The latest HestiaCP update finally resolves webmail DNS alias inconsistencies that previously broke email routing for domains using custom overrides. Server admins will also notice that rebuilding mail domains no longer wipes out existing SSL certificates, which saves hours of manual certificate reimporting. The release bumps Roundcube to version 1.6.16 to deliver standard stability improvements without adding unnecessary feature bloat. These targeted fixes address the most common daily hosting headaches while keeping active mail services completely uninterrupted during installation.

HestiaCP 1.9.6 Update Fixes Webmail SSL Glitches and Roundcube Version Bump

The latest HestiaCP update rolls out to patch several webmail configuration headaches that popped up after version 1.9.5. Server administrators will finally get stable DNS alias handling, proper SSL retention when rebuilding mail domains, and a fresh Roundcube release. This breakdown covers what actually changed and why those fixes matter for daily hosting workflows.

HestiaCP Update Resolves Webmail DNS and SSL Config Problems

The patch addresses three specific pain points that have been causing unnecessary downtime for mail server administrators. Webmail DNS records with alias inconsistencies used to break email routing for domains using CNAME or MX overrides, which meant users could not access their inbox until manual zone edits were applied. Rebuilding mail domains previously wiped out custom SSL configurations, forcing admins to reapply certificates every time a domain structure was refreshed. That behavior often happened after routine maintenance scripts ran or when migrating between server nodes. The update also bumps Roundcube to version 1.6.16, which brings standard security patches and minor interface stability improvements without introducing new feature bloat.

Security Transparency Remains a Concern After Previous Releases

The release notes skip over two security issues, one of which is a remote code execution vulnerability that surfaced in version 1.9.4 when the built in web terminal was left enabled. The flaw allowed unauthenticated users to execute system commands directly on the host machine. Real world reports confirm attackers have been using this exact weakness to compromise servers since mid May with fully automated payloads. Anyone running HestiaCP with the web terminal enabled should check their system immediately, because there is a good chance that machine is already compromised. Security advisories for those issues never appeared in official changelogs, which leaves administrators guessing about what actually got patched in earlier builds. The current update focuses strictly on webmail stability rather than addressing the broader security posture that previous releases overlooked.

What Administrators Should Check After Upgrading

Running the standard package manager upgrade will apply these changes without interrupting active mail services. Administrators should verify that DNS zones for affected domains resolve correctly after the patch installs, since stale alias records can still cause delivery delays if cached locally. Checking the Roundcube version through the webmail interface confirms whether the update actually applied to the frontend layer. The rebuild command for mail domains now preserves existing SSL certificates, which removes the need to manually reimport chain files or regenerate private keys after routine maintenance. Keeping terminal access disabled by default remains the safest approach until future releases provide clearer security documentation.

Release HestiaCP 1.9.6

Bug fixes Fix: Webmail DNS record with alias inconsistencies (#5074) Fix: Rebuilding mail domains removes webmail SSL config (#5354) Bump Roundcube to version 1.6.16 (#5357)

Release [1.9.6] - Service Release · hestiacp/hestiacp

Keep those server configs tidy and check your mail routing before the next automated backup runs.