subdomains covered by wildcard certificates by @FreddleSpl0it in #7134

New Contributors

• @rezzorix made their first contribution in #7121

Full Changelog: 2026-03...2026-03a

🍀🐮 Moorch 2026 | forced 2FA, DNS-01, SOGo & Rspamd Updates

What's Changed

New Features

• [Web] Add forced 2FA setup and password update enforcement by @FreddleSpl0it in #7077
• Add skip feature to mailcow admin password reset script by @HichemAK in #7078
• feat: Implement passwordless autodiscover endpoint by @DerLinkman in #6976
• acme: add DNS challenges by @cjlapao in #6912 (Documentation)
• [SOGo] Build SOGo from source with security patches by @FreddleSpl0it in #7086
• [SOGo] Update to 5.12.5 by @FreddleSpl0it in #7098
• [Rspamd] Update to 3.14.3-1 by @FreddleSpl0it in #7100

Bug Fixes

• Fix lua script sub-addressing by @DocFraggle in #7037
• Document qitem endpoint in openapi.yaml for editing quarantine mails by @jonprocter in #7047
• check_dns: better time measurement by @maxi322 in #6695
• fix: show stopped and failed containers in dashboard and API by @JeremieCrinon in #7082
• Bump alpine version of netfilter by @jovobe in #7060
• [Web] Add missing EAS and DAV protocol options to mailbox bulk actions by @FreddleSpl0it in #7088
• [Web] switch from GET to POST for datatable requests by @FreddleSpl0it in #7089
• [SOGo][Web] use incremental updates for mailbox/alias/resource sync in sogo_static_view by @FreddleSpl0it in #7093

Other

• Translations update from Weblate by @milkmaker in #7040
• Translations update from Weblate by @milkmaker in #7055
• Translations update from Weblate by @milkmaker in #7069
• Translations update from Weblate by @milkmaker in #7091
• Translations update from Weblate by @milkmaker in #7095
• [Postfix] update postscreen_access.cidr by @milkmaker in #7042
• [Postfix] update postscreen_access.cidr by @milkmaker in #7084
• Update actions/stale action to v10.2.0 by @renovate[bot] in #7062
• Update docker/build-push-action action to v7 by @renovate[bot] in #7097
• chore(deps): update dependency composer/composer to v2.9.5 by @renovate[bot] in #6457
• chore(deps): update docker/setup-qemu-action action to v4 by @renovate[bot] in #7092
• chore(deps): update docker/login-action action to v4 by @renovate[bot] in #7094
• chore(deps): update docker/setup-buildx-action action to v4 by @renovate[bot] in #7096

Notes

Special thanks to Philipps-Universität Marburg for sponsoring the development of the forced 2FA setup feature in this release and supporting the continued security improvements of mailcow.

New Contributors

• @HichemAK made their first contribution in #7078
• @jonprocter made their first contribution in #7047
• @JeremieCrinon made their first contribution in #7082
• @jovobe made their first contribution in #7060
• @cjlapao made their first contribution in #6912

Full Changelog: 2026-01...2026-03

🐄🛡️ January 2026 Update | Limited EAS/DAV Access and Restricted Alias Sending

What's Changed

New

• Support for PBKDF2-SHA512 hash algorithm in verify_hash() (FreeIPA compatibility) (issue 6646) by @Ashitaka57 in #6905
• rspamd: upgrade to 3.14.1, trixie rebuild + bcc forwarded hosts fix by @DerLinkman in #6958
• Add MTA-STS support for alias domains by @Copilot in #6972
• Configurable displayName(s) - Fixes issue #6489 by @bluewalk in #6980
• [Web] Disable login UI on autoprotocol domains by @DiscoNova in #6867
• [Web] Allow admins to limit EAS and DAV access for mailbox users by @FreddleSpl0it in #7022
• feat: allow preset of passwords via environment vars by @moregeek in #7007
• [Postfix] Configurable send permissions for alias addresses by @FreddleSpl0it in #7021

Fixes

• ui: fix global filters ui tickbox reappearing by @DerLinkman in #6966
• Prevent duplicate/plaintext login announcement rendering by @Copilot in #6963
• fix: Password for mobileconfig that conforms to password-complexity policy by @psuet in #6990

Updates

• [Postfix] update postscreen_access.cidr by @milkmaker in #6987
• Translations update from Weblate by @milkmaker in #6965
• Translations update from Weblate by @milkmaker in #7002
• Translations update from Weblate by @milkmaker in #7014
• Translations update from Weblate by @milkmaker in #7020
• chore(deps): update peter-evans/create-pull-request action to v8 by @renovate[bot] in #6953
• chore(deps): update dependency krakjoe/apcu to v5.1.28 by @renovate[bot] in #6947
• chore(deps): update dependency imagick/imagick to v3.8.1 by @renovate[bot] in #6927
• chore(deps): update dependency phpredis/phpredis to v6.3.0 by @renovate[bot] in #6901
• chore(deps): update dependency php-memcached-dev/php-memcached to v3.4.0 by @renovate[bot] in #6837
• chore(deps): update dependency tianon/gosu to v1.19 by @renovate[bot] in #6710

New Contributors

• @Ashitaka57 made their first contribution in #6905
• @Copilot made their first contribution in #6963
• @DiscoNova made their first contribution in #6867
• @moregeek made their first contribution in #7007

Full Changelog: 2025-12a...2026-01

🎄🐮 Moocember 2025 | Just another bugfix update - Revision A

Important

If you already use docker compose v5, please run these commands once to fetch the update script which would break otherwise while trying to update mailcow:
git fetch followed by git checkout origin/master update.sh

What's fixed:

• Prevent duplicate/plaintext login announcement rendering in c11ed5d
• ofelia: revert fixed cron syntax for sa-rules download by @DerLinkman in e76f523
• backup: add image prefetch function to verify latest image is used by @DerLinkman in d977ddb
• Support for PBKDF2-SHA512 hash algorithm in verify_hash() (FreeIPA compatibility) by @Ashitaka57 in e8d9315

🎄🐮 Moocember 2025 | Just another bugfix update

Important

If you already use docker compose v5, please run these commands once to fetch the update script which would break otherwise while trying to update mailcow:
git fetch followed by git checkout origin/master update.sh

What's Changed

• chore(deps): update devops-infra/action-pull-request action to v1 by @renovate[bot] in #6840
• chore(deps): update devops-infra/action-pull-request action to v1.0.2 by @renovate[bot] in #6850
• Add Vietnamese language by @milkmaker in #6854
• chore(deps): update alpine docker tag to v3.22 by @renovate[bot] in #6417
• Translations update from Weblate by @milkmaker in #6861
• Disable PHP opcache.jit by @patschi in #6847
• Update 2025-10a Hotfix by @FreddleSpl0it in #6874
• Translations update from Weblate by @milkmaker in #6880
• [Web] Correct order of Dansk/Danish in UI by @PseudoResonance in #6887
• [Postfix] update postscreen_access.cidr by @milkmaker in #6886
• Translations update from Weblate by @milkmaker in #6898
• Translations update from Weblate by @milkmaker in #6906
• Translations update from Weblate by @milkmaker in #6908
• Replace pigz with zstd for backup compression by @cl445 in #6897
• compose: changes cronjobs to regular cron syntax + fixed sogo creds for cronjobs by @DerLinkman in #6866
• Update backup container to trixie by @MAGICCC in #6907
• Remove deprecated 'X-XSS-Protection' header by @patschi in #6871
• Hide nginx version in http context for all sites by @patschi in #6873
• Allow making spam aliases permanent by @PseudoResonance in #6888
• Translations update from Weblate by @milkmaker in #6916
• chore(deps): update actions/checkout action to v6 by @renovate[bot] in #6920
• Translations update from Weblate by @milkmaker in #6924
• Translations update from Weblate by @milkmaker in #6930
• [Postfix] update postscreen_access.cidr by @milkmaker in #6933
• Translations update from Weblate by @milkmaker in #6936
• chore(deps): update actions/stale action to v10.1.1 by @renovate[bot] in #6937
• chore(deps): update alpine docker tag to v3.23 by @renovate[bot] in #6940
• Translations update from Weblate by @milkmaker in #6941
• Translations update from Weblate by @milkmaker in #6943
• fix(api): add missing break in CORS switch block causing save to hang by @khurram-saeed-malik in #6926
• pf-tlspol: upgrade to 1.8.22 by @DerLinkman in #6951

New Contributors

• @cl445 made their first contribution in #6897
• @khurram-saeed-malik made their first contribution in #6926

Full Changelog: 2025-10...2025-12