mailpit

An email and SMTP testing tool with API for developers

MIT License

Stars
4.5K
Committers
21


mailpit - Latest Release

Published by axllent 2 months ago

This release introduces a new side navigation message listing when viewing messages, allowing you to see other messages in the mailbox or current search and easily navigate between them without needing to go back to the inbox first.

As part of this feature, message status changes (read/unread/deleted/tags) are now also synchronised to all connected browsers (provided you have websockets working).

Another new feature is the option to auto-delete messages based on age (--max-age / MP_MAX_AGE). This can be used together with, or in addition to, the existing --max / MP_MAX_MESSAGES option. See documentation.

Feature

  • UI: List messages in side nav when viewing message for easy navigation (#336)
  • Add option to control message retention by age (#338)

Chore

  • Update caniemail database
  • Update Go dependencies
  • Update node dependencies
  • Make internal tagging methods private

Fix

  • Prevent potential JavaScript errors caused by race condition
  • Better regexp to detect tags in search
  • Prevent Vue race condition to initialize dayjs relativeTime plugin
  • API: Return text/plain header for message delete request
mailpit -

Published by axllent 3 months ago

This release includes an important security fix, so upgrading is strongly recommended.

A vulnerability was discovered which allowed a bad actor with SMTP access to Mailpit to bypass the Content Security Policy headers using a series of crafted HTML messages which could result in a stored XSS attack via the web UI. A special thanks to @bmodotdev for responsibly disclosing the vulnerability, providing information and a draft fix. Additional preventative measures have also been added (see below).

  • The CSP headers have been hardened and require a valid nonce ID to run. This will make it impossible to inject any other local JavaScript files (remote & inline JavaScript was already blocked).
  • All message HTML is now sanitized via DOMPurify before rendering in the preview. This will remove all unsupported elements such as <script> & <iframe> (which aren't allowed to run anyway), and make the HTML even safer. There has been significant testing to try to ensure regular message previews do not break as a result, but should you experience issues then please report these via the issue tracker.
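
The nonce requirement described above, shown as an added Go example (not Mailpit's own code): each response gets a fresh random nonce, and only script tags carrying it are allowed to run. The handler name, the /dist/app.js path and the directive list are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newNonce returns 128 bits from the CSPRNG, hex-encoded so it is safe
// to place in both the header and an HTML attribute without escaping.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// serveUI (hypothetical handler) allows only scripts that carry this
// response's nonce. A same-origin file referenced from injected markup has
// no nonce, so the browser refuses to run it; 'self' alone would allow it.
func serveUI(w http.ResponseWriter, r *http.Request) {
	nonce, err := newNonce()
	if err != nil { // fail closed: never serve the UI without a policy
		http.Error(w, "nonce generation failed", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Security-Policy", fmt.Sprintf(
		"default-src 'self'; script-src 'nonce-%s'; object-src 'none'; base-uri 'none'", nonce))
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	// /dist/app.js is a placeholder path for the application bundle.
	fmt.Fprintf(w, `<!doctype html><script nonce="%s" src="/dist/app.js"></script>`, nonce)
}

// fetch runs the handler once in-process and returns the CSP header and body.
func fetch() (csp, body string) {
	rec := httptest.NewRecorder()
	serveUI(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Header().Get("Content-Security-Policy"), rec.Body.String()
}

func main() {
	csp, body := fetch()
	fmt.Println(csp)
	fmt.Println(body)
}
```

The nonce has to be regenerated for every response; a static or guessable value would let injected markup reuse it.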

Changelog

Fix

  • Security: Prevent bypass of Content Security Policy using stored XSS, and sanitize preview HTML data (DOMPurify)

Chore

  • Update Go dependencies
  • Display nicer <noscript> message when JavaScript is disabled
mailpit -

Published by axllent 3 months ago

Fix

  • Update Inbox "Delete All" count when new messages are detected (#334)

Chore

  • Update Go dependencies
mailpit -

Published by axllent 3 months ago

Feature

Chore

  • Update Go dependencies
  • Equal column widths in About modal
  • Bump esbuild to version 0.23.0
  • Bump docker/build-push-action from 5 to 6 (#327)
mailpit -

Published by axllent 4 months ago

Feature

  • Add ability to rename and delete tags globally
  • Add option to disable auto-tagging for plus-addresses & X-Tags (#323)

Chore

  • Update node dependencies
  • Update Go dependencies
mailpit -

Published by axllent 4 months ago

Feature

  • Add optional label to identify Mailpit instance (#316)

Chore

  • Refactor JavaScript, use arrow functions instead of "self" aliasing
  • Handle websocket errors caused by persistent connection failures (#319)

Testing

  • Add POP3 integration tests
mailpit -

Published by axllent 4 months ago

Chore

  • Delete multiple POP3 messages in single action
  • Handle POP3 RSET command
  • Update caniemail database
  • Update node dependencies
  • Update Go dependencies

Fix

  • POP3 end of file reached error (#315)
  • POP3 size output to show compatible sizes (#312)
mailpit -

Published by axllent 4 months ago

Feature

  • Add pagination & limits to URL parameters (#303)

Chore

  • Update node dependencies
  • Update Go dependencies
mailpit -

Published by axllent 5 months ago

This is a maintenance release to update some Go & JavaScript dependencies (no notable changes), as well as clone new Docker images to ghcr.io. Docker Hub remains the official Docker repository.

Chore

  • Update node dependencies
  • Update Go dependencies
  • Clone new Docker images to ghcr.io (#302)
mailpit -

Published by axllent 5 months ago

Feature

  • iCalendar (ICS) viewer (#298) - clicking on an *.ics attachment will now open a basic summary view.

Fix

  • Add dot stuffing for POP3 (#300)

Chore

  • Update Go dependencies
  • Update node dependencies
mailpit -

Published by axllent 5 months ago

Fix

  • Replace invalid Windows username characters in sendmail (#294)

Chore

  • Update node dependencies
mailpit -

Published by axllent 5 months ago

Feature

  • Return queued Message ID in SMTP response (#293)

Chore

  • Simplify JSON HTTP responses
  • Update node dependencies
  • Update Go dependencies
mailpit -

Published by axllent 6 months ago

This release introduces three new features:

  1. A new API endpoint to send messages to Mailpit via HTTP (thanks to @ryan0x44 for creating a proof of concept and feedback).
  2. Search filter support for auto-tagging messages, as well as the ability to set a yaml file for auto-tagging instead of (or in addition to) setting them via a string in the CLI flag or environment variables.
  3. A new search filter addressed: to include any messages From, To, Cc, Bcc & Reply-To.

Feature

  • API endpoint for sending (#278)
  • Set tagging filters via a config file
  • Search filter support for auto-tagging
  • New search filter prefix addressed: includes From, To, Cc, Bcc & Reply-To

Chore

  • Update node dependencies
  • Update Go dependencies
  • Update go-release-action
  • JSON key case-consistency for posted API data (backwards-compatible)
  • Remove function duplication - use common tools.InArray()
  • Improve tag sorting in web UI, ignore casing
  • Replace moment JS library with dayjs
  • Auto-update relative received message times
mailpit -

Published by axllent 6 months ago

Chore

  • Clearer error messages for read/write permission failures (#281)
  • Update node dependencies
  • Update Go dependencies

Fix

  • Prevent error when two identical tags are added at the exact same time (#283)
mailpit -

Published by axllent 6 months ago

This release adds a new feature to allow you to only auto-release messages to addressed recipients matching a regular expression.

In relation to this, please note that there is a small change in behavior for the existing --smtp-relay-all which now no longer restricts recipients to the relay config's allowed-recipients expression (if set). If you wish to restrict automatically-relayed messages then you should use the new --smtp-relay-matching flag instead, as allowed-recipients applies only to manually-released messages via the web UI & API.

Feature

  • Option to auto relay for matching recipient expression only (#274)
  • Add UI settings screen to toggle some settings and override timezone

Chore

  • Auto-rotate thumbnail images based on exif data
  • Replace disintegration/imaging with kovidgoyal/imaging to fix CVE-2023-36308
  • Update API documentation regarding date/time searches & timezones
  • Move Link check & HTML check features out of beta
  • Remove deprecated --disable-html-check option
  • Update Go dependencies
  • Update node dependencies
  • Update caniemail database

Fix

  • Add delay to close database on fatal exit (#280)
mailpit -

Published by axllent 6 months ago

This release introduces a few new & exciting features:

  1. The option to use a remote rqlite database instead of a local SQLite database (see docs)
  2. The ability to specify a tenant ID per Mailpit instance to isolate data when using a shared database (eg: rqlite)
  3. Search filtering by before: and after: dates (and times) (see docs)

In relation to the optional integration with rqlite (which is specified using a URL), it did not make any sense to continue with the --db-file flag (MP_DATA_FILE environment). These have been renamed to --database and MP_DATABASE respectively. Don't panic, this is not a breaking change. The old flags/environment keys won't be removed for a long time to ensure backwards compatibility, but those references have been changed in the documentation.

Features

  • Option to use rqlite database storage (#254)
  • Add optional tenant ID to isolate data in shared databases (#254)
  • Search support for before: and after: dates (#252)

Chores

  • Update caniemail test database
  • Update node dependencies
  • Update Go dependencies
  • Switch database flag/environment to --database / MP_DATABASE

Fixes

  • Remove duplicated authentication check (#276)
  • Prevent conditional JS error when global mailbox tag list is modified via auto/plus-address tagging while viewing a message
  • Extract plus addresses from email addresses only, not names
mailpit -

Published by axllent 7 months ago

Chore

  • Code cleanup, remove redundant functionality
  • Add labels to Docker image (#267)
  • Add readyz subcommand for Docker healthcheck (#270)
mailpit -

Published by axllent 7 months ago

Notice

This release adds TLS (or sometimes called "SSL/TLS") support for SMTP. This is easily confused with the default STARTTLS which is an entirely different protocol (and far more widely used). The original Mailpit flag --smtp-tls-required was somewhat confusing because in reality both TLS and STARTTLS use TLS, however both work in very different ways and are incompatible protocols.

As a result of this, --smtp-tls-required has been deprecated and replaced with --smtp-require-starttls to enforce STARTTLS, and a new flag --smtp-require-tls has been added to use TLS. To help prevent issues, the deprecated --smtp-tls-required has been aliased with --smtp-require-starttls and a startup warning is displayed.

Feature

Fix

  • Enforce SMTP STARTTLS by default if authentication is set in line with RFC 4954

Chore

  • Update node dependencies
  • Update Go dependencies
mailpit -

Published by axllent 7 months ago

Feature

  • Allow setting SMTP relay configuration values via environment variables (#262)

Chore

  • Update caniemail test data
  • Reorder CLI flags to group by related functionality

Deprecation notice

The recipient-allowlist option in the SMTP relay configuration file has been replaced with allowed_recipients instead. Existing configuration files will continue to work, but Mailpit will display a startup warning as this will eventually be removed.

mailpit -

Published by axllent 7 months ago

Fix

  • Prevent crash when calculating deleted space percentage (divide by zero)

Chore

  • Update node dependencies
  • Update Go dependencies