Releases: anymail/django-anymail
v4.3
v4.2
v4.1
v4.0
v3.0
Changes
- Breaking change: Python 3.3 is no longer supported (see #99).
- Mailjet: Fix tracking webhooks to work correctly when Mailjet "group events" option is disabled (see #106).
- SendGrid: Fix a problem where Anymail's status tracking webhooks didn't always receive the same
event.message_idas the sentmessage.anymail_status.message_id, due to unpredictable behavior by SendGrid's API. Anymail now generates a UUID for each sent message and attaches it as a SendGrid custom arg named anymail_id. For most users, this change should be transparent. But it could be a breaking change if you are relying on a specific message_id format, or relying on message_id matching the Message-ID mail header or SendGrid's "smtp-id" event field. (More details in the docs; also see #108.) Thanks to @joshkersey for the report and the fix. - Support Django 2.1 prerelease.
Deprecations
- This will be the last Anymail release to support Django 1.8, 1.9, and 1.10 (see #110).
- This will be the last Anymail release to support the legacy SendGrid v2 EmailBackend (see #111). (SendGrid's newer v3 API has been the default since Anymail v0.8.)
- Anymail v3.x will receive security updates and fixes for any breaking ESP API changes through at least April, 2019.
- If these deprecations affect you and you cannot upgrade, set your requirements to
django-anymail~=3.0(a "compatible release" specifier, equivalent to>=3.0,==3.*).
v2.2
v2.1
NOTE: v2.1 accidentally introduced a breaking change: enabling Anymail webhooks with include('anymail.urls') causes an error if boto3 is not installed, even if you aren't using Amazon SES. This is fixed in v2.2.
New features
- Amazon SES: Newly-supported ESP (docs).
- SparkPost: Add SPARKPOST_API_URL setting to support SparkPost EU and SparkPost Enterprise (docs).
Other changes
- Inbound: Fix several issues with inbound messages, particularly around non-ASCII headers and body content. Add workarounds for some limitations in older Python email packages.
- Postmark: Update for Postmark "modular webhooks." This should not impact client code. (Also, older versions of Anymail will still work correctly with Postmark's webhook changes.)
- Use tox to manage Anymail test environments (see contributor docs).
Notice
This will be the last Anymail release to support Python 3.3. See #99 for more information.
v2.0
Important updates
- Breaking change: Drop support for deprecated WEBHOOK_AUTHORIZATION setting. If you are using webhooks and still have this Anymail setting, you must rename it to WEBHOOK_SECRET. See the v1.4 release notes.
New features
- SendinBlue: Add new ESP (docs). Thanks to @RignonNoel for the implementation.
- Add EmailMessage
envelope_senderattribute, which can adjust the message's Return-Path if supported by your ESP (docs). - Add universal wheel to PyPI releases for faster installation.
Other changes
- Handle Reply-To, From, and To in EmailMessage
extra_headersthe same as Django's SMTP EmailBackend if supported by your ESP, otherwise raise an unsupported feature error. Fixes the SparkPost backend to be consistent with other backends if bothheaders["Reply-To"]andreply_toare set on the same message. If you are setting a message'sheaders["From"]orheaders["To"](neither is common), the new behavior is likely a breaking change. See docs and #91. - Treat EmailMessage
extra_headerskeys as case-insensitive in all backends, for consistency with each other (and email specs). If you are specifying duplicate headers whose names differ only in case, this may be a breaking change. See docs. - Update setup.py metadata, clean up implementation. (Hadn't really been touched since original Djrill version.)
- Prep for Python 3.7.
v1.4
Security fix
This fixes a low severity security issue affecting Anymail v0.2–v1.3. (CVE-2018-1000089)
Django error reporting includes the value of your Anymail WEBHOOK_AUTHORIZATION setting. In a properly-configured deployment, this should not be cause for concern. But if you have somehow exposed your Django error reports (e.g., by mis-deploying with DEBUG=True or by sending error reports through insecure channels), anyone who gains access to those reports could discover your webhook shared secret. An attacker could use this to post fabricated or malicious Anymail tracking/inbound events to your app, if you are using those Anymail features.
The fix renames Anymail's webhook shared secret setting so that Django's error reporting mechanism will sanitize it.
If you are using Anymail's event tracking and/or inbound webhooks, you should upgrade to this release and change "WEBHOOK_AUTHORIZATION" to "WEBHOOK_SECRET" in the ANYMAIL section of your settings.py. You may also want to rotate the shared secret value, particularly if you have ever exposed your Django error reports to untrusted individuals.
If you are only using Anymail's EmailBackends for sending email and have not set up Anymail's webhooks, this issue does not affect you.
The old WEBHOOK_AUTHORIZATION setting is still allowed in this release, but will issue a system-check warning when running most Django management commands. It will be removed completely in a near-future release, as a breaking change.
Thanks to Charlie DeTar (@yourcelf) for responsibly reporting this security issue through private channels.
v1.3
Security fix
v1.3 includes the v1.2.1 security fix released at the same time. Please review the v1.2.1 release notes, below, if you are using Anymail's tracking webhooks.
New features
- Inbound handling: Add normalized inbound message event, signal, and webhooks for all supported ESPs. (See new Receiving mail docs.) This hasn't been through much real-world testing yet; bug reports and feedback are very welcome.
- API network timeouts: For Requests-based backends (all but SparkPost), use a default timeout of 30 seconds for all ESP API calls, to avoid stalling forever on a bad connection. Add a REQUESTS_TIMEOUT Anymail setting to override. (See #80.)
- Test backend improvements: Generate unique tracking
message_idwhen using the test backend; add console backend for use in development. (See #85.)