[GH-ISSUE #545] limit external access to only use the proxy #351

New issue

Closed

opened 2026-03-15 14:02:33 +03:00 by kerem · 4 comments

kerem commented 2026-03-15 14:02:33 +03:00

Owner

Copy link

Originally created by @bradfordbulger-nasa on GitHub (Jul 29, 2025).
Original GitHub issue: https://github.com/axllent/mailpit/issues/545

Is there a way to configure the access so that Apache can reach Mailpit at the direct IP:port URL (which I guess is the only way to do it?) but that nobody coming in from other IPs would have access to http://the.ip.address:mailpit_port_number? (Sorry for poor description, I am still trying to understand the subject.)

For example, a user coming from outside of the server (eg web client on their laptop) would be able to go to https://myserver.com/mailpit but not to http://237.42.666.15:8025

Our intent is to use the proxy to set some headers in the response that we can do with Apache, but if our IT security people can still access IP-address:portnumber directly, they won't see the headers they want.

Originally created by @bradfordbulger-nasa on GitHub (Jul 29, 2025). Original GitHub issue: https://github.com/axllent/mailpit/issues/545 Is there a way to configure the access so that Apache can reach Mailpit at the direct IP:port URL (which I guess is the only way to do it?) but that nobody coming in from other IPs would have access to http://the.ip.address:mailpit_port_number? (Sorry for poor description, I am still trying to understand the subject.) For example, a user coming from outside of the server (eg web client on their laptop) would be able to go to https://myserver.com/mailpit but not to http://237.42.666.15:8025 Our intent is to use the proxy to set some headers in the response that we can do with Apache, but if our IT security people can still access IP-address:portnumber directly, they won't see the headers they want.

kerem closed this issue 2026-03-15 14:02:38 +03:00

kerem commented 2026-03-15 14:02:44 +03:00

Author

Owner

Copy link

@axllent commented on GitHub (Jul 29, 2025):

Hi @bradfordbulger-nasa. If I understand your question correctly (sorry, it's not 100% clear to me), yes, this should be easily possible, with the exception that your IT people would then need to access it via http://237.42.666.15:8025/mailpit if your apache proxy is set up to use the /mailpit webroot (this path is set within Mailpit too in relation to the responses it gives the browser, so you can't [easily] mix webroots).

Your IT people would need to ensure that the external port 8025 is open only to them (blocked to the rest of the world), and port 80 for HTTP (and presumably 443 for HTTPS) is open to the world to access via the domain name (apache). I don't know how your infrastructure is set up, but that's not a question for me, that's a question for your IT people. There are some examples of proxy configurations on the website, although I suspect they know what they are doing too if they also want to include extra headers etc.

<!-- gh-comment-id:3133821003 --> @axllent commented on GitHub (Jul 29, 2025): Hi @bradfordbulger-nasa. If I understand your question correctly (sorry, it's not 100% clear to me), yes, this should be easily possible, with the exception that your IT people would then need to access it via `http://237.42.666.15:8025/mailpit` if your apache proxy is set up to use the `/mailpit` webroot (this path is set within Mailpit too in relation to the responses it gives the browser, so you can't [easily] mix webroots). Your IT people would need to ensure that the external port 8025 is open only to them (blocked to the rest of the world), and port 80 for HTTP (and presumably 443 for HTTPS) is open to the world to access via the domain name (apache). I don't know how your infrastructure is set up, but that's not a question for me, that's a question for your IT people. There are some examples of proxy configurations on [the website](https://mailpit.axllent.org/docs/configuration/proxy/), although I suspect they know what they are doing too if they also want to include extra headers etc.

kerem commented 2026-03-15 14:02:49 +03:00

Author

Owner

Copy link

@bradfordbulger-nasa commented on GitHub (Jul 29, 2025):

Yeah, I didn't put it clearly. A remote group in IT security is dinging us for having a vulnerability because mailpit at port 8025 is not encrypted and doesn't have the Strict-Transport-Security header set. If I proxy it to our Apache webserver, then I'm thinking I can take care of that in Apache. But that just adds a point of access - they will still be able to get the original response on port 8025.

What I thought I might be able to do is restrict acceptable hosts to use the UI on port 8025 to the localhost. So that in practice, only Apache is allowed to access it.

A scenario:
After installation and configuration, I can access the Mailpit UI at http://123.12.12.12:8025
Our security people say that's a vulnerability.
I configure a proxy in Apache to https://myserver.com/mailpit (http is redirected to https, etc - normal stuff)
[unknown things happen]
Our security people try to access http://123.12.12.12:8025 - it's as if there's nothing listening to that port
They can only see https://myserver.com/mailpit and now they are happy.

I am trying to get the socket based interface to work, that seems like it might be the way to get to where I want to end up.

I think I get what you're saying about the webroot, that should be fine.

<!-- gh-comment-id:3134081316 --> @bradfordbulger-nasa commented on GitHub (Jul 29, 2025): Yeah, I didn't put it clearly. A remote group in IT security is dinging us for having a vulnerability because mailpit at port 8025 is not encrypted and doesn't have the Strict-Transport-Security header set. If I proxy it to our Apache webserver, then I'm thinking I can take care of that in Apache. But that just adds a point of access - they will still be able to get the original response on port 8025. What I thought I might be able to do is restrict acceptable hosts to use the UI on port 8025 to the localhost. So that in practice, only Apache is allowed to access it. A scenario: After installation and configuration, I can access the Mailpit UI at http://123.12.12.12:8025 Our security people say that's a vulnerability. I configure a proxy in Apache to https://myserver.com/mailpit (http is redirected to https, etc - normal stuff) **[unknown things happen]** Our security people try to access http://123.12.12.12:8025 - it's as if there's nothing listening to that port They can only see https://myserver.com/mailpit and now they are happy. I am trying to get the socket based interface to work, that seems like it might be the way to get to where I want to end up. I think I get what you're saying about the webroot, that should be fine.

kerem commented 2026-03-15 14:02:54 +03:00

Author

Owner

Copy link

@axllent commented on GitHub (Jul 30, 2025):

If Mailpit is configured to listen on "localhost" (127.0.0.1) and Apache is running on the same server then this should achieve what you want, with the exception of the HTTPS. Apache can then be configured to handle the https.

There's a section in the link I posted earlier which covers the proxing of websockets.

Edit: sorry, rewrote the above in English.... I was trying to write that while boarding a plane, and failed miserably 😜

<!-- gh-comment-id:3134516564 --> @axllent commented on GitHub (Jul 30, 2025): If Mailpit is configured to listen on "localhost" (127.0.0.1) and Apache is running on the same server then this should achieve what you want, with the exception of the HTTPS. Apache can then be configured to handle the https. There's a section in the link I posted earlier which covers the proxing of websockets. Edit: sorry, rewrote the above in English.... I was trying to write that while boarding a plane, and failed miserably 😜

kerem commented 2026-03-15 14:02:59 +03:00

Author

Owner

Copy link

@bradfordbulger-nasa commented on GitHub (Jul 30, 2025):

I read it on the train and I thought it was me :)

Yes, explicitly listening on 127.0.0.1 restricts it to be visible only on the server itself, so they won't get a response from http://123.12.12.12:8025, using the example scenario above. Meanwhile that's proxied to https://myserver.com/mailpit and we can set all our various headers in the Apache config.

I haven't been able to get the sockets to work yet, but that's just curiosity for possible future use.

<!-- gh-comment-id:3137071275 --> @bradfordbulger-nasa commented on GitHub (Jul 30, 2025): I read it on the train and I thought it was me :) Yes, explicitly listening on 127.0.0.1 restricts it to be visible only on the server itself, so they won't get a response from http://123.12.12.12:8025, using the example scenario above. Meanwhile that's proxied to https://myserver.com/mailpit and we can set all our various headers in the Apache config. I haven't been able to get the sockets to work yet, but that's just curiosity for possible future use.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

master

v1.29.7

v1.29.6

v1.29.5

v1.29.4

v1.29.3

v1.29.2

v1.29.1

v1.29.0

v1.28.4

v1.28.3

v1.28.2

v1.28.1

v1.28.0

v1.27.11

v1.27.10

v1.27.9

v1.27.8

v1.27.7

v1.27.6

v1.27.5

v1.27.4

v1.27.3

v1.27.2

v1.27.1

v1.27.0

v1.26.2

v1.26.1

v1.26.0

v1.25.1

v1.25.0

v1.24.2

v1.24.1

v1.24.0

v1.23.2

v1.23.1

v1.23.0

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.21.1

v1.21.0

v1.20.7

v1.20.6

v1.20.5

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.18.7

v1.18.6

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.1

v1.15.0

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.0

v1.10.4

v1.10.3

v1.10.2

v1.10.1

v1.10.0

v1.9.10

v1.9.9

v1.9.8

v1.9.7

v1.9.6

v1.9.5

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.1

v1.7.0

v1.6.22

v1.6.21

v1.6.20

v1.6.19

v1.6.18

v1.6.17

v1.6.16

v1.6.15

v1.6.14

v1.6.13

v1.6.12

v1.6.11

v1.6.10

v1.6.9

v1.6.8

v1.6.7

v1.6.6

v1.6.5

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.0

v1.3.11

v1.3.10

v1.3.9

v1.3.8

v1.3.7

v1.3.6

v1.3.5

v1.3.4

v1.3.3

v1.3.2

v1.3.1

v1.3.0

v1.2.9

v1.2.8

v1.2.7

v1.2.6

1.2.5

1.2.4

1.2.3

1.2.2

1.2.1

1.2.0

1.1.7

1.1.6

1.1.5

1.1.4

1.1.3

1.1.2

1.1.1

1.1.0

1.0.0

1.0.0-beta1

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

0.1.0

0.0.9

0.0.8

0.0.7

0.0.6

0.0.5

0.0.4

0.0.3

0.0.2

0.0.1-beta

Labels

Clear labels   

awaiting feedback

  

bug

  

docker

  

documentation

  

enhancement

  

github_actions

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

wontfix

No labels

awaiting feedback

bug

docker

documentation

enhancement

github_actions

invalid

pull-request

question

stale

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/mailpit#351

No description provided.