Introduction to the Modern Email DevRoom
There are almost half a dozen new open-source webmail systems that you can host yourself now, after a decade of little development. One of them is so good that after testing it for my work, I've grown to use it almost every day privately. Several of their developers attend FOSDEM this year and may talk about their software in depth; this talk covers them as a group. It's mostly for an audience that (may) want to self-host (again).
What sets the new webmail systems apart from the old ones, how do they compare to Google's and Microsoft's polished offerings, how do they compare to each other? I'll talk about all of that, and since I am a standards wonk there is a risk that I may digress into how well or badly they use the standards.
OpenCloud is a production-ready Open Source "Drive" solution for storing and sharing files, and we are adding a Groupware stack to all that.
We'd like to present our concept (especially regarding the integration of the other services in our stack, namely OpenCloud Drive and OpenTalk) as well as what we have so far in terms of our implementation, which extensively uses JMAP in its middleware, in combination with a Stalwart backend that does a lot of the heavy lifting.
The whole stack is Open Source, implemented in Go and TypeScript.
Parula: Updates on the progress
A fast-forward dialog about the state of email and security.
In our talk we will point out real examples and funny stories as well as some interesting tools and how to combine them into a holistic mail security concept.
We will cover famous things like the need for unencrypted POP3, FOM~~O~~E - the fear of missing email, the postmaster's nightmare with DMARC, DKIM, SPF in between security and comfort focused users, ARC - the layered chain of postmasters of trust - and many more. Yes, something with AI.
It's not as bad as it maybe sounds.
Additionally we will talk about the perfect Ratatouille for mail infrastructures - covering various established and exciting new flavors and spices. In other words, how to tie up open source components for a perfect mail security infrastructure.
Even Signal took years to get it right, and Matrix is not quite there yet: Implementing a multi-device chat system that supports not only reliable encryption, but also reliable deletion of messages also known as "Forward Secrecy".
In this talk we'll present a new "Autocrypt 2 certificate" specification draft that originated from the chatmail community and its supporters. The draft is built upon the modern RFC9850 OpenPGP standard and aims to support encryption that is safe against attackers that collect all in-transit traffic and then
* try to use a prospective future quantum computer to decrypt all collected messages, or
* try to recover deleted messages after they get hold of a device/private key.
The draft Autocrypt 2 certificate specification is designed to be usable by any Internet Messaging system and is intended for submission to the IETF in early 2026.
This talk covers Rspamd development from March to December 2025, focusing on four major areas. First, HTML fuzzy hashing - a new algorithm that generates structural fingerprints from DOM trees, enabling detection of phishing emails that reuse legitimate templates with modified links. Second, multi-class Bayesian classification that extends the traditional spam/ham model to support up to 20 categories (newsletters, transactional mail, promotions) with single-call Redis lookups. Third, protocol improvements including TCP transport for fuzzy queries and encrypted ZIP archive handling via libarchive. Fourth, neural network refactoring into a provider-based architecture for combining multiple feature sources. We'll also discuss practical experience using LLM tools for code generation, documentation, and PR review during this development cycle - what worked, what didn't, and where human judgment remains essential.
Cascading Style Sheets (CSS) enable visual customization of HTML emails. However, this flexibility comes at a cost: in this talk, we reveal how CSS creates serious privacy and security vulnerabilities. We demonstrate that CSS facilitates fingerprinting and tracking in HTML emails, even undermining the privacy protections offered by email clients that use proxy services to access remote resources. These tracking capabilities enable targeted phishing and spam campaigns.
More critically, we present a novel scriptless attack that exploits container queries, lazy-loading fonts, and adaptive ligatures to exfiltrate arbitrary plaintext from PGP-encrypted emails. The attack targets mixed-context scenarios—cases where email clients render both trusted (encrypted) and untrusted (attacker-controlled) HTML content within the same message view. We successfully demonstrate end-to-end exfiltration of PGP-encrypted text from Thunderbird, along with two other major email clients that permit such content mixing.
These findings expose fundamental gaps in current isolation mechanisms, demonstrating that post-Efail mitigations remain insufficient against CSS-based attacks.
Email service is at the core of a collaborative suite. And, good news, FOSS solutions for all collaborative uses have an unprecedented maturity. But Europe still faces a critical dependence on Office 365, with strategic and financial costs that are now undeniable.
The challenge is no longer functional: FOSS solutions suffer from an architectural limitation, in that a simple SSO does not create a platform. To offer a true Smart Platform Experience around the mail, we must go beyond siloed solutions and build deep, consistent, cross-functional integration between independent services.
Based on the integration of DINUM's LaSuite into Twake.AI, we will analyze what is missing to offer a “Smart Platform Experience”: a standardized cross-functional layer that brings together independent services.
Samuel Paccoud, director of lasuite.numerique.gouv.fr, will comment on this integration and the perspectives he identifies.
We will see how such a standard can enable a modular ecosystem, where each application remains independent but can interoperate deeply, forming a credible and sustainable sovereign workplace. This is the mission of the Open Buro consortium: to create an open foundation where architecture becomes a political act.
Messages is a project from ANCT, a French government agency that aims to bring secure and modern tools to small rural towns.
In this talk we'll introduce the MIT-licensed project and explain how the specific requirements of public servant inboxes led to a unique design, breaking free from legacy protocols like IMAP.
Ever wondered how Gmail, Yahoo, and Apple iCloud manage to host hundreds of millions of email accounts reliably? How do they store petabytes of messages, survive hardware failures without losing data, and keep spam at bay across billions of daily deliveries?
This talk explores how to design and operate a large-scale email system using Stalwart, an open-source mail server built from the ground up for distributed deployments. Using a 1,024-node cluster as a concrete example, we will examine the architectural patterns that make planet-scale email possible, and how similar approaches are used by providers such as Apple iCloud.
The session covers the full stack of distributed email challenges: storing and indexing messages across a cluster, running spam and phishing filtering at scale without becoming a bottleneck, managing distributed MTA queues for reliable delivery, and load balancing IMAP, JMAP, and SMTP traffic across nodes. We will also look at how Stalwart handles cluster coordination, orchestration, and autoscaling, how to reason about failure scenarios before they occur, and how to adapt a deployment to fluctuating load in dynamic environments.
Attendees will leave with a practical understanding of how modern distributed email systems are built and operated, and how to apply these principles using open-source technology.
Traditional email servers were designed for a different era. They work great for small deployments but struggle at scale: Maildir breaks at 100k+ users, configuration changes require service reloads, and a single blacklisted IP blocks everyone on the server.
WildDuck takes a different approach. Built on MongoDB and Node.js, it treats email as a modern distributed systems problem. This talk explores the architectural decisions behind WildDuck and the lessons learned running it in production with 100,000+ accounts.
Dovecot 2.4 removed one of the mail server's most outstanding features: being able to replicate between two servers, even in an active-active scenario if desired. The actual sync code stays in place, but the replication orchestrator was removed.
On the other hand, the same release introduces improvements to two APIs: the event API now allows reacting to pretty much anything happening in Dovecot using an HTTP server, while the doveadm HTTP API allows triggering synchronization with another server.
We'll have a look at Dovecot 2.3's implementation of replication, check out alternative solutions to replication, and finally look into a Golang-based solution that does not require forking the mail server codebase.
The talk presents a mail migration project at the University of Bonn where more than 60 000 mail accounts have been migrated from a monolithic proprietary mail system to a modular FOSS-based solution. The components used for the new setup include, amongst others:
* Postfix
* Dovecot
* Rspamd
* SOGo
* OpenLDAP
* MariaDB Galera
* KeyDB
* keepalived
* memcached
The presentation provides an insight into the motivation, planning, chosen migration approach, overcome difficulties and first operational experience with the new system. Finally an outlook is given on upcoming planned developments.
Gatling is a framework for performance testing and Apache James contributors had been providing a DSL (Domain Specific Language) for easily writing IMAP performance tests. We also wrote JMAP benchmarks using Gatling.
This talk will cover the inner workings of Gatling, the architecture of the IMAP DSL, key contributions to Yahoo's imapnio library, the toolbox for performance testing Apache James (including provisioning data), and present related results.
We will also present how it completes other performance-related tools of the Apache James ecosystem: Grafana metrics, async-profiler flame graphs (and the contributions to the FOSS ecosystem it led to!), JMH (Java Micro-benchmark Harness) tests for MIME4J...