
Mailpit

v1.28.3 (security release)

This release includes two security fixes, tracked as GitHub security advisories GHSA-54wq-72mp-cq7c and GHSA-6jxm-fv7w-rw5j (both rated moderate); teams running exposed Mailpit deployments should review them and upgrade.

Published 4 months ago · Communication & Email

Topics

email-testing, go, mailpit, pop3-server, smtp-relay, smtp-server, smtp-testing

Affected surfaces

SSRF via the HTML Check API; header injection via SMTP envelope (MAIL FROM / RCPT TO) addresses

Summary

Security release fixing two moderate advisories: SMTP TO and FROM addresses are now required to be RFC 5322 compliant, which blocks header injection through envelope addresses, and a Server-Side Request Forgery (SSRF) via the HTML Check API is closed. The release also carries bug fixes, Go and node dependency updates, and new tests.

Full changelog

This release includes two important security fixes, so upgrading is recommended.

This is a security release which addresses two separate moderate security advisories (see below). A huge thanks to the security researchers (@omarkurt & @mdisec) who reported these issues responsibly.

The release also includes a few bug fixes, dependency updates, and test improvements.

Security

  • Ensure SMTP TO & FROM addresses are RFC 5322 compliant and prevent header injection (GHSA-54wq-72mp-cq7c)
  • Prevent Server-Side Request Forgery (SSRF) via HTML Check API (GHSA-6jxm-fv7w-rw5j)
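The second advisory concerns an API that fetches content from a client-supplied location on the server's behalf. What an SSRF guard for such an endpoint looks like, as an added example that is not Mailpit's code and does not reproduce the patched fix: only http and https are allowed, the host is resolved before any connection is made, and every resolved address is checked against loopback, private, link-local, multicast and reserved ranges. `SafeTarget`, `constructedResolver` and the hostnames in its lookup table are assumptions made for this example; the resolver is injectable so the program runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Added example, not Mailpit's code. The resolver is passed in so the example
// can run without network access; a real service would pass net.LookupIP.
type lookupFunc func(host string) ([]net.IP, error)

// blockedCIDRs are ranges a server-side fetcher must never reach for a client:
// "this host", RFC 1918, CGNAT, loopback, link-local (cloud metadata lives
// here), multicast, reserved, and their IPv6 counterparts. IPv4-mapped IPv6
// addresses such as ::ffff:127.0.0.1 are matched because net.IPNet.Contains
// normalises them to IPv4 before comparing.
var blockedCIDRs = mustParseCIDRs(
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
	"172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
	"::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isPublicIP reports whether ip falls outside every blocked range.
func isPublicIP(ip net.IP) bool {
	for _, n := range blockedCIDRs {
		if n.Contains(ip) {
			return false
		}
	}
	return true
}

// SafeTarget validates raw as a fetch target and returns the resolved IP the
// caller should connect to, or an error saying why the target was refused.
func SafeTarget(raw string, lookup lookupFunc) (net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname() // strips the port and any IPv6 brackets
	if host == "" {
		return nil, errors.New("empty host")
	}
	ips, err := lookup(host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("no addresses for %q", host)
	}
	// Every address must be public: a name that resolves to both a public and
	// a private address is still an SSRF vector.
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return nil, fmt.Errorf("host %q resolves to non-public address %s", host, ip)
		}
	}
	return ips[0], nil
}

// constructedResolver stands in for DNS. The names and addresses are made up
// for this example; "rebind.attacker" mimics a name with a mixed answer.
func constructedResolver(host string) ([]net.IP, error) {
	if ip := net.ParseIP(host); ip != nil { // literal IP, no lookup needed
		return []net.IP{ip}, nil
	}
	table := map[string][]net.IP{
		"example.com":     {net.ParseIP("93.184.216.34")},
		"metadata.local":  {net.ParseIP("169.254.169.254")},
		"rebind.attacker": {net.ParseIP("93.184.216.34"), net.ParseIP("10.0.0.5")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("unknown host %q", host)
}

func main() {
	for _, raw := range []string{
		"https://example.com/page.html",
		"http://127.0.0.1:8025/api/v1/messages",
		"http://[::ffff:127.0.0.1]/",
		"http://metadata.local/latest/meta-data/",
		"http://rebind.attacker/",
		"file:///etc/passwd",
	} {
		ip, err := SafeTarget(raw, constructedResolver)
		if err != nil {
			fmt.Printf("REFUSED %-42s %v\n", raw, err)
			continue
		}
		fmt.Printf("ALLOWED %-42s -> %s\n", raw, ip)
	}
}
```

In a real handler, dial the IP that `SafeTarget` returned (keeping the original hostname for the Host header and TLS SNI) rather than letting the HTTP client resolve the name a second time, so a DNS rebinding attacker cannot answer the second lookup with an internal address. Redirects need the same treatment: either disable them or re-run the check on every redirect target, since a public host is free to 302 to an internal one.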

Chore

  • Fix formatting and update reporting instructions in SECURITY.md (#614)
  • Allow @ character in message tags & set max length to 100 characters per tag
  • Update Go dependencies
  • Update node dependencies

Fix

  • Correctly render default addresses in release modal after settings change (#594)
  • Correctly detect macOS group in install.sh (#619)
  • Auto-tagging by SMTP username with PLAIN auth (#617)
  • Validate maximum lengths of email addresses - RFC 5321 (section 4.5.3.1)
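The RFC 5322 compliance fix in the Security section and the RFC 5321 length validation above are two layers of the same envelope-address check. As an added example, not Mailpit's own implementation, the validator below does both for a MAIL FROM / RCPT TO argument: CR, LF and other control bytes are rejected on the raw input before any parsing (the header-injection case), `net/mail` from the standard library is then used as the RFC 5322 parser, and the RFC 5321 section 4.5.3.1 limits (64-octet local-part, 255-octet domain, 256-octet path) are enforced on what survives. `ValidateSMTPAddress`, `ErrInjection` and the sample inputs in `main` are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// Added example, not Mailpit's code. RFC 5321 section 4.5.3.1 size limits.
const (
	maxLocalPart = 64
	maxDomain    = 255
	maxPath      = 256 // the whole path, including the surrounding "<" and ">"
)

var ErrInjection = errors.New("address contains CR, LF or another control character")

// ValidateSMTPAddress takes the argument as received on the wire, for example
// "<user@example.com>" or "user@example.com", and returns the bare address or
// an error explaining why it was refused.
func ValidateSMTPAddress(arg string) (string, error) {
	// Injection check first, on the raw bytes, before any parser touches them.
	// If this string were stored and later written out as a header line, an
	// embedded CR/LF would start a new header of the attacker's choosing.
	for i := 0; i < len(arg); i++ {
		if c := arg[i]; c < 0x20 || c == 0x7f {
			return "", ErrInjection
		}
	}
	if len(arg) > maxPath {
		return "", fmt.Errorf("path longer than %d octets", maxPath)
	}
	addr := strings.TrimSpace(arg)
	if strings.HasPrefix(addr, "<") != strings.HasSuffix(addr, ">") {
		return "", errors.New("unbalanced angle brackets")
	}
	addr = strings.TrimSuffix(strings.TrimPrefix(addr, "<"), ">")
	if addr == "" {
		return "", errors.New("empty address")
	}
	// net/mail implements RFC 5322. Display names, comments and groups are
	// legal in message headers but have no place in an SMTP envelope, so
	// anything the parser does not hand back unchanged is refused.
	parsed, err := mail.ParseAddress(addr)
	if err != nil {
		return "", fmt.Errorf("not RFC 5322 compliant: %w", err)
	}
	if parsed.Name != "" || parsed.Address != addr {
		return "", errors.New("envelope address must be a bare addr-spec")
	}
	at := strings.LastIndex(addr, "@")
	if at <= 0 || at == len(addr)-1 {
		return "", errors.New("missing local-part or domain")
	}
	if local := addr[:at]; len(local) > maxLocalPart {
		return "", fmt.Errorf("local-part longer than %d octets", maxLocalPart)
	}
	if domain := addr[at+1:]; len(domain) > maxDomain {
		return "", fmt.Errorf("domain longer than %d octets", maxDomain)
	}
	return addr, nil
}

func main() {
	// Constructed inputs: a normal envelope, two injection attempts, a
	// display name, and an over-long local-part.
	inputs := []string{
		"<alice@example.com>",
		"alice@example.com\r\nBcc: victim@example.net",
		"<alice@example.com>\nX-Injected: 1",
		"Alice <alice@example.com>",
		"<" + strings.Repeat("a", 65) + "@example.com>",
	}
	for _, in := range inputs {
		if addr, err := ValidateSMTPAddress(in); err != nil {
			fmt.Printf("REFUSED %q: %v\n", in, err)
		} else {
			fmt.Printf("OK      %s\n", addr)
		}
	}
}
```

Doing the control-character check on the raw bytes, rather than relying on the parser, keeps the outcome independent of how forgiving the parser is: a lenient parser that stops at the first whitespace would accept `alice@example.com\r\nBcc: ...` and return a clean-looking address while the original string still carries the injected line.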

Test

  • Update tag tests with length limits and @ character
  • Add SMTP tests for RFC 5322 address compliance and header injection
  • Add maximum email length validation tests - RFC 5321 (section 4.5.3.1)


About Mailpit

Email testing tool and API for developers
