v1.5.3 - Theme API v2, Anonymous Instance Telemetry, and Extension Preview

1.5.3 (2026-04-28)

New: Help shape Bulwark Webmail. Each instance now sends a lightweight daily heartbeat (version, platform, bucketed account counts, feature toggles - never message data or PII) so we can see which platforms and features actually get used and prioritize fixes where they matter most. You're in control: opt out any time from Admin → Telemetry or by setting BULWARK_TELEMETRY=off. Full schema in the privacy notice.

Features

• Telemetry: Anonymous instance telemetry, on by default. Reports schema version, platform, bucketed account counts, and feature toggles only - disable from the admin UI, with BULWARK_TELEMETRY=off, or by clearing the endpoint
• Telemetry: Track unique logins (HMAC'd per instance, 90-day retention) so the heartbeat can report bucketed account totals without storing usernames
• Plugins: Theme API v2 with token compiler and skin slot
• Plugins: Extension preview page and detailed extension info API
• Calendar: Right-click context menu on empty calendar space
• Docker: Persistent named volume for telemetry data so the instance id and admin's consent choice survive container upgrades

Fixes

• Security: Block telemetry endpoint from pointing at internal/loopback hosts (validation + DNS-rebind re-check at fetch time)
• Security: Harden plugin config, TOTP token exchange, and branding file serving
• Mail: Batch shortcuts now act on the multi-selection when one is present (#228)

v1.5.2 - Composer Sidebar Plugins, Calendar & Contacts Sharing, and Czech Support

1.5.2 (2026-04-27)

Features

• Plugins: New composer-sidebar slot and ui:composer-sidebar permission — plugins can now render a panel on either side of the New Message dialog. See repos/subway-surfers for an example
• Plugins: Manifests can declare frameOrigins — a strictly-validated list of https://host origins the plugin needs to embed. The proxy reads the union from enabled plugins and merges it into the host CSP frame-src, so the host CSP no longer needs to know about specific embed providers
• Calendar/Contacts: JMAP sharing for calendars and address books
• i18n: Czech language support

Fixes

• Security: Validate URLs before outbound fetch
• Calendar: Prevent drag creation on touch events in the time grid
• Contacts: Emit RFC 9553 name kinds and decode QUOTED-PRINTABLE in vCard import (#224, #187)
• Mail: Hide preview line in compact density to match settings preview (#223)
• Proxy: Inline matcher for Next.js proxy and drop unnecessary Node.js runtime config
• i18n: Portuguese fixes for "ficheiro" and "contactos" variants

v1.5.1 - OAuth Auto-Setup, Folder Context Menu, and Admin Panel Restore

1.5.1 (2026-04-25)

Features

• Stalwart: OAuth auto-setup with dialog and validation for origin and issuer URLs
• Mail: Right-click context menu on the folders sidebar
• Mail: Replace folder prompt() calls with a proper modal dialog
• Calendar: Add 'Today' button to the desktop calendar toolbar
• Junk: Setting to show avatars in the Junk folder

Fixes

• Admin: Restore admin panel after Stalwart v0.16 REST API removal
• Viewer: Restore broken viewer toolbar actions and improve the mobile menu (#220)
• Folders: Stop flicker on background folder refresh
• Email: Preserve search/filter on batch move and archive
• Email: Preserve search/filter when moving emails via drag-drop
• i18n: Improve Korean flag

v1.5.0 - JMAP Admin API, Contacts Detail Redesign, and Settings Reorganization

1.5.0 (2026-04-23)

Breaking Changes

• Self-service portal now needs Stalwart 0.16+: Stalwart dropped its self-service HTTP API in 0.16.0 and replaced it with JMAP. Bulwark Webmail only talks to the new JMAP endpoint, so the self-service portal (account settings, app passwords, API keys) requires Stalwart 0.16 or newer. STALWART_API_URL is deprecated, these actions go through the normal JMAP session.

Features

• Stalwart: Migrate Stalwart management API to JMAP x: methods for Stalwart 0.16
• Admin: Add API Keys management and IP allowlist for App Passwords
• Contacts: Revamp contact detail view with filters, photo, print, and duplicate actions
• Contacts: Add contact activity component showing recent emails and upcoming events
• Contacts: Add right-click context menu
• Contacts: Group contacts by first letter with sticky section headers, toggleable in settings
• Calendar: Support resizing events from the top edge
• Calendar: Add timezone-aware formatting for event start times and update utcEnd on duration change
• Calendar: Optimize layout of overlapping events
• Calendar: Add collapsible details to calendar invitation banner
• Email: Implement batch archiving and bulk moving of emails
• Email: Show full folder path in move/drop toast
• Settings: Reorganize settings into 6 groups with clearer tabs
• Navigation: Add account-addition button to the navigation rail
• Mobile: Streamline email viewer header layout
• Mobile: Pass isMobile through calendar views and time-grid interactions

Fixes

• Mailbox: Retry mailbox fetch on first login to handle lazy provisioning (#217)
• Mailbox: Use fresh state in archive handling to avoid stale mailbox data
• Mailbox: Improve error message on mailbox creation failure
• Auth: Skip checkAuth on route change when already authenticated
• Auth: Clean up unused imports and improve TOTP QR code rendering
• UI: Align hover styles and selection-toggle target with focused item
• UI: Read matchMedia synchronously on client to prevent layout flicker

Refactor

• Settings: Remove Stalwart API URL configuration (now derived via JMAP)

Chore

• i18n: Add missing translation keys
• Deps: Bump dependencies to latest compatible versions

v1.4.14 - Unified Mailbox, iMIP Calendar Invitations, External Sieve Rules, and PWA Branding

1.4.14 (2026-04-16)

Thank you for your donations:

• You? Become a sponsor!

One-time

• @mkorthaus-private
• @boris22100

Monthly

• @pr0ton11

Features

• Email: Add unified mailbox across accounts and sidebar icons toggle
• Email: Enhance email deletion and spam handling with improved parameterization
• Sieve: Enhance external rule handling in parser and store (#201)
• Plugins: Add i18n API, render hooks, and new intercept hooks to plugin system
• PWA: Dynamic PWA manifest with configurable name, description, and icons
• PWA: Show app name and logo in install prompt
• i18n: Add Ukrainian language with flags and missing translation keys
• i18n: Configurable locale prefix via NEXT_PUBLIC_LOCALE_PREFIX
• API: Add apiFetch helper for mount-prefix-aware API calls

Fixes

• Calendar: Send iMIP invitation emails when creating or updating calendar events (#192)
• Calendar: RFC 5545/6047 compliance for outgoing iMIP calendar emails
• Calendar: Add calendarAddress and replyTo to participants for Stalwart compatibility (#189, #192)
• Calendar: Improve CalDAV task detection for external clients like Thunderbird (#84)
• Email: Hide ICS attachments from attachment list when invitation banner is shown
• Email: Send before storing in Sent via onSuccessUpdateEmail (#188)
• Email: Standardize tag naming and fix unknown keyword display (#184, #185)
• i18n: Skip intl middleware for paths already containing a locale prefix
• Docs: Document PWA and branding env vars in .env.example
• Docs: Use company consistently in .env.example branding comments

v1.4.13 — Trusted Senders, Tag Management, Attachment Guard, and Secret File Support

1.4.13 (2026-04-12)

Thank you for your donations:

One-time

• @boris22100
• @mkorthaus-private

Monthly

• You? Become a sponsor!

Features

• Contacts: Store trusted senders in a dedicated JMAP address book (#176)
• Email: Warn on send when attachment keyword found but no file attached (#172)
• Email: Enable keyword reordering (#174) and multi-tag support per email (#173)
• PWA: Add "don't remind me again" option to install prompt
• Auth: Add SESSION_SECRET_FILE and OAUTH_CLIENT_SECRET_FILE environment variable support
• Plugins: Add onAvatarResolve plugin hook
• Docker: Publish main and dev branches as separate GHCR packages

Fixes

• Email: Style links in plain text emails
• Email: Seed list history entry when app initializes on an email view
• Email: Remount composer on draft edit and preserve identity (#60)
• Contacts: Display contact names stored in name.full (#179)
• Contacts: Fix category dropdown blocking Save button in contact form (#177)
• Contacts: Resolve TS error from optional name.components in vCard parser
• Search: Search all folders when filtering emails by tag (#175)
• Auth: Include mount prefix in SSO redirect URI when app is served under a subpath
• PWA: Correct PWA icons with proper sizing, transparency, and dark/light mode support

v1.4.12 — PWA Support, Birthday Calendar, Identity Sync, and multiple New Locales

1.4.12 (2026-04-09)

Thank you for your donations:

One-time

• @mkorthaus-private

Monthly

• You? Become a sponsor!

Features

• PWA: Add PWA support with service worker and install prompt
• Calendar: Add birthday calendar feature with settings and localization
• Calendar: Clamp February 29 birthdays in non-leap years
• Identity: Add automatic identity synchronization (#167)
• Plugins: Disable plugins by default and require admin approval
• Plugins: Replace auth header exposure with a secure HTTP proxy API for plugins
• Auth: Add configurable OAuth scopes and cookie security via environment variables
• Email: Sync mail view to browser history for back/forward navigation
• Contacts: Add ability to rename address books (#152)
• UI: Add version badge in settings
• i18n: Add Latvian (lv) locale support
• i18n: Add Polish language support
• i18n: Add Korean language support
• i18n: Add Simplified Chinese (zh_CN) locale support

Fixes

• Email: Show recipient instead of sender in Sent and Drafts folder lists
• Email: Embed dropped images as data URLs and prevent duplicate attachments (#163)
• Email: Fix logic for marking email as read in EmailViewer
• Email: Fix archive action passing MouseEvent as argument
• Mailbox: Preserve search filters on push-triggered mailbox refresh (#164)
• Mailbox: Align shared account folders with primary folders (#151)
• Mailbox: Fetch mailboxes on mount in FolderSettings when store is empty
• Mailbox: Improve mailbox deletion error handling
• Calendar: Improve calendar event retrieval by batching requests to avoid server limits (#141)
• Calendar: Compute per-occurrence UTC start/end in recurrence expansion (#116)
• Calendar: Guard against undefined trigger in calendar event alert popover (#143)
• Files: Stream WebDAV PUT uploads to avoid buffering in memory (#162)
• Files: Prune recent files against server nodes on refresh (#146)
• Files: Fix file deletion logic to update recent files and handle errors (#146)
• Files: Extend file drop zone to fill remaining viewport height
• Files: Fallback to application/octet-stream for long MIME types
• Security: Replace unguarded crypto.randomUUID() with safe generateUUID() utility
• Security: Validate plugin HTTP post URL against origin with regression tests
• Security: Allow blob images in CSP for inline drag-and-drop (#163)
• Auth: Resolve settings sync identity mismatch for OAuth/SSO sessions (#127)
• Contacts: Fix address book ID namespacing for shared contacts in create and update operations (#133)
• UI: Fix focused mode expanding beyond screen bounds (#156)
• API: Handle 403 on principal fetch without console error
• API: Enhance error handling in Stalwart API responses

v1.4.11 — Logging Categories, Proxy & Plugin Security, and Mailbox Fixes

1.4.11 (2026-03-31)

Features

• Logging: Add logging categories for better log management

Fixes

• Security: Harden security with CSP enforcement, SSRF redirect validation, reenabled S/MIME chain verify, IP spoofing prevention, and PDF iframe sandbox
• Security: Harden proxy authentication and SSRF defenses
• Security: Block plugins with dangerous JS patterns and enforce strict session secret length validation
• S/MIME: Add self-signed certificate detection and update status messages for S/MIME signatures
• Email: Auto-focus input fields in email composer for improved user experience (#126)
• Mailbox: Prevent orphaning of nested mailboxes by restricting deduplication to root-level folders
• JMAP: Strip server-immutable fields from updates before sending to JMAP (#128)
• Files: Update file feature disabled messages and add stability warnings
• i18n: Add missing translation keys to all non-English locales

v1.4.10 — Plugin Configuration, iCal Subscriptions, and Security Hardening

1.4.10 (2026-03-31)

Features

• Plugins: Add plugin configuration UI with schema-driven admin config page, calendar event action slot, and Jitsi Meet plugin
• Calendar: Implement client-side recurrence expansion for calendar events
• Calendar: Add iCal subscription editing and batch event import
• Calendar: Add hover preview settings and functionality
• Calendar: Add virtual location input for calendar events (#121)
• Email: Add reply-to addresses support in email composer
• Email: Add mail layout settings and update email list components
• Email: Add auto-select reply identity feature with settings and localization
• Email: Enhance compose functionality with button integration and translations
• Filters: Preserve activation state when updating or creating Sieve scripts to avoid deactivating server-managed vacation scripts
• Filters: Skip server-managed vacation script in Sieve script handling
• Settings: Add support for custom JMAP server endpoints in login and settings
• Settings: Add folder expansion state management and settings navigation
• UI: Add options to hide account switcher and show account avatars on navigation rail
• i18n: Add JMAP server endpoint labels and hints in multiple languages
• i18n: Add missing translation keys to all non-English locales

Fixes

• Security: Patch critical auth bypass and credential leak vulnerabilities
• Security: Support 3DES S/MIME decryption by importing legacy RSAES-PKCS1-v1_5 keys and add diagnostic logging (#35)
• Security: Account isolation, auto-import signer certs, and no-key error handling (#35)
• Calendar: Fix JSCalendar 2.0 recurrenceRule single-object compatibility (#116)
• Calendar: Enhance calendar event handling to distinguish between events and tasks
• Calendar: Link existing events to target calendar during iCal import instead of skipping (#113)
• Calendar: Deduplicate UIDs during iCal import to prevent mass failures (#113)
• Calendar: Fix events disappearing after iCal import/subscription refresh
• Calendar: Enhance calendar event handling with full-day detection and layout adjustments
• Calendar: Use UTC timestamps for timed event rendering
• Calendar: Work around Stalwart not returning Task objects via CalendarEvent/query
• Email: Enhance email loading and deduplication logic in email store (#119)
• Email: Ensure draft editing function is called correctly in EmailViewer component (#60)
• Email: Match hover action background to selected row state
• Email: Align tag counts with mailbox folder counts in sidebar
• Auth: Handle 2FA/TOTP session expiry with basic auth (#117)
• Mailbox: Improve mailbox tree logic and enhance mailbox handling with logging (#118)
• UI: Improve dark mode handling for media elements and background images
• UI: Adjust account list spacing and remove push connection indicator
• UI: Fix nested button in theme card

v1.4.9 — Admin Controls, Vacation Responder, and Plugin Policy Upgrades Latest

1.4.9 (2026-03-27)

Features

• Admin: Add Stalwart admin authentication, sidebar access, and a reorganized dashboard with dedicated policy sections
• Plugins: Add plugin/theme admin dashboard, harness tooling, forced enable or disable controls, managed policy enforcement, and a resizable detail sidebar
• Filters: Add vacation responder management with Sieve generation and parsing, UI integration, and improved sync preservation
• Email: Add plain text only composer mode, optional conversation threading disable, configurable hover action placement, and OAuth app password support
• UI: Add drag-and-drop customization for sidebar apps
• Files: Use dynamic server-configured maximum upload sizes
• i18n: Add Russian locale support and complete missing translation strings for recent task features

Fixes

• Calendar: Improve date parsing and event normalization, prevent calendar page re-render loops, ensure unique ICal subscription IDs, and create all-day events with correct JSCalendar midnight handling
• Email: Respect the configured mark-as-read delay in EmailViewer and fetch full email content when needed while editing drafts (#60, #95)
• Auth: Improve network error handling, add JMAP rate limiting handling, and enhance settings retrieval and persistence diagnostics (#100, #104)
• UI: Improve mobile layout behavior on contacts and calendar pages (#103)
• Themes: Repair theme ZIP bundle handling and enforce admin theme locks correctly
• Code Quality: Resolve outstanding ESLint warnings across the codebase