Skip to content

VibMail Open Source v1.3.0 RC1

Pre-release
Pre-release

Choose a tag to compare

@vib-tools vib-tools released this 30 Jun 19:08

VibMail Open Source v1.3.0 RC1

VibMail Open Source v1.3.0 RC1 is the first public release candidate of VibMail, a self-hosted, receive-only team email management platform maintained by Vib Tools.

This release converts the verified private deployment source into a configurable, documented, security-focused open-source project while preserving the existing mailbox application behavior and production architecture.

Release status: Release Candidate
Target platform: Ubuntu Server 24.04 LTS
Runtime: Python 3.12
License: GNU AGPL v3.0 or later
Recommended for: testing, review, development, and isolated VPS evaluation

Overview

VibMail is designed for teams, organizations, and developers who need a self-hosted platform to receive, organize, assign, and manage shared team mailboxes from a web interface.

The reference deployment combines:

  • Django web application
  • Gunicorn application server
  • MariaDB database
  • Postfix virtual mailbox delivery
  • Dovecot LMTP delivery
  • Maildir message storage
  • Maildir ingestion worker
  • Nginx reverse proxy and static file delivery
  • Let's Encrypt TLS support
  • Static public website
  • Rate-limited contact service
  • systemd-managed services
  • Backup, restore, health-check, and verification tooling

Key Features

  • Administrator and standard user accounts
  • Shared team mailbox management
  • Mailbox membership and access isolation
  • Mailbox creation, activation, disabling, and soft deletion
  • Receive-only email delivery model
  • Postfix and Dovecot integration
  • Durable Maildir ingestion
  • Duplicate message protection
  • MIME email parsing
  • Plain-text and sanitized HTML message display
  • Protected attachment storage and download authorization
  • Message search and pagination
  • Read and unread status
  • Mailbox counters
  • Live inbox updates
  • User management
  • Security audit logging
  • Health-check endpoints
  • Public website and contact form service
  • Backup and restore scripts
  • Upgrade and verification utilities
  • Legacy VibMail deployment compatibility

What Is New in v1.3.0 RC1

Open-Source Repository Preparation

  • Added a complete GitHub-ready repository structure
  • Added a professional project README
  • Added full AGPL-3.0-or-later license text
  • Added security, contribution, support, and code-of-conduct policies
  • Added changelog, roadmap, citation metadata, and notice files
  • Added GitHub issue templates and pull request templates
  • Added GitHub Actions workflows
  • Added Dependabot configuration
  • Added repository branding assets
  • Added public documentation for installation, architecture, configuration, maintenance, security, privacy, backup, restore, troubleshooting, and release management

Configurable Deployment

  • Added configurable primary domain
  • Added configurable application hostname
  • Added configurable mail hostname
  • Added configurable public website hostname
  • Added configurable server IP
  • Added configurable storage and deployment paths
  • Added configurable SQL identifiers
  • Added environment templates for the application and contact service
  • Added reusable templates for MariaDB, Postfix, Dovecot, Nginx, and systemd

Ubuntu Installer

  • Added a native Ubuntu Server 24.04 installer
  • Added non-interactive installation mode
  • Added installation plan mode
  • Added installation locking
  • Added phased deployment reporting
  • Added generated secrets and database credentials
  • Added MariaDB provisioning
  • Added Postfix receive-only configuration
  • Added Dovecot LMTP configuration
  • Added Nginx and TLS provisioning
  • Added systemd service installation
  • Added initial administrator creation
  • Added post-install verification and acceptance checks

Security Hardening

  • Added strict validation for hostnames, IP addresses, paths, origins, and SQL identifiers
  • Added least-privilege MariaDB permissions
  • Added SQL SECURITY INVOKER database views
  • Prevented Postfix from receiving write or DDL privileges
  • Prevented Postfix from accessing mailbox password hashes
  • Disabled SMTP submission in the reference deployment
  • Disabled IMAP and POP3 in the reference deployment
  • Kept public registration disabled
  • Added root-only generated credential files
  • Retained Argon2 password hashing
  • Retained CSRF protection and secure cookie settings
  • Retained HTML sanitization
  • Retained protected attachment authorization
  • Retained object-level mailbox access checks
  • Added systemd sandboxing and restricted writable paths
  • Added safe archive extraction and checksum validation
  • Added fail-closed source and release scanning

Release Engineering

  • Added deterministic source package generation
  • Added source manifest generation
  • Added SHA-256 checksum verification
  • Added archive path-safety checks
  • Added release verification tooling
  • Added template validation
  • Added installer contract tests
  • Added operations contract tests
  • Added forensic source scanning

Quality and Verification

The release candidate completed the following automated checks:

  • 189 Django tests passed
  • 0 failed tests
  • 94.99% test coverage
  • 85% minimum coverage requirement satisfied
  • Ruff lint check passed
  • Bandit static security analysis passed
  • Django system checks passed
  • Migration drift check passed
  • Contact service tests passed
  • Installer valid-case tests passed
  • Installer invalid-case tests passed
  • Deployment template validation passed
  • Operations contract tests passed
  • Source secret and private-data scan passed
  • ZIP integrity verification passed
  • Source manifest verification passed
  • Deterministic build verification passed

Compatibility

This release preserves the existing VibMail application behavior, data model, routes, templates, static assets, migrations, mailbox lifecycle, Maildir ingestion, user authorization, message handling, and maintenance utilities.

No functional baseline source file was removed.

Existing VibMail deployments using the original vibmail.my defaults remain supported by the retained compatibility assets and default configuration.

Installation

Clone the repository:

git clone https://github.com/vibtools/vibmail-open-source.git
cd vibmail-open-source
git checkout v1.3.0-rc.1

Review the installation plan before making changes:

chmod +x install.sh

sudo ./install.sh \
  --domain example.com \
  --admin-email admin@example.com \
  --server-ip 203.0.113.10 \
  --non-interactive \
  --plan

Run the installation on a clean Ubuntu Server 24.04 VPS:

sudo ./install.sh \
  --domain example.com \
  --admin-email admin@example.com \
  --server-ip 203.0.113.10 \
  --non-interactive

Read the documentation before installation:

  • docs/QUICKSTART.md
  • docs/INSTALLATION.md
  • docs/CONFIGURATION.md
  • docs/DNS_AND_DELIVERABILITY.md
  • docs/SECURITY_REVIEW.md
  • docs/BACKUP_RESTORE.md
  • docs/TROUBLESHOOTING.md

Important Release Candidate Notice

This version is published as a release candidate and is not yet classified as a fully validated stable production release.

Before production promotion, the following external acceptance checks are still required:

  • Online dependency vulnerability audit with network access
  • Clean Ubuntu Server 24.04 full-stack installation
  • DNS, MX, SPF, DKIM, DMARC, PTR, and firewall validation
  • Let's Encrypt certificate issuance and renewal validation
  • External inbound SMTP delivery validation
  • Postfix unknown-recipient rejection validation
  • Dovecot LMTP delivery validation
  • Maildir ingestion validation
  • Application authorization validation
  • Contact form delivery validation
  • Backup and restore validation
  • Restart and recovery validation
  • Release-owner copyright and third-party license confirmation

Use this release in an isolated or test environment until those checks are completed.

Known Limitations

  • The reference deployment is receive-only.
  • SMTP submission is not enabled.
  • IMAP and POP3 are not enabled.
  • The installer currently targets Ubuntu Server 24.04 LTS.
  • A correctly configured domain, DNS, MX record, and server PTR/rDNS are required for real-world deployment.
  • Public release stability depends on completing the external acceptance checklist.

Upgrade and Future Versions

This is the first public release candidate.

Planned version path:

  • v1.3.0-rc.1 — initial public release candidate
  • v1.3.0-rc.2 — fixes and validation updates if required
  • v1.3.0 — stable release after clean-VPS and external-mail acceptance
  • v1.3.1 — maintenance and security fixes
  • v1.4.0 — backward-compatible feature additions

Future releases may improve repository presentation, onboarding, installation experience, deployment automation, documentation, SEO metadata, and user experience without removing existing functionality.

Security

Do not report security vulnerabilities through public GitHub issues.

Follow the private reporting process documented in SECURITY.md.

Never commit or publish:

  • .env files
  • database credentials
  • API tokens
  • private keys
  • TLS private keys
  • database dumps
  • Maildir content
  • attachments
  • backups
  • application logs
  • generated credentials

License

VibMail is licensed under the GNU Affero General Public License v3.0 or later.

See the LICENSE and NOTICE.md files for complete terms and notices.

Vib Tools Ecosystem

VibMail is maintained under the Vib Tools open-source ecosystem.

Feedback and Contributions

Testing, bug reports, documentation improvements, security reviews, and code contributions are welcome.

Before contributing, read:

  • CONTRIBUTING.md
  • CODE_OF_CONDUCT.md
  • SECURITY.md
  • SUPPORT.md
  • docs/DEVELOPMENT.md
  • docs/CODING_STANDARDS.md

Release Summary

VibMail v1.3.0 RC1 delivers the first complete public, configurable, auditable, and reproducibly packaged version of the VibMail team mailbox platform.

It preserves the verified application feature set while adding the repository structure, documentation, deployment templates, security controls, installer, CI configuration, and release tooling required for responsible public open-source distribution.

This release is suitable for community review, development, security testing, and isolated VPS acceptance testing.