Organizations that run DavMail to bridge standard mail clients to Microsoft Exchange or Office 365 received an update this week. Version 6.6.0 addresses a code-scanning alert tied to a regex vulnerability, adjusts OAuth redirect handling to match a recent Microsoft change, and ships fixes across IMAP, SMTP, CalDAV, and CardDAV subsystems.
A regex replacement closes a security alert
The security change replaces a regular expression in the replaceIcal4Principal method with simple substring calls, resolving a finding flagged by GitHub's code-scanning system. Regex-based parsing can expose a regular-expression denial-of-service (ReDoS) weakness when it processes attacker-controlled input, because a backtracking engine can be driven into exponential work by a crafted string; the substring approach eliminates that risk in this code path.
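As an added illustration (not DavMail's code, and the page does not show the regex that was replaced), here is a substring-based rewrite of a mailto principal in iCalendar property lines next to a hypothetical nested-quantifier pattern whose match time grows exponentially; `value_offset`, `replace_principal`, `PATHOLOGICAL` and the sample text are assumptions made for this example.

```python
import re
import time

# Constructed iCalendar sample (not DavMail data): property lines whose
# value part is a mailto: principal.
ICAL = (
    "BEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Alice:mailto:alice@example.com\r\n"
    'ATTENDEE;CN="mailto:bob@example.com":mailto:bob@example.com\r\n'
    "END:VEVENT\r\n"
)

def value_offset(line: str) -> int:
    """Index of the ':' that starts the property value, skipping any ':'
    inside a double-quoted parameter value (RFC 5545 section 3.2); -1 if none."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ":" and not quoted:
            return i
    return -1

def replace_principal(ical: str, old: str, new: str) -> str:
    """Rewrite a mailto: principal in the value part of each property line
    using only scanning and slicing. Every line is read once, so the cost is
    linear in the input size however the caller shaped it."""
    out = []
    for line in ical.split("\r\n"):
        sep = value_offset(line)
        if sep != -1 and line[sep + 1:] == old:
            line = line[:sep + 1] + new
        out.append(line)
    return "\r\n".join(out)

# Hypothetical nested-quantifier pattern (NOT the regex DavMail used): on a
# near-miss input the engine tries exponentially many ways to split the
# string, which is the ReDoS exposure a substring rewrite avoids.
PATHOLOGICAL = re.compile(r"^(\w+\s?)*$")

def backtracking_seconds(n: int) -> float:
    """Time PATHOLOGICAL against n word characters followed by '!'."""
    start = time.perf_counter()
    PATHOLOGICAL.match("a" * n + "!")
    return time.perf_counter() - start

if __name__ == "__main__":
    print(replace_principal(ICAL, "mailto:bob@example.com", "mailto:carol@example.com"))
    for n in (12, 16, 20):
        print(f"n={n}: {backtracking_seconds(n):.3f}s")  # roughly doubles per extra char
```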
Microsoft’s OAuth redirect broke authentication
Microsoft changed the behavior of the OIDC redirect endpoint used for native client authentication, which now redirects to /common/wrongplace. DavMail 6.6.0 updates the default redirect URI to https://localhost/common/oauth2/nativeclient to restore the authentication flow. The release also merges a community pull request adding device code authenticator support for O365 and moves OAuth scope handling into Settings.getOauthScope().
Protocol fixes across IMAP and SMTP
Two IMAP RFC 3501 compliance bugs were resolved: one affecting complex search queries using a NOT condition, another ensuring envelope header values are always encoded to maintain compatibility with certain mail clients. On the SMTP side, DavMail now allows sending multiple messages sharing the same message ID when addressed to different recipient lists, and the smtpAllowDuplicateSend flag logic was revised.
CalDAV, CardDAV, and configuration changes
CardDAV adds support for the VCARD4 birthday format yyyyMMdd and switches contact photo encoding to the RFC 2397 data URL format. CalDAV's getCalendarEmail method now resolves shared calendar addresses from the calendar mailbox rather than from the connected user's email.
The default configuration file location is now XDG Base Directory Specification compliant. Users on Linux should verify their config paths after upgrading.
Linux packaging and platform updates
The Debian package now enables JDK 21 and moves the SWT dependency from Suggests to Depends. SWT was updated to version 4.37 for Windows packages. A new davmail swt command retrieves the latest SWT jar in the platform-independent package, and a davmail.enableTray setting controls tray icon behavior, with the tray disabled by default on Linux. The -notray and -tray command-line flags override that setting.
Graph backend work continues
The largest volume of commits covers the Microsoft Graph API backend, which DavMail is building as a longer-term replacement for its Exchange Web Services layer. Work in this release spans LDAP search, contact sync, CalDAV event handling, recurrence management, and people search via the /search/query endpoint. The backend is not production ready and requires further development before deployment.