Mailcow has rolled out a September 2025 release that puts outbound email security front and centre. The update adds a new container to enforce MTA-STS on outgoing mail, improves spam-filtering for aliases, and introduces fresh monitoring tools for self-hosters.
The headline change is the postfix-tlspol-mailcow container. It forces outbound mail to use encrypted connections in line with MTA-STS, closing off downgrade attacks that try to push servers back to plain text. For domains that don’t publish DANE records, it’s a practical safeguard against misdelivery and interception.
Other additions include better alias handling in Rspamd, which should cut down on false positives for users juggling multiple addresses, and a Prometheus exporter with a Grafana dashboard to visualise performance and security metrics. Together these give administrators a clearer view of what their server is doing in real time.
Routine updates round out the release: new versions of SOGo and Rspamd, database optimisations, and TLS bug fixes. While incremental, these changes strengthen stability and fit into the project’s broader “Email Security Year 2025” theme.
For self-hosters looking for a secure and transparent mail stack, this release is one of the more significant steps Mailcow has taken in recent years.
