This is an actual claim if someone is interested: https://www.hmailserver.com/state
On SHA-1: https://en.wikipedia.org/wiki/SHA-1
As of 2020, chosen-prefix attacks against SHA-1 are practical.[6][8] As such, it is recommended to remove SHA-1 from products as soon as possible and instead use SHA-2 or SHA-3. Replacing SHA-1 is urgent where it is used for digital signatures.
Digging further: https://www.hmailserver.com/forum/viewtopic.php?t=40568
Tl;dr: it uses sha256 by default and only has sha1 for backwards compatibility, which is considered insecure today. Critical updates are still there.