chore(deps): update stalwartlabs/stalwart docker tag to v0.16.6

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
stalwartlabs/stalwart	Kustomization	patch	v0.16.4 → v0.16.6

---

Release Notes

stalwartlabs/stalwart (stalwartlabs/stalwart)

v0.16.6

Compare Source

[0.16.6] - 2026-05-20

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• Added 58 new DNS provider integrations (see dns-update crate for details).
• DNS updater: Log DNS record types and values.
• Sieve: Allow User Sieve scripts to access orcpt.
• MTA: Log when messages are rejected or discarded by the spam classifier.

Changed

• Bump JMAP File Storage to draft-ietf-jmap-filenode-14.
• Accept password hashes with $ or { prefixes as secure secrets.

Fixed

• DAV: acl-principal-prop-set REPORT enforced the wrong privilege.
• JMAP: Thread/get did not filter by per-mailbox ACLs on shared accounts.
• IMAP: UID FETCH N:* could miss messages moved into a SELECTed mailbox by another connection.
• DNS updater:
  • Skip v=spf1 a -all records for apex domains.
  • RFC2136 TSIG: regression related to multiplexer.
  • Route53: Chunk TXT records when they exceed 255 characters.
• ACME:
  • Update defaultCertificateId when renewing a certificate that is currently set as default.
  • Perform DNS-01 authorizations sequentially to avoid race conditions in some DNS providers.
• Allow internal TLDs and special characters in e-mail addresses.
• Websocket: Perform case insensitive matching during upgrade.
• LDAP: Synchronize accounts when expanding mailing list recipients.
• Sieve: replace action adds an extra From header.
• ACL: Orphaned ACL entries for deleted accounts cause JMAP session errors.

---

Check binary attestation here

v0.16.5

Compare Source

[0.16.5] - 2026-05-11

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• is_ip_in_cidr expression function for CIDR matching.

Changed

• Bump mail-auth to 0.9 (which bumps hickory-resolver to 0.26).
• Deprecated RFC2136 SIG(0) support as it is no longer supported by hickory.

Fixed

• JMAP:
  • Patching ids containing digits in JSON Pointers fails.
  • Patching nested objects with null values fails.
• External directories:
  • SQL: Return Failed instead of Error when the query returns no results.
  • LDAP: Impersonation fails when the user has not logged in before.
• Network: Attempt binding to IPv4 when binding to IPv6 fails with EAFNOSUPPORT error.
• Bootstrap: Timeout after 30 seconds when probing the data store.
• HTTP: Use permissive CORS headers for .well-known endpoints.
• ACME:
  • Include apex domains when requesting certificates for subdomains.
  • Use the public suffix list to determine the zone name when no origin is provided.
• MTA:
  • Allow rescheduling recipients with permanent failures.
  • Process reports using original RCPT before rewriting.
• Autodiscover v2 endpoint unreachable.
• DNS update (via dns-update crate):
  • OVH + Google Cloud DNS: Fix FQDN handling for MX and SRV records.
  • Route53: Fix changeset error resolution.
  • deSEC: Use empty subname for apex records instead of @, which the API rejects.
  • Cloudflare: Wrap TXT record content in double quotes (RFC 1035) to suppress dashboard warnings.
• iCalendar/JSCalendar (via calcard crate):
  • Support STATUS:CANCELLED mapping from VTODO to JSCalendar.
  • Fixed duration parsing for zero duration PT0S.

---

Check binary attestation here

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[goingdark-sync]

Kubechecks Report

ArgoCD Application Checks: platform-mail ❗

running pre-upgrade check Error ❗

⚠️ Error while running pre-upgrade check ⚠️

Invalid Semantic Version

Check kubechecks application logs for more information.

---

generating diff for app

⚠️ Error while generating diff for app ⚠️

Object 'Kind' is missing in '{}'

Check kubechecks application logs for more information.

---

Show kubeconform report: Failed 🔴

Validated against Kubernetes Version: v1.33.10.0

• 🔴 Error: v1 ConfigMap stalwart-config-ffttgb55th - could not find schema for ConfigMap
• 🔴 Error: v1 Service staliaswarden - could not find schema for Service
• 🔴 Error: v1 Service stalwart - could not find schema for Service
• 🔴 Error: v1 Service stalwart-headless - could not find schema for Service
• 🔴 Error: v1 Service stalwart-mail - could not find schema for Service
• 🔴 Error: v1 Service stalwart-nats - could not find schema for Service
• 🔴 Error: scheduling.k8s.io/v1 PriorityClass mail-critical - could not find schema for PriorityClass
• 🔴 Error: apps/v1 Deployment staliaswarden - could not find schema for Deployment
• 🔴 Error: apps/v1 Deployment stalwart-nats - could not find schema for Deployment
• 🔴 Error: apps/v1 StatefulSet stalwart - could not find schema for StatefulSet
• ✅ Passed: barmancloud.cnpg.io/v1 ObjectStore stalwart-cnpg-backup
• ✅ Passed: cert-manager.io/v1 Certificate stalwart-goingdark-tls
• ✅ Passed: cert-manager.io/v1 Certificate stalwart-tls
• ✅ Passed: cilium.io/v2 CiliumNetworkPolicy stalwart-ingress
• ✅ Passed: external-secrets.io/v1 ExternalSecret stalwart-blob-s3
• ✅ Passed: external-secrets.io/v1 ExternalSecret stalwart-cnpg-s3
• ✅ Passed: external-secrets.io/v1 ExternalSecret stalwart-secret
• ✅ Passed: gateway.networking.k8s.io/v1 HTTPRoute staliaswarden-route
• ✅ Passed: gateway.networking.k8s.io/v1 HTTPRoute stalwart-admin
• ✅ Passed: gateway.networking.k8s.io/v1 HTTPRoute stalwart-autodiscover
• ✅ Passed: monitoring.coreos.com/v1 PodMonitor stalwart-postgresql
• ✅ Passed: postgresql.cnpg.io/v1 Cluster stalwart-postgresql

Done. CommitSHA: c9d15a6

[goingdark-sync]

Kubechecks Report

ArgoCD Application Checks: platform-mail ❗

running pre-upgrade check Error ❗

⚠️ Error while running pre-upgrade check ⚠️

Invalid Semantic Version

Check kubechecks application logs for more information.

---

generating diff for app

⚠️ Error while generating diff for app ⚠️

Object 'Kind' is missing in '{}'

Check kubechecks application logs for more information.

---

Show kubeconform report: Failed 🔴

Validated against Kubernetes Version: v1.33.10.0

• 🔴 Error: v1 ConfigMap stalwart-config-ffttgb55th - could not find schema for ConfigMap
• 🔴 Error: v1 Service staliaswarden - could not find schema for Service
• 🔴 Error: v1 Service stalwart - could not find schema for Service
• 🔴 Error: v1 Service stalwart-headless - could not find schema for Service
• 🔴 Error: v1 Service stalwart-mail - could not find schema for Service
• 🔴 Error: v1 Service stalwart-nats - could not find schema for Service
• 🔴 Error: scheduling.k8s.io/v1 PriorityClass mail-critical - could not find schema for PriorityClass
• 🔴 Error: apps/v1 Deployment staliaswarden - could not find schema for Deployment
• 🔴 Error: apps/v1 Deployment stalwart-nats - could not find schema for Deployment
• 🔴 Error: apps/v1 StatefulSet stalwart - could not find schema for StatefulSet
• ✅ Passed: barmancloud.cnpg.io/v1 ObjectStore stalwart-cnpg-backup
• ✅ Passed: cert-manager.io/v1 Certificate stalwart-goingdark-tls
• ✅ Passed: cert-manager.io/v1 Certificate stalwart-tls
• ✅ Passed: cilium.io/v2 CiliumNetworkPolicy stalwart-ingress
• ✅ Passed: external-secrets.io/v1 ExternalSecret stalwart-blob-s3
• ✅ Passed: external-secrets.io/v1 ExternalSecret stalwart-cnpg-s3
• ✅ Passed: external-secrets.io/v1 ExternalSecret stalwart-secret
• ✅ Passed: gateway.networking.k8s.io/v1 HTTPRoute staliaswarden-route
• ✅ Passed: gateway.networking.k8s.io/v1 HTTPRoute stalwart-admin
• ✅ Passed: gateway.networking.k8s.io/v1 HTTPRoute stalwart-autodiscover
• ✅ Passed: monitoring.coreos.com/v1 PodMonitor stalwart-postgresql
• ✅ Passed: postgresql.cnpg.io/v1 Cluster stalwart-postgresql

Done. CommitSHA: c9d15a6

[goingdark-sync]

Kubechecks Report

ArgoCD Application Checks: platform-mail ❗

running pre-upgrade check Error ❗

⚠️ Error while running pre-upgrade check ⚠️

Invalid Semantic Version

Check kubechecks application logs for more information.

---

generating diff for app

⚠️ Error while generating diff for app ⚠️

Object 'Kind' is missing in '{}'

Check kubechecks application logs for more information.

---

Show kubeconform report: Failed 🔴

Validated against Kubernetes Version: v1.33.10.0

• 🔴 Error: v1 ConfigMap stalwart-config-ffttgb55th - could not find schema for ConfigMap
• 🔴 Error: v1 Service staliaswarden - could not find schema for Service
• 🔴 Error: v1 Service stalwart - could not find schema for Service
• 🔴 Error: v1 Service stalwart-headless - could not find schema for Service
• 🔴 Error: v1 Service stalwart-mail - could not find schema for Service
• 🔴 Error: v1 Service stalwart-nats - could not find schema for Service
• 🔴 Error: scheduling.k8s.io/v1 PriorityClass mail-critical - could not find schema for PriorityClass
• 🔴 Error: apps/v1 Deployment staliaswarden - could not find schema for Deployment
• 🔴 Error: apps/v1 Deployment stalwart-nats - could not find schema for Deployment
• 🔴 Error: apps/v1 StatefulSet stalwart - could not find schema for StatefulSet
• ✅ Passed: barmancloud.cnpg.io/v1 ObjectStore stalwart-cnpg-backup
• ✅ Passed: cert-manager.io/v1 Certificate stalwart-goingdark-tls
• ✅ Passed: cert-manager.io/v1 Certificate stalwart-tls
• ✅ Passed: cilium.io/v2 CiliumNetworkPolicy stalwart-ingress
• ✅ Passed: external-secrets.io/v1 ExternalSecret stalwart-blob-s3
• ✅ Passed: external-secrets.io/v1 ExternalSecret stalwart-cnpg-s3
• ✅ Passed: external-secrets.io/v1 ExternalSecret stalwart-secret
• ✅ Passed: gateway.networking.k8s.io/v1 HTTPRoute staliaswarden-route
• ✅ Passed: gateway.networking.k8s.io/v1 HTTPRoute stalwart-admin
• ✅ Passed: gateway.networking.k8s.io/v1 HTTPRoute stalwart-autodiscover
• ✅ Passed: monitoring.coreos.com/v1 PodMonitor stalwart-postgresql
• ✅ Passed: postgresql.cnpg.io/v1 Cluster stalwart-postgresql

Done. CommitSHA: c9d15a6

[goingdark-sync]

Kubechecks Report

ArgoCD Application Checks: platform-mail ❗

running pre-upgrade check Error ❗

⚠️ Error while running pre-upgrade check ⚠️

Invalid Semantic Version

Check kubechecks application logs for more information.

---

generating diff for app

⚠️ Error while generating diff for app ⚠️

Object 'Kind' is missing in '{}'

Check kubechecks application logs for more information.

---

Show kubeconform report: Failed 🔴

Validated against Kubernetes Version: v1.33.10.0

• 🔴 Error: v1 ConfigMap stalwart-config-ffttgb55th - could not find schema for ConfigMap
• 🔴 Error: v1 Service staliaswarden - could not find schema for Service
• 🔴 Error: v1 Service stalwart - could not find schema for Service
• 🔴 Error: v1 Service stalwart-headless - could not find schema for Service
• 🔴 Error: v1 Service stalwart-mail - could not find schema for Service
• 🔴 Error: v1 Service stalwart-nats - could not find schema for Service
• 🔴 Error: scheduling.k8s.io/v1 PriorityClass mail-critical - could not find schema for PriorityClass
• 🔴 Error: apps/v1 Deployment staliaswarden - could not find schema for Deployment
• 🔴 Error: apps/v1 Deployment stalwart-nats - could not find schema for Deployment
• 🔴 Error: apps/v1 StatefulSet stalwart - could not find schema for StatefulSet
• ✅ Passed: barmancloud.cnpg.io/v1 ObjectStore stalwart-cnpg-backup
• ✅ Passed: cert-manager.io/v1 Certificate stalwart-goingdark-tls
• ✅ Passed: cert-manager.io/v1 Certificate stalwart-tls
• ✅ Passed: cilium.io/v2 CiliumNetworkPolicy stalwart-ingress
• ✅ Passed: external-secrets.io/v1 ExternalSecret stalwart-blob-s3
• ✅ Passed: external-secrets.io/v1 ExternalSecret stalwart-cnpg-s3
• ✅ Passed: external-secrets.io/v1 ExternalSecret stalwart-secret
• ✅ Passed: gateway.networking.k8s.io/v1 HTTPRoute staliaswarden-route
• ✅ Passed: gateway.networking.k8s.io/v1 HTTPRoute stalwart-admin
• ✅ Passed: gateway.networking.k8s.io/v1 HTTPRoute stalwart-autodiscover
• ✅ Passed: monitoring.coreos.com/v1 PodMonitor stalwart-postgresql
• ✅ Passed: postgresql.cnpg.io/v1 Cluster stalwart-postgresql

Done. CommitSHA: c9d15a6