Cross reference: Discussion at Stalwart repository
While doing verification tests for solved feature request #96 we found this severe bug in Stalwart:
When users upload files to Stalwart 0.15.5 (current version as of April 4th 2026) via JMAP, it uses blob storage to save them to disk. See https://stalw.art/docs/storage/blob/ for details.
Unfortunately, even after users delete their files from their Stalwart account, these files stay in the storage forever. The maintenance run and the API calls to these endpoints do nothing about that:
This being said, any user can kill your Stalwart installation by uploading like thousands of files even though the max upload size is set to a low value (default is 50M bytes ~ 47.68 MB). Just upload, delete, upload, delete, ...
⬇️ Endpoint tests done
Purge blob storage and get a successful return message JSON:
# curl -X GET -u 'admin:<password>' https://stalwart.domain.com/api/store/purge/blob
{"data":null}
See your blob storage stay unchanged:
These files, GB in size, are from the tests of one user account. The files inside this account were already deleted before the maintenance run took place at night and after calling all the purge methods of the various storage backends.
Means: Even unreferenced blob data is being kept forever!
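Added example, not part of the original report and not Stalwart code: because deleted blobs are never reclaimed, an account's disk footprint is its cumulative uploads rather than its live data, so a quota on live data does not bound it. The sketch below computes that footprint per account and flags upload/delete churn; the event tuple layout and the sample events are constructed assumptions, not a Stalwart log format.

```python
from collections import defaultdict

# Constructed sample events: (timestamp, account, action, blob_id, size_bytes).
# This layout is an assumption for illustration, not a Stalwart log format.
SAMPLE_EVENTS = [
    (1, "alice", "upload", "a1", 40_000_000),
    (2, "alice", "delete", "a1", 40_000_000),
    (3, "alice", "upload", "a2", 40_000_000),
    (4, "alice", "delete", "a2", 40_000_000),
    (5, "alice", "upload", "a3", 40_000_000),
    (6, "alice", "delete", "a3", 40_000_000),
    (7, "bob", "upload", "b1", 10_000_000),
    (8, "carol", "upload", "c1", 40_000_000),
    (9, "carol", "delete", "c1", 40_000_000),
    (10, "carol", "upload", "c2", 5_000_000),
]


def disk_exposure(events):
    """Per account: bytes still referenced, bytes deleted but left on disk, and the sum."""
    live = defaultdict(dict)     # account -> {blob_id: size} still referenced
    orphaned = defaultdict(int)  # account -> bytes deleted by the user, never purged
    for _ts, account, action, blob_id, size in sorted(events):
        if action == "upload":
            live[account][blob_id] = size
        elif action == "delete":
            # A delete for an unknown blob contributes 0 instead of raising.
            orphaned[account] += live[account].pop(blob_id, 0)
    report = {}
    for account in set(live) | set(orphaned):
        live_bytes = sum(live[account].values())
        report[account] = {
            "live": live_bytes,
            "orphaned": orphaned[account],
            "on_disk": live_bytes + orphaned[account],
        }
    return report


def flag_churn(events, orphan_budget_bytes):
    """Accounts whose deleted-but-unreclaimed bytes exceed the budget, sorted by name."""
    report = disk_exposure(events)
    return sorted(a for a, r in report.items() if r["orphaned"] > orphan_budget_bytes)


if __name__ == "__main__":
    for name, row in sorted(disk_exposure(SAMPLE_EVENTS).items()):
        print(name, row)
    print("flagged:", flag_churn(SAMPLE_EVENTS, 100_000_000))
```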