Rspamd 3.14.3

Main features:
* Task registry for safe Lua task reference validation
* PDF text extraction with UTF-16 detection and quality analysis
* Extra tables API for clickhouse plugin
* WebUI backend API interaction error log

Critical fixes:
* Neural: by default include symbols with no flags
* Symcache: make FINE propagation deterministic
* URL: Prevent false positives in mailto URLs
* Prevent use-after-free in Redis callbacks

Rspamd 3.14.2

Features:
- DMARC: Add --recheck-rua option for RUA filtering at send time
- Metadata exporter: Add multipart and msgpack formatters
- Milter headers: Add remove_ar_from option for selective A-R removal

Fixes:
- Security: Backport security fixes from libucl 0.9.3
- HTTP: Handle early server responses during request write
- MIME: Prevent splitting UTF-8 sequences in header encoding
- URL: Normalize URLs with multiple slashes between host and path
- Aliases: Enable plugin by default to restore plus-addressing
- Multiple Lua 5.4 compatibility fixes
- Build: FreeBSD 15 inotify compatibility
- Build: Remove deprecated OpenSSL engine.h include
- Various plugin fixes (DCC, Neural, Reputation, Milter headers)

Release 3.14.1

* [Feature] Composites: Add inverted index for fast composite rule evaluation
* [Feature] Composites: Add bloom filter for fast negative symbol lookups
* [Feature] Composites: Add statistics tracking and control protocol command
* [Feature] Composites: Precompute atom types at config time
* [Feature] Multimap: Add combinator option for selector rules
* [Feature] SPF: Add rspamadm spf_flatten tool with macro preservation
* [Feature] URL: Add deep processing architecture with C-to-Lua filter consultation
* [Feature] URL: Add obfuscated URL detection to url_suspect plugin
* [Feature] URL: Add rspamd_util.decode_html_entities for HTML entity decoding
* [Feature] lua_shape: Add new validation library as tableshape replacement
* [Feature] lua_shape: Add T.callable() type for function validation
* [Feature] lua_shape: Add callable defaults support
* [Feature] Whitelist: Auto-mark symbols with SYMBOL_TYPE_FINE flag
* [Fix] url_suspect: Fix plugin causing massive false positives
* [Fix] url_suspect: Optimize for high URL volume messages
* [Fix] Network: Prevent infinite loop in split_networks_into_chunks()
* [Fix] Memory: Fix leak in custom tokenizer result handling
* [Fix] Composites: Fix group matchers handling in inverted index
* [Fix] Composites: Improve atom polarity detection in inverted index
* [Fix] Composites: Copy expression string to memory pool for Lua composites
* [Fix] lua_shape: Fix transform logic and tableshape compatibility
* [Fix] lua_shape: Fix registry to recursively resolve nested schemas
* [Fix] lua_shape: Improve error safety
* [Fix] Settings: Keep groups_*/symbols_* fields for runtime processing
* [Fix] URL: Encode redirect URLs to handle unencoded spaces and special characters
* [Fix] external_relay: Fix mixins and confighelp
* [Fix] RBL: Fix plugin transform schemas
* [WebUI] Update D3 libs with bug fixes and validation
* [WebUI] Restore hover colors for symbols
* [WebUI] Fix hover behavior outside status tables
* [Minor] Whitelist: Use contemporary API for maps
* [Minor] Migrate all plugins and libraries from tableshape to lua_shape
* [Minor] Simplify configuration by removing use_*_map flags
* [Minor] Add plugins registry with reworked mixins
* [Test] Add comprehensive tests for URL deep processing
* [Test] Isolate url_suspect tests with symbols_enabled

Release 3.14.0

* [Feature] Fuzzy check: Add HTML fuzzy hashing for structural similarity matching
* [Feature] Fuzzy check: Add per-rule text_hashes toggle for HTML-only fuzzy rules
* [Feature] Fuzzy check: Add structured checks configuration with backward compatibility
* [Feature] Fuzzy storage: Implement full TCP protocol support with auto-switch
* [Feature] Fuzzy check: Add TCP connection management and error handling
* [Feature] URL: Add task:get_cta_urls() API for proper CTA domain extraction
* [Feature] URL: Move CTA processing into dedicated module
* [Feature] URL: Add url:get_hash() method for efficient deduplication without string conversion
* [Feature] GPT: Add web search context support with Redis caching
* [Feature] HTML: Add infrastructure for async URL rewriting with Lua bindings
* [Feature] HTML: Add task:rewrite_html_urls() and task:get_html_urls() Lua API
* [Feature] WebUI: Implement dark mode with theme toggle and auto detection
* [Feature] Aliases: Add advanced resolution with loop detection for converging paths
* [Feature] Milter: Add ESMTP argument parsing with Lua API access
* [Feature] Milter: Add per-recipient ESMTP args parsing and metadata access
* [Feature] Milter: Support array of positions for remove_headers operations
* [Feature] Proxy: Add client IP preservation in message headers through chain
* [Feature] Rspamc: Add milter.add_headers object format support to --mime
* [Feature] Configwizard: Add Postfix integration wizard using postconf utility
* [Feature] Build: Add comprehensive BSD workflows (FreeBSD, NetBSD, OpenBSD) with Lua version selection
* [Feature] Build: Add automated code review GitHub Actions workflow with Rspamd-specific guidelines
* [Feature] Build: Add Docker-based integration test suite with ASAN and real corpus
* [Feature] Build: Add automatic public suffix list synchronization
* [Feature] Multimap: Add support for symbols with leading numerals
* [Feature] DMARC: Add Auto-Reply-To and Precedence headers to prevent out-of-office replies
* [Feature] Platform: Add NetBSD memory usage tracking support
* [Feature] Utilities: Add fuzzy Redis migration utility
* [Feature] Bayes: Allow skipping local/authenticated mail in autolearn condition
* [Feature] ARC: Add DKIM signing key API for flexible ARC signing
* [Feature] Logger: Add type specifiers support for better formatting
* [Feature] Heap: Add rspamd_heap_push_slot to eliminate double allocation
* [Fix] DNS: Preserve req->pos during reply validation to prevent packet truncation on UDP-to-TCP retransmits
* [Fix] DNS: Regenerate transaction ID before copying to TCP buffer to avoid collisions
* [Fix] DNS: Fix nameserver round-robin when using /etc/resolv.conf
* [Fix] DNS: Fix TCP uninitialized memory leak
* [Fix] DMARC: Add batching and forced GC for Redis connections to prevent pool exhaustion
* [Fix] DMARC: Validate and normalize batch_size to prevent fractional indexing and loop errors
* [Fix] DMARC: Refactor reporting to use helper functions and async maps
* [Fix] Allocator: Fix jemalloc/system malloc mixing in getline() to prevent crashes
* [Fix] Allocator: Fix allocator mismatches in hiredis
* [Fix] Allocator: Fix allocator mismatches in libucl
* [Fix] Hyperscan: Use runtime version instead of compile-time for database validation
* [Fix] Hyperscan: Auto-recreate invalid unserialized cache files on version mismatch
* [Fix] Memory: Fix leaks in fuzzy storage khash tables
* [Fix] Memory: Fix leaks in upstream address parsing
* [Fix] Memory: Fix leaks in *-any address parsing
* [Fix] Memory: Fix OpenSSL providers cleanup
* [Fix] Memory: Fix UCL object memory leak in Lua integration
* [Fix] Memory: Fix stat metadata tokenization leak
* [Fix] Fuzzy TCP: Fix double-release in fuzzy_tcp_session
* [Fix] Fuzzy TCP: Fix refcount leak in destructor
* [Fix] Fuzzy TCP: Fix timeout handling and buffer overflow
* [Fix] Fuzzy TCP: Fix endianness mismatch in framing protocol
* [Fix] Fuzzy TCP: Fix race conditions and fd reuse bugs
* [Fix] Fuzzy TCP: Use pure ev_timer for session timeouts
* [Fix] Fuzzy TCP: Fix server replies and client event handling
* [Fix] Shutdown: Keep srv events active during shutdown to track auxiliary processes
* [Fix] ARC: Restore strict header ordering to comply with RFC 8617
* [Fix] ARC: Add ed25519 key support
* [Fix] Composites: Implement two-phase evaluation for postfilter dependencies
* [Fix] Composites: Use null-terminated string for symbol lookup
* [Fix] URL: Refactor extraction to prevent DoS with hash-based deduplication
* [Fix] URL: Add 50k URL limit with warning for DoS protection
* [Fix] URL: Skip HTML_DISPLAYED URLs in CTA detection
* [Fix] URL: Fix CTA priority preservation in extract_specific_urls
* [Fix] Bayes: Improve Redis server discovery
* [Fix] Bayes: Only bypass learn when header value matches
* [Fix] ESMTP: Robust per-recipient parsing in milter with safe cursor advance
* [Fix] ESMTP: Refcount ESMTP args in proxy_session_refresh to avoid use-after-free
* [Fix] ESMTP: Correct Lua stack cleanup in lua_task_get_rcpt_esmtp_args
* [Fix] HTML: Correct attribute value offset calculation for URL rewriting
* [Fix] HTML: Add HTML entity encoding for URL rewriting
* [Fix] HTML: Fix segfault due to incorrect HTML features access
* [Fix] HTML: Fix frequency-based ordering in domain hashing
* [Fix] HTML: Fix shingles hash generation bugs
* [Fix] HTML: Fix memory leaks in shingles generation
* [Fix] HTML: Fix memory management in html_cta.process_html_links
* [Fix] HTML: Fix CSS class normalization in fuzzy tokens
* [Fix] HTML: Fix cache key collision between text and HTML fuzzy hashes
* [Fix] OpenBSD: Fix kinfo_proc structure member names
* [Fix] OpenBSD: Disable Hyperscan (not available)
* [Fix] FreeBSD: Fix zstd package name
* [Fix] FreeBSD: Add IGNORE_OSVERSION for package version mismatches
* [Fix] NetBSD: Setup pkgin and PKG_PATH before installing packages
* [Fix] NetBSD: Fix missing dependencies and package names
* [Fix] BSD: Remove -j flag from ninja in all BSD workflows
* [Fix] Multimap: Handle symbols with leading numerals
* [Fix] Aliases: Prevent creation of malformed email addresses
* [Fix] Aliases: Fix alias loop detection for converging paths
* [Fix] Aliases: Fix is_local_domain to support backend objects
* [Fix] Aliases: Correct to_local when no recipients present
* [Fix] Aliases: Fix set_addr validation to prevent malformed addresses
* [Fix] MIME: Remove Authentication-Results and anonymize envelope-from in Received headers
* [Fix] Mempool: Prevent double-free in destructor cleanup
* [Fix] Rspamadm: Unbreak dnstool command
* [Fix] Integration tests: Fix ASAN configuration and startup diagnostics
* [Minor] Replace GHashTable with khash in fuzzy_check.c and lua_textpart_get_cta_urls
* [Minor] Update cache key prefix to match module name in llm_search_context
* [Minor] Fix llm_search_context to follow Rspamd idioms
* [Minor] Refactor llm_search_context to use lua_cache module
* [Minor] Address review comments in various modules
* [Minor] Fix droid usage
* [Minor] Use GPT-5 Codex for code reviews
* [Minor] Update libucl with automatic stack management
* [Rework] Prioritize CTA URLs in redirector and Lua helpers
* [Rework] RBL configuration: Add new from selectors, content_urls checks, and lower_utf8 for hashed domains
* [Rework] Make Bayes learn guards configurable
* [Rework] Refactor element visibility control to use Bootstrap classes
* [Rework] Use postconf utility for Postfix configuration in configwizard
* [Rework] Remove Lua-level HTTP header parsing in ESMTP args getters
* [Rework] Add CFG_REF_* macros with debug logging for config refcounting
* [Rework] Move OpenSSL providers from global to libs_ctx
* [Rework] Convert heap to fully intrusive kvec-based implementation
* [Rework] Add specialized pool types for long-lived and short-lived allocations
* [Rework] Improve memory pool destructors with smart preallocation based on pool type
* [Project] Restrict code review workflow to authorized maintainers
* [Project] Add Claude Code and Cursor AI assistant configuration
* [WebUI] Replace Glyphicons with FontAwesome SVG icons
* [WebUI] Update CodeJar to version 4.3.0
* [WebUI] Update Node.js and ESLint
* [WebUI] Update D3-based visualization libs
* [WebUI] Replace deprecated alert-error class with alert-danger
* [WebUI] Add search syntax hint to history table filter input
* [WebUI] Fix theme toggle default to auto
* [WebUI] Keep classifiers list when request is skipped
* [WebUI] Repopulate classifier dropdown
* [WebUI] Add comment for removeEventListener
* [WebUI] Fix icon rendering race condition in tab initialization
* [Test] Add comprehensive Lua unit tests for HTML URL rewriting
* [Test] Add unit tests for HTML URL rewriting patch engine
* [Test] Add functional tests for HTML fuzzy hashing
* [Test] Add ARC chain verification tests with multiple signatures
* [Test] Add e2e for classifier dropdown population
* [Test] Multimap symbol with leading numerals
* [Test] Sync public suffix list automatically
* [Test] Update JS linters
* [Test] Fix integration test environment variable passing
* [Test] Add detailed error output for integration test failures

Rspamd 3.13.2

Feature update with enhanced security and performance improvements.

Main features:
* Separate encryption keys for fuzzy check read/write operations
* ED25519 support for DKIM signing and verification
* HashiCorp Vault KV v2 support for DKIM key management
* MetaDefender Cloud integration for anti-malware scanning
* LLM-based classification with user/domain context support
* DMARC RUA address exclusion configuration

Critical fixes:
* DKIM relaxed bodyhash calculation compliance with RFC 6376
* HTTP map interval enforcement and overflow prevention
* Once received plugin duplicate symbol fix
* Redis Sentinel options propagation
* Multiple fuzzy check decryption and key handling fixes

This release introduces significant security enhancements, modern cryptographic support, improved infrastructure integration, and enhanced anti-malware capabilities.

Rspamd 3.13.1

This release introduces archive module extensibility with full encrypted archive support including AES, new map distribution capabilities, secure integration options with Redis TLS, robust email and message processing improvements, and bugfixes for broader platform compatibility.

Main features:
* Archive module: Full support for encrypted ZIP archives (ZipCrypto and AES)
* Encrypted maps for new distribution scenarios
* Redis TLS support for secure connections
* Major MIME encoding refactoring and UTF-8 improvements
* Learning system fixes and multiclass learning improvements

Critical fixes:
* Fixed bug when converting zero-length strings to numbers
* Fixed XML prolog detection in lua_magic module
* Fixed build issues on 32-bit platforms
* Improved compatibility with Lua versions above 5.1

This is recommended as a major stability and feature update.

[Minor] Fix naughty warning

Release 3.12.1

* [Feature] Add /bayes/classifiers HTTP endpoint
* [Feature] Further improvements in scheduling next checks
* [Fix] Another fix for maps concurrent load
* [Fix] Do not add log tag header in milter logic
* [Fix] Do not explicitly add Connection header if it's there
* [Fix] Fix proxy headers duplication
* [Fix] Fix several issues with the lua_logger
* [Fix] Make logger more graceful when dealing with format arguments
* [Fix] Try to avoid incomplete writes
* [Rework] Eliminate maps locking

Release 3.12.0

* [CritFix] In lua-ucl disable macros and file variables by default
* [Feature] Add keep-alive support
* [Feature] Add some convenience methods
* [Feature] Add support for separate read and write servers in fuzzy check
* [Feature] Allow CDB files as external maps
* [Feature] Allow to specify Redis version
* [Feature] Allow to specify extra headers in Rspamd proxy
* [Feature] Allow to specify log tag in proxy
* [Feature] Allow to specify max log tag length for all log messages
* [Feature] Allow to use HTTPS when connection to backends in proxy
* [Feature] Output content for all maps
* [Feature] Plugin to integrate with Contextal platform
* [Feature] Show all maps status
* [Fix] Add fail check for cfg transform for some corner cases
* [Fix] Add header with reason everytime (not only for ham) and use correct value for header
* [Fix] Add null check for master_conn->up in proxy backend error handler
* [Fix] Allow 'Hash' in Access-Control-Allow-Headers
* [Fix] Arc: Use tonumber when comparing
* [Fix] As we have replxx library, always use it
* [Fix] Backport some issues from libucl
* [Fix] Filter invalid domains in fuzzy extra data
* [Fix] Fix maps ids
* [Fix] Fix race condition in maps loading by unlocking backend on switch
* [Fix] Fix static maps description passing
* [Fix] Fix variable propagation (no functional change)
* [Fix] Fix various issues
* [Fix] Greylist: Improve body hash calculations
* [Fix] Known senders: More recipients test logic
* [Fix] Known senders: Use the same logic as in the replies module
* [Fix] Prevent crashes when accessing upstream address in self-scan mode
* [Fix] Really fix local objects filtering, sigh...
* [Fix] Update default URL for openphish
* [Fix] Use bundled libfmt everywhere
* [Fix] Use safe parsers everywhere except configuration
* [Fix] correct logic error in milter_headers.lua: skip_wanted()
* [Fix] initialize ollama result table
* [Fix] libmime: declare comparators const for doctest 2.4.12 compatibility
* [Project] Modernize cmake
* [Project] Rework OSDep
* [Rework] Replies: consider all recipients and use smtp ones
* [Rework] Store shared maps data separately
* [Rework] Use locks/loaded per backend for all maps

Release 3.11.1

* [Feature] Add 'noop' redis backend for scripts running
* [Feature] Add Redis caching framework
* [Feature] Add UTF8 `sub` and `len` variants for rspamd_text
* [Feature] Allow adding timers to task (respecting symbols)
* [Feature] Allow additional categories to be defined in GPT
* [Feature] Allow fine-grained control on keys permissions
* [Feature] Allow individual `read_only` flag per key
* [Feature] Allow multiple lua scripts for fuzzy storage
* [Feature] Allow to add periodic functions in Lua API
* [Feature] Allow to disable rbls from map
* [Feature] Allow to hash any Lua types
* [Feature] Allow to store shingles as opaque Lua data
* [Feature] Cache LLM replies
* [Feature] GPT: Add ollama support
* [Feature] GPT: Support reason adding
* [Feature] Improve prompt and use plaintext instead of JSON
* [Feature] Lua_task: Allow to load data into the existing task
* [Feature] More additions
* [Feature] Pass shingles to Lua scripts
* [Feature] Preliminary implementation of LLM based anonymizing
* [Feature] Support LLM models consensus
* [Feature] Try to check maps earlier if their expires is too long
* [Feature] Use debug module name from caller in lua_cache
* [Fix] Add timer update before timer setting
* [Fix] Allow to work with no ratelimits
* [Fix] Always create ratelimit buckets
* [Fix] Avoid collision hacks in mempool variables hash
* [Fix] Expire neural ham and spam sets so they not hangup in redis indefinitely
* [Fix] Fix crash on FreeBSD when Rspamd is built without hyperscan
* [Fix] Make table digests consistent
* [Fix] RBL: fix use of `content_urls` and `images` inside `checks`
* [Fix] Verify key type to match DKIM signature type
* [Fix] connIP is not correctly added to request
* [Fix] properly close multipart/related boundary when adding text footer
* [Rework] GPT: Use cache framework