Ralph Slooten
c160224ad7
Fix: Correctly parse after/before datetimes with timestamp in search query (#704)
2026-06-17 16:12:46 +12:00
Ralph Slooten
f1c325c5c3
Fix formatting
2026-06-17 15:28:20 +12:00
Ralph Slooten
a88dadbbe1
Security: Fix incomplete SSRF protection in IsInternalIP() detection for IPv6 transition mechanisms (GHSA-w4mc-hhc6-xp28)
2026-06-14 08:09:59 +12:00
Ralph Slooten
1e549eab06
Test: Add readyz tests
2026-06-11 16:32:14 +12:00
Ralph Slooten
ed26e0a879
Chore: Update caniemail test database
2026-05-28 21:58:51 +12:00
Ralph Slooten
fdf3cde030
Explicitly ignore errors on search text extraction
2026-05-26 16:47:55 +12:00
Ralph Slooten
24f898ac67
Chore: Change log level to Info for database vacuuming message (#688)
2026-05-26 16:46:42 +12:00
Ralph Slooten
93d2222d62
Chore: Enhance schema application logging (#688)
2026-05-24 11:40:39 +12:00
Ralph Slooten
3b65ee936a
Chore: Update caniemail test database
2026-05-14 16:40:11 +12:00
Ralph Slooten
8041eac509
Cleanup
2026-05-14 16:23:29 +12:00
Ralph Slooten
b7e4146dbf
Chore: Add message dump max-message-size flag and refactor message handling
2026-05-14 16:23:21 +12:00
Ralph Slooten
5ec074208c
Use httpClient for HTTP requests in loadIDs and saveMessages functions
2026-05-14 15:13:52 +12:00
Ralph Slooten
35079d182c
Security: Fix for path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs (GHSA-qx5x-85p8-vg4j)
This fix also adds HTTP data limits to prevent excessively large files being transmitted by an attacker-controlled server (fake Mailpit).
2026-05-14 15:02:07 +12:00
Ralph Slooten
04c779994b
Security: Block internal IP access by default in HTML check (GHSA-j3fj-qppj-fmmc)
This addresses an incomplete fix for GHSA-6jxm-fv7w-rw5j which did not restrict access to internal IP addresses.
2026-05-14 15:02:07 +12:00
Ralph Slooten
bcd1bc71ee
Security: Include CGNAT (Carrier-Grade NAT) in internal IP checks (GHSA-j3fj-qppj-fmmc)
CGNAT (Carrier-Grade NAT) is a technique used by ISPs to conserve IPv4 addresses. Instead of assigning a unique public IP to every customer, the ISP places many customers behind a shared NAT, then gives them all addresses from the reserved 100.64.0.0/10 range (RFC 6598) on their internal network.
This means traffic from multiple customers exits through a small pool of public IPs - a second layer of NAT on top of whatever NAT the customer's own router does (hence "double NAT").
2026-05-14 15:01:36 +12:00
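As an added illustration of the check the two CGNAT/internal-IP commits above describe, combined with the IPv6 transition-mechanism gap named in commit a88dadbbe1 near the top of this log, here is a stand-alone Go IsInternalIP written for this page. It is not Mailpit's implementation. The page does not say which transition mechanisms Mailpit's fix covers; the set handled below (IPv4-mapped, deprecated IPv4-compatible, 6to4, Teredo, NAT64 well-known prefix) and the exact list of internal ranges are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// IPv4 ranges treated as internal (assumed list): "this network", RFC 1918,
// CGNAT (RFC 6598), loopback, link-local and limited broadcast.
var internalV4 = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"),
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("100.64.0.0/10"), // CGNAT, RFC 6598
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("255.255.255.255/32"),
}

// Native IPv6 ranges treated as internal: unspecified, loopback, ULA, link-local.
var internalV6 = []netip.Prefix{
	netip.MustParsePrefix("::/128"),
	netip.MustParsePrefix("::1/128"),
	netip.MustParsePrefix("fc00::/7"),
	netip.MustParsePrefix("fe80::/10"),
}

// IPv6 transition prefixes that carry an IPv4 address inside the 128 bits.
var (
	prefix6to4   = netip.MustParsePrefix("2002::/16")    // 6to4: v4 in bytes 2..5
	prefixTeredo = netip.MustParsePrefix("2001::/32")    // Teredo: server in 4..7, client XOR 0xff in 12..15
	prefixNAT64  = netip.MustParsePrefix("64:ff9b::/96") // NAT64 well-known prefix: v4 in bytes 12..15
	prefixCompat = netip.MustParsePrefix("::/96")        // deprecated IPv4-compatible ::a.b.c.d
)

func inAny(ip netip.Addr, prefixes []netip.Prefix) bool {
	for _, p := range prefixes {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// embeddedV4 returns every IPv4 address carried inside an IPv6 transition
// address. A Teredo address yields both the server and the (obfuscated)
// client address, so either one being internal taints the whole address.
func embeddedV4(ip netip.Addr) []netip.Addr {
	if ip.Is4In6() { // ::ffff:a.b.c.d
		return []netip.Addr{ip.Unmap()}
	}
	b := ip.As16()
	switch {
	case prefix6to4.Contains(ip):
		return []netip.Addr{netip.AddrFrom4([4]byte{b[2], b[3], b[4], b[5]})}
	case prefixTeredo.Contains(ip):
		return []netip.Addr{
			netip.AddrFrom4([4]byte{b[4], b[5], b[6], b[7]}),
			netip.AddrFrom4([4]byte{b[12] ^ 0xff, b[13] ^ 0xff, b[14] ^ 0xff, b[15] ^ 0xff}),
		}
	case prefixNAT64.Contains(ip), prefixCompat.Contains(ip):
		return []netip.Addr{netip.AddrFrom4([4]byte{b[12], b[13], b[14], b[15]})}
	}
	return nil
}

// IsInternalIP reports whether s is an address an SSRF guard should refuse to
// connect to. Parse failures are returned as errors so callers can reject
// unparseable hosts rather than silently treating them as external.
func IsInternalIP(s string) (bool, error) {
	ip, err := netip.ParseAddr(s)
	if err != nil {
		return false, err
	}
	// Prefix.Contains never matches an address carrying an IPv6 zone
	// (fe80::1%eth0), so strip the zone before classifying.
	ip = ip.WithZone("")
	if ip.Is4() {
		return inAny(ip, internalV4), nil
	}
	if inAny(ip, internalV6) {
		return true, nil
	}
	for _, v4 := range embeddedV4(ip) {
		if inAny(v4, internalV4) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inputs: plain, CGNAT, mapped, 6to4, NAT64, Teredo, zoned link-local.
	for _, s := range []string{"127.0.0.1", "100.64.1.2", "100.128.0.1", "::ffff:192.168.1.5",
		"2002:0a00:0001::", "64:ff9b::7f00:1", "2001:0:5db8:d822::f5ff:fffe", "fe80::1%eth0", "2606:4700::1111"} {
		internal, err := IsInternalIP(s)
		fmt.Printf("%-30s internal=%v err=%v\n", s, internal, err)
	}
}
```

The point of the embedded-address step is that a plain prefix match on the IPv6 form passes 2002:0a00:0001:: or 64:ff9b::7f00:1 straight through, even though the traffic ends up at 10.0.0.1 or 127.0.0.1. In a real guard this check must also run on every address the hostname resolves to, and again on each redirect target, not just on the URL as submitted.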
Ralph Slooten
136bdde953
Security: Set a default 50MB p/m limit to prevent DoS via unlimited SMTP DATA and /api/v1/send body sizes (GHSA-fpxj-m5q8-fphw)
This is a configurable limit (in MB) which can optionally be disabled by setting it to 0.
2026-05-12 17:22:00 +12:00
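An added Go example, written for this page and not Mailpit's own code, showing the two defensive patterns behind the GHSA-qx5x-85p8-vg4j commit (HTTP data limits plus safe handling of server-supplied message IDs) and the GHSA-fpxj-m5q8-fphw commit above (a byte cap where 0 disables the limit). The identifier pattern, the .eml extension and the helper names are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"regexp"
	"strings"
)

var (
	ErrTooLarge = errors.New("data exceeds configured size limit")
	ErrBadID    = errors.New("message ID is not a safe identifier")
)

// ReadLimited reads r to completion but fails with ErrTooLarge once more than
// maxBytes have arrived, so an oversized SMTP DATA body, API request body or
// HTTP response is never fully buffered. maxBytes == 0 disables the cap.
func ReadLimited(r io.Reader, maxBytes int64) ([]byte, error) {
	if maxBytes <= 0 {
		return io.ReadAll(r)
	}
	// Read one byte past the limit: a body of exactly maxBytes is accepted,
	// anything longer is detected without reading the rest of the stream.
	data, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxBytes {
		return nil, ErrTooLarge
	}
	return data, nil
}

// safeID is an assumed whitelist for message IDs: alphanumeric only, so "..",
// path separators, percent-encoding and NUL bytes can never reach the filesystem.
var safeID = regexp.MustCompile(`^[A-Za-z0-9]{1,64}$`)

// SafeDumpPath maps a message ID received from a possibly hostile remote
// server to a file under outDir. The ID is whitelisted before it is joined,
// and the joined result is checked to still lie inside outDir.
func SafeDumpPath(outDir, id string) (string, error) {
	if !safeID.MatchString(id) {
		return "", ErrBadID
	}
	base, err := filepath.Abs(outDir)
	if err != nil {
		return "", err
	}
	p := filepath.Join(base, id+".eml")
	// Defence in depth: even with the whitelist, refuse anything that escaped base.
	if !strings.HasPrefix(p, base+string(filepath.Separator)) {
		return "", ErrBadID
	}
	return p, nil
}

func main() {
	// Constructed inputs: an in-limit body, an oversized body and two IDs.
	const limit = 16
	if b, err := ReadLimited(strings.NewReader(strings.Repeat("a", 16)), limit); err == nil {
		fmt.Printf("accepted %d bytes\n", len(b))
	}
	if _, err := ReadLimited(strings.NewReader(strings.Repeat("a", 17)), limit); err != nil {
		fmt.Println("rejected:", err)
	}
	for _, id := range []string{"AbC123xyz", "../../etc/passwd"} {
		p, err := SafeDumpPath("dump", id)
		fmt.Printf("%-20q -> path=%q err=%v\n", id, p, err)
	}
}
```

Whitelisting the identifier is the primary control; the prefix check after filepath.Join is there so that a later relaxation of the pattern (for example to allow dots) still cannot produce a write outside the output directory.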
Ralph Slooten
0702241fa5
Fix test expectations and handle Strip function return values in html2text tests
2026-05-09 17:26:15 +12:00
Ralph Slooten
8d72191704
Prevent duplicate extraction calls in the extract function
2026-05-09 17:22:51 +12:00
Ralph Slooten
052afdf929
Rename variable for clarity in extract function
2026-05-09 17:22:07 +12:00
Ralph Slooten
c1fbbffded
Refactor html2text.Strip to return an error and handle it in storage and tools packages
2026-05-09 17:21:36 +12:00
Ralph Slooten
6e2c42d2bc
Improve error handling in autoForwardMessage and ensure proper client closure in createForwardingSMTPClient
2026-05-09 17:16:52 +12:00
Ralph Slooten
da8eb3ece8
Fix: Validate SMTP XCLIENT args before processing
2026-05-09 17:13:22 +12:00
Ralph Slooten
034a480a39
Chore: Refactor addMessageTag function to remove mutex and ensure safe concurrent inserts
2026-05-09 16:48:05 +12:00
Ralph Slooten
f575b53854
Chore: Refactor pruneMessages function to eliminate duplicate ID checks using a map
2026-05-09 16:43:40 +12:00
Ralph Slooten
d469aac87c
Chore: Optimize MarkRead and MarkUnread functions to reduce database calls and improve performance
2026-05-09 16:40:27 +12:00
Ralph Slooten
e4c3442e39
Chore: Enhance SetMessageTags function to improve tag handling and batch deletions
2026-05-09 16:35:21 +12:00
Ralph Slooten
f11fc1ffe0
Chore: Optimize tag retrieval by batching message IDs in List and Search functions
2026-05-09 16:27:58 +12:00
Ralph Slooten
40c5936f79
Chore: Refactor MarkRead and MarkUnread functions to only broadcast changes of modified messages
2026-05-09 16:13:05 +12:00
Ralph Slooten
8bc966e618
Chore: Refactor Prometheus metrics implementation and remove unused dependencies
2026-05-06 16:28:43 +12:00
Ralph Slooten
878c68bb49
Chore: Replace lithammer/shortuuid with custom shortuuid implementation and update tests
2026-05-05 17:09:55 +12:00
Ralph Slooten
123ec9a354
Chore: Remove logrus dependency and implement slog-based logging
2026-05-05 16:48:33 +12:00
Ralph Slooten
794077a836
Use strings.TrimSuffix instead of strings.TrimRight for schema ID extraction
2026-04-04 12:20:33 +13:00
Ralph Slooten
3a4c7766e9
Feature: Add option to disable auto-VACUUMing of the SQLite database (#661)
2026-03-29 17:29:02 +13:00
Ralph Slooten
ee9863289a
Chore: Refactor timezone handling in searchQueryBuilder
2026-03-10 12:07:52 +13:00
Ralph Slooten
fc0b016549
Chore: Improve transaction handling in pruneMessages and fix loop continuation in InitDB
2026-03-10 11:53:36 +13:00
Ralph Slooten
c1db706677
Update inline TLS verification docs for healthcheck and link checks
2026-03-09 12:44:39 +13:00
Ralph Slooten
51e327f259
Fix: Update SQL query to use tenant when using is:tagged filter
2026-03-09 11:37:40 +13:00
Ville Skyttä
ba00ea5a21
Chore: Switch to math/rand/v2
Insignificant as in tests only, but there's no particular reason not to.
2026-03-07 22:54:04 +13:00
Ville Skyttä
2afc52c6fe
Chore: Refactor code with go fix
Done with `go fix ./...` using go 1.26.0.
2026-03-03 16:03:28 +13:00
Ralph Slooten
4f651e4f14
Chore: Update caniemail test database
2026-02-25 12:10:33 +13:00
Ralph Slooten
10ad4df8cc
Security: Prevent Server-Side Request Forgery (SSRF) via Link Check API ([GHSA-mpf7-p9x7-96r3](https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3))
By default all internal HTTP requests are now blocked, unless mailpit is started with the `--allow-internal-http-requests` flag (env `MP_ALLOW_INTERNAL_HTTP_REQUESTS=true`).
2026-02-24 14:22:02 +13:00
Ralph Slooten
632113fcc5
Fix: Include 8BITMIME in SMTPD EHLO response (#648)
2026-02-24 11:25:19 +13:00
Ralph Slooten
e2b1b2d0fe
Code cleanup
2026-02-01 15:58:31 +13:00
Ralph Slooten
5414695508
Test: Add message summary attachment checksum tests
2026-02-01 15:34:06 +13:00
Ralph Slooten
0bfbb4cc5f
Feature: Include message attachment checksums (MD5, SHA1 & SHA256) in API message summary
2026-02-01 15:34:05 +13:00
Ralph Slooten
464ff68c34
Fix: Prevent nested MAIL command during an active SMTP transaction (#623)
2026-01-25 10:05:28 +13:00
Ralph Slooten
9383c5876b
Fix: Ensure SMTP HELO/EHLO command is issued before MAIL FROM as per RFC 5321 (#621)
2026-01-23 17:27:13 +13:00
Ralph Slooten
a3616e52d9
Chore: Increase allowed SMTP email address length to 1024 chars & return clearer SMTP responses for failures (#620)
This goes against the RFC 5321 recommendation; however, enforcing the recommended limits is clearly causing issues with users, and it appears no investigated SMTP servers enforce the strict limits either.
2026-01-23 16:46:29 +13:00
Ralph Slooten
1679a0aba5
Security: Prevent Server-Side Request Forgery (SSRF) via HTML Check API ([GHSA-6jxm-fv7w-rw5j](https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j))
2026-01-18 11:58:24 +13:00
Ralph Slooten
4a4c149eed
Formatting
2026-01-18 11:57:23 +13:00