Merge branch 'release/v1.8.0'

CHANGELOG.md

@@ -2,6 +2,30 @@
 
 Notable changes to Mailpit will be documented in this file.
 
+## [v1.8.0]
+
+### Docs
+- Update brew installation instructions
+
+### Feature
+- HTML check to test & score mail client compatibility with HTML emails
+
+### Fix
+- Add basePath to swagger.json if webroot is specified
+
+### Libs
+- Update node modules
+- Update Go modules
+
+### Swagger
+- Update swagger docs
+
+### UI
+- Add flag to block all access to remote CSS and fonts (CSP)
+- Remove `<base />` tag if set in HTML preview
+- Pagination support for search, all results
+
+
 ## [v1.7.1]
 
 ### Libs

README.md

@@ -20,6 +20,7 @@ Mailpit is inspired by [MailHog](#why-rewrite-mailhog), but modern and much, muc
 - Runs entirely from a single binary, no installation required
 - SMTP server (default `0.0.0.0:1025`)
 - Web UI to view emails (formatted HTML, highlighted HTML source, text, headers, raw source and MIME attachments including image thumbnails)
+- HTML check to test & score mail client compatibility with HTML emails
 - Light & dark web UI theme with auto-detect
 - Mobile and tablet HTML preview toggle in desktop mode
 - Advanced mail search ([see wiki](https://github.com/axllent/mailpit/wiki/Mail-search))
@@ -46,7 +47,7 @@ Mailpit runs as a single binary and can be installed in different ways:
 
 ### Install via Brew (Mac)
 
-Add the repository to your taps with `brew tap axllent/apps`, and then install Mailpit with `brew install mailpit`.
+Install Mailpit with `brew install mailpit`.
 
 
 ### Install via bash script (Linux & Mac)

cmd/root.go

@@ -88,6 +88,8 @@ func init() {
 	rootCmd.Flags().StringVar(&server.AccessControlAllowOrigin, "api-cors", server.AccessControlAllowOrigin, "Set API CORS Access-Control-Allow-Origin header")
 	rootCmd.Flags().BoolVar(&config.UseMessageDates, "use-message-dates", config.UseMessageDates, "Use message dates as the received dates")
 	rootCmd.Flags().BoolVar(&config.IgnoreDuplicateIDs, "ignore-duplicate-ids", config.IgnoreDuplicateIDs, "Ignore duplicate messages (by Message-Id)")
+	rootCmd.Flags().BoolVar(&config.DisableHTMLCheck, "disable-html-check", config.DisableHTMLCheck, "Disable the HTML check functionality (web UI & API)")
+	rootCmd.Flags().BoolVar(&config.BlockRemoteCSSAndFonts, "block-remote-css-and-fonts", config.BlockRemoteCSSAndFonts, "Block access to remote CSS & fonts")
 
 	rootCmd.Flags().StringVar(&config.UIAuthFile, "ui-auth-file", config.UIAuthFile, "A password file for web UI authentication")
 	rootCmd.Flags().StringVar(&config.UITLSCert, "ui-tls-cert", config.UITLSCert, "TLS certificate for web UI (HTTPS) - requires ui-tls-key")
@@ -205,6 +207,12 @@ func initConfigFromEnv() {
 	if getEnabledFromEnv("MP_IGNORE_DUPLICATE_IDS") {
 		config.IgnoreDuplicateIDs = true
 	}
+	if getEnabledFromEnv("MP_DISABLE_HTML_CHECK") {
+		config.DisableHTMLCheck = true
+	}
+	if getEnabledFromEnv("MP_BLOCK_REMOTE_CSS_AND_FONTS") {
+		config.BlockRemoteCSSAndFonts = true
+	}
 	if getEnabledFromEnv("MP_QUIET") {
 		logger.QuietLogging = true
 	}

config/config.go

@@ -69,6 +69,12 @@ var (
 	// IgnoreDuplicateIDs will skip messages with the same ID
 	IgnoreDuplicateIDs bool
 
+	// DisableHTMLCheck used to disable the HTML check in bother the API and web UI
+	DisableHTMLCheck = false
+
+	// BlockRemoteCSSAndFonts used to disable remote CSS & fonts
+	BlockRemoteCSSAndFonts = false
+
 	// SMTPCLITags is used to map the CLI args
 	SMTPCLITags string
 
@@ -91,8 +97,8 @@ var (
 	// Use with extreme caution!
 	SMTPRelayAllIncoming = false
 
-	// ContentSecurityPolicy for HTTP server
-	ContentSecurityPolicy = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self'; img-src * data: blob:; font-src 'self' data:; media-src 'self'; connect-src 'self' ws: wss:; object-src 'none'; base-uri 'self';"
+	// ContentSecurityPolicy for HTTP server - set via VerifyConfig()
+	ContentSecurityPolicy string
 
 	// Version is the default application version, updated on release
 	Version = "dev"
@@ -127,6 +133,15 @@ type smtpRelayConfigStruct struct {
 
 // VerifyConfig wil do some basic checking
 func VerifyConfig() error {
+	cssFontRestriction := "*"
+	if BlockRemoteCSSAndFonts {
+		cssFontRestriction = "'self'"
+	}
+
+	ContentSecurityPolicy = fmt.Sprintf("default-src 'self'; script-src 'self'; style-src %s 'unsafe-inline'; frame-src 'self'; img-src * data: blob:; font-src %s data:; media-src 'self'; connect-src 'self' ws: wss:; object-src 'none'; base-uri 'self';",
+		cssFontRestriction, cssFontRestriction,
+	)
+
 	if DataFile != "" && isDir(DataFile) {
 		DataFile = filepath.Join(DataFile, "mailpit.db")
 	}

docs/apiv1/Messages.md

@@ -29,7 +29,7 @@ List messages in the mailbox. Messages are returned in the order of latest recei
 {
   "total": 500,
   "unread": 500,
-  "count": 50,
+  "messages_count": 50,
   "start": 0,
   "tags": ["test"],
   "messages": [
@@ -69,7 +69,7 @@ List messages in the mailbox. Messages are returned in the order of latest recei
 
 - `total` - Total messages in mailbox
 - `unread` - Total unread messages in mailbox
-- `count` - Number of messages returned in request
+- `messages_count` - Total number of messages in mailbox
 - `start` - The offset (default `0`) for pagination
 - `Read` - The read/unread status of the message
 - `From` - Name & Address, or null if none

docs/apiv1/Search.md

@@ -25,7 +25,7 @@ Matching messages are returned in the order of latest received to oldest.
 {
   "total": 500,
   "unread": 500,
-  "count": 25,
+  "messages_count": 25,
   "start": 0,
   "messages": [
     {
@@ -63,7 +63,7 @@ Matching messages are returned in the order of latest received to oldest.
 
 - `total` - Total messages in mailbox (all messages, not search)
 - `unread` - Total unread messages in mailbox (all messages, not search)
-- `count` - Number of messages returned in request
+- `messages_count` - Total number of messages matching search
 - `start` - The offset (default `0`) for pagination
 - `From` - Singular Name & Address, or null if none
 - `To`, `CC`, `BCC` - Array of Name & Address

go.mod

@@ -4,8 +4,10 @@ go 1.18
 
 require (
 	github.com/GuiaBolso/darwin v0.0.0-20191218124601-fd6d2aa3d244
+	github.com/PuerkitoBio/goquery v1.8.1
 	github.com/axllent/semver v0.0.1
 	github.com/disintegration/imaging v1.6.2
+	github.com/gomarkdown/markdown v0.0.0-20230716120725-531d2d74bc12
 	github.com/gorilla/mux v1.8.0
 	github.com/gorilla/websocket v1.5.0
 	github.com/jhillyerd/enmime v1.0.0
@@ -20,36 +22,40 @@ require (
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
 	github.com/tg123/go-htpasswd v1.2.1
+	github.com/vanng822/go-premailer v1.20.2
+	golang.org/x/net v0.12.0
 	golang.org/x/text v0.11.0
 	gopkg.in/yaml.v3 v3.0.1
-	modernc.org/sqlite v1.23.1
+	modernc.org/sqlite v1.24.0
 )
 
 require (
 	github.com/DATA-DOG/go-sqlmock v1.5.0 // indirect
 	github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 // indirect
+	github.com/andybalholm/cascadia v1.3.2 // indirect
 	github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect
 	github.com/cznic/ql v1.2.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f // indirect
 	github.com/google/uuid v1.3.0 // indirect
+	github.com/gorilla/css v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jaytaylor/html2text v0.0.0-20230321000545-74c2419ad056 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
-	github.com/mattn/go-runewidth v0.0.14 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/reiver/go-oi v1.0.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/vanng822/css v1.0.1 // indirect
 	golang.org/x/crypto v0.11.0 // indirect
 	golang.org/x/image v0.9.0 // indirect
 	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/net v0.12.0 // indirect
 	golang.org/x/sys v0.10.0 // indirect
 	golang.org/x/tools v0.11.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect