v0.16.10

[0.16.10] - 2026-06-21

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• International Domain Names (IDN) support (#207).
• OAuth:
  • OAuth Profile for Open Public Clients (draft-ietf-mailmaint-oauth-public)
  • Client secret verification for confidential clients.
• HTTP: Add redirectRoot option to Http object to allow redirecting requests to the root path to a different path (e.g. /account).
• ACME: reuseKey option to allow reusing private keys in renewals.
• IMAP:
  • IMAP Extension for Object Identifiers (draft-ietf-mailmaint-imap-objectid-bis)
  • GETJMAPACCESS command to discover the JMAP session resource URL (#2736).

Changed

Fixed

• JMAP conformance (pass the jmap-test-suite tests):
  • Methods are only available if their capability is in using.
  • Reject requests that do not specify application/json in the Content-Type header.
  • Require accountId argument on requests.
  • Return unparsable ids in notFound / notUpdated / notDestroyed / notCopied instead of dropping them.
  • Default calendars and address books are not subscribed by default.
  • */set: Unchanged immutable id property is rejected on update.
  • */query and */queryChanges: nullrejected asnotRequest`.
  • Email/query:
    • Improper anchor handling.
    • Total miscount when collapseThreads is enabled.
    • Wrong sort order on hasKeyword, allInThreadHaveKeyword, and someInThreadHaveKeyword conditions.
    • Non-standard header values are not searchable.
  • Email/copy: Take the source message id from the value's id property.
  • Email/set: Bump reference-resolution max_depth from 1 to 2.
  • Email/import: Reject blobs that do not contain valid messages.
  • EmailSubmission/set: return sendAt and undoStatus in the created response.
  • Mailbox/set: Return alreadyExists instead of invalidProperties when creating a mailbox with an existing name.
  • SearchSnippet/get: incorrect response structure.
  • Thread/changes: emit a container delete when a thread becomes empty.
  • VacationResponse/set: incorrect singleton handling.
• IMAP: Discard oversized non-synchronizing literals (#2768).
• DANE: Improper TLSA record validation (#2328 - credits to @vdukhovni).
• OIDC: Add default domain name to groups that are not email addresses.
• RocksDB: Enable blob garbage collection to reclaim disk space from deleted blobs.
• Sieve: include statements ignore capitalisation of sub-script names (#1643)
• Cache: Invalidate negative email caches when an account is created.
• Troubleshoot tool: Use the configured source IP address when connecting to remote servers (#2867).

---

Check binary attestation here