github axllent/mailpit v1.30.0
on GitHub

8 hours ago

This release includes an important security fixes, so upgrading is strongly recommended.

This release introduces a default message size limit for both SMTP and api/v1/send to prevent DoS attacks via unbounded message sizes. This limit can be configured or disabled as needed, but the default is set to 50MB to provide a reasonable safeguard against abuse and align with some common email server limits.

A big thanks to the security researchers who reported these issues and helped improve Mailpit's security!

Security

  • Set a default 50MB per message limit to prevent DoS via unlimited SMTP DATA and /api/v1/send body sizes (GHSA-fpxj-m5q8-fphw)
  • Include CGNAT (Carrier-Grade NAT) in internal IP checks (GHSA-j3fj-qppj-fmmc)
  • Block internal IP access by default in HTML check (GHSA-j3fj-qppj-fmmc)
  • Fix for path traversal & arbitrary file write in mailpit dump --http <instance> via attacker-controlled message IDs (GHSA-qx5x-85p8-vg4j)
  • Fix concurrent map read & write in proxy CSS rewriter (GHSA-w4vj-r5pg-3722)

Feature

  • New UI loading indicator, reduce flash during message transitions (#682)

Chore

  • Bump vue-router from 4.6.4 to 5.0.4
  • Bump axios version to 1.15.0
  • Update Go dependencies
  • Update node dependencies
  • Remove gorilla/mux dependency and replace with stdlib routing
  • Remove logrus dependency and implement slog-based logging
  • Remove go-telnet dependency and implement TCP/Unix socket handling for SMTP
  • Replace lithammer/shortuuid with custom shortuuid implementation and update tests
  • Improve iframe height adjustment with optional chaining
  • Bump axios version to v1.16.0
  • Refactor Prometheus metrics implementation and remove unused dependencies
  • Refactor MarkRead and MarkUnread functions to only broadcast changes of modified messages
  • Optimize tag retrieval by batching message IDs in List and Search functions
  • Enhance SetMessageTags function to improve tag handling and batch deletions
  • Optimize MarkRead and MarkUnread functions to reduce database calls and improve performance
  • Refactor pruneMessages function to eliminate duplicate ID checks using a map
  • Refactor addMessageTag function to remove mutex and ensure safe concurrent inserts
  • Refactor Hub to use atomic clientCount for safe concurrent client tracking
  • Ensure websocket connection is closed on client unregistration
  • Simplify writePump by using WriteMessage and remove unnecessary newline handling
  • Add message dump --max-message-size flag and refactor message handling
  • Add message ingest --max-message-size flag and refactor message handling
  • Update Go dependencies
  • Update node dependencies
  • Update caniemail test database

Fix

  • Validate SMTP XCLIENT args before processing

Build

  • Update CI actions to use npm ci
  • Tag Docker edge build with next patch versions
Check out latest releases or
releases around axllent/mailpit v1.30.0

Don't miss a new mailpit release

NewReleases is sending notifications on new releases.

Get notifications