Hello all,

this blog here has been a long-lasting constant in the course of the mailcow project, but is coming to an end (at least as far as current articles are concerned).

The new site is currently available at news.mailcow.email, but will be moved to the current mailcow.email domain in the near future.

Until that date, the articles here will still be accessible, as this site goes back further than the new site.

See you on the other (new) site!

Hallo zusammen,

dieser Blog hier ist eine lang anhaltende Konstante im Verlauf des mailcow Projektes gewesen, kommt jedoch ab sofort zu einem Ende (zumindest, was aktuelle Artikel angeht).

Die neue Seite ist aktuell unter news.mailcow.email erreichbar, wird aber in naher Zukunft auf die aktuelle mailcow.email Domain umgezogen.

Bis zu dem Datum werden die Artikel hier noch aufrufbar sein, da diese Seite hier weiter zurückreicht als die neue Seite.

Wir sehen uns auf der anderen (neuen) Seite!

🇺🇸 English:

Hello all,

We´ve received an important tip about a critical security vulnerability in mailcow IMAPSYNC (again…) it is pretty similar to the first one.

With this update we have disabled the SyncJob ACL for new users by default. What does this mean? Well, an administrator now has to set the ACLs for brand new users once in order for them to use the SyncJobs again.

All existing users can still use the SyncJobs.

The exploit is fixed with the 2022-06a update but also for existing users.

Right now there is no official CVE Number but once there is one we´ll post the Link in here.

It is strongly recommended to install the update as soon as possible to prevent exploitation.

As always please take a look at the GitHub Release: https://github.com/mailcow/mailcow-dockerized/releases/tag/2022-06a

🇩🇪 Deutsch

Hallo zusammen,

wir haben einen wichtigen Hinweis auf eine kritische Sicherheitslücke in mailcow IMAPSYNC erhalten (mal wieder…) es ist ziemlich ähnlich wie beim ersten Mal.

Mit diesem Update haben wir die SyncJob ACL für neue User standardmäßig deaktiviert. Was bedeutet das? Nun, ein Administrator muss nun die ACLs für brandneue Benutzer einmalig setzen, damit dieser die SyncJobs wieder nutzen kann.

Alle bestehenden User können nach wie vor die SyncJobs nutzen.

Der Exploit ist mit dem 2022-06a Update aber auch bei bestehenden Usern gefixt

Im Moment gibt es noch keine offizielle CVE-Nummer, aber sobald es eine gibt, werden wir den Link hier posten.

Es wird dringend empfohlen, das Update so schnell wie möglich zu installieren, um eine Ausnutzung zu verhindern.

Wie immer werft bitte auch einen Blick auf den GitHub Release: https://github.com/mailcow/mailcow-dockerized/releases/tag/2022-06a

Moohoo everybody!

Today we have put together a big fat update package for you again, which besides general container updates brings one big change:

Docker Compose v2 support!!!

But let’s start with the small stuff first:

Minor changes

  • ClamAV is now using version 0.105 (the latest at release time).
  • Postfix has been updated to version 3.5.6.
  • netfilter, acme, dockerapi, olefy, watchdog, unbound and phpfpm have been updated to Alpine Linux 3.16.

Major changes

  • As promised, with the 2022-06 update comes a small but nice UI update that improves general UI performance. Note: The noticeability of the improvements may vary depending on mailbox/domain count.
  • The mailcow now supports Docker Compose v2! More details to come:

Docker Compose v2 (finally)

Yep, read that right, finally the mailcow is compatible with Docker Compose v2! But why Docker Compose v2 now? Some of you might be wondering.
Well the thing is pretty simple and quickly explained: "Docker Compose v1 old (deprecated), Docker Compose v2 new (maintained by Docker itself)".

The installation of Compose v2 can be taken from the modified documentation (click here).

Docker Compose v1 will lose its official support from Docker in October 2022, but mailcow will continue to support Compose v1 until December 2022 (the 2022-12 update).

Thats why Compose v2 Part 1 update. Psst it´s a secret.

Beginning with December, an update to Compose v2 is mandatory, if you want to continue using mailcow.

Anything else? Oh yes! There is also an important change regarding IPv6. From now on (until December) the web interface will only be accessible via IPv4 by default.
But don’t worry, with the help of the manual you can restore the accessibility.

Why it has to be done this way and not (like everything else) plug and play? Well quite simple: The two Compose versions interpret the docker-compose.yml partly a bit different. Actually, everything has remained the same and this also works wonderfully, however, with the aforementioned IPv6 binding, there were unfortunately problems to maintain this option in dual support.
From December 2022, IPv6 connectivity will then be enabled again by default (as before).

How much text do you want to write?
Answer: Yes

Ok that’s it for this time.

If you want to read the complete changelog you can do that (as always) on GitHub.

Stay healthy.

Your mailcow Team

🇺🇸 English:

Hello all,

Yesterday we received an important tip about a critical security vulnerability in mailcow (thanks again for that). It affects IMAPSYNC and gives access to administration rights in the mailcow UI and API.

It is strongly recommended to install the update as soon as possible to prevent exploitation.

As always please take a look at the GitHub Release: https://github.com/mailcow/mailcow-dockerized/releases/tag/2022-05d

The update does not remove any important functionality from mailcow or IMAPSYNC!

🇩🇪 Deutsch

Hallo zusammen,

wir haben gestern einen wichtigen Hinweis bezüglich einer kritischen Sicherheitslücke in der mailcow zugespielt bekommen (Danke nochmal dafür). Diese betrifft IMAPSYNC und verschafft zugriff auf Administrationsrechte im mailcow UI sowie der API.

Es wird dringend empfohlen das Update so schnell wie möglich zu installieren um so eine Ausnutzung der Lücke auszuschließen.

Schaut euch bitte auch wieder die GitHub Release Page an um genauere Änderungen sehen zu können: https://github.com/mailcow/mailcow-dockerized/releases/tag/2022-05d

Das Update entfernt keine wichtigen Funktionen aus der mailcow bzw. dem IMAPSYNC!


It´s us again again!

This time we´ve published the 2022-05c Update which is a very small one.

It changed the API a bit again. This time for security reasons.

Head over to GitHub to see the full changelog:

Stay healthy


It´s us again!

Today we have a small API Fix Update which focus mainly on the UI.

As some of you reported the API Calls for Domains/Mailboxes don´t work anymore if there is no Tag set.

This is now fixed.

Additionaly, we´ve added a small tweak for the UI. Did you know that there was a little plus symbol at the left of a Domain/Mailbox? No? Don´t worry it was a little hard to see… until now 🙂

That´s all basically… oh no wait one more thing!
We´ve now included the mailcow Version to our Bug Reporting Formular on GitHub. So if you want to report a Bug please also fill out the Version row on the Issue form.

Now that´s all!

Thanks again for all of the contributors and mailcow users/admins.

Your mailcow Team


Hello again folks,

we´ve just released the first Hotfix for 2022-05.

It fixes a critical UI Bug which caused a inaccessability for the UI after the Update 2022-05.

The issue was a missing placeholder which caused a important folder to be deleted from the Git Repository, which is needed to display the UI.

Sorry for that.


Here, the new mailcow update 2022-05 is!
Yoda, in a parallel universe

Anyway… this month we have new stuff for your mailcow again.
So let´s get started, shall we?

What is new?


Thanks to the help of @FredleSpl0it the mailcow now has tags. Tags? Yes tags! These can be used for filtering and searching. You can add them either by editing a domain/mailbox or by creating a new one. In both cases the tags section will show itself to you.

SOGo 5.6.0

Heard there is a new SOGo version? Yep, and we already have it on board. For more information please read the official changelogs from inverse (the SOGo developers): https://github.com/inverse-inc/sogo/releases/tag/SOGo-5.6.0

Accessibility (screen readers)

@mkuron has made the mailcow a bit more accessible for blind people. (Respect at this point for all who have fun in the IT world despite this limitation).

Update.sh changed

We have implemented a new parameter for the Update.sh script, which skips the online check at the beginning of the update process. This could not be executed for some people because all ICMP connections to and from the mailcow were blocked. Now just use the –skip-ping-check parameter when you run the Update.sh script (but please only use it if you really don’t allow ICMP connections to and from your mailcow).

New API functions

We or the community has extended the API. Now you can also search domains by tags. Furthermore we added an API interface with the versioning of the mailcow. For more detailed API information just have a look at the extra API page of your mailcow (your.mailcow.domain/api).

Thanks to @lars-net and @FredleSpl0it for that.

For a more detailed or granular structure of the update, feel free to check out the GitHub page: https://github.com/mailcow/mailcow-dockerized/releases/tag/2022-05

That’s it for this month.

See you again in June or earlier (should there be critical bugs…).

Stay healthy


Yesterday we released the 2022-04 update (Moopril) which included a change in the NGINX configuration. During the same day we received a message that SOGo would not work since the update, more precisely the login.

So we released an update yesterday evening around 23:00 (German summertime) which solves this problem in most cases.

Please update your mailcow via the update.sh Script as soon as possible to use SOGo as usual again.

We apologize for this error.

Kind regards
The mailcow team


Gestern haben wir das 2022-04 Update (Moopril) veröffentlicht, welches eine Änderung in der NGINX Konfiguration enthielt. Im Verlauf des selbigen Tages erhielten wir vermehrt Meldungen darüber, dass SOGo seit dem Update nicht mehr funktionieren würde, genauer gesagt der Login.

So wurde am gestrigen Abend gegen 23:00 Uhr (Deutscher Sommerzeit) von uns ein Update veröffentlicht, welcher dieses Problem in den meisten Fällen löst.

Bitte Updated eure mailcow so schnell es geht via dem update.sh Skript um SOGo wieder wie gewohnt nutzen zu können.

Wir entschuldigen uns für diesen Fehler.

Liebe Grüße
Das mailcow Team

If you encounter problems with Nginx, please see the following comment on GitHub.

Moohoo everyone!

The April update is here with a bunch of new stuff for your flawless E-Mail Flow.

This month we have 3 component updates (ClamAV, SOGo and Rspamd) and a few minor fixes which are as follows:

Major Changes

  • We have updated SOGo in the mailcow stack to 5.5.1. Besides the SOGo fixes (see here) the mailcow database structure has been tweaked a bit to be ready for the upcoming 5.5.2 update!
    Note: The 5.5.2 update will be part of the 2022-04a update as soon as it is released by inverse (most likely).

  • We have updated Rspamd to 3.2.1. (More detailed patch notes can be found here).

  • The ClamAV components in mailcow now use the official container of ClamAV itself. For this reason there is now another volume (clamd-db-vol-1) in which the signatures of ClamAV are stored during freshclam. This allows us to roll out future ClamAV versions faster and in a more space efficient way. Note: ClamAV still uses version 0.104.2. Version 0.105 will be part of the mailcow as soon as it is released.

Minor Changes

  • Autodiscover is now compatible with App Passwords.
  • The Postmap Access List has been updated to a newer state.
  • New French translations.

Take a look at the full release page of the Update at Github: Click here

We hope you are all safe and sound.

No matter where you are, take care of yourselves.

Moohoo everyone!

We have released an impromptu bug fix update that fixes a few minor bugs and graphical issues.

These are only minor changes this time, but as the saying goes, "Every little bit helps".

  • We have moved the version footer back to the correct position. Faithful to the motto: Stay were you are!
  • We have improved the release tag handling with the version footer.
  • The backup and restore script now uses Debian Bullseye instead of Buster.
  • We fixed the bug that the spam alias of an alias domain was not deleted.
  • We updated Twig + dependencies to 3.3.8 to close a security hole concerning Twig.

For detailed information please visit: the 2022-03a Release Page.

That’s about it. We hope you are all well and healthy.

See you at the next update!

Stay healthy

Tach zusammen!

Mal kein Update Log sondern eine Empfehlung unsererseits an alle, die neu in die mailcow Welt einsteigen oder ihr Wissen auffrischen wollen.

Solltet ihr eines der Sachen mit Ja beantwortet haben wird die folgende Video Reihe für euch interessant sein:

Schaut generell einfach mal rein, wenn ihr mögt und lasst ein bisschen Liebe da, als dank der Vorstellung unseres mailcow Projektes.

Wir bedanken uns an dieser Stelle noch einmal ganz herzlich bei dir Dennis, wenn du das liest fühl dich gedrückt!
(Ist ja aktuell schwer möglich wegen Corona, aber träumen darf man ja wohl 🥰)

Hinweis: Eure Cookies bezüglich Youtube werden nur dann gespeichert, wenn Ihr das Video hier anschaut, der Youtube Player ist im Datenschutzmodus eingebunden.

Moohoo everyone, March is here and by the end of the month it will be spring again.
Surely the last few days were as scary for you as they were for us.

🇺🇦 Ukraine, we are standing with you!

Let’s move on to the March update of our mailcow.
Spoilers ahead, the March update is not that full and extensive but there are some nice updates included in terms of long term (I’m looking at you ClamAV and Olefy!).

So let’s get to it!

Docker Image Changes:

  • Dovecot has been updated to 1.161 (Imapsync + Dovecot update).
  • Olefy was updated to 1.9 (Olefy Update)
  • Rspamd was updated to 1.80 (Olefy update)
  • ClamAV was updated to 1.44

Important changes:

  • ClamAV has been updated to version 0.104.2, with this version we are secured for the long term (bye bye 0.103.X). Actually only the Docker image process has changed, the rest is running as usual. If not please open an issue on GitHub!
  • Dovecot has been updated to 2.3.18. This also brings us closer to moving from Solr to Xapian, more on that when we get to a viable point.
  • IMAPSync has been updated to version 2.178 (within Dovecot).
  • Oletools have been changed to a new upstream (now uses @decalage2’s repository).

Minor changes:

  • The changed doc paths (internal) were not adjusted in the mailcow UI, so you saw a 404 page. This has been fixed.
  • The WATCHDOG_NOTIFY_EMAIL string had been giving a warning in the console (when starting the stack) if the variable was empty, this has been removed as the string is now set to NULL (if empty).
  • We´ve Updated the nsyslog-ng Version to 3.28 (fixes a warning in console right after Dovecot started)

Currently, the following has never been more important: stay healthy and even more important: take care of you!