- Fix command injection in relay config: use shlex.quote() on all
  subprocess arguments passed to mailUtilities.py
- Fix XSS in email reply/forward: html.escape() on From/To/Date/Subject
  headers before embedding in quoted HTML
- Fix attachment filename traversal: use os.path.basename() and strip
  null bytes from attachment filenames
- Fix Sieve script name injection: sanitize names to alphanumeric chars
- Fix SSRF in image proxy: resolve hostname to IP and check against
  ipaddress.is_private/is_loopback/is_link_local/is_reserved
- Remove internal error details from user-facing responses
- Update Access Webmail link from /snappymail/ to /webmail/

Replace SnappyMail link with a custom Django webmail app that provides:
- Full IMAP/SMTP integration (Dovecot + Postfix) with master user SSO
- 3-column responsive UI matching CyberPanel design system
- Compose with rich text editor, attachments, reply/forward
- Contact management with auto-collect from sent messages
- Sieve mail filter rules with ManageSieve protocol support
- Standalone login page for direct webmail access
- Account switcher for admins managing multiple email accounts
- HTML email sanitization (whitelist-based, external image proxy)
- Draft auto-save and per-user settings
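An added example (not CyberPanel's code) of the SSRF host check listed in the fixes above: resolve the hostname, then reject the URL if any resulting address is private, loopback, link-local or reserved. It goes slightly beyond the listed checks by unwrapping IPv4-mapped IPv6 addresses and also rejecting multicast and unspecified addresses; `CONSTRUCTED_DNS`, `table_resolver` and `dns_resolver` are assumed helper names, and the DNS table is constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed stand-in for DNS so the example runs offline (not real records).
CONSTRUCTED_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],  # one answer is internal
}


def is_public_address(addr: str) -> bool:
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 rules apply to it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def dns_resolver(host: str) -> list:
    """Real lookup: every A/AAAA answer for the name, deduplicated."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def table_resolver(host: str) -> list:
    """Offline resolver: IP literals resolve to themselves, names via the table."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return CONSTRUCTED_DNS.get(host, [])


def is_safe_image_url(url: str, resolve=dns_resolver) -> bool:
    """Allow the proxy to fetch url only if every resolved address is public."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = resolve(parts.hostname)
    except (socket.gaierror, ValueError):
        return False
    # An empty answer or any single internal address rejects the whole URL.
    return bool(addrs) and all(is_public_address(a) for a in addrs)
```

The proxy should then fetch from the vetted IP (sending the original name in the Host header) rather than re-resolving the hostname, otherwise a DNS answer that changes between check and fetch bypasses the check.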