Dispatch SMTP Relay handles mail and provider credentials, so security reports are taken seriously and very welcome.
Please report privately - do not open a public issue for a vulnerability.
Use GitHub Security Advisories (Security → Report a vulnerability). That keeps the report private until a fix is available and lets us collaborate on it directly.
If you can, include:
- A description of the issue and its impact
- Steps to reproduce (a minimal proof of concept is ideal)
- Affected version / commit, and your environment (OS, deployment shape - installer, Docker, etc.)
- Any suggested remediation
Please give us a reasonable window to release a fix before public disclosure. We'll acknowledge your report, keep you updated on progress, and credit you in the advisory unless you'd prefer to stay anonymous.
Dispatch is pre-1.0 and moving quickly. Security fixes target the latest release and the default branch. Please reproduce on the latest version before reporting.
In scope - anything that lets an attacker:
- Send mail through Dispatch without authorization (open-relay / allow-list bypass / SMTP AUTH bypass)
- Read or exfiltrate message content, the spool, provider credentials, or API keys
- Bypass the dashboard login, API-key auth, or the source-IP allow-lists
- Escalate privileges via the installers/service, or inject SQL / commands
- Cause persistent denial of service
Generally out of scope: findings that require an already-compromised host or physical access; missing hardening headers with no demonstrated impact; volumetric DoS; and social-engineering reports.
- Source-IP allow-lists:
WebAuthMiddleware,ApiKeyMiddleware,CidrMailboxFilter - Auth & throttling:
AuthEndpoints+LoginThrottle(dashboard),ConfiguredUserAuthenticator+SmtpAuthThrottle(SMTP AUTH),SqlApiKeyRepository(bcrypt, constant-time verify) - Credential encryption at rest:
SecureConfig(AES-256-GCM on Linux/macOS, DPAPI on Windows) - Transport:
WebUi:TlsCertPathenables dashboard HTTPS
See docs/SPEC.md §17 for the full security model.