Moohoo everyone, Niklas here with the latest changelog for our beloved mailcow email software!

This month there is a big chunk of changes, some of them even very important regarding 2FA, but more about that later.

First of all we would like to thank you for your loyalty and cooperation, because without you the mailcow project wouldn’t be where it is now ❤️

We would also like to apologize for the fact that we are only now releasing a new update (master branch release), because some of the fixes included in this update (SOGo e.g. with the greyed out save button in the redirects or the Olefy Ping fix, which solves a console spam) should have been fixed already… We promise improvement at this point!

You probably already think: "Shorter please?"… it’s alright! Here are the changes (in short!)


Very Important changes:

With the January 2022 update, the previously used U2F API (for 2-factor authentication) will be replaced by the newer WebAuthn API.

What does this mean for you?
Well, if you have already registered a FIDO2 security key as 2FA via U2F and you apply the update, you will be greeted by a message saying that your FIDO2 key is still running via U2F and will therefore be removed from the account as 2FA. But don’t worry! As soon as you are back in the admin administration you can simply register the same key again, but this time as WebAuthn (not U2F).

The process is the same, even the position of the button to start the registration is the same, so you should be able to set up and use your key without any problems.

Thanks to @FreddleSpl0it for the implementation!

In our documentation you will find more detailed information about this.

Important changes:

  • Sogo was updated to version 5.5.0. Yay, finally no more grayed out buttons in the submenus!
  • The log4j fix (in Solr) has been improved again. On the advice of the German Federal Office for Information Security, we have removed the affected log4j class. The Solr container was not accessible from the Internet at any time.
  • On the advice of the German Federal Office for Information Security we updated ClamAV to 0.103.5 because it was vulnerable to a Denial of Service attack.
  • In the Olefy container, the annoying ping error (spam from Olefy in the console) has finally been fixed! Thanks to @16bitsysop for the fix! –> Fixing issue #4401
  • Due to the update to Alpine 3.15 or higher the acme container has changed the SSL folder (Also already sporadically with acme-mailcow 1:79), this was fixed by @mkuron. Thanks for that. –> Fixing issue #4392
  • We have fixed the bugs regarding GeoIP and netfilter (or rather @marcvorwerk did) –> Fixing issue #2668

There were many more! But that would go beyond the scope here, just have a look at the pull request for this update, then you will see the whole extent.

Once again, thank you to all the contributors and donors.

On behalf of the Servercow/mailcow/tinc team we wish you (wherever you are) a pleasant morning, noon or evening and stay healthy!

🇺🇸 English/Englisch

Moohoo everyone!
Due to the recent accidents regarding the Java library log4j we would like to inform you, that your mailcow is NOT affected directly by this.

Yes, it is true, that the Solr Container is a Java application which is affected by the log4j security breach. BUT solr is NOT accessible from the outside of the mailcow stack!

For those who are worried we released a Solr Hotfix which is fixing the log4j issue with the simple flag +EXTRA_ARGS+=('-Dlog4j2.formatMsgNoLookups=true') which closed this issue.

To activate it please update your mailcow with the update.sh script

Stay safe everyone!

Niklas, Servercow Team


🇩🇪 Deutsch/German

Moohoo an alle!
Aufgrund der jüngsten Vorfälle mit der Java-Bibliothek log4j möchten wir euch mitteilen, dass eure mailcow NICHT direkt davon betroffen ist.

Ja, es ist wahr, dass der Solr Container eine Java Anwendung ist, die von der log4j Sicherheitslücke betroffen ist. Aber Solr ist NICHT von außerhalb des mailcow-Stacks zugänglich!

Für diejenigen, die besorgt sind, haben wir einen Solr Hotfix veröffentlicht, der das log4j-Problem mit dem einfachen Flag +EXTRA_ARGS+=('-Dlog4j2.formatMsgNoLookups=true') behebt, welches dieses Problem schließt.

Um es zu aktivieren, aktualisiert bitte eure mailcow mit dem update.sh Skript

Bleibt alle gesund!

Niklas, Servercow Team

Moohoo everyone! Niklas here to present you the latest news around our lovely mailcow 🙂

Let’s get started, shall we?


Major changes from November 2021 for the mailcow stack:

  • SOGo update to 5.3.0
  • Dovecot update to 2.3.17
  • ClamAV update to 0.103.4
  • [Web] Auto-generated app passwords for Apple configuration profiles

Please consider updating your mailcow stack to ensure a stable environment.


All changes from November 2021 for the mailcow stack (newest to oldest):

30th November 2021:

  • [SOGo] Update Image (Docker Image for mailcow stack)

29th November 2021:

  • Translations update from Weblate (Pull request: #4351)

28th November 2021:

  • [web] Fix several raw html flags in twig (Pull request: #4325)
  • [web] fixed html in alerts
  • [README] Separate build badges
  • Translations update from Weblate (Pull requests: #4347 & #4346)

27th November 2021:

  • Translations update from Weblate (Pull request: #4345)
  • [README] Added build + translation badge
  • [Web] Updated lang.de.json (Pull request: #4344)
  • [CI] Run tests on staging branch
  • [API] Updated docs for transport route
  • [Web] Updated lang.de.json (Pull request: #4343)

26th November 2021:

  • [Web] Fix lang strings
  • [Web] Change lang strings inding in 0
  • [web] Delete XMPP references from langfiles (#4338)

22th November 2021:

  • Update SOGo to 5.3.0 (Pull request: #4330)

18th November 2021:

  • [MariaDB] Further increase connections
  • [Rspamd] Return CAB to archive_extensions
  • [Rspamd] Adjust CAB score detection

15th November 2021:

  • [Config] Fix link, fixes (Issue: #4322)

14th November 2021:

  • [ClamAV] Change mirror for Dockerfile
  • [Dovecot] v2.3.17
  • [Web] Auto-generated app passwords for Apple configuration profiles (Pull request: #4316)

12th November 2021:

  • Add missing API endpoint to openapi.yaml (Pull request: #4320)

11th November 2021:

  • [ClamAV] Update to 0.103.4 (Pull request: #4314)

As this is our last changelog for 2021, the whole tinc (The Infrastructure Company) team wishes you a 🎄 Merry Christmas 🎁 and a 🎆 Happy New Year 2022 🥂.

May the next year be with you!