This release introduces a new side navigation message listing when viewing messages, allowing you to see other messages in the mailbox or current search and easily navigate between them without needing to go back to the inbox first.
As part of this feature, message status changes (read/unread/deleted/tags) are now also synchronised to all connected browsers (provided you have websockets working).
Another new feature is the option to auto-delete messages based on age (--max-age / MP_MAX_AGE). This can be used together with, or in addition to, the existing --max / MP_MAX_MESSAGES option. See documentation.
text/plain header for message delete request
A vulnerability was discovered which allowed a bad actor with SMTP access to Mailpit to bypass the Content Security Policy headers using a series of crafted HTML messages which could result in a stored XSS attack via the web UI. A special thanks to @bmodotdev for responsibly disclosing the vulnerability, providing information and a draft fix. Additional preventative measures have also been added (see below).
<script> & <iframe> (which aren't allowed to run anyway), and make the HTML even safer. There has been significant testing to try to ensure regular message previews do not break as a result, but should you experience issues then please report these via the issue tracker.
<noscript> message when JavaScript is disabled
This is a maintenance release to update some Go & JavaScript dependencies (no notable changes), as well as clone new Docker images to ghcr.io. Docker Hub remains the official Docker repository.
This release introduces three new features:
addressed: to include any messages From, To, Cc, Bcc & Reply-To.
addressed: includes From, To, Cc, Bcc & Reply-To
This release adds a new feature to allow you to only auto-release messages to addressed recipients matching a regular expression.
In relation to this, please note that there is a small change in behavior for the existing --smtp-relay-all which now no longer restricts recipients to the relay config's allowed-recipients expression (if set). If you wish to restrict automatically-relayed messages then you should use the new --smtp-relay-matching flag instead, as allowed-recipients applies only to manually-released messages via the web UI & API.
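An added example (not Mailpit's own code) of why the expression passed to --smtp-relay-matching is worth anchoring. It assumes the expression is evaluated as an unanchored search, which is how Go's regexp.MatchString behaves; the page does not state how Mailpit applies it. The relayable helper, both patterns and the recipient list are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// relayable returns the recipients that pattern would let through.
// Assumption: the pattern is used as an unanchored search (Go's
// regexp.MatchString semantics) against the lower-cased address.
func relayable(pattern string, rcpts []string) ([]string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err // reject a broken pattern rather than relaying everything
	}
	var out []string
	for _, r := range rcpts {
		if re.MatchString(strings.ToLower(strings.TrimSpace(r))) {
			out = append(out, r)
		}
	}
	return out, nil
}

// Constructed recipients: two intended ones and three look-alikes.
var sample = []string{
	"qa@example.com",
	"dev@staging.example.com",
	"customer@example.com.mail.test", // intended domain used as a prefix
	"customer@notexample.com",        // intended domain used as a suffix
	"customer@exampleXcom",           // unescaped "." matches any character
}

const loose = `example.com`                            // unanchored, unescaped dot
const strict = `^[^@\s]+@([a-z0-9-]+\.)*example\.com$` // anchored, dot escaped

func main() {
	for _, p := range []string{loose, strict} {
		got, err := relayable(p, sample)
		if err != nil {
			fmt.Println("invalid pattern:", err)
			continue
		}
		fmt.Printf("%-40s relays %d of %d: %v\n", p, len(got), len(sample), got)
	}
}
```

Running a candidate expression over a list of known-bad look-alike addresses like this before deploying it shows whether test mail could leave for unintended domains.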
This release introduces a few new & exciting features:
before: and after: dates (and times) (see docs)
In relation to the optional integration with rqlite (which is specified using a URL), it did not make any sense to continue with the --db-file flag (MP_DATA_FILE environment). These have been renamed to --database and MP_DATABASE respectively. Don't panic, this is not a breaking change. The old flags/environment keys won't be removed for a long time to ensure backwards compatibility, but those references have been changed in the documentation.
--database / MP_DATABASE
This release adds TLS (sometimes called "SSL/TLS") support for SMTP. This is easily confused with the default STARTTLS, which is an entirely different protocol (and far more widely used). The original Mailpit flag --smtp-tls-required was somewhat confusing because in reality both TLS and STARTTLS use TLS; however, they work in very different ways and are incompatible protocols.
As a result of this, --smtp-tls-required has been deprecated and replaced with --smtp-require-starttls to enforce STARTTLS, and a new flag --smtp-require-tls has been added to use TLS. To help prevent issues, the deprecated --smtp-tls-required has been aliased with --smtp-require-starttls and a startup warning is displayed.
The recipient-allowlist option in the SMTP relay configuration file has been replaced with allowed_recipients instead. Existing configuration files will continue to work, but Mailpit will display a startup warning as this will eventually be removed.