[0.16.12] - 2026-07-06
If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.
Added
- DKIM2 implementation (draft-ietf-dkim-dkim2-spec-03).
- DMARCbis implementation:
Changed
Fixed
- DANE: Treat DNSSEC
bogusas a temporary failures to prevent downgrade attacks. - OIDC provider:
ECDSAprivate key support forSEC1format.- Allow ports in
redirect_urifor loopback addresses.
- OIDC directory:
- Removing a user from all groups does not sync the changes correctly.
- Fetch
nameandgroupclaims from userinfo endpoint when missing from the JWT token.
- PostgreSQL: Include error chain in error messages.
- Prometheus: event counters are exported with incorrect metric names.
- Registry: Changing the type of an existing account from
usertogrouppanics. - Masked emails: Return
UnknownRecipientonly for disabled or expired masked emails. - IDN:
sanitize_emailrejects valid Punycode domains. - Auto-ban: IP block expiration ignores per-reason ban durations.
- Meilisearch: Limit the text search scope using
attributesToSearchOn. - CalDAV:
calendar-queryREPORT returns invalid HTTP404when no events match the query. - Snowflake past id generation fails when the provided duration is longer than 4 years.
- Calendar scheduling: Wrong RSVP base URL is used.
- Network listener: Accept loop spins all CPU cores with no back-off when the process hits
EMFILE(too many open files). - Cluster: Broadcast MTA queue refresh events to all nodes.