Raven MDA v0.7.0 Release Notes
What's New
✨ New Features
OAuth Bearer Authentication
Raven now supports OAuth Bearer authentication, allowing clients to authenticate using OAuth tokens against both the SASL and IMAP servers. Highlights:
OAUTHBEARERandXOAUTH2mechanisms advertised during SASL capability negotiation.- New configuration options for OAuth issuer, JWKS URL, audience, and clock skew.
- Shared token validator across SASL and IMAP servers with concurrent JWKS refresh.
- Comprehensive test coverage for the OAuth Bearer SASL flow and error responses.
OAuth2 Role-Based Mailbox Access
Role-based mailbox access has been added to the OAUTHBEARER flow. Role access evaluation uses safe mailbox component checks, enabling fine-grained authorization for shared and role mailboxes.
Role-Based Email Validation in Socketmap
The socketmap user_exists check now performs role-based email validation. Related improvements:
- Socketmap identity resolution integrated into LMTP delivery user lookups.
- Identity resolution enhanced with socketmap and recipient deliveries deduplicated.
Socketmap Service in Docker Release Workflow
The socketmap service is now built and published as part of the Docker release workflow, with corresponding make targets for building and running it locally.
🔧 Improvements
Role Mailbox Refactor
Role mailbox handling has been simplified and unified with user mailbox delivery:
- Message delivery logic now delivers directly to user mailboxes, removing the parallel role mailbox path.
- Role mailbox fields removed from
ClientStateand related tests. - Authentication logic no longer assigns role mailboxes during login.
- Integration tests updated to reflect the consolidated mailbox model.
Documentation
- Added a Thunder API Consumer Contract Guide for Raven to document the contract between Raven and the Thunder IDP.
Test Cleanup
- Removed redundant
ClientStatetests that only exercised Go zero-values and struct field assignment rather than application logic.
🔒 Security
- Bare username rejection: Login attempts with bare usernames (no domain) are now rejected. SASL authentication enforces domain validation and rejects mismatched email addresses.
- Consistent organization unit identifiers: Auth and Thunder integrations now use
ouIdconsistently across the codebase, including group email delivery.
🐛 Bug Fixes
- Email header corruption: Fixed
X-SG-EIDand similar headers bleeding into theSubjectline during ingestion and MIME reconstruction by enforcing RFC 2822 header line validation. Header value unfolding now usesstrings.Replacerfor clarity and performance. - IMAP read-state regressions for Gmail clients: Fixed regressions in IMAP read-state handling that affected Gmail client compatibility.
📦 Dependencies
- Bumped
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstreamfrom 1.7.4 → 1.7.9.
Breaking Changes
- Role mailbox API removed: Role mailbox fields on
ClientStateand the role mailbox delivery path have been removed. Integrations that relied on the previous role mailbox model should migrate to the unified user-mailbox delivery flow and use the new OAuth2 role-based access controls. - Bare-username logins rejected: Clients that previously authenticated with a bare username must now provide a fully-qualified email address whose domain matches the configured domain.
- Organization unit field rename: The organization unit identifier field is now
ouIdacross auth and Thunder integrations. Any external consumers reading this field must update accordingly.
Docker
Pull the latest image:
docker pull ghcr.io/lsflk/raven:latest
The socketmap service is now included in the Docker release workflow and can be started via the entrypoint script alongside the other Raven services.
Contributors
Thank you to everyone who contributed to this release! 🎉
| Contributor | GitHub |
|---|---|
| H.W.K.Aravinda | @Aravinda-HWK |
| M.N Wickramasinghe | @manupawickramasinghe |
| Sakna Rajapakshe | @saknarajapakshe |
| Maneesha | @maneeshaxyz |