emailengine-app 2.68.0 → 2.69.0

package/.github/codeql/codeql-config.yml

@@ -0,0 +1,16 @@
+name: "EmailEngine CodeQL config"
+
+# Exclude code that is not part of the production runtime from analysis.
+# These paths generate only false-positive noise:
+#   - test fixtures intentionally disable TLS verification, build shell
+#     commands from fixed paths, etc.
+#   - vendored third-party browser assets (Bootstrap and other bundles) ship
+#     with their own known patterns and are not maintained here
+#   - developer helper scripts (e.g. test-token refresh) deliberately print
+#     tokens to the console for local debugging
+paths-ignore:
+    - test
+    - '**/test/**'
+    - scripts
+    - static/bootstrap-4.6.2-dist
+    - static/vendor

package/.github/workflows/codeql.yml

@@ -0,0 +1,102 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: '40 17 * * 6'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: actions
+          build-mode: none
+        - language: javascript-typescript
+          build-mode: none
+        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Add any setup steps before running the `github/codeql-action/init` action.
+    # This includes steps like installing compilers or runtimes (`actions/setup-node`
+    # or others). This is typically only required for manual builds.
+    # - name: Setup runtime (example)
+    #   uses: actions/setup-example@v1
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v4
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        config-file: ./.github/codeql/codeql-config.yml
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+    - name: Run manual build steps
+      if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v4
+      with:
+        category: "/language:${{matrix.language}}"

package/.github/workflows/deploy.yml

@@ -5,6 +5,9 @@ on:
 
 name: Deploy test instance and Docker image
 
+permissions:
+    contents: read
+
 concurrency:
     group: ${{ github.workflow }}-${{ github.ref }}
     cancel-in-progress: true
@@ -13,6 +16,7 @@ jobs:
     deploy:
         name: Deploy Demo App
         runs-on: ubuntu-24.04
+        timeout-minutes: 15
 
         steps:
             - name: Checkout
@@ -60,6 +64,10 @@ jobs:
     docker:
         name: Build Docker Image
         runs-on: ubuntu-24.04
+        timeout-minutes: 30
+        permissions:
+            contents: read
+            packages: write
 
         steps:
             - name: Checkout

package/.github/workflows/release.yaml

@@ -63,6 +63,10 @@ jobs:
         runs-on: ubuntu-latest
         needs: release_please
         if: ${{needs.release_please.outputs.release_created}}
+        # Multi-arch builds run the arm64 leg under QEMU emulation, which can
+        # hang indefinitely on a misbehaving step. A normal build finishes in
+        # ~4 minutes, so fail fast instead of burning the 6-hour default limit.
+        timeout-minutes: 30
         steps:
             - run: echo version v${{needs.release_please.outputs.major}}.${{needs.release_please.outputs.minor}}.${{needs.release_please.outputs.patch}}
 

package/.github/workflows/test.yml

@@ -4,6 +4,9 @@ on:
     push:
     pull_request:
 
+permissions:
+    contents: read
+
 concurrency:
     group: ${{ github.workflow }}-${{ github.ref }}
     cancel-in-progress: true

package/CHANGELOG.md

@@ -1,5 +1,54 @@
 # Changelog
 
+## [2.69.0](https://github.com/postalsys/emailengine/compare/v2.68.1...v2.69.0) (2026-06-09)
+
+
+### Features
+
+* add label/category filtering to message search ([c171c4e](https://github.com/postalsys/emailengine/commit/c171c4e1efe582f7e532b69108110a1c48aa3ede))
+* detect unsafe Redis eviction config in dashboard warnings ([712d5d6](https://github.com/postalsys/emailengine/commit/712d5d69b99cc45c6f3e123a084ef054236e0110))
+* rebuild lost IMAP sync state without replaying messageNew ([9fe391e](https://github.com/postalsys/emailengine/commit/9fe391e9d6350485aded780709305d698a4c65fb))
+* surface token hash for identification in API, UI, and logs ([8e2a5a9](https://github.com/postalsys/emailengine/commit/8e2a5a9f2bb5194e92575c34c0006a8c4e21888d))
+
+
+### Bug Fixes
+
+* avoid 500 on GET /admin/totp without a partial-auth session ([b6f2394](https://github.com/postalsys/emailengine/commit/b6f2394182379d94a05f95c84f5ce04ae6f87a05))
+* bound inbound line length in the IMAP proxy parser ([9fb8a5e](https://github.com/postalsys/emailengine/commit/9fb8a5e301564dee46b48ca32a5b84e4832d96e8))
+* close leaks and a worker crash found in the connection hardening review ([e97950e](https://github.com/postalsys/emailengine/commit/e97950e7e907ac5b5549302b8865c5d2bfb0d6e2))
+* count undecodable export queue entries as skipped ([72e2498](https://github.com/postalsys/emailengine/commit/72e2498390f17ad24d5f7b1577540674d7e1fe09))
+* distinguish SO_REUSEPORT fallback cause in logs and admin UI ([99ad9f3](https://github.com/postalsys/emailengine/commit/99ad9f3359eab5bafc4726535584874d4823f7bd))
+* drain webhook response body on every delivery path ([2cc3e7a](https://github.com/postalsys/emailengine/commit/2cc3e7aef114b5b913dea5c363278e1a883d5a48))
+* extract gettext strings from the decomposed ui-routes modules ([227e60f](https://github.com/postalsys/emailengine/commit/227e60ff4f354c5d0f55534877c8ab6fbdd92c7d))
+* guard cross-thread download streams against early producer errors ([191ec62](https://github.com/postalsys/emailengine/commit/191ec6204887c3abe78da7a9944e3165b19c0b87))
+* guard IMAP notification handlers against malformed events ([0248953](https://github.com/postalsys/emailengine/commit/0248953a5dcccba5d46704bf7113a70fb5ac3150))
+* guard webhook notifications in BullMQ failure handlers ([e90048e](https://github.com/postalsys/emailengine/commit/e90048e7b7bd92916219602f92305342234df4a3))
+* harden IMAP proxy STARTTLS against command injection ([3661ddd](https://github.com/postalsys/emailengine/commit/3661dddbf216b29ec8f074d3f6422dd4db5d9e7b))
+* harden inter-thread IPC (worker-death call rejection, webhook guards, stream cleanup) ([0111a8e](https://github.com/postalsys/emailengine/commit/0111a8e2bf139c3412cc37e5e933fd5316cee8fc))
+* harden message export against data loss and corruption ([540d867](https://github.com/postalsys/emailengine/commit/540d8678ec25f62e8123fc78fa929f4e4713b5d4))
+* harden multiple-API-worker startup and centralize proxy-agent reload ([7f2db9e](https://github.com/postalsys/emailengine/commit/7f2db9e557d960aa1b7523b7d8678598683c2f29))
+* list Outlook folders with slashes in the name ([dd35e7b](https://github.com/postalsys/emailengine/commit/dd35e7b262a47f9395811d75c4bcc1d9ab4c6ec0))
+* only reseed lost IMAP sync state when no stored state exists ([78e0141](https://github.com/postalsys/emailengine/commit/78e0141e9f3478d2a2a1206c805258c6807a45d8))
+* prevent IMAP worker crash on download stream errors ([d9d5396](https://github.com/postalsys/emailengine/commit/d9d539632cc245a8e2a14585fc7918186bee00b6))
+* prevent post-BYE command dispatch in IMAP proxy teardown ([d51e92d](https://github.com/postalsys/emailengine/commit/d51e92d298e9373a6dc5c2eb0919885e161b45c7))
+* re-arm a generous idle timeout for proxied IMAP connections ([627c6d4](https://github.com/postalsys/emailengine/commit/627c6d472e50f6fc3e958e4774226557a526018d))
+* reject in-flight worker calls when a worker thread terminates ([08e7b01](https://github.com/postalsys/emailengine/commit/08e7b0128a4b8e9f9e5a96fefe49110bd032bd2c))
+* release cross-thread download streams on abort and error ([6514249](https://github.com/postalsys/emailengine/commit/65142499d095bbcb5f0bb49755a2e24f6e52fa62))
+* release MessagePort streams when message/attachment downloads fail ([787f4f5](https://github.com/postalsys/emailengine/commit/787f4f5ef6364ec1389c15269c8f7f8eaaa2142a))
+* return 422 for unsupported label search and surface Outlook categories ([d981359](https://github.com/postalsys/emailengine/commit/d981359b78b61d2c8a03e4e35086a4c9674ce53a))
+* return the append destination folder from uploadMessage ([96aed6b](https://github.com/postalsys/emailengine/commit/96aed6b1144e1d3ee9da79b3a1fb03606245f83c))
+* send correctly typed SMTP and IMAP proxy state change notifications ([3fbd27f](https://github.com/postalsys/emailengine/commit/3fbd27fc08bb74f9738a3fc95d4177fa4978c263))
+* tear down subconnections when deleting an IMAP account ([bd81a33](https://github.com/postalsys/emailengine/commit/bd81a33caf9400cbee2781a9180f1a901c1d6e48))
+
+## [2.68.1](https://github.com/postalsys/emailengine/compare/v2.68.0...v2.68.1) (2026-06-01)
+
+
+### Bug Fixes
+
+* harden mergeObjects and tighten CodeQL scanning ([d35025d](https://github.com/postalsys/emailengine/commit/d35025daabf8fe7b3f5200b0000f52c3a012f4eb))
+* prevent IMAP proxy worker crashes and connection leaks ([#596](https://github.com/postalsys/emailengine/issues/596)) ([4453330](https://github.com/postalsys/emailengine/commit/4453330ad38fb3e64692add1357d48227e1956e0))
+* stop referencing prepared password string in error log ([50cdb89](https://github.com/postalsys/emailengine/commit/50cdb8998e27f33f700f267cb39ddba39e7d32d0))
+
 ## [2.68.0](https://github.com/postalsys/emailengine/compare/v2.67.3...v2.68.0) (2026-05-26)
 
 

package/SECURITY.md

@@ -0,0 +1,80 @@
+# Security Policy
+
+EmailEngine is a self-hosted email integration platform that stores email
+account credentials and proxies access to IMAP/SMTP, the Gmail API, and the
+Microsoft Graph API. Because it handles sensitive credentials and message
+content, we take security reports seriously and aim to respond quickly.
+
+## Supported Versions
+
+Security fixes are released only against the latest version. We do not backport
+patches to older releases - upgrading to the current release line is the
+supported way to receive security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 2.x     | :white_check_mark: |
+| < 2.0   | :x:                |
+
+If you are on an older version, please upgrade. See the release notes at
+<https://github.com/postalsys/emailengine/releases> before updating.
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues,
+pull requests, or discussions.**
+
+Report privately through one of the following channels:
+
+1. **GitHub Security Advisories (preferred).** Open a private report at
+   <https://github.com/postalsys/emailengine/security/advisories/new>. This keeps
+   the discussion private until a fix is published and lets us credit you.
+2. **Email.** Send details to **andris@postalsys.com** (the contact listed in
+   [`SECURITY.txt`](SECURITY.txt)). Encrypt sensitive details if possible.
+
+When reporting, please include as much of the following as you can:
+
+- The affected version(s) and environment (EmailEngine version, Node.js version,
+  OS, deployment method - npm, Docker, or prebuilt binary).
+- The component involved (e.g. REST API, admin web UI, OAuth2 flows, IMAP/SMTP
+  proxy server, webhook delivery, credential encryption, the export pipeline).
+- A clear description of the issue and its impact (e.g. authentication bypass,
+  privilege escalation, credential disclosure, SSRF, injection, information
+  disclosure, denial of service).
+- A minimal proof of concept or reproduction steps.
+- Any suggested remediation, if you have one.
+
+We are a small team, so there is no guaranteed response time - sometimes reports
+are handled within hours, sometimes they take longer. Accepted issues are fixed
+in a new release and coordinated through a GitHub Security Advisory, and
+reporters who wish to be named are credited.
+
+## CVEs
+
+We track and disclose vulnerabilities through GitHub Security Advisories. We do
+not request or manage CVE identifiers ourselves. If you need a CVE assigned for a
+reported issue, please request one yourself - for example, through GitHub's own
+CVE request flow on the published advisory, or another CNA.
+
+## Scope
+
+In scope: the EmailEngine application source in this repository - the REST API
+and admin web UI (authentication, session and token handling, CSRF protection),
+OAuth2 application handling, credential encryption at rest, the IMAP/SMTP and
+IMAP proxy servers, webhook delivery (including custom filter/transform
+functions), the export pipeline, and inter-worker communication.
+
+Out of scope:
+
+- Vulnerabilities in your own application code that integrates with EmailEngine.
+- Misconfiguration of your deployment - for example, exposing the admin
+  interface or REST API to untrusted networks, weak service secrets, an
+  unauthenticated or publicly reachable Redis instance, or missing TLS.
+- Issues that require an already-compromised host or pre-existing administrator
+  access.
+- Vulnerabilities in third-party email providers and services that EmailEngine
+  connects to (Gmail, Microsoft 365, arbitrary IMAP/SMTP servers).
+- Social-engineering reports and missing security headers without a
+  demonstrated, concrete impact.
+
+Thank you for helping keep EmailEngine and its users safe.

package/SECURITY.txt

@@ -0,0 +1,27 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+Contact: https://github.com/postalsys/emailengine/security/advisories/new
+Contact: mailto:andris@postalsys.com
+Expires: 2027-06-01T00:00:00.000Z
+Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/5D952A46E1D8C931F6364E01DC6C83F4D584D364
+Preferred-Languages: en, et
+Canonical: https://github.com/postalsys/emailengine/blob/master/SECURITY.txt
+Policy: https://github.com/postalsys/emailengine/blob/master/SECURITY.md
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCAA5FiEEXZUqRuHYyTH2Nk4B3GyD9NWE02QFAmodKpsbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJENxsg/TVhNNkbcEP/j1v3M9ebklJgaCxkVEl
+xij24q4p+28s1ywf4y/aquBtcVkWd+y6vjG/f4RUUUtaSVChvnI5en14X8QuuSnk
+egsRARvCY9E2dbodMSyDUMWS8slRcFTDczQJhtXBD8Fu+/tWPj1UfQ8xR87ZUZ5b
+nOgCfCFnvSuDh9KBauUKZcSyuLCJ5saBuZ3RACzmz57wpzFE3vi4/q4tQAaBM5Za
+m4293Yx8ioX01S3nR5VRL8dlpdMEFy0dj66v/OFu4p3MjGf+0cpmZ7YKC8U5PhNQ
+FcQMTNkfBtkgc5lj42cKV8BBhCtN2og3u+Bhih0h0XItv4b/o9rWBtivXIQcHdtl
+WyGrrbgfGl503aVj8N0cIQ1eaWAbuRRJVHwF/G11sX6ZvhiLHdHf5YSjOrmyhSmx
+6t2gsKMrrvoODRUOqpu8ll8Rosu6m/EaNWgh9KXJyYqgQqGS+NeQHcC51fWMLjxd
+7zvYrNKqhMEU8e6siyLdJJgqAJCCtl9vS/kLItPz9hBk3KE2/kXfvQc6OF4I4ziU
+3/Edf1v37koEnT07P5HdiGgUo+u4Vo8OUEm5Ih88EWaWijHGLPeJ0NyMfkwsveTw
+n1z7pmCdZ+B9pglRGx3Mae7P8L1s1LeL8cQWo4QZ2nUcA5vtOiWfDAywlrN0mSNv
+lfeE0/subU9kC04LRJ6NUhZp
+=8lqK
+-----END PGP SIGNATURE-----

package/config/default.toml

@@ -1,6 +1,8 @@
 
 [workers]
 imap = 4
+# Number of API/HTTP workers. Values >1 require SO_REUSEPORT (Linux); on other platforms it falls back to 1.
+api = 1
 webhooks = 1
 "imapProxy" = 1
 

package/data/google-crawlers.json

@@ -1,5 +1,5 @@
 {
-    "creationTime": "2026-05-25T14:45:59.000000",
+    "creationTime": "2026-06-09T14:45:50.000000",
     "prefixes": [
         {
             "ipv6Prefix": "2001:4860:4801:2008::/64"
@@ -307,6 +307,12 @@
         {
             "ipv6Prefix": "2001:4860:4801:207d::/64"
         },
+        {
+            "ipv6Prefix": "2001:4860:4801:207e::/64"
+        },
+        {
+            "ipv6Prefix": "2001:4860:4801:207f::/64"
+        },
         {
             "ipv6Prefix": "2001:4860:4801:2080::/64"
         },
@@ -790,6 +796,12 @@
         {
             "ipv4Prefix": "74.125.219.160/27"
         },
+        {
+            "ipv4Prefix": "74.125.219.192/27"
+        },
+        {
+            "ipv4Prefix": "74.125.219.224/27"
+        },
         {
             "ipv4Prefix": "74.125.219.32/27"
         },

package/lib/account.js

@@ -1084,22 +1084,45 @@ class Account {
         };
     }
 
+    // Creates the consumer side of a cross-thread download stream, with a guard listener:
+    // the producer can post {error} before Hapi attaches its own 'error' listeners (or
+    // while the setup call is still pending). Without a listener that emission is an
+    // uncaught exception that kills the API worker.
+    createDownloadStream(failureLogMessage) {
+        const { port1, port2 } = new MessageChannel();
+        const stream = new MessagePortReadable(port1);
+
+        stream.on('error', err => {
+            this.logger.error({ msg: failureLogMessage, account: this.account, err });
+        });
+
+        return { stream, port2 };
+    }
+
     async getRawMessage(message) {
         await this.loadAccountData(this.account, true);
 
-        const { port1, port2 } = new MessageChannel();
-        const stream = new MessagePortReadable(port1);
+        const { stream, port2 } = this.createDownloadStream('Message source stream failed');
 
-        let streamCreated = await this.call(
-            {
-                cmd: 'getRawMessage',
-                account: this.account,
-                message,
-                timeout: this.timeout,
-                port: port2
-            },
-            [port2]
-        );
+        let streamCreated;
+        try {
+            streamCreated = await this.call(
+                {
+                    cmd: 'getRawMessage',
+                    account: this.account,
+                    message,
+                    timeout: this.timeout,
+                    port: port2
+                },
+                [port2]
+            );
+        } catch (err) {
+            // The setup call failed (timeout, worker gone, 404). Destroy the reader so
+            // its MessagePort + listener are released instead of leaking, and so any
+            // late producer data is not buffered forever.
+            stream.destroy();
+            throw err;
+        }
 
         if (streamCreated && streamCreated.headers) {
             stream.headers = streamCreated.headers;
@@ -1111,19 +1134,27 @@ class Account {
     async getAttachment(attachment) {
         await this.loadAccountData(this.account, true);
 
-        const { port1, port2 } = new MessageChannel();
-        const stream = new MessagePortReadable(port1);
+        const { stream, port2 } = this.createDownloadStream('Attachment stream failed');
 
-        let streamCreated = await this.call(
-            {
-                cmd: 'getAttachment',
-                account: this.account,
-                attachment,
-                timeout: this.timeout,
-                port: port2
-            },
-            [port2]
-        );
+        let streamCreated;
+        try {
+            streamCreated = await this.call(
+                {
+                    cmd: 'getAttachment',
+                    account: this.account,
+                    attachment,
+                    timeout: this.timeout,
+                    port: port2
+                },
+                [port2]
+            );
+        } catch (err) {
+            // The setup call failed (timeout, worker gone, 404). Destroy the reader so
+            // its MessagePort + listener are released instead of leaking, and so any
+            // late producer data is not buffered forever.
+            stream.destroy();
+            throw err;
+        }
 
         if (streamCreated && streamCreated.headers) {
             stream.headers = streamCreated.headers;
@@ -1547,14 +1578,20 @@ class Account {
 
                 // download large inline attachments not stored in ES
                 for (let attachment of attachmentsToDownload) {
+                    let downloadStream;
                     try {
-                        let downloadStream = await this.getAttachment(attachment.id);
+                        downloadStream = await this.getAttachment(attachment.id);
                         if (downloadStream) {
                             let content = await download(downloadStream);
                             this.logger.trace({ msg: 'Fetched attachment content', account: this.account, attachment, size: content.length });
                             attachment.content = content.toString('base64');
                         }
                     } catch (err) {
+                        // Release the reader if download() failed mid-stream so its
+                        // MessagePort is not left open (destroy() is idempotent).
+                        if (downloadStream) {
+                            downloadStream.destroy();
+                        }
                         this.logger.error({ msg: 'Failed to fetch attachment content', account: this.account, attachment, err });
                     }
                 }