Changed: Improved the flow for forcing a password reset.
Changed: Now account for Let's Encrypt certificates having a shorter expiration date.
Changed: Removed the success toast notification from all grid "refresh" buttons.
Changed: Updated EULA text.
Changed: Updated installers to use .NET 10.0.7.
Changed: Updated Maxmind database.
Changed: Updated to ClamAV 1.5.2 for Windows.
Fixed: "What's New" modal shows a scrollbar when it's not needed.
Fixed: [HA] [HUB] Fresh Hub installs do not create the hub-settings.json file as needed.
Fixed: [HA] [HUB] Log lines can show up out of order.
Fixed: [HA] [HUB] Logs return inconsistent results for searches.
Fixed: [HA] [HUB] When viewing combined hub logs, the truncated view shows the earliest lines instead of the most recent.
Fixed: [HA] AUTH PLAIN not working for IMAP sessions.
Fixed: [HA] Deleting and recreating large domains results in combination of error toasts.
Fixed: [HA] Deleting large domains (100,000+ users) times out resulting in garbled red toast error.
Fixed: [HA] Hub Protocol Proxy session logging lists multiple session ID's per log line during on-going concurrent sessions.
Fixed: [HA] Importing large number of users via CSV results in red toast error.
Fixed: [HA] Incorrect caching on a Backup MX causes deliverability issues.
Fixed: [HA] It's possible to impersonate a broken domain and user from the hub.
Fixed: [HA] MD5 auth methods not respecting app passwords for IMAP, SMTP, XMPP in HA environments.
Fixed: [HA] Plain text authentication methods for all protocols failing for app passwords.
Fixed: [HA] Routing Rule "Enable wildcards" option toggles off upon initial save and for subsequent saves as well.
Fixed: [HA] SmarterMail initiating SSL certificate requests for non-FQDN hostnames.
Fixed: [HA] SMTP Proxy logs aren't providing sufficient data, even when set to trace.
Fixed: [HA] Unable to enable 'Force all traffic over HTTPS'.
Fixed: A connected internet calendar can be set as a default calendar.
Fixed: An issue adding/editing External Senders when using "Add Text to Subject" and "Known External Domains" option.
Fixed: Attaching a base domain path and going back will not allow you to go forward again.
Fixed: AUTH call still appears if no associated authentication methods are enabled.
Fixed: Calendars and Task upload is clickable before any file is selected.
Fixed: Cannot disable ChatGPT in Marketplace.
Fixed: Cannot save an outbound gateway in a disabled state.
Fixed: Changing a username over the Windows character limit presents an untranslated toast notification.
Fixed: Chromium-based browsers show the wrong pointer on filter rules.
Fixed: Contact import hangs when importing a malformed CSV.
Fixed: Content Filters do not show the correct number of conditions or actions when deleted.
Fixed: Content Filters/Routing Rules fail to save 'include system messages..." toggle on initial save operation.
Fixed: Conversion issues when migrating to Linux.
Fixed: Conversion page will set secondary storage url to the domain archive url if archive folder already exists.
Fixed: Creating a Routing Rule for Inbound, then saving, reverts the Rule to Inbound + Outbound.
Fixed: Delegate settings aren't properly syncing between MAPI and EWS clients.
Fixed: Deleting an instance of a recurring all-day calendar event is failing for users in UTC+01:00 time zones.
Fixed: Document servers (OnlyOffice or Collabora) still show as available even if the server address is incorrect.
Fixed: Domain Defaults are not respecting the gateway setting.
Fixed: Exceptions can occur when trying to bind TCP listeners to ports on IPv6.
Fixed: Expire Password shows when an AD/LDAP authenticated user is selected in the Users tab.
Fixed: Extraneous SignalR errors in the browser console.
Fixed: IMAP connections stick around even after IMAP is disabled server side.
Fixed: Importing a large number of Contacts causes webmail to stall.
Fixed: Initial chat message from webmail to eM Client (XMPP) is not being received.
Fixed: Issue with GetUser API endpoint not returning "lastLoginTime".
Fixed: Issues with previewing and downloading attachments in messages that use winmail.dat.
Fixed: Light Mode/Dark Mode menu option has extraneous spacing.
Fixed: MAPI delegation permissions do not sync correctly.
Fixed: Message Archive attachments show "Access Denied".
Fixed: Moving/renaming a folder can break related Auto Cean rules and Content Filters.
Fixed: Not all Delivered and Forwarded messages are triggering for Routing Rules.
Fixed: Notes failing to load or can show a spinner.
Fixed: Online Meetings duplicate links in chat.
Fixed: Rare issue where a server locks up at night when running cleanup tasks.
Fixed: Routing Rules condition doesn't display correctly in some scenarios.
Fixed: S/MIME encrypted e-mail is not being passed to Outlook correctly.
Fixed: Schedule meeting link no longer works after a user rename.
Fixed: Schedule send date discrepancy can occur between typed and icon selected dates.
Fixed: Searching SMTP Logs for an IP with "Display related traffic" selected returns no results.
Fixed: Sent messages are not being delivered if messages are moved out of Sent Items before send notification completes.
Fixed: The image zoom selector does not work well with Chrome and Firefox.
Fixed: The WebDAV incorrectly processing some requests on any path, except when using the API.
Fixed: There's no validation when entering an email address on a Scheduling page.
Fixed: Tool Tip for conditions (in Content Filters, Events, etc.) is displaying javascript.
Fixed: User Status page is missing columns when exported.
Fixed: Validation is choppy when typing a recovery address during the Getting Started process.
Security: Possible link traversal issue when using Plus Addressing.
Security: Upgraded and strengthened encryption across multiple areas, reducing potential for brute force attempts.
Translations: Added Russian language support.
Build 9581 (Mar 26, 2026)
Key Features
Due to significant changes in SmarterMail's encryption, you may not be able to downgrade to previous versions.
Release Notes
Fixed: An issue with attaching a domain if the administrator is accidentally logged out while typing the domain path.
Fixed: Disabled Folders list for attaching domains is hard to read in dark mode.
Fixed: It's not possible to disable a gateway.
Fixed: Message Archiving searches can result in high CPU usage.
Fixed: Messages sent from New Outlook to Microsoft inboxes fails DKIM.
Fixed: Styling issues in the Attach Domain dialog.
Fixed: WHMCS integration is unable to manage users.
Security: App Passwords are now stored with AES.
Security: Changed obfuscated encryption keys.
Build 9575 (Mar 20, 2026)
Added: [API] System Admin -> AttachDomainBatch.
Added: [API] System Admin -> ValidateAttachPath.
Added: An Attach Domains action that allows administrators to Attach All domains from a common parent path.
Changed: API documentation now includes IP restriction and blacklist updates.
Changed: Domain Resource text now uses "disallow" and "allow" instead of "none" and "manage" when assigning users.
Changed: Enable Domain is now greyed out as an Action if a domain is already enabled.
Changed: Expanded the window for Domain Signatures making it easier to see your full signature for review.
Changed: Updated some buttons across the interface for consistency.
Fixed: [HA] Administrators are unable to set a node hostname causing PTR mismatches on outbound SMTP.
Fixed: [HA] There's a display issue when selecting a blank Trusted Sender with another Trusted Sender entry in use.
Fixed: [HA] Using the scroll wheel to change weight in Settings, then saving and undoing multiple times, will cause an auto save.
Fixed: Adding an image to a Contact doesn't always display correctly in the Contacts list.
Fixed: An issue affecting the ability to delete appointments from a shared calendar (WebDAV).
Fixed: An issue setting a profile image in eM Client's chat area.
Fixed: An issue where a Condition set for a Content Filter can change after saving.
Fixed: An issue where an ACME certificate that is manually renewed fails to be added if the same cert existed at one time but was not properly deleted.
Fixed: An issue where backgrounds and logo images fail to display on the login page.
Fixed: An issue with Plesk incorrectly calling a specific SmarterMail API.
Fixed: Background User creation does not show a progress, so administrators are unable to track success.
Fixed: Blacklisting a Class C from IDS blocks does not blacklist .0.
Fixed: Calendar Auto-Clean can fail to remove older calendar entries.
Fixed: Content filter ordering is not saving nor is it being respected.
Fixed: Domain footers that include images are not working properly.
Fixed: eM Client generated Teams meeting invites are not sent (EWS)
Fixed: EWS logs are not being properly sanitized.
Fixed: Online Meeting logins can fail due to failed authentication "Refresh token not valid".
Fixed: Removing attachments in webmail does not actually remove them.
Fixed: Resetting a system administrator's password, using the steps in our KB article, can fail on a second try.
Fixed: Scheduled Emails show in the sent items folder with the compose time and not the sent time.
Fixed: Sessions from a whitelisted IP that bypasses SMTP authentication, that then authenticates with AUTH PLAIN, are incorrectly spam checked.
Fixed: SmarterMail inverts emojis when in Dark mode.
Fixed: System administrators with the username "new" act like the new system administrator button.
Fixed: The error that's displayed to blacklisted IP users when attempting to log in to webmail is incorrect.
Fixed: The Settings fields for IP Rotation can be set with incorrect values.
Fixed: Typos in the Docker README.md.
Fixed: Using CIDR block for system administrator IP restriction can generate errors/exception in Administrative logging.
Security: Hardened a few API calls.
Security: Hardened attachment tokens and 2FA endpoints.
Security: Hardened authenticated and non-authenticated SMTP sessions to avoid spoofing.
Security: Hardened RSS feeds and feed sanitation.
Security: Implemented TokenValidationService to consolidate rules-based token authentication.
Security: Improved memory and size efficiency to reduce potential for DoS attacks.
Security: Improved SMTP authentication to avoid spoofing.
Security: Modified IP Restrictions to avoid possible credential leaks.
Translations: Added a Catalan translation file.
Build 9560 (Mar 5, 2026)
Changed: Added error handling with eM Client XMPP server connections.
Changed: Added the ability to specify the port number to mach the other gateways for domain forwards.
Changed: Copyright text now conforms to other projects.
Changed: Gateway settings were refactored and modified for ease of use, understanding, and configuration.
Changed: Updated Froala to version 5.0.0.
Fixed: "From address must match authenticated address" when sender IP in auth bypass.
Fixed: [API] Integration APIs for eM Client not working when the account has 2FA enabled.
Fixed: [HA] [HUB] An incorrect message is displayed when removing the weight value in RBLs and URIBLs.
Fixed: [HA] [HUB] ClusterAdmin Logout of hub improvements to revoke refresh token.
Fixed: [HA] [HUB] Spam checks do not display correctly the first time saved and re-opened.
Fixed: [HA] Added action to force a node to failover immediately through the Hub.
Fixed: [HA] Adding a hub by hostname (instead of IP address) results in targetHub using 127.0.0.1 as its IP.
Fixed: [HA] Antispam Greylist Filters shows a blank entry when entering a letter in an IP address.
Fixed: [HA] Antispam Spam Checks do not save when values are too large or small.
Fixed: [HA] Antispam Spam Checks do not validate the weight with blank rule name.
Fixed: [HA] Detaching large domains (50,000+ users) from nodes results in a malformed timeout error toast.
Fixed: [HA] Network isolation of a hub could result in having more than one leader.
Fixed: [HA] Password resets fail to present password reset form.
Fixed: [HA] Suspend and Restore for hubs doesn't always work correctly.
Fixed: [HA] Toast notifications display "Action Succeeded" instead of "Success".
Fixed: A small memory leak when encrypting/decrypting strings.
Fixed: Adding a calendar resource to an appointment doesn't call the appropriate JS method.
Fixed: Admin accounts without impersonation rights are logged out when trying to create a new user or alias.
Fixed: An issue when converting from Windows to Linux.
Fixed: Dismissing a reminder for an appointment in Mac Calendar [EWS] clears the response data for all attendees.
Fixed: Entering a space to a new password results in broken error/validation message.
Fixed: Force Password Reset errors could hint at a user's existence on a server.
Fixed: Message ID is not added for authenticated messages that have no local deliveries.
Fixed: Modifying an existing system event action can duplicate it.
Fixed: Online Meeting ending time can be off in different time zones.
Fixed: Online Meetings between different networks does not always show video or audio.
Fixed: OnlyOffice WOPI access tokens occasionally rejected with 401 after an upgrade to Build 9546.
Fixed: Outlook on Mac [EWS] is not showing user availability.
Fixed: Sent message icon does not go away when an email is moved from Sent Items.
Fixed: SmarterMail occasionally attempts to access files on a detached domain.
Fixed: Some recipients are listed with the display address of an alias recipient in Outlook [MAPI].
Fixed: Turn servers are not functioning in rare circumstances.
Fixed: When adding comma-separated values to the IP blacklist from the interface can sometimes duplicate entries.
Fixed: When renaming a domain, the service needs to be restarted before the new name is displayed.
Fixed: When responding to a message sent from SmarterMail using MAPI, Outlook Mac [EWS] adds “On Behalf Of” in the generated header of the original email.
Fixed: When trying to accept a new proposed meeting time, the server can sometimes return a 500 code.
Fixed: XMPP over SSL fails on port 5223.
Efficiency: [HA] HubConnection more gracefully detects when the connection is closed by the hub.
Efficiency: Thread usage during nightly cleanup tasks improved to limit resource usage.
Security: Fixed a few obscure authentication bypass, privilege escalation, denial of service, and path traversal issues we found during our security audit.
Build 9546 (Feb 19, 2026)
Fixed: An issue with Outlook (IMAP) not properly syncing folders with names containing non-ASCII characters.
Fixed: An issue with the legacy SOAP API and obfuscation.
Build 9543 (Feb 16, 2026)
Fixed: IMAP clients sending large emails can trigger IDS blocks.
Fixed: Sending large emails via IMAP/SMTP clients results in an exception related to command length.
Build 9540 (Feb 13, 2026)
IMPORTANT: [SECURITY] Changed how the command-line is utilized across various areas.
Added: [HA] Trusted Senders are now synchronized across a split domain.
Added: SmarterMail codebase is now obfuscated.
Changed: [HA] [HUB] Improved handling of impersonate and manage node errors when pop-ups are blocked by a browser.
Fixed: [HA] [HUB] Impersonating from the accounts grid gives a 401 error.
Fixed: [HA] [HUB] When logging into a hub you will sometimes see a `Fetch Error` instead of the server health grid details.
Fixed: [HA] An issue where certificates can fail to renew for a cluster.
Fixed: [HA] An issue with TypeNameHandling.
Fixed: An EWS push notification issue.
Fixed: An issue where a user is logged out when opening the Reports area.
Fixed: An issue where authenticated users could have the server issue an HTTP request to an arbitrary URL.
Fixed: An upgrade from SmarterMail 15.x to latest fails to detect existing XML configuration files.
Fixed: Certain HTML messages Do not Render Correctly in Webmail.
Fixed: Checking 2FA code is not thread safe.
Fixed: External document servers (e.g., Collabora) fail to load files in email attachments but work for File Storage files.
Fixed: SmarterMail's EXAMINE implementation does not comply with RFCs (IMAP).
Fixed: SmarterMail's EXAMINE implementation for IMAP does not comply with RFCs.
Fixed: Successfully used 2fa tokens are not always cleared from memory correctly.
Fixed: Successfully used 2FA tokens are not always cleared from memory correctly.
Fixed: Users can get logged out of webmail intermittently.
Fixed: Using TAB to move cursor when composing new message in webmail is off.
Security: [HA] Fixed a potential JSON deserialization issue.
Security: Added access restrictions to a system with compromised RSA key.
Security: API access now follows the user whitelist/blacklist as well as System Administrator IP Restrictions for authentication.
Security: Hardened various protocols against complex memory exhaustion issues.
Security: Hardened various syncing protocols against complex entity expansion issues.
Build 9526 (Jan 30, 2026)
Changed: Revised restrictions for file and folder name validation.
Fixed: [API] Users may be able to be impersonated by system administrators who do not have impersonation permissions.
Fixed: [HA] Password Reset CAPTCHA now works as expected.