This is the stable release of the next major version 1.6 of Roundcube webmail.

With this milestone we cleaned up the codebase and bring full support for PHP 8.1. The most noteworthy changes, as already announced with the beta release, are:

• PHP 8.1 support
• Dropped support for PHP < 7.3
• Support responses (snippets) in HTML format
• Option to purge deleted mails older than 30, 60 or 90 days
• Unified and simplified services connection config options
• Removed the Classic and Larry skins from the release packages
• SQLite: Use foreign keys, require SQLite >= 3.6.19

See the full changelog below.

Breaking Changes to 1.5 and prior versions

The following config options have either been removed or renamed:

1. IMAP:
   • renamed default_host to imap_host
   • removed default_port option (non-standard port can be set via imap_host)
   • set "localhost:143" as a default for imap_host
2. SMTP:
   • renamed smtp_server to smtp_host
   • removed smtp_port option (non-standard port can be set via smtp_host)
   • set "localhost:587" as a default for smtp_host
3. LDAP:
   • removed port option from ldap_public array (non-standard port can be set via host)
   • removed use_tls option from ldap_public array (use tls:// prefix in host)
4. Managesieve:
   • removed managesieve_port option (non-standard port can be set via managesieve_host)
   • removed managesieve_usetls option (set tls:// prefix to managesieve_host)

The skins Larry and Classic are no longer part of the release packages. If you used them in your deployment, you need to install them manually. That can easily be done via Composer:

$ composer require roundcube/larry

This release is considered stable and we encourage you to update your productive installations after carefully testing the upgrade scenario. Download it from roundcube.net.

With the release of Roundcube 1.6.0, the previous stable release branches 1.5.x and 1.5.x will change into LTS low maintenance mode which means they will only receive important security updates. The 1.3.x series is no longer supported and maintained.

CHANGELOG (since 1.6-rc)

• Fix SMTP XCLIENT extension when not using STARTTLS (#8581)
• Fix call to undefined method rcube_ldap_generic::option_set() (#8564)
• Fix PHP Fatal error on incompatible method declaration of rcmail_output_json::command() and rcmail_output::command() (#8579)
• Fix support for DSN specification without host e.g. pgsql:///dbname (#8558)
• Fix TinyMCE configuration for handling styles of pasted content in webkit browsers (#8555)
• Fix bug where some checkboxes could be selected unintentinally (#8565)
• Fix css styles of the email recipient element while dragging (#8580)
• Fix PHP 8.1 warnings in the LDAP backend code (#8572)
• Fix various PHP 8.1 warnings (#8584)
• Fix bug where a recipient address containing UTF-8 characters was ignored when sending an email (#8493, #8546)
• Fix so rcmail::contact_exists() works with IDNA addresses (#8545)
• Fix password option in storage_init hook after refreshing oauth access token (#8436)
• Fix attachment Options popover menu after attachment delete (#8602)
• Fix so "Found unconstructed Spoofchecker" error is not fatal (#8537)

This is the second service release to update the new stable version 1.5. It provides a bunch of small fixes and improvements for the PHP8 compatibility.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

• Enigma: Fix initial synchronization of private keys
• Enigma: Fix double quoted-printable encoding of pgp-signed messages with no attachments (#8413)
• Fix various PHP8 warnings (#8392)
• Fix mail headers injection via the subject field on mail compose (#8404)
• Fix bug where small message/rfc822 parts could not be decoded (#8408)
• Fix setting HTML mode on reply/forward of a signed message (#8405)
• Fix handling of RFC2231-encoded attachment names inside of a message/rfc822 part (#8418)
• Fix bug where some mail parts (images) could have not be listed as attachments (#8425)
• Fix bug where attachment icons were stuck at the top of the messages list in Safari (#8433)
• Fix handling of message/rfc822 parts that are small and are multipart structures with a single part (#8458)
• Fix bug where session could time out if DB and PHP timezone were different (#8303)
• Fix bug where DSN flag state wasn't stored with a draft (#8371)
• Fix broken encoding of HTML content encapsulated in a RTF attachment (#8444)
• Fix problem with aria-hidden=true on toolbar menus in the Elastic skin (#8517)
• Fix bug where title tag content was displayed in the body if it contained HTML tags (#8540)
• Fix support for DSN specification without host e.g. pgsql:///dbname (#8558)

This is the release candidate for the next major version 1.6 of Roundcube webmail.

It includes a small number of improvements and fixes in comparison to 1.6-beta release.

We believe it is production ready, but we recommend to test it on a separate environment. And don't forget to backup your data before installing it.

CHANGELOG

• Update to jQuery-UI 1.13.1 (#8455)
• Added possibility to make the logo image a link via the 'skin_logo' option (#8501)
• Use navigator.pdfViewerEnabled for PDF viewer detection
• Remove use of unreliable charset detection (#8344)
• Don't list images attached to multipart/related part as attachments (#7184)
• Password: Add support for ssha256 algorithm (#8459)
• Fix so unix:// URI is supported in various host spec. options again (#8468)
• Fix slow loading of long HTML content into the HTML editor (#8108)
• Fix bug where SMTP password didn't work if it contained '%p' (#8435)
• Enigma: Fix initial synchronization of private keys
• Enigma: Fix double quoted-printable encoding of pgp-signed messages with no attachments (#8413)
• Fix handling of message/rfc822 parts that are small and are multipart structures with a single part (#8458)
• Fix bug where session could time out if DB and PHP timezone were different (#8303)
• Fix bug where DSN flag state wasn't stored with a draft (#8371)
• Fix broken encoding of HTML content encapsulated in a RTF attachment (#8444)
• Fix problem with aria-hidden=true on toolbar menus in the Elastic skin (#8517)
• Fix so links (e.g. www.some.page or http://some.page) are not considered mispellings (#8527)
• Fix bug where title tag content was displayed in the body if it contained HTML tags (#8540)

This is a beta release for the next major version 1.6 of Roundcube webmail. With this milestone we cleaned up the codebase and bring full support for PHP 8.1. The most noteworthy changes are:

• PHP 8.1 support
• Dropped support for PHP < 7.3
• Support responses (snippets) in HTML format
• Option to purge deleted mails older than 30, 60 or 90 days
• Unified and simplified services connection config options
• Removed the Classic and Larry skins from the release packages
• SQLite: Use foreign keys, require SQLite >= 3.6.19

Adding support for PHP 8.1 again required some refactoring of the Roundcube codebase and removing/replacing now deprecated PHP code. We also used this cleaning efforts and simplified Roundcube's config options a bit.

Breaking Changes

The following config options have either been removed or renamed:

1. IMAP:
   • renamed default_host to imap_host
   • removed default_port option (non-standard port can be set via imap_host)
   • set "localhost:143" as a default for imap_host
2. SMTP:
   • renamed smtp_server to smtp_host
   • removed smtp_port option (non-standard port can be set via smtp_host)
   • set "localhost:587" as a default for smtp_host
3. LDAP:
   • removed port option from ldap_public array (non-standard port can be set via host)
   • removed use_tls option from ldap_public array (use tls:// prefix in host)
4. Managesieve:
   • removed managesieve_port option (non-standard port can be set via managesieve_host)
   • removed managesieve_usetls option (tls:// prefix in managesieve_host have to be used)

If you used the Larry or the Classic skin in your deployment, you need to install them manually as they are no longer part of the release packages. They can easily be installed via Composer:

$ composer require roundcube/larry

This is a beta release and we recommend to test it on a separate environment. Migrate existing configs with eiither the installto.sh or the update.sh scripts. And don't forget to backup your data before installing it.

CHANGELOG

• Unified and simplified services connection options (#8310)
• Plugin API: Removed smtp_port parameter in smtp_connect hook
• Plugin API: Renamed smtp_server parameter to smtp_host in smtp_connect hook
• Plugin API: Removed port parameter in managesieve_connect hook
• Plugin API: Removed usetls parameter in managesieve_connect hook
• Added support for PHP 8.1 (#8151)
• Dropped support for PHP < 7.3 (#7976)
• Dropped support for strftime-like format (with % sign) in date and time format configuration
• Moved the Classic and Larry skins to their own repository (#8271)
• SQLite: Use foreign keys, require SQLite >= 3.6.19
• Replace Endroid QrCode with BaconQrCode (#8173)
• Support responses (snippets) in HTML format (#5315)
• Purge also subfolders of Trash (and/or messages in them) on logout (#1037)
• Add support for encryption with AEAD ciphers, e.g. aes-256-gcm (#7097)
• Add option to purge deleted mails older than 30, 60 or 90 days (#5493)
• Add ability to mark multiple messages as not deleted at once (#5133)
• Add possibility to disable line-wrapping of sent mail body (#5101)
• Improve/Fix wrapping of plain text messages on preview and reply (#6974, #8391, #8378, #8289)
• Improve searching by sender/recipient headers, support Reply-To and Followup-To (#6582)
• Add option to control links handling behavior on html to text conversion (#6485)
• Add 'loginform_content' plugin hook (#8273, #6569)
• SMTP: If requested use TLS also without authentication (#4590, #8111)
• Display a generic error page on initial DB/configuration errors (#8222)
• Display telephone numbers as tel: links (#8240)
• Elastic: Move scrollbar settings to variables (#8352)
• Elastic: Use thin scrollbars in both light and dark mode
• Elastic: Make the scrollbar color lighter in dark mode (#8345)
• Autologout: A new plugin to auto log out users with a POST request (#8270)
• Enigma: Upgrade to OpenPGP.js v5.0
• Identicon: Make background color of the image to match the current skin colors (#8256)
• Newmail_notifier: Update favicon to match the current favicon style and size (#7826)
• Password: Remove password_blowfish_cost option, in favor of password_algorithm_options
• Password: Remove support for password_algorithms crypt, hash and cram-md5
• Password: Remove support for %c, %d, %n, %q variables in password_query
• Password: Add support for passwords based on PHP's password_hash() function (#7724)
• Password: Verify current password with IMAP (#8142)
• Password: Improve handling errors on executed commands (#8200)
• Password: Add Mailcow driver (#8291)
• Fix compatibility with Referrer-Policy: "strict-origin" (#8170)
• Fix locked SQLite database for the CLI tools (#8035)
• Fix Makefile on Linux (#8211)
• Fix so PHP warnings are ignored when resizing a malformed image attachment (#8387)
• Fix various PHP8 warnings (#8392)
• Fix mail headers injection via the subject field on mail compose (#8404)
• Fix bug where small message/rfc822 parts could not be decoded (#8408)
• Fix setting HTML mode on reply/forward of a signed message (#8405)
• Fix handling of RFC2231-encoded attachment names inside of a message/rfc822 part (#8418)
• Fix bug where some mail parts (images) could have not be listed as attachments (#8425)
• Fix bug where attachment icons were stuck at the top of the messages list in Safari (#8433)

This is the second service release to update the new stable version 1.5. It provides a bunch of small fixes and improvements to the OAuth feature as well as a security fix to a recently reported XSS vulnerability. See the full changelog below.

Security fix

• Cross-site scripting (XSS) via HTML messages with malicious CSS content

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

• OAuth: pass 'id_token' to 'oauth_login' plugin hook (#8214)
• OAuth: fix expiration of short-lived oauth tokens (#8147)
• OAuth: fix relative path to assets if /index.php/foo/bar url is used (#8144)
• OAuth: no auto-redirect on imap login failures (#8370)
• OAuth: refresh access token in 'refresh' plugin hook (#8224)
• Fix so folder search parameters are honored by subscriptions_option plugin (#8312)
• Fix password change with Directadmin driver (#8322, #8329)
• Fix so css files in plugins/jqueryui/themes will be minified too (#8337)
• Fix handling of unicode/special characters in custom From input (#8357)
• Fix some PHP8 compatibility issues (#8363)
• Fix chpass-wrapper.py helper compatibility with Python 3 (#8324)
• Fix scrolling and missing Close button in the Select image dialog in Elastic/mobile (#8367)
• Security: fix cross-site scripting (XSS) via HTML messages with malicious CSS content

This is a security update to the stable version 1.4 of Roundcube Webmail. It provides a fix to a recently reported XSS vulnerability:

• Cross-site scripting (XSS) via HTML messages with malicious CSS content

This version is considered stable and we recommend to update all productive installations of Roundcube 1.4.x with it. Please do backup your data before updating!

CHANGELOG

• Security: fix cross-site scripting (XSS) via HTML messages with malicious CSS content

This is the first service release to update the new stable version 1.5. It provides a bunch of small fixes and improvements after getting your feedback from the 1.5.0 release. See the full changelog below.

Important note for MySQL and MariaDB database backends

The change to full UTF-8 support in MySQL/MariaDB didn't work for everybody migrating an existing DB. Hence here's an important notice from the UPGRADING instructions:

If you use MySQL < 5.7.7 or MariaDB < 10.2.2 make sure to configure it with:

  innodb_large_prefix=1
  innodb_file_per_table=1
  innodb_file_format=Barracuda

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

• Fix importing contacts with no email address (#8227)
• Fix so session's search scope is not used if search is not active (#8199)
• Fix some PHP8 warnings (#8239)
• Fix so dark mode state is retained after closing the browser (#8237)
• Fix bug where new messages were not added to the list on refresh if skip_deleted=true (#8234)
• Fix colors on "Show source" page in dark mode (#8246)
• Fix handling of dark_mode_support:false setting in skins meta.json - also when devel_mode=false (#8249)
• Fix database initialization if db_prefix is a schema prefix (#8221)
• Fix undefined constant error in Installer on Windows (#8258)
• Fix installation/upgrade on MySQL 5.5 - Index column size too large (#8231)
• Fix regression in setting of contact listing name (#8260)
• Fix bug in Larry skin where headers toggle state was reset on full page preview (#8203)
• Fix bug where \u200b characters were added into the recipient input preventing mail delivery (#8269)
• Fix charset conversion errors on PHP < 8 for charsets not supported by mbstring (#8252)
• Fix bug where adding a contact to trusted senders via "Always allow from..." button didn't work (#8264, #8268)
• Fix bug with show_images setting where option 1 and 3 were swapped (#8268)
• Fix PHP fatal error on an undefined constant in contacts import action (#8277)
• Fix fetching headers of multiple message parts at once in rcube_imap_generic::fetchMIMEHeaders() (#8282)
• Fix bug where attachment download could sometimes fail with a CSRF check error (#8283)
• Fix an infinite loop when parsing environment variables with float/integer values (#8293)
• Fix so 'small-dark' logo has more priority than the 'small' logo (#8298)

This is a service and security update to the stable version 1.4 of Roundcube Webmail. It provides fixes for two recently discovered SQL injection and XSS vulnerabilities as well a some general improvements from our issue tracker. See the full changelog below.

Security fixes

• Fix XSS issue in handling attachment filename extension in mimetype mismatch warning
• Fix possible SQL injection via some session variables

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

• Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919)
• Fix bug where contacts search didn't work with addressbook_search_mods set to an empty array (#7974)
• Fix bug causing some HTML message content to be not centered in Elastic skin (#7911)
• Fix bug where consecutive LDAP searches could return wrong results (#8064)
• Fix bug where plus characters in attachment filename could have been ignored (#8074)
• Fix displaying HTML body with inline images encapsulated using TNEF format (winmail.dat)
• Fix handling of custom sender addresses with names (#8106)
• Fix shift + drag'n'drop menu not working in Elastic skin with Chrome browser (#8107)
• Fix Firefox infinite loading display on mail screen (#8128)
• Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
• Fix SQL injection via some session variables

This is a security update to the LTS version 1.3. It fixes two recently discovered vulnerabilities:

• Fix XSS issue in handling attachment filename extension in mimetype mismatch warning
• Fix possible SQL injection via some session variables

This version in considered stable and we strongly recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

This is the stable release of the next major version of Roundcube webmail. With this milestone we introduce new features and full PHP 8.0 support. The most noteworthy additions are:

• Dark mode for Elastic skin
• OAuth2/XOauth support (with plugin hooks)
• Collected recipients and trusted senders
• Moving recipients between inputs with drag & drop
• Full unicode support with MySQL database
• Support of IMAP LITERAL- extension [RFC 7888]
• Support of RFC 2231 encoded names
• Cache refactoring

See the full changelog below.

We also disabled the spell checking feature using spell.roundcube.net by default because some privacy concerns were raised. It now needs to be enabled explicitly by setting the enable_spellcheck config option to true.

In case you're running Roundcube directly from source or if you're not using the complete package, you need to install 3rd party javascript modules using the bin/install-jsdeps.sh script. In the 1.5.x series the toolchain required to build a functional package has changed a bit:

• bin/jsshrink.sh: replaced google-closure-compiler with UglifyJS
• bin/cssshrink.sh: replaced yuicompressor with csso
• Elastic theme: require lessc >= 2.5.2 (and add support for v4) with less-plugin-clean-css

This release is considered stable and we encourage you to update your productive installations after carefully testing the upgrade scenario.

With the release of Roundcube 1.5.0, the previous stable release branches 1.4.x and 1.3.x will change into LTS low maintenance mode which means they will only receive important security updates but no longer any regular improvement updates. The 1.2.x series is no longer supported and maintained.

CHANGELOG (since 1.5-rc)

• Support displaying RTF content (including encapsulated HTML) from a TNEF attachment
• Disable the default spellchecker option using spell.roundcube.net (#8182)
• Newmail_notifier: Improved the notification sound (#8155)
• Fix size of Mailvelope iframe for PGP-inlined mail, again (#8126)
• Fix handling of group names with @ character in autocomplete and contacts widget (#8098)
• Fix Firefox infinate loading display on mail screen (#8128)
• Fix converting >1MB of HTML content into plain text (#8137)
• Fix bug where expanding a group in the recipient input could corrupt the input content (#7569)
• Fix fatal error/warning on invalid input to user parameter (#8152)
• Fix changing password with dovecot_passwdfile driver (#8145)
• Fix handling of headers that occur multiple times by show_additional_headers plugin (#8157)
• Fix bug where vertical scrollbar in new HTML message bounced back on scroll (#8046)
• Fix displaying inline images with incorrectly declared content-type (#8158)
• Fix so addr-spec with missing closing angle bracket can be parsed (#8164)
• Fix handling of spellcheck connection errors (#8172)
• Fix a couple of PHP8 warnings (#8175, #8176)
• Fix bug where "from my contacts" and "from trusted senders" values were mixed up (#8177)
• Fix password/token length check on OAuth login (#8178)
• Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
• Fix SQL injection via some session variables
• Fix handling of dark_mode_support:false setting in skins meta.json (#8186)
• Fix security issues regarding server name and trusted_host_patterns setting

This is the release candidate for the next major version 1.5 of Roundcube webmail. Based on the feedback we received from the beta release and some new features from the backlog, we have now finalized the development branch to prepare the final version. See the changelog below for details.

Some noteworthy additions since 1.5-beta are

• Support of XOAUTH2 in Managesieve plugin
• Support of IMAP LITERAL- extension [RFC 7888]
• Support of RFC 2231 encoded names
• Plugin hooks for OAuth events

We believe it is production ready, but we recommend to test it on a separate environment. And don't forget to backup your data before installing it.

CHANGELOG

• Upgrade to TinyMCE 5.8.2
• SMTP XCLIENT support (#7893, #6411)
• Add IDN homograph attack (spoofing) detection [CVE-2019-15237] (#6891)
• Add configuration options for subject prefixes (#7929, #4981)
• Support IMAP LITERAL- extension [RFC 7888] (#6878)
• Warn the user about a potential data leak on mail bounce or forward (#7993)
• Make the Empty action available for every non-empty folder, not only Trash (#7948)
• Remove (incorrect) use of Return-Receipt-To header (#8069)
• Submit various simple dialog forms with the Enter key (#7133)
• Add RFC2231 support to rcube_mime_decode (#7390)
• Plugin API: Allow modification of 'error' argument in message_send_error hook (#7914)
• OAuth: add plugin hooks oauth_login and oauth_refresh_token for oauth events (#8028, #8040)
• Debug_logger: Fix the main plugin functionality and documentation (#8041)
• Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919)
• Enigma: Fix invalid expiration dates of PGP keys on a 32bit system (#7531)
• Enigma: Display an information that public and private keys are stored on the server (#7941)
• Enigma: Optional support for passwordless keys (#7265)
• Managesieve: Fix removing nested rules in scripts (#8011)
• Managesieve: Support XOAUTH2, requires Net_Sieve 1.4.5 (#7925)
• Managesieve: Added ability to remove 'redirect' option from UI (#7922)
• New_user_dialog: Use the identity_update hook (#8023)
• Password: Fix broken 'hmail' driver (#7966)
• Password: Set password_minimum_length to 8 by default (#8003)
• Vcard_attachments: Improve handling of multiple contacts (#7027)
• Fix inserting a group from non-default source using the Insert contact(s) dialog (#8095)
• Fix invalid search fields after search scope change (#6919)
• Fix so "Always allow from..." button appears also when allow_images=3 (#7961)
• Fix Elastic's pretty select scroll position in Chrome (#7964)
• Fix bug where invalid non-unicode characters in JSON output could make the UI unresponsive (#7955)
• Fix PHP 8 fatal error when allowing images in an email (#7968)
• Fix so session expiration is more precise and do not depend on the garbage collector (#7576)
• Fix bug where imap_conn_options settings were ignored (#7912)
• Fix bug causing some HTML message content to be not centered in Elastic skin (#7911)
• Fix bug when sending an email and recipient's email address contains a trailing dot (#7899)
• Fix bug where the list page wasn't reset when changing a folder on mail view page (#7932)
• Fix so selecting the same folder to reset search resets also the page number (#7125)
• Fix login page rendering after oauth failure (#7812,#7923)
• Fix bug where assigning users to groups via menu (not drag'n'drop) could fail in Elastic theme (#7973)
• Fix HTML5 parser issue with a messy HTML code from Outlook (#7356)
• Fix handling of multiple link references with the same index in plain text message (#8021)
• Fix various actions on folders with angle brackets in name (#8037)
• Fix inconsistent fowarding actions statuses on drafts (#8039)
• Fix bug where start and reversed attributes of ol tag were ignored (#8059)
• Fix bug where consecutive LDAP searches could return wrong results (#8064)
• Fix bug where plus characters in attachment filename could have been ignored (#8074)
• Fix displaying HTML body with inline images encapsulated using TNEF format (winmail.dat)
• Fix handling of custom sender addresses with names (#8106)
• Fix shift + drag'n'drop menu not working in Elastic skin with Chrome browser (#8107)

This is a beta release for the next major version 1.5 of Roundcube webmail. With this milestone we introduce new features and long-awaited improvements. The most noteworthy additions are:

• PHP 8.0 support
• OAuth2/XOauth support
• Dark mode for Elastic skin
• Collected recipients and trusted senders
• Moving recipients between inputs with drag & drop
• Full unicode support with MySQL database
• Cache refactoring

Adding support for PHP 8 required some deep refactoring of the Roundcube codebase which started with early PHP 5 versions. However, this refactoring also was a bit of a cleaning procedure and resulted in more testable components.

In case you're running Roundcube directly from source or if you're not using the complete package, you need to install 3rd party javascript modules using the bin/install-jsdeps.sh script. With this release the toolchain required to build a functional package has changed a bit:

• bin/jsshrink.sh: replaced google-closure-compiler with UglifyJS
• bin/cssshrink.sh: replaced yuicompressor with csso
• Elastic theme: require lessc >= 2.5.2 (and add support for v4) with less-plugin-clean-css

This is a beta release and we recommend to test it on a separate environment. And don't forget to backup your data before installing it.

CHANGELOG

• Require PHP >= 5.5
• Support PHP 8.0 (#7625)
• Require php-intl
• Remove use of Net_IDNA2 package
• Require GuzzleHttp\Client
• Upgrade to TinyMCE 5.5.1
• Upgrade to jQuery 3.5.1 (#7464)
• Update build tools (#7800, #7804, #7497):
  • jsshrink.sh: Replace google-closure-compiler with UglifyJS
  • cssshrink.sh: Replace yuicompressor with csso
  • require lessc >= 2.5.2 (and add support for v4) with less-plugin-clean-css for Less files compilation
• Automatically collected recipients and trusted senders (#6904)
  • Added configurable Collected Recipients addressbook source (#4971)
  • Added configurable Trusted Senders addressbook source (#5046)
  • Added 'contact_exists' hook
  • Added separate "trusted senders" options for show_images and mdn_request preferences (#7614)
• Contact form mode: private/business (#7630)
• OAuth/XOauth support (#7425, #6933)
• Cache refactoring (#6312)
• Added special value 'email' to login_username_filter, it changes also logon input type (#7179)
• Allow array in smtp_host config (#7296)
• Support proxy for server-side HTTP requests (#7658)
• By default do not set the User-Agent header (#7731)
• Add posibility to (re-)define field mapping on contacts import from a CSV file (#7045, #6668)
• Move "On request for return receipt" from "Mailbox View" to "Displaying Messages" (#7614)
• Support RFC8438: IMAP STATUS=SIZE - for faster folder size calculation (#7269)
• MySQL: Use utf8mb4 charset and utf8mb4_unicode_ci collation (#6535, #7113)
• Allow NULL in users.preferences column in postgres and sqlite db, the same as for other engines (#7767)
• Support for language codes up to 16 chars long (e.g. es-419) in database schema (#6851)
• Relaxed domain name validation for extended TLDs support (#5588)
• Allow opening application/octet-stream attachments according to filename extension (#6821)
• Added support for INSERT OR REPLACE queries (#6771)
• Allow skins to define which layout options they support (#7235)
• Extract RFC2231 attachment name from message headers (#6729, #6783)
• Add support for SameSite cookie attribute via session_samesite option (req PHP >= 7.3.0) (#6772)
• Change folders sorting so shared/other users namespaces are listed last (#5012)
• Display a warning and do not try to open empty attachments (#7332)
• Return 204 rather than 404 on missing contact photo (#7777)
• Add 'reconnect' plugin to retry IMAP connection (#7844)
• Plugin API: Added 'message' argument to 'message_compose_body' hook
• Plugin API: Added 'preferences' parameter to 'user_create' hook (#7692)
• Elastic: Dark mode (#6709)
• Elastic: Display email size on the list of messages (#7162)
• Elastic: Replace properties sidebar with a dialog on the attachment preview page (#7635)
• Elastic: Minimize forms/colors blink on page load
• Elastic: Improve mail header "detailed mode" (#7224)
• Elastic: Moving single recipients between recipient inputs with drag-n-drop (#5069)
• Elastic: Display a special icon for other users and shared namespace roots (#5012)
• Elastic: Support space-separated email addresses in recipient input (#6529, #6457)
• Elastic: Remember list checkbox selection state (#7148)
• Elastic: Add "Open in new window" in mail compose (#7260)
• Elastic: Make custom less files optional (#7497)
• Elastic: Prevent from opening mail preview in a new window on touch devices using double tap (#7732)
• Templates: Add support for expressions in object attributes (#7237)
• Templates: Add support for nested if conditions (#6818)
• Templates: Make [space][slash] ending of condition objects optional (#6954)
• Mailvelope: Fix size of iframe for PGP-inlined mail (#7348)
• Mailvelope: Add config option to use Main Keyring (#7348, #7157)
• Mailvelope: Add config option to set the size for new keys (#7348)
• Mailvelope: Always ask before discarding email currently being composed (#7348)
• Mailvelope: Fix unnecessary warning to re-add attachments when restoring a draft (#7348)
• Archive: Added options to split archive by year or year+month and folder (#7216)
• Enigma: Support ECC key generation - when using GnuPG >= 2.1.7 (#6853)
• Managesieve: Add support for 'spamtest' extension - RFC3685 (#6950)
• Managesieve: Allow display name with email address in vacation :from field (#6760)
• Managesieve: Improve UX on custom header input (#7207)
• Managesieve: Fix bug where activation of forward/vacation rule could activate a wrong script (#7423)
• Managesieve: Fix bug where forward/vacation rule could end up being duplicated (#7349)
• new_user_identity: Fix missing password for user-specific LDAP operations (#7667)
• Password: Added 'pwned' password strength driver (#7274)
• Password: Added Mail-in-a-Box (miab) driver (#7824)
• Password: Added TinyCP driver (#7510)
• Password: Added httpapi driver to connect to generic HTTP/HTTPS APIs (#7439)
• Password: Added dovecot_passwdfile driver (#5786)
• Password: Removed old 'cpanel' driver, 'cpanel_webmail' driver renamed to 'cpanel' (#7780)
• Fix handling of address groups in email headers by ignoring their names (#7663)
• Fix so message flags are updated on refresh also for multifolder search results (#7774)
• Fix so IMAP ID command is send only after authentication (#7517)
• Fix bug where it wasn't possible to save Spanish (Latin America) locale preference (#7784)
• Fix mail search error on invalid search_mods definition (#7789)
• Fix error when dealing with message/rfc822 attachments using Gmail IMAP (#6854)
• Fix ISO-2022-JP-MS encoding issues (#7091)
• Fix so messages in threads with no root aren't displayed separately (#4999)
• Fix so anchor tags without href attribute are not modified (#7413)
• Fix invalid IMAP SEARCH command in some rare case on messages cache synchronization (#7895)
• Fix so allowing remote resources does not add an entry to browser history (#6620)

This is a service and security update to the stable version 1.4 of Roundcube Webmail. It provides a fix for a recently reported stored XSS vulnerability as well a some general improvements from our issue tracker. See the full changelog below.

Security fix

• Fix cross-site scripting (XSS) via HTML messages with malicious CSS content

Credits for this finding go to Mateusz Szymaniec (CERT Polska).

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

• Display a nice error informing about no PHP8 support
• Elastic: Fix compatibility with Less v3 and v4 (#7813)
• Fix bug with managesieve_domains in Settings > Forwarding form (#7849)
• Fix errors in MSSQL database update scripts (#7853)
• Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content

This is a service and security update to the stable version 1.4 of Roundcube Webmail. It contains a fix for a recently reported stored XSS vulnerability as well a small number of general improvements from our issue tracker. See the full changelog below.

Security fix

• Stored cross-site scripting (XSS) via HTML or plain text messages with malicious content [CVE-2020-35730]

Credits for this finding go to Alex Birnberg.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

• Fix extra angle brackets in In-Reply-To header derived from mailto: params (#7655)
• Fix folder list issue when special folder is a subfolder (#7647)
• Fix Elastic's folder subscription toggle in search result (#7653)
• Fix state of subscription toggle on folders list after changing folder state from the search result (#7653)
• Security: Fix cross-site scripting (XSS) via HTML or plain text messages with malicious content

This is a security update to the LTS version 1.3. It fixes a recently reported stored cross-site scripting (XSS) vulnerability via HTML or plain text messages with malicious content [CVE-2020-35730].

Credits for this finding go to Alex Birnberg.

This version in considered stable and we strongly recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

This is a security update to the LTS version 1.2. It fixes a recently reported stored cross-site scripting (XSS) vulnerability via HTML or plain text messages with malicious content [CVE-2020-35730].

Credits for this finding go to Alex Birnberg.

We strongly recommend to update all productive installations of Roundcube 1.2.x if you cannot upgrade to a more recent version. Please do backup your data before updating!

This is a service update to the stable version 1.4 of Roundcube Webmail. It contains fixes and general improvements from our issue tracker, mainly related to email composition and UI oddities in Elastic skin and with the TinyMCE richtext editor. See the full changelog below.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

• Fix HTML editor in latest Chrome 85.0.4183.102, update to TinyMCE 4.9.11 (#7615)
• Add missing localization for some label/legend elements in userinfo plugin (#7478)
• Fix importing birthday dates from Gmail vCards (BDAY:YYYYMMDD)
• Fix restoring Cc/Bcc fields from local storage (#7554)
• Fix jstz.min.js installation, bump version to 1.0.7
• Fix incorrect PDO::lastInsertId() use in sqlsrv driver (#7564)
• Fix link to closure compiler in bin/jsshrink.sh script (#7567)
• Fix bug where some parts of a message could have been missing in a reply/forward body (#7568)
• Fix empty space on mail printouts in Chrome (#7604)
• Fix empty output from HTML5 parser when content contains XML tag (#7624)
• Fix scroll jump on key press in plain text mode of the HTML editor (#7622)
• Fix so autocompletion list does not hide on scroll inside it (#7592)

This is a service and security update to the stable version 1.4 of Roundcube Webmail. It contains fixes for recently reported security vulnerabilities as well a small number of general improvements from our issue tracker. See the full changelog below.

Security fixes

• Fix potential XSS issue in HTML editor of the identity signature input
• Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
• Fix cross-site scripting (XSS) via HTML messages with malicious math content

Credits for the latter two findings go to Łukasz Pilorz from Pentesters.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

• Managesieve: Fix too-small input field in Elastic when using custom headers (#7498)
• Fix support for an error as a string in message_before_send hook (#7475)
• Elastic: Fix redundant scrollbar in plain text editor on mail reply (#7500)
• Elastic: Fix deleted and replied+forwarded icons on messages list (#7503)
• Managesieve: Allow angle brackets in out-of-office message body (#7518)
• Fix bug in conversion of email addresses to mailto links in plain text messages (#7526)
• Fix format=flowed formatting on plain text part derived from the HTML content (#7504)
• Fix incorrect rewriting of internal links in HTML content (#7512)
• Fix handling links without defined protocol (#7454)
• Fix paging of search results on IMAP servers with no SORT capability (#7462)
• Fix detecting special folders on servers with both SPECIAL-USE and LIST-STATUS (#7525)
• Security: Fix potential XSS issue in HTML editor of the identity signature input (#7507)
• Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
• Security: Fix cross-site scripting (XSS) via HTML messages with malicious math content

This is a security update to the LTS version 1.3. It fixes two recently reported cross-site scripting (XSS) vulnerabilities via HTML messages with malicious svg and math contents.

Credits for these findings go to Łukasz Pilorz from Pentesters.

This version in considered stable and we strongly recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

This is a security update to the LTS version 1.2. It fixes two recently reported cross-site scripting (XSS) vulnerabilities via HTML messages with malicious svg and math contents.

Credits for these findings go to Łukasz Pilorz from Pentesters.

We strongly recommend to update all productive installations of Roundcube 1.2.x if you cannot upgrade to a more recent version. Please do backup your data before updating!

This is a service and security update to the stable version 1.4 of Roundcube Webmail. It contains a fix for recently reported security vulnerability as well a small number of general improvements from our issue tracker. See the full changelog below.

Security fix

Prevent cross-site scripting (XSS) via HTML messages with malicious svg/namespace (CVE-2020-15562)

Credits for this finding go to SSD Secure Disclosure.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

• Fix bug where subfolders of special folders could have been duplicated on folder list
• Increase maximum size of contact jobtitle and department fields to 128 characters
• Fix missing newline after the logged line when writing to stdout (#7418)
• Elastic: Fix context menu (paste) on the recipient input (#7431)
• Fix problem with forwarding inline images attached to messages with no HTML part (#7414)
• Fix problem with handling attached images with same name when using database_attachments/redundant_attachments (#7455)
• Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace

This is a security update to the LTS version 1.3. It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (CVE-2020-15562).

Credits for this finding go to SSD Secure Disclosure.

This version in considered stable and we strongly recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

This is a security update to the LTS version 1.2. It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (CVE-2020-15562).

Credits for this finding go to SSD Secure Disclosure.

We strongly recommend to update all productive installations of Roundcube 1.2.x if you cannot upgrade to a more recent version. Please do backup your data before updating!

This is a follow-up release to the recently published version 1.4.5 of Roundcube Webmail.

It contains a single fix for the installer's test step which was broken with the last release. The update is therefore only relevant for new installations which use the installer to set up Roundcube.

CHANGELOG

• Installer: Fix regression in SMTP test section (#7417)

This is a follow-up release to the recently published version 1.3.12 of Roundcube Webmail.

It contains a single fix for the installer's test step which was broken with the last release. The update is therefore only relevant for new installations which use the installer to set up Roundcube.

CHANGELOG

• Installer: Fix regression in SMTP test section (#7417)

This is a service and security update to the LTS version 1.3 of Roundcube Webmail. It contains four fixes for recently reported security vulnerabilities as well a small number of general improvements backported from the latest stable version. See the full changelog below.

Security fixes

• Fix XSS issue in template object 'username' (#7406)
• Fix cross-site scripting (XSS) via malicious XML attachment
• Fix a couple of XSS issues in Installer (#7406)
• Better fix for CVE-2020-12641

The latter two vulnerabilities again are related to public access to the Roundcube installer and are therefore classified minor.

This version in considered stable and we recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

CHANGELOG

• Security: Better fix for CVE-2020-12641
• Security: Fix XSS issue in template object 'username' (#7406)
• Security: Fix couple of XSS issues in Installer (#7406)
• Security: Fix cross-site scripting (XSS) via malicious XML attachment

This is a service and security update to the stable version 1.4 of Roundcube Webmail. It contains fixes for recently reported security vulnerabilities as well a number of general improvements from our issue tracker. See the full changelog below.

Security fixes

• Fix XSS issue in template object 'username' (#7406)
• Fix cross-site scripting (XSS) via malicious XML attachment
• Fix a couple of XSS issues in Installer (#7406)
• Better fix for CVE-2020-12641

The latter two vulnerabilities again are related to public access to the Roundcube installer and are therefore classified minor.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

• Fix bug in extracting required plugins from composer.json that led to spurious error in log (#7364)
• Fix so the database setup description is compatible with MySQL 8 (#7340)
• Markasjunk: Fix regression in jsevent driver (#7361)
• Fix missing flag indication on collapsed thread in Larry and Elastic (#7366)
• Fix default keyservers (use keys.openpgp.org), add note about CORS (#7373, #7367)
• Password: Fix issue with Modoboa driver (#7372)
• Mailvelope: Use sender's address to find pubkeys to check signatures (#7348)
• Mailvelope: Fix Encrypt button hidden in Elastic (#7353)
• Fix PHP warning: count(): Parameter must be an array or an object... in ID command handler (#7392)
• Fix error when user-configured skin does not exist anymore (#7271)
• Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
• Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)
• Security: Fix a couple of XSS issues in Installer (#7406)
• Security: Fix XSS issue in template object 'username' (#7406)
• Security: Fix cross-site scripting (XSS) via malicious XML attachment
• Security: Better fix for CVE-2020-12641

This is a service and security update to the stable version 1.4 of Roundcube Webmail. It contains four fixes for recently reported security vulnerabilities as well a number of general improvements from our issue tracker. See the full changelog below.

Security fixes

• Cross-Site Scripting (XSS) via malicious HTML content
• CSRF attack can cause an authenticated user to be logged out
• Remote code execution via crafted config options
• Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

The latter two vulnerabilities are classified minor because they only affect Roundcube installations with public access to the Roundcube installer. That's generally a high-risk situation and is expected to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done in core in order to also prevent from future and yet unknown attack vectors.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

• Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
• Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
• Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
• Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
• Elastic: Fix color of a folder with recent messages (#7281)
• Elastic: Restrict logo size in print view (#7275)
• Fix invalid Content-Type for messages with only html part and inline images - Mail_Mime-1.10.7 (#7261)
• Fix missing contact display name in QR Code data (#7257)
• Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
• Fix regression in testing database schema on MSSQL (#7227)
• Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
• Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
• Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
• Fix handling keyservers configured with protocol prefix (#7295)
• Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
• Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
• Fix so imap error message is displayed to the user on folder create/update (#7245)
• Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
• Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
• Fix characters encoding in group rename input after group creation/rename (#7330)
• Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
• Make install-jsdeps.sh script working without the file program installed (#7325)
• Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
• Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
• Security: Fix XSS issue in handling of CDATA in HTML messages
• Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
• Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
• Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)

This is a service and security update to the LTS version 1.3 of Roundcube Webmail. It contains four fixes for recently reported security vulnerabilities as well a small number of general improvements backported from the latest stable version. See the full changelog below.

Security fixes

• Cross-Site Scripting (XSS) via malicious HTML content
• CSRF attack can cause an authenticated user to be logged out
• Remote code execution via crafted config options
• Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

The latter two vulnerabilities are classified minor because they only affect Roundcube installations with public access to the Roundcube installer. That's generally a high-risk situation and is expected to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done in core in order to also prevent from future and yet unknown attack vectors.

This version in considered stable and we recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

CHANGELOG

• Enigma: Fix compatibility with Mail_Mime >= 1.10.5
• Fix permissions on some folders created by bin/install-jsdeps.sh script (#6930)
• Fix bug where inline images could have been ignored if Content-Id header contained redundant spaces (#6980)
• Fix PHP Warning: Use of undefined constant LOG_EMERGE (#6991)
• Fix PHP warning: "array_merge(): Expected parameter 2 to be an array, null given in sendmail.inc (#7003)
• Security: Fix XSS issue in handling of CDATA in HTML messages
• Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
• Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
• Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)

This is a security update to the LTS version 1.2. It fixes four recently reported security vulnerabilities:

• Cross-Site Scripting (XSS) via malicious HTML content
• CSRF attack can cause an authenticated user to be logged out
• Remote code execution via crafted config options
• Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

The latter two vulnerabilities are classified minor because they only affect Roundcube installations with public access to the Roundcube installer. That's generally a high-risk situation and is expected to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done in core in order to also prevent from future and yet unknown attack vectors.

We strongly recommend to update all productive installations of Roundcube 1.2.x. if you cannot upgrade to a more recent version. Please do backup your data before updating!

CHANGELOG

• Fix missing message-htmlpart1 class breaking inline CSS (#6493)
• Security: Fix XSS issue in handling of CDATA in HTML messages
• Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
• Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
• Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)