emailengine-app 2.67.3 → 2.68.1

package/.github/codeql/codeql-config.yml

@@ -0,0 +1,16 @@
+name: "EmailEngine CodeQL config"
+
+# Exclude code that is not part of the production runtime from analysis.
+# These paths generate only false-positive noise:
+#   - test fixtures intentionally disable TLS verification, build shell
+#     commands from fixed paths, etc.
+#   - vendored third-party browser assets (Bootstrap and other bundles) ship
+#     with their own known patterns and are not maintained here
+#   - developer helper scripts (e.g. test-token refresh) deliberately print
+#     tokens to the console for local debugging
+paths-ignore:
+    - test
+    - '**/test/**'
+    - scripts
+    - static/bootstrap-4.6.2-dist
+    - static/vendor

package/.github/workflows/codeql.yml

@@ -0,0 +1,102 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: '40 17 * * 6'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: actions
+          build-mode: none
+        - language: javascript-typescript
+          build-mode: none
+        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Add any setup steps before running the `github/codeql-action/init` action.
+    # This includes steps like installing compilers or runtimes (`actions/setup-node`
+    # or others). This is typically only required for manual builds.
+    # - name: Setup runtime (example)
+    #   uses: actions/setup-example@v1
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v4
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        config-file: ./.github/codeql/codeql-config.yml
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+    - name: Run manual build steps
+      if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v4
+      with:
+        category: "/language:${{matrix.language}}"

package/.github/workflows/deploy.yml

@@ -5,6 +5,9 @@ on:
 
 name: Deploy test instance and Docker image
 
+permissions:
+    contents: read
+
 concurrency:
     group: ${{ github.workflow }}-${{ github.ref }}
     cancel-in-progress: true
@@ -60,6 +63,9 @@ jobs:
     docker:
         name: Build Docker Image
         runs-on: ubuntu-24.04
+        permissions:
+            contents: read
+            packages: write
 
         steps:
             - name: Checkout

package/.github/workflows/test.yml

@@ -4,6 +4,9 @@ on:
     push:
     pull_request:
 
+permissions:
+    contents: read
+
 concurrency:
     group: ${{ github.workflow }}-${{ github.ref }}
     cancel-in-progress: true
@@ -88,3 +91,6 @@ jobs:
                   GMAIL_SERVICE_POSTALSYS_SERVICE_EMAIL: ${{ secrets.GMAIL_SERVICE_POSTALSYS_SERVICE_EMAIL }}
                   GMAIL_SERVICE_POSTALSYS_KEY: ${{ secrets.GMAIL_SERVICE_POSTALSYS_KEY }}
                   GMAIL_SERVICE_POSTALSYS_ACCOUNT_EMAIL: ${{ secrets.GMAIL_SERVICE_POSTALSYS_ACCOUNT_EMAIL }}
+                  GMAIL_WIF_SA_KEY: ${{ secrets.GMAIL_WIF_SA_KEY }}
+                  GMAIL_WIF_AUDIENCE: ${{ secrets.GMAIL_WIF_AUDIENCE }}
+                  GMAIL_WIF_ACCOUNT_EMAIL: ${{ secrets.GMAIL_WIF_ACCOUNT_EMAIL }}

package/CHANGELOG.md

@@ -1,5 +1,41 @@
 # Changelog
 
+## [2.68.1](https://github.com/postalsys/emailengine/compare/v2.68.0...v2.68.1) (2026-06-01)
+
+
+### Bug Fixes
+
+* harden mergeObjects and tighten CodeQL scanning ([d35025d](https://github.com/postalsys/emailengine/commit/d35025daabf8fe7b3f5200b0000f52c3a012f4eb))
+* prevent IMAP proxy worker crashes and connection leaks ([#596](https://github.com/postalsys/emailengine/issues/596)) ([4453330](https://github.com/postalsys/emailengine/commit/4453330ad38fb3e64692add1357d48227e1956e0))
+* stop referencing prepared password string in error log ([50cdb89](https://github.com/postalsys/emailengine/commit/50cdb8998e27f33f700f267cb39ddba39e7d32d0))
+
+## [2.68.0](https://github.com/postalsys/emailengine/compare/v2.67.3...v2.68.0) (2026-05-26)
+
+
+### Features
+
+* accept threadId on the submit reference object ([b1b3dc7](https://github.com/postalsys/emailengine/commit/b1b3dc73ec5870a7a8ab9f0844055822ad046d2a))
+* add direct account registration for email service account apps ([6602b2e](https://github.com/postalsys/emailengine/commit/6602b2ee3f851bcfec00b34e70756007763f5490))
+* add OAuth2 app "Verify setup" diagnostic ([cba9f58](https://github.com/postalsys/emailengine/commit/cba9f58bc58a434c6156cd2e55fee655336a4cf4))
+* add Workload Identity Federation for Gmail service accounts ([1879c5a](https://github.com/postalsys/emailengine/commit/1879c5aaf30ccff1879e74d28b0c76e25b3d77ae))
+* lock Gmail auth method display after app creation ([6ba16c2](https://github.com/postalsys/emailengine/commit/6ba16c2fbca571d500b21be776dbf5eb76fcf8a1))
+* revoke upstream OAuth2 grant on account delete via ?revoke=true ([2a8c8fa](https://github.com/postalsys/emailengine/commit/2a8c8faf7f63acfab31998fb067289d4c6bd2f09))
+* revoke upstream OAuth2 grant on account delete via ?revoke=true ([15bc43a](https://github.com/postalsys/emailengine/commit/15bc43ae0f8dbf70021a1e13de55c80ec7271a15))
+* use tabs for Gmail auth method and lock it after creation ([6c74521](https://github.com/postalsys/emailengine/commit/6c7452138c257ecf0667aa9b44d1fa91186e2302))
+
+
+### Bug Fixes
+
+* clearer error when loading wrong file into WIF config field ([40686d4](https://github.com/postalsys/emailengine/commit/40686d409229347193c1e153e9e47f98b5de86dc))
+* flag WIF support in the gmailService form intro ([61fab27](https://github.com/postalsys/emailengine/commit/61fab2720aa2f289a944ae99629bc47ada8e9e09))
+* force-exit external-account-signer test to unblock CI ([f4a1e4e](https://github.com/postalsys/emailengine/commit/f4a1e4e50ac890d7771e38181a9488837c67757a))
+* let npm run gettext parse object spread and drop non-ASCII from template ([195ce60](https://github.com/postalsys/emailengine/commit/195ce601db50f394164ca05e2efb6de4b784a77a))
+* mask externalAccount in OAuth2 app API responses ([fac18bf](https://github.com/postalsys/emailengine/commit/fac18bfdc11d5d252e0d93980aad7c90d92b246f))
+* pkg config options must be a string array ([6c4702d](https://github.com/postalsys/emailengine/commit/6c4702dbc85171a2987b8cfb6e5a3dc3d656a99d))
+* prefer refresh token and skip gmailService when revoking on delete ([e0dbea8](https://github.com/postalsys/emailengine/commit/e0dbea8a4cd4804bf64d50523c8a1152c2119e26))
+* relax cross-folder assertion in Graph API parentFolderId test ([770279d](https://github.com/postalsys/emailengine/commit/770279ded669efdc5d6a2c33d05290daf91251ea))
+* right-align the service account Add account button ([c6f77b9](https://github.com/postalsys/emailengine/commit/c6f77b9777fb1cb9b1449662d05d4887e36a6ad8))
+
 ## [2.67.3](https://github.com/postalsys/emailengine/compare/v2.67.2...v2.67.3) (2026-04-21)
 
 

package/SECURITY.md

@@ -0,0 +1,80 @@
+# Security Policy
+
+EmailEngine is a self-hosted email integration platform that stores email
+account credentials and proxies access to IMAP/SMTP, the Gmail API, and the
+Microsoft Graph API. Because it handles sensitive credentials and message
+content, we take security reports seriously and aim to respond quickly.
+
+## Supported Versions
+
+Security fixes are released only against the latest version. We do not backport
+patches to older releases - upgrading to the current release line is the
+supported way to receive security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 2.x     | :white_check_mark: |
+| < 2.0   | :x:                |
+
+If you are on an older version, please upgrade. See the release notes at
+<https://github.com/postalsys/emailengine/releases> before updating.
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues,
+pull requests, or discussions.**
+
+Report privately through one of the following channels:
+
+1. **GitHub Security Advisories (preferred).** Open a private report at
+   <https://github.com/postalsys/emailengine/security/advisories/new>. This keeps
+   the discussion private until a fix is published and lets us credit you.
+2. **Email.** Send details to **andris@postalsys.com** (the contact listed in
+   [`SECURITY.txt`](SECURITY.txt)). Encrypt sensitive details if possible.
+
+When reporting, please include as much of the following as you can:
+
+- The affected version(s) and environment (EmailEngine version, Node.js version,
+  OS, deployment method - npm, Docker, or prebuilt binary).
+- The component involved (e.g. REST API, admin web UI, OAuth2 flows, IMAP/SMTP
+  proxy server, webhook delivery, credential encryption, the export pipeline).
+- A clear description of the issue and its impact (e.g. authentication bypass,
+  privilege escalation, credential disclosure, SSRF, injection, information
+  disclosure, denial of service).
+- A minimal proof of concept or reproduction steps.
+- Any suggested remediation, if you have one.
+
+We are a small team, so there is no guaranteed response time - sometimes reports
+are handled within hours, sometimes they take longer. Accepted issues are fixed
+in a new release and coordinated through a GitHub Security Advisory, and
+reporters who wish to be named are credited.
+
+## CVEs
+
+We track and disclose vulnerabilities through GitHub Security Advisories. We do
+not request or manage CVE identifiers ourselves. If you need a CVE assigned for a
+reported issue, please request one yourself - for example, through GitHub's own
+CVE request flow on the published advisory, or another CNA.
+
+## Scope
+
+In scope: the EmailEngine application source in this repository - the REST API
+and admin web UI (authentication, session and token handling, CSRF protection),
+OAuth2 application handling, credential encryption at rest, the IMAP/SMTP and
+IMAP proxy servers, webhook delivery (including custom filter/transform
+functions), the export pipeline, and inter-worker communication.
+
+Out of scope:
+
+- Vulnerabilities in your own application code that integrates with EmailEngine.
+- Misconfiguration of your deployment - for example, exposing the admin
+  interface or REST API to untrusted networks, weak service secrets, an
+  unauthenticated or publicly reachable Redis instance, or missing TLS.
+- Issues that require an already-compromised host or pre-existing administrator
+  access.
+- Vulnerabilities in third-party email providers and services that EmailEngine
+  connects to (Gmail, Microsoft 365, arbitrary IMAP/SMTP servers).
+- Social-engineering reports and missing security headers without a
+  demonstrated, concrete impact.
+
+Thank you for helping keep EmailEngine and its users safe.

package/SECURITY.txt

@@ -0,0 +1,27 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+Contact: https://github.com/postalsys/emailengine/security/advisories/new
+Contact: mailto:andris@postalsys.com
+Expires: 2027-06-01T00:00:00.000Z
+Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/5D952A46E1D8C931F6364E01DC6C83F4D584D364
+Preferred-Languages: en, et
+Canonical: https://github.com/postalsys/emailengine/blob/master/SECURITY.txt
+Policy: https://github.com/postalsys/emailengine/blob/master/SECURITY.md
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCAA5FiEEXZUqRuHYyTH2Nk4B3GyD9NWE02QFAmodKpsbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJENxsg/TVhNNkbcEP/j1v3M9ebklJgaCxkVEl
+xij24q4p+28s1ywf4y/aquBtcVkWd+y6vjG/f4RUUUtaSVChvnI5en14X8QuuSnk
+egsRARvCY9E2dbodMSyDUMWS8slRcFTDczQJhtXBD8Fu+/tWPj1UfQ8xR87ZUZ5b
+nOgCfCFnvSuDh9KBauUKZcSyuLCJ5saBuZ3RACzmz57wpzFE3vi4/q4tQAaBM5Za
+m4293Yx8ioX01S3nR5VRL8dlpdMEFy0dj66v/OFu4p3MjGf+0cpmZ7YKC8U5PhNQ
+FcQMTNkfBtkgc5lj42cKV8BBhCtN2og3u+Bhih0h0XItv4b/o9rWBtivXIQcHdtl
+WyGrrbgfGl503aVj8N0cIQ1eaWAbuRRJVHwF/G11sX6ZvhiLHdHf5YSjOrmyhSmx
+6t2gsKMrrvoODRUOqpu8ll8Rosu6m/EaNWgh9KXJyYqgQqGS+NeQHcC51fWMLjxd
+7zvYrNKqhMEU8e6siyLdJJgqAJCCtl9vS/kLItPz9hBk3KE2/kXfvQc6OF4I4ziU
+3/Edf1v37koEnT07P5HdiGgUo+u4Vo8OUEm5Ih88EWaWijHGLPeJ0NyMfkwsveTw
+n1z7pmCdZ+B9pglRGx3Mae7P8L1s1LeL8cQWo4QZ2nUcA5vtOiWfDAywlrN0mSNv
+lfeE0/subU9kC04LRJ6NUhZp
+=8lqK
+-----END PGP SIGNATURE-----

package/data/google-crawlers.json

@@ -1,5 +1,5 @@
 {
-    "creationTime": "2026-04-16T14:45:56.000000",
+    "creationTime": "2026-05-29T14:45:42.000000",
     "prefixes": [
         {
             "ipv6Prefix": "2001:4860:4801:2008::/64"
@@ -307,6 +307,9 @@
         {
             "ipv6Prefix": "2001:4860:4801:207d::/64"
         },
+        {
+            "ipv6Prefix": "2001:4860:4801:207e::/64"
+        },
         {
             "ipv6Prefix": "2001:4860:4801:2080::/64"
         },
@@ -790,6 +793,9 @@
         {
             "ipv4Prefix": "74.125.219.160/27"
         },
+        {
+            "ipv4Prefix": "74.125.219.192/27"
+        },
         {
             "ipv4Prefix": "74.125.219.32/27"
         },

package/lib/account.js

@@ -977,9 +977,32 @@ class Account {
         return { account: this.account, state };
     }
 
-    async delete() {
+    async delete(opts) {
+        opts = opts || {};
+
         let accountData = await this.loadAccountData(this.account);
 
+        if (opts.revoke && accountData.oauth2?.provider) {
+            // Prefer refresh token over access token: revoking either invalidates the grant per Google's docs,
+            // but the stored access token may be expired (a 400 from the provider would leave the grant intact),
+            // while the refresh token is long-lived. Skip gmailService - Workspace service accounts have no
+            // per-user grant to revoke.
+            let token = accountData.oauth2.refreshToken || accountData.oauth2.accessToken;
+            if (token) {
+                try {
+                    let oauth2App = await oauth2Apps.get(accountData.oauth2.provider);
+                    if (oauth2App && oauth2App.provider !== 'gmailService') {
+                        let oauthClient = await oauth2Apps.getClient(accountData.oauth2.provider, { logger: this.logger });
+                        if (oauthClient && typeof oauthClient.revokeToken === 'function') {
+                            await oauthClient.revokeToken(token);
+                        }
+                    }
+                } catch (err) {
+                    this.logger.warn({ msg: 'Failed to revoke OAuth2 grant before account delete', account: this.account, err });
+                }
+            }
+        }
+
         const dateKeyTdy = new Date().toISOString().substring(0, 10).replace(/-/g, '');
         const dateKeyYdy = new Date(Date.now() - 24 * 3600 * 1000).toISOString().substring(0, 10).replace(/-/g, '');
 

package/lib/api-routes/account-routes.js

@@ -530,7 +530,7 @@ async function init(args) {
             });
 
             try {
-                return await accountObject.delete();
+                return await accountObject.delete({ revoke: request.query.revoke });
             } catch (err) {
                 request.logger.error({ msg: 'API request failed', err });
                 if (Boom.isBoom(err)) {
@@ -545,7 +545,7 @@ async function init(args) {
         },
         options: {
             description: 'Remove account',
-            notes: "Stop processing and clear the account's cache",
+            notes: "Stop processing and clear the account's cache. Pass revoke=true to also attempt revocation of the upstream OAuth2 grant at the provider before the account is removed.",
 
             tags: ['api', 'Account'],
 
@@ -567,6 +567,16 @@ async function init(args) {
 
                 params: Joi.object({
                     account: accountIdSchema.required()
+                }),
+
+                query: Joi.object({
+                    revoke: Joi.boolean()
+                        .truthy('Y', 'true', '1')
+                        .falsy('N', 'false', 0)
+                        .default(false)
+                        .description(
+                            'If true, EmailEngine attempts to revoke the upstream OAuth2 grant at the provider before deleting the account. Currently supported for individual Gmail OAuth grants. For Gmail Workspace service-account integrations (gmailService), Outlook, and non-OAuth2 accounts the flag is a no-op. Revoke failures are logged and do not block deletion.'
+                        )
                 })
             },
 

package/lib/email-client/base-client.js

@@ -1687,8 +1687,8 @@ class BaseClient {
                     data.reference.update = true;
                 }
 
-                // Preserve thread ID
-                if (referencedMessage.threadId) {
+                // Preserve thread ID, but let a caller-supplied threadId win
+                if (!data.reference.threadId && referencedMessage.threadId) {
                     data.reference.threadId = referencedMessage.threadId;
                 }
 
@@ -1906,15 +1906,18 @@ class BaseClient {
                 messageId
             };
 
-            if (data.reference && data.reference.message) {
-                response.reference = {
-                    message: data.reference.message,
-                    documentStore: documentStoreUsed,
-                    success: referencedMessage ? true : false
-                };
-
-                if (!referencedMessage) {
-                    response.reference.error = 'Referenced message was not found';
+            if (data.reference && (data.reference.message || data.reference.threadId)) {
+                response.reference = {};
+                if (data.reference.message) {
+                    response.reference.message = data.reference.message;
+                    response.reference.documentStore = documentStoreUsed;
+                    response.reference.success = referencedMessage ? true : false;
+                    if (!referencedMessage) {
+                        response.reference.error = 'Referenced message was not found';
+                    }
+                }
+                if (data.reference.threadId) {
+                    response.reference.threadId = data.reference.threadId;
                 }
             }
 
@@ -2069,15 +2072,18 @@ class BaseClient {
             queueId
         };
 
-        if (data.reference && data.reference.message) {
-            response.reference = {
-                message: data.reference.message,
-                documentStore: documentStoreUsed,
-                success: referencedMessage ? true : false
-            };
-
-            if (!referencedMessage) {
-                response.reference.error = 'Referenced message was not found';
+        if (data.reference && (data.reference.message || data.reference.threadId)) {
+            response.reference = {};
+            if (data.reference.message) {
+                response.reference.message = data.reference.message;
+                response.reference.documentStore = documentStoreUsed;
+                response.reference.success = referencedMessage ? true : false;
+                if (!referencedMessage) {
+                    response.reference.error = 'Referenced message was not found';
+                }
+            }
+            if (data.reference.threadId) {
+                response.reference.threadId = data.reference.threadId;
             }
         }
 

package/lib/email-client/gmail-client.js

@@ -1502,9 +1502,8 @@ class GmailClient extends BaseClient {
             raw: raw.toString('base64url')
         };
 
-        // Maintain thread if replying
-        if (referencedMessage?.threadId) {
-            payload.threadId = referencedMessage.threadId;
+        if (data.reference?.threadId) {
+            payload.threadId = data.reference.threadId;
         }
 
         let uploadInfo;
@@ -1533,15 +1532,18 @@ class GmailClient extends BaseClient {
             messageId
         };
 
-        if (data.reference && data.reference.message) {
-            response.reference = {
-                message: data.reference.message,
-                documentStore: documentStoreUsed,
-                success: referencedMessage ? true : false
-            };
-
-            if (!referencedMessage) {
-                response.reference.error = 'Referenced message was not found';
+        if (data.reference && (data.reference.message || data.reference.threadId)) {
+            response.reference = {};
+            if (data.reference.message) {
+                response.reference.message = data.reference.message;
+                response.reference.documentStore = documentStoreUsed;
+                response.reference.success = referencedMessage ? true : false;
+                if (!referencedMessage) {
+                    response.reference.error = 'Referenced message was not found';
+                }
+            }
+            if (data.reference.threadId) {
+                response.reference.threadId = data.reference.threadId;
             }
         }
 

package/lib/imapproxy/imap-core/lib/imap-command.js

@@ -369,7 +369,7 @@ class IMAPCommand {
     countBadResponses() {
         this.connection._badCount++;
         if (this.connection._badCount > MAX_BAD_COMMANDS) {
-            this.clearNotificationListener();
+            this.connection.clearNotificationListener();
             this.connection.send('* BYE Too many protocol errors');
             setImmediate(() => this.connection.close(true));
             return false;

package/lib/imapproxy/imap-core/lib/imap-connection.js

@@ -210,6 +210,13 @@ class IMAPConnection extends EventEmitter {
             this._socket.setTimeout(0, this._onTimeoutHandler);
         }
 
+        // After handoff to proxy mode the connection's own close/end handlers are gone,
+        // so _onClose can never run to remove this connection from the server set.
+        // Drop it from the set when the handed-off socket finally closes to avoid a leak.
+        this._socket.once('close', () => {
+            this._server.connections.delete(this);
+        });
+
         return { socket: this._socket };
     }
 

package/lib/imapproxy/imap-core/lib/imap-server.js

@@ -258,7 +258,7 @@ class IMAPServer extends EventEmitter {
                                     },
                                     'PROXY from %s through %s (%s)',
                                     params[1].trim().toLowerCase(),
-                                    params[2].trim().toLowerCase(),
+                                    (params[2] || '').trim().toLowerCase(),
                                     JSON.stringify(params)
                                 );
                             }