[GH-ISSUE #415] [feature-request] Additional hook on incoming email BEFORE processing #270

Closed
opened 2026-03-15 13:33:21 +03:00 by kerem · 2 comments

Originally created by @baiomys on GitHub (Dec 31, 2024).
Original GitHub issue: https://github.com/axllent/mailpit/issues/415

Hi, it would be handy to have a possibility of calling a worker to analyze TO, FROM, SIZE (if sent), and make a decision to accept or reject email. This measure can cut about 80% of dumb spam traffic, dramatically reducing VPS load/cost.

kerem closed this issue 2026-03-15 13:33:27 +03:00

@axllent commented on GitHub (Jan 1, 2025):

Hi @baiomys. The SMTP protocol doesn't work in that way - the message needs to be accepted & received before things like the size can be seen. Furthermore, in order to "filter" by `TO` and `FROM` during delivery, then Mailpit would need to interact with a third party API as part of the SMTP process, which in itself would be prone to errors if, for instance, Mailpit can't contact the API, or Mailpit receives 1000 messages in a second.

Mailpit is designed to accept everything provided it is a valid SMTP transaction, with one exception being the `--smtp-allowed-recipients` / `MP_SMTP_ALLOWED_RECIPIENTS` option which can be used to limit addresses and domains (using a regular expression, so not complicated, and probably not what you are needing).

If Mailpit is exposed to the internet, then you are going to get spam at some point I'm afraid, just like any open SMTP server. If you are wanting to filter received messages to remove spam, then I think you should be doing things very differently, either:

  1. Your webhook endpoint needs to pull the message and decide whether to "process" (call your Telegram bot) or just delete (or ignore) the message via the API. This allows you to do anything you want, including get the size, from, to, body etc.
  2. You need to create a custom SMTP server that sits between the internet and Mailpit which can authenticate against whatever system you want.

I think that the first option is probably the easiest. It still means the spam message is received in Mailpit, however it is potentially just deleted afterwards by your webhook endpoint / API if it fails the checks.

I am curious as to how receiving 80% more messages is drastically increasing your VPS & load. Is this extra load on the Mailpit side (and if so, how many messages are you handling every hour?), or is this on your bot side?
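
Option 1 from the comment above, as an added example (not part of the original comment and not Mailpit's own code): a webhook receiver that checks the message summary and deletes rejected messages through the API. The listener and API addresses, the recipient regex and the size limit are constructed; the summary field names (`ID`, `From`, `To`, `Size`) and the `DELETE /api/v1/messages` call are assumptions based on Mailpit's documented API v1 and should be checked against the installed version.

```python
import json
import re
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MAILPIT_API = "http://127.0.0.1:8025"  # assumed Mailpit web/API address
ALLOWED_RCPT = re.compile(r"^[a-z0-9._+-]+@example\.test$", re.I)  # constructed policy
MAX_SIZE = 256 * 1024                  # constructed size limit in bytes

def verdict(summary):
    """Return (keep, reason) for one webhook message summary."""
    sender = (summary.get("From") or {}).get("Address", "")
    rcpts = [r.get("Address", "") for r in summary.get("To") or []]
    if not sender:
        return False, "empty sender"
    if not any(ALLOWED_RCPT.match(r) for r in rcpts):
        return False, "no allowed recipient"
    if summary.get("Size", 0) > MAX_SIZE:
        return False, "too large"
    return True, "ok"

def delete_request(message_id):
    """Build (without sending) the API request that deletes one message."""
    body = json.dumps({"IDs": [message_id]}).encode()
    return urllib.request.Request(
        MAILPIT_API + "/api/v1/messages", data=body, method="DELETE",
        headers={"Content-Type": "application/json"})

class Hook(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            # Cap the body read so a bogus Content-Length cannot exhaust memory.
            length = min(int(self.headers.get("Content-Length", 0)), 65536)
            summary = json.loads(self.rfile.read(length))
            keep, reason = verdict(summary)
            if not keep:
                urllib.request.urlopen(delete_request(summary["ID"]), timeout=5)
        except (ValueError, KeyError, AttributeError, TypeError, OSError) as exc:
            keep, reason = False, f"error: {exc}"  # fail closed: do not forward
        # keep == True is the point where the bot notification would be sent.
        self.log_message("keep=%s reason=%s", keep, reason)
        self.send_response(204)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), Hook).serve_forever()
```

The rejected message is still received and stored by Mailpit before the hook deletes it, which matches the trade-off described in the comment.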


@baiomys commented on GitHub (Jan 1, 2025):

Hi, thanks for the detailed answer.

It is obvious now that I should use workers on the Cloudflare side for basic spam filtering.
At least until I get 100 000 messages a day.

In a decentralized system, having a dozen pits around the globe and 4 bots, it is impossible to touch any messages by the core handler just to check validity. Or you need to be META at least. =)

The core handler does not even upload emails by request itself, it just validates credentials and redirects the browser to the corresponding pit, which uses fancy Caddy templates to get things running.

Planning must be done VERY CAREFULLY, because reengineering of a live project is a real pain in the ....
