Skip to content

Raven MDA v0.7.0

Latest

Choose a tag to compare

@Aravinda-HWK Aravinda-HWK released this 18 May 05:30
727fb78

Raven MDA v0.7.0 Release Notes

What's New

✨ New Features

OAuth Bearer Authentication

Raven now supports OAuth Bearer authentication, allowing clients to authenticate using OAuth tokens against both the SASL and IMAP servers. Highlights:

  • OAUTHBEARER and XOAUTH2 mechanisms advertised during SASL capability negotiation.
  • New configuration options for OAuth issuer, JWKS URL, audience, and clock skew.
  • Shared token validator across SASL and IMAP servers with concurrent JWKS refresh.
  • Comprehensive test coverage for the OAuth Bearer SASL flow and error responses.

OAuth2 Role-Based Mailbox Access

Role-based mailbox access has been added to the OAUTHBEARER flow. Role access evaluation uses safe mailbox component checks, enabling fine-grained authorization for shared and role mailboxes.

Role-Based Email Validation in Socketmap

The socketmap user_exists check now performs role-based email validation. Related improvements:

  • Socketmap identity resolution integrated into LMTP delivery user lookups.
  • Identity resolution enhanced with socketmap and recipient deliveries deduplicated.

Socketmap Service in Docker Release Workflow

The socketmap service is now built and published as part of the Docker release workflow, with corresponding make targets for building and running it locally.

🔧 Improvements

Role Mailbox Refactor

Role mailbox handling has been simplified and unified with user mailbox delivery:

  • Message delivery logic now delivers directly to user mailboxes, removing the parallel role mailbox path.
  • Role mailbox fields removed from ClientState and related tests.
  • Authentication logic no longer assigns role mailboxes during login.
  • Integration tests updated to reflect the consolidated mailbox model.

Documentation

  • Added a Thunder API Consumer Contract Guide for Raven to document the contract between Raven and the Thunder IDP.

Test Cleanup

  • Removed redundant ClientState tests that only exercised Go zero-values and struct field assignment rather than application logic.

🔒 Security

  • Bare username rejection: Login attempts with bare usernames (no domain) are now rejected. SASL authentication enforces domain validation and rejects mismatched email addresses.
  • Consistent organization unit identifiers: Auth and Thunder integrations now use ouId consistently across the codebase, including group email delivery.

🐛 Bug Fixes

  • Email header corruption: Fixed X-SG-EID and similar headers bleeding into the Subject line during ingestion and MIME reconstruction by enforcing RFC 2822 header line validation. Header value unfolding now uses strings.Replacer for clarity and performance.
  • IMAP read-state regressions for Gmail clients: Fixed regressions in IMAP read-state handling that affected Gmail client compatibility.

📦 Dependencies

  • Bumped github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream from 1.7.4 → 1.7.9.

Breaking Changes

  • Role mailbox API removed: Role mailbox fields on ClientState and the role mailbox delivery path have been removed. Integrations that relied on the previous role mailbox model should migrate to the unified user-mailbox delivery flow and use the new OAuth2 role-based access controls.
  • Bare-username logins rejected: Clients that previously authenticated with a bare username must now provide a fully-qualified email address whose domain matches the configured domain.
  • Organization unit field rename: The organization unit identifier field is now ouId across auth and Thunder integrations. Any external consumers reading this field must update accordingly.

Docker

Pull the latest image:

docker pull ghcr.io/lsflk/raven:latest

The socketmap service is now included in the Docker release workflow and can be started via the entrypoint script alongside the other Raven services.

Contributors

Thank you to everyone who contributed to this release! 🎉

Contributor GitHub
H.W.K.Aravinda @Aravinda-HWK
M.N Wickramasinghe @manupawickramasinghe
Sakna Rajapakshe @saknarajapakshe
Maneesha @maneeshaxyz