Skip to content

Releases: axllent/mailpit

v1.20.3

01 Sep 07:57
Compare
Choose a tag to compare

Chore

  • Update caniemail database
  • Update node dependencies
  • Update Go dependencies
  • Do not re-center selected messages in sidebar after every new message

Fix

  • Disable automatic HTML/Text character detection when charset is provided (#348)

v1.20.2

17 Aug 11:19
Compare
Choose a tag to compare

This release adds temporary web UI notifications for both SMTP & POP3 client errors to help alert you when there are issues. Also included is SMTP connection logging in the Mailpit logs (use --verbose to see all received & sent commands).

Feature

  • Web UI notifications of smtpd & POP3 errors (#347)

Chore

  • Update Go dependencies
  • Update node dependencies
  • Add debug database storage logging
  • Add smtpd server logging in the CLI (#347)

v1.20.1

10 Aug 00:08
Compare
Choose a tag to compare

Chore

  • Show icon attachment in new side navigation message listing (#345)
  • Live load up to 100 new messages in sidebar (#336)
  • Shift inbox pagination to inbox component

Fix

  • Correctly decode X-Tags message headers (RFC 2047) (#344)

v1.20.0

06 Aug 06:59
Compare
Choose a tag to compare

This release introduces a new side navigation message listing when viewing messages, allowing you to see other messages in the mailbox or current search and easily navigate between them without needing to co back to the inbox first.

As part of this feature, messages status changes (read/unread/deleted/tags) are now also synchronised to all connected browsers (provided you have websockets working).

Another new feature is the option to auto-delete messages based on age (--max-age / MP_MAX_AGE). This can be used together with, or in addition to, the existing --max / MP_MAX_MESSAGES option. See documentation.

Feature

  • UI: List messages in side nav when viewing message for easy navigation (#336)
  • Add option to control message retention by age (#338)

Chore

  • Update caniemail database
  • Update Go dependencies
  • Update node dependencies
  • Make internal tagging methods private

Fix

  • Prevent potential JavaScript errors caused by race condition
  • Better regexp to detect tags in search
  • Prevent Vue race condition to initialize dayjs relativeTime plugin
  • API: Return text/plain header for message delete request

v1.19.3

26 Jul 10:52
Compare
Choose a tag to compare

This release includes an important security fix, so upgrading is strongly recommended.

A vulnerability was discovered which allowed a bad actor with SMTP access to Mailpit to bypass the Content Security Policy headers using a series of crafted HTML messages which could result in a stored XSS attack via the web UI. A special thanks to @bmodotdev for responsibly disclosing the vulnerability, proving information and an draft fix. Additional preventative measures have also been added (see below).

  • The CSP headers have been hardened and require a valid nonce ID to run. This will make it impossible to inject any other local JavaScript files (remote & inline JavaScript was already blocked).
  • All message HTML is now sanitized via DOMPurify before rendering in the preview. This will remove all unsupported elements such as<script> & <iframe> (which aren't allowed to run anyway), and make the HTML even safer. There has had significant testing to try ensure regular message previews do not break as a result, but should you experience issues then please report these via the issue tracker.

Changelog

Fix

  • Security: Prevent bypass of Contend Security Policy using stored XSS, and sanitize preview HTML data (DOMPurify)

Chore

  • Update Go dependencies
  • Display nicer <noscript> message when JavaScript is disabled

v1.19.2

21 Jul 04:12
Compare
Choose a tag to compare

Fix

  • Update Inbox "Delete All" count when new messages are detected (#334)

Chore

  • Update Go dependencies

v1.19.1

14 Jul 03:14
Compare
Choose a tag to compare

Feature

Chore

  • Update Go dependencies
  • Equal column widths in About modal
  • Bump esbuild to version 0.23.0
  • Bump docker/build-push-action from 5 to 6 (#327)

v1.19.0

29 Jun 11:02
Compare
Choose a tag to compare

Feature

  • Add ability to rename and delete tags globally
  • Add option to disable auto-tagging for plus-addresses & X-Tags (#323)

Chore

  • Update node dependencies
  • Update Go dependencies

v1.18.7

22 Jun 11:36
Compare
Choose a tag to compare

Feature

  • Add optional label to identify Mailpit instance (#316)

Chore

  • Refactor JavaScript, use arrow functions instead of "self" aliasing
  • Handle websocket errors caused by persistent connection failures (#319)

Testing

  • Add POP3 integration tests

v1.18.6

19 Jun 04:26
Compare
Choose a tag to compare

Chore

  • Delete multiple POP3 messages in single action
  • Handle POP3 RSET command
  • Update caniemail database
  • Update node dependencies
  • Update Go dependencies

Fix

  • POP3 end of file reached error (#315)
  • POP3 size output to show compatible sizes (#312)