Important changes
Go 1.23
maddy now requires Go 1.23 toolchain to build. "go" command in Go 1.21+
will automatically download newer toolchain if necessary.
SASL LOGIN disabled by default
Obsolete SASL LOGIN mechanism is no longer enabled by default. To re-enable
its support, use sasl_login directive in endpoint configuration.
STARTTLS plaintext fallback removed in target.smtp
⚠️ The change is accidentally not included in 0.8, see 0.8.1
If STARTTLS support is requested for connection in target.smtp
and the target server does not support STARTTLS message will not be
sent over plaintext connection.
This change does not affect outbound delivery via MX records/port 25.
The default configuration for these is to require TLS (even if the certificate is invalid)
- this is controlled by
min_tls_level encryptedin configuration.
require_tls directive is deprecated and will be removed in a future release.
attempt_starttls directive is deprecated and is equivalent to
the newly added starttls directive.
STARTTLS plaintext fallback in target.remote is more strict
If STARTTLS command is rejected by the remote server or connection error
happens before STARTTLS completes (that is, no TLS handshake takes place)
then unauthenticated TLS or plaintext fallback is no longer attempted.
New features
PROXY protocol support
Thanks @drdaeman for the work!
maddy now supports HAProxy PROXY protocol for IMAP and SMTP endpoints
via proxy_protocol directive. Both v1 (text) and v2 (binary) versions
are supported. There is also additional support for second TLS layer
between proxy and maddy that can be configured using proxy_protocol.tls
directive.
RFC 2136 libdns provider
Built-in ACME client can be configured to set DNS-01 challenge records
using RFC 2136 protocol.
Support is not compiled-in by default and should be enabled using
libdns_rfc2136 build tag.
ACME-DNS libdns provider
Built-in ACME client can not be configured to delegate DNS-01 challenge
to the https://github.com/joohoi/acme-dns server.
Support should be enabled via libdns_acmedns build tag.
Bug fixes
- check.milter can now connect to milters using Unix sockets (PR #622) (Thanks @mmatous!).
- libdns/gandi: Upgraded to the latest version of gandi libdns, which fixes an issue where new records could not be created (PR #673).
- Add missing global tls_client directive (Issue #674).
- target/remote: Improve handling of stale connections in pool to prevent resource leaks (Issue #675).
- modify/replace_sender: Support replacing empty MAIL FROM addresses.
- target/queue: Fix infinite retries after reducing max_tries (Issue #678).
- imapsql: Fix cross compilation error (Issue #681).
- imapsql: Make modernc.org SQLite driver usable (Issue #723).
- config/tls: Disable TLS session tickets (Issue #730).
- dmarc: Add support for sending from TLD domains (Issue #736).
- tls/acme: Actually use test_ca
Misc improvements
- build: make "build.sh install" reusable (Thanks @oidq!).
- docker: Allow to specify additional build tags via Docker build argument.
- endpoint/smtp: Recipients limit is now advertised via LIMITS SMTP extension
Build attestation
- SLSA Build Attestation for x86_64 linux-muslc build: https://github.com/foxcpp/maddy/attestations/4617983
- SLSA Build Attestation for Docker image: https://github.com/foxcpp/maddy/attestations/4617988