Smtp Wrapper
БесплатноНе проверенA minimal MCP server that provides a send_email tool for sending HTML email through an SMTP relay.
Описание
A minimal MCP server that provides a send_email tool for sending HTML email through an SMTP relay.
README
A minimal, self-hosted MCP server that exposes a
single send_email tool. It sends real HTML email through an SMTP relay (e.g. Gmail).
The tool is served over the streamable-HTTP MCP transport at /mcp, with an
unauthenticated /healthz liveness route. The implementation is intentionally tiny
(stdlib smtplib) to keep the audit/attack surface small.
⚠️ Security requirement: this server MUST be gated by an authorization service
This server implements no authentication of its own, by design. Anyone who can reach
/mcp can send email. Do not expose it directly to the internet or bind it to a public
port.
It must sit behind an identity-aware authorization proxy — such as
Pomerium in MCP mode, or an
equivalent like Cloudflare Access
or oauth2-proxy — that authenticates and
authorizes every request before it reaches /mcp.
Reference topology:
edge tunnel → reverse proxy (TLS) → Pomerium (SSO + allowlist to a single identity) → smtp-mcp-wrapper
(internal network only)
The provided docker-compose.yml deliberately publishes no host ports and attaches
the container only to the proxy's internal Docker network, so the server is unreachable
except through the authorization proxy.
Defense in depth already built in (these complement, they do not replace, the proxy):
ALLOWED_TOhard-limits recipients, so even a misused tool cannot mail outside the allowlist.- Setting
REQUIRE_POMERIUM_IDENTITY=truemakes the app cryptographically verify Pomerium's identity assertion on every/mcprequest — signature (against Pomerium's JWKS), expiry, and audience. This blocks anything on the shared Docker network from reaching the app directly and bypassing Pomerium. See Enabling app-layer verification.
Configuration
All configuration is via environment variables. Copy .env.example to .env and fill in
real values. .env is git-ignored and must stay that way — it holds the SMTP password.
Nothing secret is baked into the image (credentials are injected at runtime), which is why
the published container image can safely be public.
| Variable | Default | Description |
|---|---|---|
SMTP_HOST |
smtp.gmail.com |
SMTP relay host. |
SMTP_PORT |
587 |
SMTP relay port (STARTTLS). |
SMTP_USER |
— | SMTP username. |
SMTP_PASS |
— | SMTP password. For Gmail, use an App Password. |
MAIL_FROM |
SMTP_USER |
From address. |
MAIL_FROM_NAME |
— | Optional display name for the From header. |
DEFAULT_TO |
— | Recipient used when the tool's to argument is omitted. |
ALLOWED_TO |
— | Comma-separated recipient allowlist. Empty = any recipient allowed. |
STARTUP_TEST_EMAIL |
false |
Send a test email to DEFAULT_TO on startup to verify SMTP. On failure, logs the SMTP error reason (auth/connection); the server keeps running either way. |
REQUIRE_POMERIUM_IDENTITY |
false |
Verify Pomerium's identity assertion on every /mcp request (see below). Requires POMERIUM_JWKS_URL. |
POMERIUM_JWKS_URL |
— | Pomerium's JWKS endpoint, e.g. https://<host>/.well-known/pomerium/jwks.json. Required when the gate is on. |
POMERIUM_AUDIENCE |
— | Expected aud claim (the route host/URL). Verified when set — strongly recommended. |
POMERIUM_ISSUER |
— | Expected iss claim. Verified only when set. |
POMERIUM_IDENTITY_HEADER |
x-pomerium-assertion,x-pomerium-jwt-assertion |
Comma-separated header(s) carrying the assertion JWT. |
HOST / PORT |
0.0.0.0 / 8080 |
Server bind address/port. |
The send_email tool
send_email(subject: str, html: str, to?: str, text?: str) -> str
Sends an HTML email. to falls back to DEFAULT_TO and must be within ALLOWED_TO when
that allowlist is set. text is an optional plain-text alternative for non-HTML clients.
Enabling app-layer verification
This step is optional — Pomerium already gates all access. Enable it only if you also
want the app to reject any request that reaches it without a valid Pomerium identity
(e.g. a compromised neighbor on the shared Docker network hitting email-mcp:8080
directly). When on, the app verifies the assertion JWT's signature, expiry, and audience.
1. Pomerium — set these on the email-mcp route. The critical addition is
pass_identity_headers: true; without it Pomerium forwards no identity header and the app
rejects every request. Pomerium must also have a signing key configured (it serves the
matching public keys at /.well-known/pomerium/jwks.json).
routes:
- from: https://email-mcp.example.com
to: http://email-mcp:8080 # pathless — the /mcp path passes through
name: email-mcp
mcp:
server: {}
pass_identity_headers: true # <-- REQUIRED: sends X-Pomerium-Assertion to the app
policy:
- allow:
and:
- email:
is: [email protected]
2. App — set these in .env:
REQUIRE_POMERIUM_IDENTITY=true
POMERIUM_JWKS_URL=https://email-mcp.example.com/.well-known/pomerium/jwks.json
POMERIUM_AUDIENCE=email-mcp.example.com
Then docker compose up -d. If REQUIRE_POMERIUM_IDENTITY=true but POMERIUM_JWKS_URL is
unset, the server refuses to start (a security gate must not run unable to verify). To turn
the feature off again, set REQUIRE_POMERIUM_IDENTITY=false.
Run
cp .env.example .env # then edit .env with real values
docker compose up -d
Health check:
docker compose exec email-mcp \
python -c "import urllib.request; print(urllib.request.urlopen('http://localhost:8080/healthz').read())"
# -> b'ok'
Then add the email-mcp route to your authorization proxy (pathless upstream, e.g.
to: http://email-mcp:8080, so the /mcp path passes through) and connect your MCP
client to https://<your-host>/mcp.
Maintenance
Patches flow with near-zero manual effort:
- Dependabot (
.github/dependabot.yml) watchesrequirements.txt, the Dockerfile base image, and the workflow's actions, opening upgrade PRs weekly. Also enable Dependabot security updates in the repo's Settings → Code security. - CI (
.github/workflows/build.yml) builds and pushes the image to GHCR on push tomain, on Dependabot PRs, via manual dispatch, and weekly (Mon 06:00 UTC) withno-cacheso the OS and Python patches are genuinely refreshed even without code changes. - On the host, pull the rebuilt image with Watchtower
(the compose file already sets the opt-in label) or a cron running
docker compose pull && docker compose up -d.
Links
- Pomerium — MCP support
- Pomerium — Protect an MCP server
- Dependabot configuration options
Установка Smtp Wrapper
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/JB09/smtp-mcp-wrapperFAQ
Smtp Wrapper MCP бесплатный?
Да, Smtp Wrapper MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Smtp Wrapper?
Нет, Smtp Wrapper работает без API-ключей и переменных окружения.
Smtp Wrapper — hosted или self-hosted?
Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.
Как установить Smtp Wrapper в Claude Desktop, Claude Code или Cursor?
Открой Smtp Wrapper на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
Gmail
Read, send and search emails from Claude
автор: GoogleSlack
Send, search and summarize Slack messages
автор: SlackRunbear
No-code MCP client for team chat platforms, such as Slack, Microsoft Teams, and Discord.
Discord Server
A community discord server dedicated to MCP by [Frank Fiegel](https://github.com/punkpeye)
Compare Smtp Wrapper with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории communication
