ViMbAdmin 4.0.0
Released 2026-06-10— MyGuard fork (github.com/eilandert/ViMbAdmin)
https://deb.myguard.nl/2026/06/vimbadmin-postfix-dovecot-mailbox-admin-panel/
Live demo: https://vimbadmin.myguard.nl/ — demo account is read-only-ish (password + 2FA changes locked, outgoing mail no-op'd); everything else is the real panel.
First tagged release of the modernised fork. PHP 8.5, Doctrine ORM 3, a full security pass, an optional MCP adapter and 2FA.
Minimum requirements
- PHP 8.4.1+ (runs clean on 8.4 / 8.5).
- PHP extensions:
ctype,dom,gd,gettext,iconv,intl,json,mbstring,pdo,pdo_mysql,sodium(2FA secrets are libsodium-encrypted). Optional:apcu(cache),redis(multi-replica cache). - MariaDB / MySQL database.
- Doctrine ORM 3.3+, Smarty 5.0+ (pulled by Composer).
Upgrading: schema migrates itself — run
maintenance.cli-schema-update(the Docker image does this at container start) and applycontrib/migrations/. Note the newUNIQUEindex onmailbox.username. See the README Upgrading & schema migrations section.
Breaking changes
- Doctrine ORM 3. Entity mapping moved XML → PHP 8 attributes, all properties typed,
useResultCache()→enableResultCache(), mapped collections initialised in constructors. - Smarty 4.3 → 5.x; Composer dependencies updated.
application.iniflattened to a section-less base; dead/ZF1 keys stripped; ini defaults flattened.bin/doctrine2-cli.phprenamed tobin/doctrine-cli.php.skipVersionCheck=1is now the default (the upstream version endpoint is dead).- PHP 8.5 deprecation fixes; removed dead
OSS_classes and& ~E_STRICT.
Security
- CSRF protection on every form and destructive link + Smarty HTML auto-escaping (XSS).
- Two-factor auth (TOTP) with brute-force login protection; super-admin can provision/QR/regenerate/force 2FA for others; TOTP replay guard.
- Input validation (non-negative quota); fixed stale-metadata phantom schema;
AccessPermissionspersist fix. - Dovecot owns storage: dropped mailbox uid/gid/homedir/maildir, killed all shell-out.
- Real client IP behind a proxy via
ViMbAdmin_Net+trustedproxy.mode(defaultauto), feeding the brute-force limiter and MCP IP checks.
MCP adapter (optional, off by default)
- Bearer-token + IP-allowlist JSON-RPC endpoint at
/mcp. - Write abilities with per-token destructive rate-limit.
- Token-generate can reuse a name whose token was revoked.
/mcpre-includesfastcgi_paramsand forcesSCRIPT_NAME=/index.php.
Schema
- New
UNIQUEindex onmailbox.username(+ migration). - Mailbox create reuses an existing auto-alias instead of duplicating it.
Performance & cache
- Dropped Memcached, added Redis (
RedisCache) with graceful fallback. - Doctrine cache defaults to
auto(APCu when available, else Array). - Documented OPcache/APCu + Symfony cache.
UI & theming
- Skin-aware asset loading + sample dark skin and guide; dark-skin contrast fixes.
- 2FA enrol pages: centred QR, secret and form.
Deploy / contrib
- Angie: dropped login
limit_reqon/index.php(front-controller funnels all traffic there → throttled browsing / 503 behind a proxy; app handles login brute-force). Allow ZF1 param-pair URLs in the route allowlist. contrib/cron: mail-host archive + maildir-size example scripts and HOWTO; folded SP ini into the FPM pool andfastcgi.incinto the vhost.application.ini.dist: 587/STARTTLS mail default + TLS cert-ignore.- CLI: resolve
APPLICATION_ENVfrom the env var first (containers); silenced framework deprecation noise.
Docs
- README rewrite: Security, Performance, Upgrading & schema migrations, MCP adapter + trusted-proxy sections; PHP badge bumped to 8.4+; deb.myguard.nl write-up linked at the top.