%global forgeurl https://github.com/stalwartlabs/stalwart
%global tag v%{version}

Name:           stalwart-mail
Version:        0.13.4
Release:        1%{?dist}
Summary:        Secure, scalable mail & collaboration server with comprehensive protocol support

License:        AGPL-3.0-only OR LicenseRef-SEL
URL:            https://stalw.art
Source0:        %{forgeurl}/archive/%{tag}/stalwart-%{version}.tar.gz

BuildRequires:  rust >= 1.70
BuildRequires:  cargo
BuildRequires:  gcc
BuildRequires:  gcc-c++
BuildRequires:  openssl-devel
BuildRequires:  systemd-devel
BuildRequires:  systemd-rpm-macros
BuildRequires:  pkgconfig(openssl)
BuildRequires:  pkgconfig(systemd)
BuildRequires:  make

# Only build on supported architectures for Rust
ExcludeArch:    i686 s390 %{power64}

# For COPR compatibility
%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
%bcond_without check
%else
%bcond_with check
%endif

Requires:       glibc
Requires:       openssl
Requires:       systemd
Requires(pre):  shadow-utils
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd

%description
Stalwart is an open-source mail & collaboration server with JMAP, IMAP4,
POP3, SMTP, CalDAV, CardDAV and WebDAV support and a wide range of modern
features. It is written in Rust and designed to be secure, fast, robust and
scalable.

Key features include complete email server with JMAP, IMAP4rev2/IMAP4rev1,
POP3, SMTP with built-in DMARC, DKIM, SPF and ARC support, CalDAV/CardDAV
server for contacts and calendars, WebDAV server for file storage, built-in
spam and phishing filter, LDAP and SQL authentication, encryption at rest,
clustering support, and web-based administration interface.

%prep
%autosetup -n stalwart-%{version}

%build
# Set build environment for optimal compilation
export CARGO_TARGET_DIR=%{_builddir}/stalwart-%{version}/target
export RUSTFLAGS="-Ccodegen-units=1 -Clink-dead-code=off"
export CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG=false

# Configure cargo for offline builds if available
%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9
export CARGO_NET_OFFLINE=true
%endif

# Ensure we have a proper Cargo.lock
[ -f Cargo.lock ] || cargo generate-lockfile

# Build with default features (rocks and enterprise)
# Use single codegen unit for smaller binaries
cargo build --release --verbose --locked

%install
# Create directory structure
install -d %{buildroot}%{_bindir}
install -d %{buildroot}%{_sysconfdir}/stalwart
install -d %{buildroot}%{_sharedstatedir}/stalwart
install -d %{buildroot}%{_localstatedir}/log/stalwart
install -d %{buildroot}%{_unitdir}
install -d %{buildroot}%{_docdir}/%{name}

# Install binary
install -D -m 755 %{_builddir}/stalwart-%{version}/target/release/stalwart \
    %{buildroot}%{_bindir}/stalwart

# Create and install systemd service file
cat > %{buildroot}%{_unitdir}/stalwart-mail.service << 'EOF'
[Unit]
Description=Stalwart Mail Server
Conflicts=postfix.service sendmail.service exim4.service
ConditionPathExists=%{_sysconfdir}/stalwart/config.toml
After=network-online.target

[Service]
Type=simple
LimitNOFILE=65536
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
ExecStart=%{_bindir}/stalwart --config=%{_sysconfdir}/stalwart/config.toml
SyslogIdentifier=stalwart
User=stalwart
Group=stalwart
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
EOF

# Install configuration file
install -m 640 resources/config/config.toml %{buildroot}%{_sysconfdir}/stalwart/config.toml

# Install documentation
install -m 644 README.md %{buildroot}%{_docdir}/%{name}/
install -m 644 CHANGELOG.md %{buildroot}%{_docdir}/%{name}/
install -m 644 CONTRIBUTING.md %{buildroot}%{_docdir}/%{name}/
install -m 644 UPGRADING.md %{buildroot}%{_docdir}/%{name}/
install -m 644 SECURITY.md %{buildroot}%{_docdir}/%{name}/

# Install license files
install -m 644 LICENSES/AGPL-3.0-only.txt %{buildroot}%{_docdir}/%{name}/
install -m 644 LICENSES/LicenseRef-SEL.txt %{buildroot}%{_docdir}/%{name}/

%files
%license %{_docdir}/%{name}/AGPL-3.0-only.txt
%license %{_docdir}/%{name}/LicenseRef-SEL.txt
%doc %{_docdir}/%{name}/README.md
%doc %{_docdir}/%{name}/CHANGELOG.md
%doc %{_docdir}/%{name}/CONTRIBUTING.md
%doc %{_docdir}/%{name}/UPGRADING.md
%doc %{_docdir}/%{name}/SECURITY.md
%config(noreplace) %{_sysconfdir}/stalwart/config.toml
%{_bindir}/stalwart
%{_unitdir}/stalwart-mail.service
%attr(0750,stalwart,stalwart) %dir %{_sharedstatedir}/stalwart
%attr(0750,stalwart,stalwart) %dir %{_localstatedir}/log/stalwart
%attr(0750,stalwart,stalwart) %dir %{_sysconfdir}/stalwart

%pre
# Create stalwart user and group
getent group stalwart >/dev/null || groupadd -r stalwart
getent passwd stalwart >/dev/null || \
    useradd -r -g stalwart -s /usr/sbin/nologin -M \
        -d %{_sharedstatedir}/stalwart -c "Stalwart Mail Server" stalwart

%post
# Initialize configuration if this is a fresh install
if [ $1 -eq 1 ]; then
    # Run stalwart --init to create initial configuration (run as root, then fix ownership)
    %{_bindir}/stalwart --init %{_sharedstatedir}/stalwart >/dev/null 2>&1 || true
    # Ensure proper ownership of data directories
    chown -R stalwart:stalwart %{_sharedstatedir}/stalwart %{_localstatedir}/log/stalwart 2>/dev/null || true
    chmod 640 %{_sysconfdir}/stalwart/config.toml 2>/dev/null || true
    chown stalwart:stalwart %{_sysconfdir}/stalwart/config.toml 2>/dev/null || true
fi
%systemd_post stalwart-mail.service

%preun
%systemd_preun stalwart-mail.service

%postun
%systemd_postun_with_restart stalwart-mail.service
# Remove user and group on complete removal
if [ $1 -eq 0 ]; then
    # Clean up data directories on uninstall
    rm -rf %{_sharedstatedir}/stalwart/* 2>/dev/null || true
    getent passwd stalwart >/dev/null && userdel stalwart >/dev/null 2>&1 || true
    getent group stalwart >/dev/null && groupdel stalwart >/dev/null 2>&1 || true
fi

%changelog
* Mon Sep 30 2024 mdecimus - 0.13.4-1
- Security fix: IMAP unbounded memory allocation in request parser (CVE-2025-61600)
- Security fix: CalDAV limit recurrence expansions in calendar reports (CVE-2025-59045)
- Fixed IMAP wrong permission checked for GETACL
- Fixed JMAP references to previous method fail when there are no results
- Fixed JMAP enforce quota checks on Blob/copy
- Fixed JMAP Mailbox/get fails without accountId argument
- Fixed iTIP include date properties in REPLY messages
- Fixed OIDC do not set username field if same as email field
- Fixed telemetry calculateMetrics housekeeper task
- Changed JMAP protocol layer rewrite for zero-copy deserialization

* Mon Sep 09 2024 mdecimus - 0.13.3-1
- Added CLI health checks
- Changed WebDAV assisted discovery v2
- Fixed iTIP do not send REPLY when deleting unaccepted events
- Fixed OIDC do not overwrite locally defined aliases
- Fixed HTTP scan ban should only be triggered by HTTP parse errors
- Fixed JMAP do not allow roles to be removed from system mailboxes
- Fixed SMTP do not send EHLO twice when STARTTLS unavailable
- Fixed IMAP allow ENABLE UTF8 in IMAPrev1
- Fixed IMAP increase maximum quoted argument size

* Sun Jul 28 2024 mdecimus - 0.13.2-1
- Added ACME DeSEC and OVH cloud DNS provider support
- Added CalDAV Scheduling Catalan language support
- Added MTA allow sending emails as group member
- Added OIDC allow local access tokens with third-party OIDC backends
- Fixed MTA do not convert email local parts to lowercase
- Fixed Sieve fileinto should override spam filter
- Fixed JMAP incorrect accountId used in email set and import methods
- Fixed LDAP only set account name if not returned in LDAP query

* Tue Jul 16 2024 mdecimus - 0.13.1-1
- Added ACME DigitalOcean cloud DNS provider support
- Fixed migration old queue events not deleted causing high CPU usage
- Fixed MTA mta-sts setting parsing issue
- Fixed JMAP sortOrder should not be null
- Fixed invalid TOML parsing in database settings

* Mon Jul 15 2024 mdecimus - 0.13.0-1
- Added MTA queue enhancements with breaking changes
- Added Danish locale support
- Added DKIM support for stalwart-cli
- Changed invalidate access token caches using pub/sub
- Fixed WebDAV return all shared resources in calendar-home-set
- Fixed CalDAV Scheduling include DTSTART/DTEND in iMIP CANCEL messages
- Fixed IMAP custom name for shared folders and subfolders under INBOX

* Wed Jun 26 2024 mdecimus - 0.12.5-1
- Added Calendar Scheduling Extensions to CalDAV (RFC6368)
- Added Calendar Email Notifications with limited i18n support
- Added assisted CalDAV/CardDAV shared resource discovery
- Fixed WebDAV return NOTFOUND error instead of MULTISTATUS on empty PROPFIND
- Fixed JMAP do not include email address in identity names
- Fixed antispam skip card-is-ham override when sender does not pass DMARC

* Mon Jun 03 2024 mdecimus - 0.12.4-1
- Added LDAP authentication enhancements
- Added MTA return Queue IDs during message acceptance
- Fixed DNS hickory-resolver bug hitting 100% CPU usage when resolving DNSSEC records
- Fixed IMAP return the message UID in the destination mailbox if the message already exists
- Fixed MTA TLS reports being issued for sent TLS reports (infinite loop)
- Fixed WebDAV return CTag on /dav/cal/account resources to force iOS synchronize
- Fixed CardDAV strict vCard parsing
- Fixed WebDAV dead property updates

* Thu May 30 2024 mdecimus - 0.12.3-1
- Added store vanished IMAP UIDs and WebDAV paths in the changelog
- Fixed XML CDATA injection
- Fixed macro references are replaced with their content when writing config file
- Fixed double nested CalDAV and CardDAV property tags
- Fixed allow empty properties in PROPPATCH requests

* Mon May 27 2024 mdecimus - 0.12.2-1
- Added CardDAV legacy vCard 2.1 and 3.0 serialization support
- Added WebDAV SRV Records to help DAV autodiscovery
- Fixed report list attempts to deserialize empty values
- Fixed refresh expired FoundationDB transactions while retrieving large blobs

* Sun May 26 2024 mdecimus - 0.12.1-1
- Fixed migration tool to generate the correct next id
- Fixed failed to parse setting dav.lock.max-timeout
- Fixed failed to build OpenTelemetry span exporter: no http client specified

* Sun May 26 2024 mdecimus - 0.12.0-1
- Major release: Added collaboration features (CalDAV, CardDAV, WebDAV)
- Added peer-to-peer cluster coordination with Kafka, NATS, Redis support
- Added incremental caching and zero-copy deserialization
- Added XOAUTH2 SASL mechanism and RFC9698 JMAPACCESS extension for IMAP
- Added spam training when sender is in user's address book
- Breaking changes: Deprecated gossip protocol, renamed settings
- Fixed allow undiscovered UIDs in IMAP COPY/MOVE operations
- Fixed MySQL TLS support and nested transactions issue

* Tue Apr 30 2024 mdecimus - 0.11.8-1
- Fixed allow undiscovered UIDs to be used in COPY/MOVE operations

* Sun Mar 24 2024 mdecimus - 0.11.7-1
- Added LDAP attribute to indicate password change
- Changed lazy DKIM key parsing
- Changed enable edns0 for system resolver by default
- Changed bump FoundationDB to 7.3
- Fixed incorrect UIDNEXT when mailbox is empty
- Fixed sender variable not set when evaluating must-match-sender
- Fixed do not panic when mailboxId is not found
- Fixed prioritize local over span keys when serializing webhook payloads
- Fixed allow TLS name mismatch as per RFC7671 Section 5.1
- Fixed try with implicit MX when no MX records are found
- Fixed SQL secrets directory query

* Thu Feb 01 2024 mdecimus - 0.11.5-1
- Changed open source third party OIDC support
- Fixed case insensitive flag parsing
- Fixed BCC not removed from JMAP EmailSubmissions
- Fixed group pipelined IMAP FETCH and STATUS operations

* Mon Jan 29 2024 mdecimus - 0.11.4-1
- Added RFC 9208 - IMAP QUOTA Extension
- Changed session.throttle.* is now queue.limiter.inbound.*
- Changed queue.throttle.* is now queue.limiter.outbound.*
- Changed DNSBL error level to debug
- Fixed creating a mailbox in a shared folder results in wrong hierarchy
- Fixed IMAP LIST-STATUS (RFC 5819) returns items in wrong order
- Fixed avoid non-RFC SMTP status codes
- Fixed do not DNSBL check invalid domains
- Fixed Sieve message flag parser
- Fixed Sieve script import case insensitivity
- Fixed mailto: parsing in HTMLs

* Thu Jan 17 2024 mdecimus - 0.11.3-1
- Same as 0.11.2, fixes a build issue with Docker images

* Wed Jan 17 2024 mdecimus - 0.11.2-1
- Added automatic revoking of access tokens when secrets, permissions, ACLs or group memberships change
- Added increased concurrency for local message delivery (configurable via queue.threads.local)
- Added cluster node roles
- Added config_get expression function
- Changed queue.outbound.concurrency is now queue.threads.remote
- Changed lookup.default.hostname is now server.hostname
- Changed lookup.default.domain is now report.domain
- Fixed distributed locking issues in non-Redis stores
- Fixed S3 incorrect backoff wait time after failures
- Fixed panic parsing broken HTMLs
- Fixed update CLI response serializer to v0.11.x
- Fixed histogram bucket counts
- Fixed do not rate limit trusted IPs
- Fixed avoid double encrypting PGP parts encoded as plain text
- Fixed return empty SASL challenge rather than ""

* Sat Jan 06 2024 mdecimus - 0.11.1-1
- Same as 0.11.0

* Mon Jan 06 2024 mdecimus - 0.11.0-1
- Major release: Spam filter rewritten in Rust for performance improvement
- Added spam/ham training when moving between inbox and spam folders
- Added improved distributed locking and large SMTP queue handling
- Added ASN and GeoIP lookups, bulk operations REST endpoints
- Added faster S3-FIFO caching and Delivered-To header support
- Added semver compatibility checks and sharded in-memory store
- Breaking changes to configuration file
- Fixed OpenPGP EOF error and LDAP email mapping issues

* Wed Dec 04 2024 mdecimus - 0.10.7-1
- Added delivery and DMARC troubleshooting support
- Added external email addresses on mailing lists support
- Added Azure blob storage support
- Fixed mails cannot be moved out of junk folder
- Fixed UTF8 support in IMAP4rev1 and Sieve script issues
- Fixed missing User-Agent header for ACME

* Thu Nov 07 2024 mdecimus - 0.10.6-1
- Added Enterprise license automatic renewals before expiration (disabled by default)
- Added allow to LDAP search using bind dn instead of auth bind connection when bind auth is enabled
- Fixed include preferred_username and email in OIDC id_token
- Fixed verify roles and permissions when creating or modifying accounts

* Thu Oct 17 2024 mdecimus - 0.10.5-1
- Added data store CLI
- Fixed tokenizer performance issue
- Fixed incorrect AI model endpoint setting

* Tue Oct 08 2024 mdecimus - 0.10.4-1
- Added port scanner and abuse detection with auto-ban
- Added ACME External Account Binding support
- Changed server.fail2ban.* settings to server.auto-ban.*
- Fixed SPF failure reports to local domains
- Fixed OAuth nonce in code requests

* Sun Oct 06 2024 mdecimus - 0.10.3-1
- Added AI-powered Spam filtering and Sieve scripting (Enterprise feature)
- Changed the untrusted Sieve interpreter now has the vnd.stalwart.expressions extension enabled by default
- Fixed S3-compatible backends: Retry on 5xx errors
- Fixed OIDC: Include nonce parameter in id_token response

* Wed Oct 02 2024 mdecimus - 0.10.2-1
- Added OpenID Connect server and dynamic client registration
- Added OAuth 2.0 token introspection (RFC7662)
- Added contact form submission handling
- Fixed missing LIST-STATUS from RFC5819 in IMAP capability
- Fixed tenant domain deletion with active members

* Thu Sep 26 2024 mdecimus - 0.10.1-1
- Added OAUTHBEARER SASL support in all services
- Fixed migrate_directory range scan

* Sat Sep 21 2024 mdecimus - 0.10.0-1
- Major release: Added multi-tenancy and branding (Enterprise features)
- Added roles and permissions system
- Added full-text search re-indexing and partial database backups
- Breaking changes to account storage format
- Fixed IMAP IDLE support for command pipelining (Apple Mail iOS 18 bug)
- Fixed case insensitive INBOX fileinto

* Mon Sep 09 2024 mdecimus - 0.9.4-1
- Added support for global Sieve scripts that can be used by users to filter their incoming mail
- Added allow localhost to override HTTP access controls to prevent lockouts
- Changed Sieve runtime error default log level is now debug
- Fixed ignore INBOX case on Sieve's fileinto
- Fixed local keys parsing and retrieval issues
- Fixed lookup reload does not include database settings
- Fixed account count is incorrect

* Thu Aug 29 2024 mdecimus - 0.9.3-1
- Added Dashboard (Enterprise feature)
- Added Alerts (Enterprise feature)
- Added SYN Flood (session "loitering") attack protection
- Added Mailbox brute force protection
- Added Mail from is allowed (session.mail.is-allowed) expression
- Changed authentication.fail2ban setting renamed to server.fail2ban.authentication
- Changed added elapsed times to message filtering events

* Wed Aug 21 2024 mdecimus - 0.9.2-1
- Added Message delivery history (Enterprise feature)
- Added Live tracing and logging (Enterprise feature)
- Added SQL Read Replicas (Enterprise feature)
- Added Distributed S3 Blob Store (Enterprise feature)
- Fixed Autodiscover request parser issues
- Fixed do not create tables when using SQL as an external directory
- Fixed do not hardcode logger id
- Fixed include Forwarded-For IP address in http.request-url event

* Thu Aug 08 2024 mdecimus - 0.9.1-1
- Added metrics support with OpenTelemetry and Prometheus exporters
- Added HTTP endpoint access controls
- Fixed Forwarded and X-Forwarded-For header parsing
- Fixed DKIM macro resolution in DNS record generation
- Fixed is_local_domain Sieve function

* Thu Aug 01 2024 mdecimus - 0.9.0-1
- Added improved and faster tracing and logging
- Added customizable event logging levels
- Breaking changes to Webhooks configuration and log output
- Fixed ManageSieve STARTTLS capability response
- Fixed Milter macro authentication handling

* Sun Jul 07 2024 mdecimus - 0.8.5-1
- Added restore deleted emails (Enterprise Edition)
- Added Kubernetes livenessProbe and readinessProbe endpoints
- Fixed refresh old FoundationDB read transactions
- Fixed subscribing shared mailboxes

* Thu Jul 04 2024 mdecimus - 0.8.4-1
- Fixed TOTP validation order
- Fixed increase Jemalloc page size on armv7 builds

* Mon Jul 01 2024 mdecimus - 0.8.3-1
- Added two-factor authentication with TOTP
- Added application passwords and account disable option
- Fixed ManageSieve GETSCRIPT response formatting
- Fixed POP3 QUIT response requirement

* Sat Jun 22 2024 mdecimus - 0.8.2-1
- Added webhooks and MTA hooks support
- Added manual spam classifier training and testing
- Added configurable default mailbox names and roles
- Enhanced Milter support on all SMTP stages
- Fixed incoming reports storage and ManageSieve SASL authentication

* Fri May 24 2024 mdecimus - 0.8.1-1
- Added POP3 support and DKIM signature length exploit protection
- Added faster email deletion and auto-expunge for Junk/Trash folders
- Added IP allowlists and HTTP Strict Transport Security
- Fixed IP address false positives in spam detection
- Fixed JMAP identity signature handling

* Mon May 13 2024 mdecimus - 0.8.0-1
- Major release: Added clustering with auto-discovery and failure detection
- Added autoconfig and MS Autodiscover support
- Added MTA-STS policy management and TLSA records for DANE
- Added master user support and queued message visualization
- Breaking changes: Different database layout, incompatible with previous versions
- Fixed MySQL TLS support and SMTP AUTH=LOGIN compatibility