Releases: axllent/mailpit
v1.20.3
v1.20.2
This release adds temporary web UI notifications for both SMTP & POP3 client errors to help alert you when there are issues. Also included is SMTP connection logging in the Mailpit logs (use --verbose to see all received & sent commands).
Feature
- Web UI notifications of smtpd & POP3 errors (#347)
Chore
- Update Go dependencies
- Update node dependencies
- Add debug database storage logging
- Add smtpd server logging in the CLI (#347)
v1.20.1
v1.20.0
This release introduces a new side navigation message listing when viewing messages, allowing you to see other messages in the mailbox or current search and easily navigate between them without needing to go back to the inbox first.
As part of this feature, message status changes (read/unread/deleted/tags) are now also synchronised to all connected browsers (provided you have websockets working).
Another new feature is the option to auto-delete messages based on age (--max-age / MP_MAX_AGE). This can be used together with, or in addition to, the existing --max / MP_MAX_MESSAGES option. See documentation.
Feature
- UI: List messages in side nav when viewing message for easy navigation (#336)
- Add option to control message retention by age (#338)
Chore
- Update caniemail database
- Update Go dependencies
- Update node dependencies
- Make internal tagging methods private
Fix
- Prevent potential JavaScript errors caused by race condition
- Better regexp to detect tags in search
- Prevent Vue race condition to initialize dayjs relativeTime plugin
- API: Return text/plain header for message delete request
v1.19.3
This release includes an important security fix, so upgrading is strongly recommended.
A vulnerability was discovered which allowed a bad actor with SMTP access to Mailpit to bypass the Content Security Policy headers using a series of crafted HTML messages which could result in a stored XSS attack via the web UI. A special thanks to @bmodotdev for responsibly disclosing the vulnerability, providing information and a draft fix. Additional preventative measures have also been added (see below).
- The CSP headers have been hardened and require a valid nonce ID to run. This will make it impossible to inject any other local JavaScript files (remote & inline JavaScript was already blocked).
- All message HTML is now sanitized via DOMPurify before rendering in the preview. This will remove all unsupported elements such as <script> & <iframe> (which aren't allowed to run anyway), and make the HTML even safer. There has been significant testing to try to ensure regular message previews do not break as a result, but should you experience issues then please report these via the issue tracker.
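The nonce-based CSP hardening described above, as an added Go example that is not Mailpit's own code: each response gets a fresh random nonce that appears both in the Content-Security-Policy header and in the single <script> tag of a hypothetical page shell, so inline, remote and any other local script is refused by the browser. The shell template, the writeUI helper and the directives other than script-src are assumptions, not taken from the project.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/base64"
	"html/template"
	"io"
	"net/http"
)

// cspNonce returns a fresh 128-bit random nonce for one response. URL-safe base64
// avoids '+', '/' and '=' (which html/template would escape) and is valid in a CSP.
func cspNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// cspHeader builds a policy under which only scripts carrying this response's nonce
// run: inline, remote and any other local script file are refused by the browser.
func cspHeader(nonce string) string {
	return "default-src 'self'; script-src 'nonce-" + nonce + "'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'"
}

// page is a hypothetical shell (not Mailpit's own template); its single <script> tag
// carries the nonce and is therefore the only script the policy lets execute.
var page = template.Must(template.New("ui").Parse(`<!doctype html><html><head><meta charset="utf-8"></head>` +
	`<body><div id="app"></div><script nonce="{{.Nonce}}" src="/app.js"></script></body></html>`))

// writeUI issues a nonce, sets the matching policy on h and writes the shell to w.
// In a handler call writeUI(w.Header(), w): header and body must share the nonce or the
// bundle itself is blocked. The body is buffered so a template error cannot leave a
// half-written response behind headers that were already sent.
func writeUI(h http.Header, w io.Writer) error {
	nonce, err := cspNonce()
	if err != nil {
		return err
	}
	var buf bytes.Buffer
	if err := page.Execute(&buf, map[string]string{"Nonce": nonce}); err != nil {
		return err
	}
	h.Set("Content-Security-Policy", cspHeader(nonce))
	h.Set("Content-Type", "text/html; charset=utf-8")
	_, err = buf.WriteTo(w)
	return err
}
```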
Changelog
Fix
- Security: Prevent bypass of Content Security Policy using stored XSS, and sanitize preview HTML data (DOMPurify)
Chore
- Update Go dependencies
- Display nicer <noscript> message when JavaScript is disabled