Mailcow has released its October 2025 update — Mooctober 2025 — with two changes that matter to anyone running their own mail stack: an upgrade to Rspamd 3.13.2 and a Redis security update. It continues the project’s steady maintenance cadence this year, focused on stability and dependency hygiene, after earlier milestones around authentication, filtering and full-text search.
What “mailcow: dockerized” is (and isn’t)
For newcomers, mailcow: dockerized is a self-hosted mail server suite packaged as a set of Docker containers. It isn’t a monolithic black box; it’s an orchestrated bundle of well-known services glued together with a web admin UI and sensible defaults:
- Postfix as the MTA (sending/receiving mail).
- Dovecot for IMAP/POP3 mailbox access.
- Rspamd as the high-performance antispam engine.
- SOGo for webmail and groupware features.
- Nginx as the reverse proxy and TLS terminator.
- MariaDB and Redis as datastore and cache/queues.
- Built-in support for MTA-STS, optional LDAP/OIDC auth, metrics exporters, and an admin panel to manage domains, users and policies.
The value proposition is simple: familiar components, wired for production, with coordinated updates and a manageable control plane. Because everything runs in containers, it’s straightforward to migrate, snapshot/restore, and test changes in parallel before touching production.
What’s in Mooctober 2025
Rspamd 3.13.2
This is a point release within the 3.13 line that rolls up fixes and tuning. In practice, admins should see more predictable classification and fewer edge cases, which often means fewer false positives/negatives and less custom rule-tweaking in busy domains or in environments with strict DMARC/ARC policies.
Redis security update
The release refreshes the Redis image to address a recently disclosed issue. In a typical mailcow deployment, Redis is local-only and authenticated, which limits exposure; even so, the project ships the updated image to remove residual risk and keep the stack aligned with upstream patches. If you’ve customized networking or credentials, it’s worth a quick post-update audit.
Recent context worth noting
Over the past months mailcow added MTA-STS management in the UI, moved SOGo forward to the 5.12.x series and shipped various Nginx/IPv6 and helper improvements — plus a major change to full-text search earlier this year. If you’re several releases behind, plan a chained upgrade and skim the prior notes before you proceed.
Why this release matters to operators
- Spam filtering stability: 3.13.2 consolidates fixes that reduce the need for hand-crafted rules and ad-hoc scores.
- Tidy security posture: even with Redis locked down locally, taking the patched image now avoids audit pain later and keeps baseline images clean.
- Predictable maintenance: the project’s pace favors short windows and a straightforward rollback path if a local customization misbehaves.
An upgrade playbook you can run this week
- Schedule a short window
Notify support/helpdesk, and keep an eye on Postfix queues, Rspamd metrics and container health during and after the update. - Snapshot and back up
If you’re on a VM, take a snapshot. Back up the critical Docker volumes (mail data, MariaDB, Redis, configuration). - Use the official update script
From mailcow’s project root, run the providedupdate.shso image tags and the compose stack stay consistent. This also preserves the ability to revert if needed. - Post-update checks
- Confirm Rspamd’s version and basic responsiveness via
rspamc. - Verify Redis is running the new image and that dependent services authenticate cleanly.
- Watch postscreen/greylisting and spam/ham curves for a few hours; adjust if you see unexpected shifts.
- If you skipped recent months
After the restart, validate MTA-STS, SOGo 5.12.x and any IPv6 specifics, especially if you run custom reverse proxies or non-default Nginx rules.
Good hygiene after you update
- Policy & reputation: a quick pass over SPF/DMARC/DKIM never hurts, particularly if you tuned things around previous Rspamd behavior.
- Rules & scores: document local scores, compare with 3.13.2’s behavior, and consider simplifying where upstream now does the job.
- TLS and ciphers: if you touched Nginx recently, keep cipher suites and curves current to avoid noisy client warnings.
- Alerts & metrics: ensure your Prometheus exporter (and any security token it uses) continues to report after pulling new images.
Why mailcow keeps winning converts in 2025
- Transparent components: admins know exactly what’s running and can audit each service.
- Learnable, not opaque: the UI helps, but doesn’t hide the essentials; when needed, you can drop to files and shell.
- Docker keeps ops sane: isolation reduces friction with the base OS and makes migrations and rehearsals less risky.
- Community & cadence: frequent, modest updates avoid backlog and reduce the chance of “big-bang” upgrade weekends.
Frequently asked questions
Is Mooctober 2025 urgent if everything looks fine?
It’s strongly recommended. The Redis refresh tightens security even in local-only setups, and Rspamd 3.13.2 brings stability you’ll notice over the next few weeks of mail flow.
Will this break my custom Rspamd rules or scores?
It shouldn’t. Still, keep an eye on metrics and false positive/negative rates for 24–48 hours. Many sites use these rollups to retire old local tweaks that upstream now covers.
We run with heavy customizations (proxies, bespoke templates, complex networks). Any caveats?
Stage the update in a test environment if possible, and review this year’s helper changes (compose project names, override handling, IPv6 toggles). The goal is to align your local glue with the current release.
Is mailcow a closed appliance or can we swap pieces?
It’s not a sealed appliance. It’s a curated set of standard services in containers. You can customize and audit every component — a key reason teams pick it when they need control without building from scratch.
Bottom line: Mooctober 2025 is a maintenance step that adds security (Redis refresh) and stability (Rspamd 3.13.2). For teams running their own mail, it’s the kind of update that saves time later: fewer surprises, less tuning, and a steadier baseline.
