
DavMail 6.6.0 Patches a Regex Flaw and Advances Its Microsoft Graph Backend
Why It Matters
Eliminating the ReDoS vulnerability and restoring OAuth flow safeguards enterprise mail integrations, while the Graph backend marks DavMail’s strategic move toward modern Microsoft APIs.
Key Takeaways
- Regex replacement eliminates the ReDoS risk in the replaceIcal4Principal method.
- OAuth redirect URI updated to Microsoft's new native-client endpoint.
- IMAP and SMTP bugs fixed for NOT searches and duplicate message IDs.
- CardDAV now supports the VCARD4 birthday format and data-URL photos.
- Graph API backend receives major feature work but is not yet production-ready.
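The CardDAV item above concerns two places where vCard 3.0 and vCard 4.0 (RFC 6350) spell the same thing differently. The following Python is an added example, not DavMail's code: a small parser that accepts BDAY as "1985-04-12", "19850412" or the year-less "--0412", and PHOTO either as a data: URL (RFC 2397) or in the vCard 3.0 ENCODING=b parameter form. The sample cards and the three-byte stand-in for JPEG content are constructed here; how DavMail maps these properties onto Exchange contacts is not shown on the page.

```python
"""Added example, not DavMail's code: parse vCard 3.0/4.0 BDAY and PHOTO."""
import base64
import re
from typing import Optional, Tuple
from urllib.parse import unquote_to_bytes

_BDAY_V3 = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")   # vCard 3.0: 1985-04-12
_BDAY_V4 = re.compile(r"^(\d{4})(\d{2})(\d{2})$")     # vCard 4.0: 19850412
_BDAY_V4_NOYEAR = re.compile(r"^--(\d{2})(\d{2})$")   # vCard 4.0: --0412


def split_content_line(line: str) -> Tuple[str, dict, str]:
    """Split 'NAME;P1=V1;P2=V2:value' into (name, params, value).

    Only the first ':' terminates the name/parameter part; the value itself
    (notably a data: URL) may contain further ':' and ';' characters.
    """
    head, _, value = line.partition(":")
    name, *raw_params = head.split(";")
    params = {}
    for p in raw_params:
        k, _, v = p.partition("=")
        params[k.upper()] = v
    return name.upper(), params, value


def parse_bday(value: str) -> Optional[Tuple[Optional[int], int, int]]:
    """Return (year, month, day); year is None for the vCard 4 '--MMDD' form."""
    for pat in (_BDAY_V3, _BDAY_V4):
        m = pat.match(value)
        if m:
            return int(m.group(1)), int(m.group(2)), int(m.group(3))
    m = _BDAY_V4_NOYEAR.match(value)
    if m:
        return None, int(m.group(1)), int(m.group(2))
    return None  # VALUE=text dates such as "circa 1800" are not handled here


def parse_photo(params: dict, value: str) -> Optional[Tuple[str, bytes]]:
    """Return (mime_type, raw_bytes) for inline photos, None for URL references."""
    if value.startswith("data:"):
        # RFC 2397: data:[<mediatype>][;base64],<data>
        meta, sep, data = value[len("data:"):].partition(",")
        if not sep:
            return None
        parts = meta.split(";")
        mime = parts[0] or "text/plain"
        if "base64" in parts[1:]:
            return mime, base64.b64decode(data, validate=True)
        return mime, unquote_to_bytes(data)
    if params.get("ENCODING", "").lower() == "b":
        # vCard 3.0 inline form: PHOTO;ENCODING=b;TYPE=JPEG:<base64>
        mime = "image/" + params.get("TYPE", "jpeg").lower()
        return mime, base64.b64decode(value, validate=True)
    return None  # VALUE=uri / http reference: nothing inline to decode


def parse_vcard(text: str) -> dict:
    """Unfold the card and extract the BDAY and PHOTO properties."""
    # RFC 6350 section 3.2: a line beginning with SPACE or TAB continues the previous one.
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    out = {}
    for line in unfolded.splitlines():
        if not line:
            continue
        name, params, value = split_content_line(line)
        if name == "BDAY":
            out["bday"] = parse_bday(value)
        elif name == "PHOTO":
            out["photo"] = parse_photo(params, value)
    return out


# Constructed sample data: a three-byte stand-in for JPEG content (SOI marker).
FAKE_JPEG = b"\xff\xd8\xff"
_B64 = base64.b64encode(FAKE_JPEG).decode()   # "/9j/"

SAMPLE_V4 = (
    "BEGIN:VCARD\r\nVERSION:4.0\r\nFN:Alice Example\r\n"
    "BDAY:19850412\r\n"
    f"PHOTO:data:image/jpeg;base64,{_B64}\r\n"
    "END:VCARD\r\n"
)
SAMPLE_V3 = (
    "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\n"
    "BDAY:1985-04-12\r\n"
    f"PHOTO;ENCODING=b;TYPE=JPEG:{_B64}\r\n"
    "END:VCARD\r\n"
)

if __name__ == "__main__":
    print(parse_vcard(SAMPLE_V4))
    print(parse_vcard(SAMPLE_V3))
```

Both sample cards decode to the same birthday and the same photo bytes, which is the property a CardDAV server needs: a client that only speaks one vCard version must still round-trip the data. Note that `validate=True` rejects base64 with stray characters rather than silently discarding them, which is the safer choice for data that arrives from a client.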
Pulse Analysis
DavMail is a bridge that lets legacy mail clients talk to Microsoft Exchange and Office 365 over standard protocols such as IMAP, SMTP, CalDAV and CardDAV. The 6.6.0 release resolves a code-scanning alert in the replaceIcal4Principal method, where a regular expression could be driven into regular-expression denial of service (ReDoS). The classic ReDoS pattern is a regex whose nested or ambiguous quantifiers make a backtracking matcher try exponentially many ways to match a crafted, ultimately unmatchable string, so a single long input can pin a CPU core for as long as the attacker likes. By replacing the regex with plain substring calls, which run in linear time whatever the input, the project removes that failure mode outright rather than merely tuning the pattern, and it does so without changing behaviour. That matters for organizations that run DavMail in regulated environments and need a predictable answer to "what happens when this service is fed hostile calendar data".
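As an added example, not DavMail's code and not its actual replaceIcal4Principal regex (the release notes do not show it), the following Python contrasts a hypothetical principal-rewriting regex in the classic ReDoS shape with the substring-based equivalent. The line format, the pattern and the function names are assumptions for illustration; DavMail itself is Java, but Java's `java.util.regex` is a backtracking engine of the same kind as Python's `re`, so the blow-up is the same in both.

```python
"""Added example, not DavMail's code: a ReDoS-prone principal rewrite next to
its substring-based replacement.  Pattern, line format and names are
illustrative assumptions."""
import re
import time

# Hypothetical regex in the classic ReDoS shape: "(;[^:]+)*" is ambiguous
# because each ';' can either extend the previous parameter or start a new
# one, so a line with n semicolons and no ":mailto:" backtracks ~2^n ways.
VULNERABLE_PRINCIPAL_RE = re.compile(
    r"^(ATTENDEE|ORGANIZER)((?:;[^:]+)*):mailto:(.+)$"
)


def replace_principal_regex(line: str, old: str, new: str) -> str:
    """Vulnerable form: rewrite mailto:<old> to mailto:<new> via the regex."""
    m = VULNERABLE_PRINCIPAL_RE.match(line)
    if m is None or m.group(3).lower() != old.lower():
        return line
    return f"{m.group(1)}{m.group(2)}:mailto:{new}"


def replace_principal_substring(line: str, old: str, new: str) -> str:
    """Hardened form: same result using only startswith/find/slicing.

    Each step is a single linear scan, so the worst case is O(len(line))
    no matter how many ';' the attacker packs into the parameters.
    """
    if line.startswith("ATTENDEE"):
        name_end = len("ATTENDEE")
    elif line.startswith("ORGANIZER"):
        name_end = len("ORGANIZER")
    else:
        return line
    marker = ":mailto:"
    idx = line.find(marker)
    if idx == -1:
        return line
    params = line[name_end:idx]
    # Mirror the regex: parameters are either empty or ';'-prefixed with at
    # least one further character, and never contain ':'.
    if params and (params[0] != ";" or len(params) < 2 or ":" in params):
        return line
    email = line[idx + len(marker):]
    if not email or email.lower() != old.lower():
        return line
    return line[:idx] + marker + new


def adversarial_line(n: int) -> str:
    """Constructed attacker input: n ambiguous ';a' parameters and no mailto."""
    return "ATTENDEE" + ";a" * n


def elapsed(fn, *args) -> float:
    """Wall-clock seconds for one call of fn(*args)."""
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Each extra ';a' roughly doubles the regex time; the substring version
    # stays flat.  Keep n small: n=25 already takes well over a minute.
    for n in (12, 16, 20):
        bad = adversarial_line(n)
        print(f"n={n:2d} regex: {elapsed(replace_principal_regex, bad, 'a', 'b'):.3f}s"
              f"  substring: {elapsed(replace_principal_substring, bad, 'a', 'b'):.6f}s")
```

The two functions agree on every well-formed line, which is the property a reviewer should check when a regex is swapped for hand-written parsing; the difference shows only on the malformed input, where the substring version returns immediately and the regex version does not.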
The update also resolves a breaking change on Microsoft's side: the redirect URI DavMail had been using for native-client OpenID Connect sign-in now lands on a dead-end URL, so interactive Office 365 authentication failed. DavMail now defaults to the correct localhost endpoint, which restores single sign-on for Office 365 users. Two practical checks follow from that. The redirect URI in an OAuth authorization request must exactly match one registered on the application in Microsoft Entra ID, so custom app registrations need the new URI added; and deployments that pin the redirect URI in their own configuration must change it themselves, since a new default only applies where no value is set. Further protocol refinements, namely IMAP NOT-search compliance, proper envelope header encoding and relaxed duplicate message-ID restrictions, improve interoperability with a broader range of mail clients. Linux users gain JDK 21 compatibility, an updated SWT dependency, and a configuration layout that follows the XDG Base Directory Specification, which simplifies packaging across distributions.
The most forward-looking change is the expanded Microsoft Graph API backend. By moving contact sync, calendar handling, LDAP search and people queries onto Graph, DavMail prepares for the retirement of Exchange Web Services, which Microsoft has announced for Exchange Online. The backend is still experimental and not yet production-ready, but the breadth of commits signals a long-term commitment to the modern API, which may over time bring feature parity closer to native Microsoft clients. Enterprises planning the transition should track the Graph module's maturity, and test it against their own tenants before relying on it, since it is likely to become the preferred integration path once EWS access is switched off.