Django-anymail

Latest version: v12.0

Page 6 of 10

3.0
----

*2018-05-30*

This is an extended support release. Anymail v3.x will receive security updates
and fixes for any breaking ESP API changes through at least April, 2019.

Breaking changes
~~~~~~~~~~~~~~~~

* Drop support for Python 3.3 (see `99`_).
* **SendGrid:** Fix a problem where Anymail's status tracking webhooks didn't always
  receive the same ``event.message_id`` as the sent ``message.anymail_status.message_id``,
  due to unpredictable behavior by SendGrid's API. Anymail now generates a UUID for
  each sent message and attaches it as a SendGrid custom arg named anymail_id. For most
  users, this change should be transparent. But it could be a breaking change if you
  are relying on a specific message_id format, or relying on message_id matching the
  *Message-ID* mail header or SendGrid's "smtp-id" event field. (More details in the
  `docs <https://anymail.dev/en/stable/esps/sendgrid/#sendgrid-message-id>`__;
  also see `108`_.) Thanks to `joshkersey`_ for the report and the fix.

Features
~~~~~~~~

* Support Django 2.1 prerelease.

Fixes
~~~~~

* **Mailjet:** Fix tracking webhooks to work correctly when Mailjet "group events"
  option is disabled (see `106`_).

Deprecations
~~~~~~~~~~~~

* This will be the last Anymail release to support Django 1.8, 1.9, and 1.10
  (see `110`_).
* This will be the last Anymail release to support the legacy SendGrid v2 EmailBackend
  (see `111`_). (SendGrid's newer v3 API has been the default since Anymail v0.8.)

If these deprecations affect you and you cannot upgrade, set your requirements to
``django-anymail~=3.0`` (a "compatible release" specifier, equivalent to ``>=3.0,==3.*``).

2.2
----

*2018-04-16*

Fixes
~~~~~

* Fix a breaking change accidentally introduced in v2.1: The boto3 package is no
  longer required if you aren't using Amazon SES.

2.1
----

*2018-04-11*

**NOTE:** v2.1 accidentally introduced a **breaking change:** enabling Anymail webhooks
with ``include('anymail.urls')`` causes an error if boto3 is not installed, even if you
aren't using Amazon SES. This is fixed in v2.2.

Features
~~~~~~~~

* **Amazon SES:** Add support for this ESP
  (`docs <https://anymail.dev/en/stable/esps/amazon_ses/>`__).
* **SparkPost:** Add SPARKPOST_API_URL setting to support SparkPost EU and SparkPost
  Enterprise
  (`docs <https://anymail.dev/en/stable/esps/sparkpost/#std:setting-ANYMAIL_SPARKPOST_API_URL>`__).
* **Postmark:** Update for Postmark "modular webhooks." This should not impact client
  code. (Also, older versions of Anymail will still work correctly with Postmark's
  webhook changes.)

Fixes
~~~~~

* **Inbound:** Fix several issues with inbound messages, particularly around non-ASCII
  headers and body content. Add workarounds for some limitations in older Python email
  packages.

Other
~~~~~

* Use tox to manage Anymail test environments (see contributor
  `docs <https://anymail.dev/en/stable/contributing/#testing>`__).

Deprecations
~~~~~~~~~~~~

* This will be the last Anymail release to support Python 3.3. See `99`_ for more
  information.

2.0
----

*2018-03-08*

Breaking changes
~~~~~~~~~~~~~~~~

* Drop support for deprecated WEBHOOK_AUTHORIZATION setting. If you are using webhooks
  and still have this Anymail setting, you must rename it to WEBHOOK_SECRET. See the
  `v1.4`_ release notes.
* Handle *Reply-To,* *From,* and *To* in EmailMessage ``extra_headers`` the same as
  Django's SMTP EmailBackend if supported by your ESP, otherwise raise an unsupported
  feature error. Fixes the SparkPost backend to be consistent with other backends if
  both ``headers["Reply-To"]`` and ``reply_to`` are set on the same message. If you are
  setting a message's ``headers["From"]`` or ``headers["To"]`` (neither is common), the
  new behavior is likely a breaking change. See
  `docs <https://anymail.dev/en/stable/sending/django_email/#additional-headers>`__
  and `91`_.
* Treat EmailMessage ``extra_headers`` keys as case-\ *insensitive* in all backends, for
  consistency with each other (and email specs). If you are specifying duplicate
  headers whose names differ only in case, this may be a breaking change. See
  `docs <https://anymail.dev/en/stable/sending/django_email/#additional-headers>`__.

Features
~~~~~~~~

* **SendinBlue:** Add support for this ESP
  (`docs <https://anymail.dev/en/stable/esps/sendinblue/>`__).
  Thanks to `RignonNoel`_ for the implementation.
* Add EmailMessage ``envelope_sender`` attribute, which can adjust the message's
  *Return-Path* if supported by your ESP
  (`docs <https://anymail.dev/en/stable/sending/anymail_additions/#anymail.message.AnymailMessage.envelope_sender>`__).
* Add universal wheel to PyPI releases for faster installation.

Other
~~~~~

* Update setup.py metadata, clean up implementation. (Hadn't really been touched
  since original Djrill version.)
* Prep for Python 3.7.

1.4
----

*2018-02-08*

Security
~~~~~~~~

* Fix a low severity security issue affecting Anymail v0.2–v1.3: rename setting
  WEBHOOK_AUTHORIZATION to WEBHOOK_SECRET to prevent inclusion in Django error
  reporting.
  (`CVE-2018-1000089 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000089>`__)

*More information*

Django error reporting includes the value of your Anymail WEBHOOK_AUTHORIZATION
setting. In a properly-configured deployment, this should not be cause for concern.
But if you have somehow exposed your Django error reports (e.g., by mis-deploying
with DEBUG=True or by sending error reports through insecure channels), anyone who
gains access to those reports could discover your webhook shared secret. An
attacker could use this to post fabricated or malicious Anymail tracking/inbound events
to your app, if you are using those Anymail features.

The fix renames Anymail's webhook shared secret setting so that Django's error
reporting mechanism will
`sanitize <https://docs.djangoproject.com/en/stable/ref/settings/#debug>`__ it.
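
The name-based masking behind this fix, as an added standalone sketch (not Anymail's or Django's own code). The pattern is an assumption modeled on Django's error-report filter at the time of this advisory; ``is_hidden``, ``unmasked_paths`` and the sample settings are constructed for illustration.

```python
import re

# Assumption: name pattern modeled on Django's error-report filter as of this
# advisory; later Django versions may match additional substrings.
HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.IGNORECASE)
CLEANSED = "********************"


def is_hidden(key):
    """True if a setting name would be masked in an error report."""
    return isinstance(key, str) and bool(HIDDEN_SETTINGS.search(key))


def cleanse_setting(key, value):
    """Mask by setting name; recurse into dicts such as ANYMAIL = {...}."""
    if is_hidden(key):
        return CLEANSED
    if isinstance(value, dict):
        return {k: cleanse_setting(k, v) for k, v in value.items()}
    return value


def unmasked_paths(settings, prefix=""):
    """Dotted paths of every leaf value that would appear in clear text."""
    paths = []
    for key, value in settings.items():
        if is_hidden(key):
            continue
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            paths.extend(unmasked_paths(value, prefix=path + "."))
        else:
            paths.append(path)
    return sorted(paths)


# Constructed sample settings (values are placeholders, not real credentials).
BEFORE = {"DEBUG": False, "ANYMAIL": {"MAILGUN_API_KEY": "constructed-key",
                                      "WEBHOOK_AUTHORIZATION": "constructed-secret"}}
AFTER = {"DEBUG": False, "ANYMAIL": {"MAILGUN_API_KEY": "constructed-key",
                                     "WEBHOOK_SECRET": "constructed-secret"}}

if __name__ == "__main__":
    for label, conf in (("v1.3 name", BEFORE), ("v1.4 name", AFTER)):
        print(label, cleanse_setting("ANYMAIL", conf["ANYMAIL"]), unmasked_paths(conf))
```

Running ``unmasked_paths`` over your own settings dict lists the names whose values an error report would show in clear text, which is a quick way to spot other credentials stored under names the filter does not recognize.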

If you are using Anymail's event tracking and/or inbound webhooks, you should upgrade
to this release and change "WEBHOOK_AUTHORIZATION" to "WEBHOOK_SECRET" in the ANYMAIL
section of your settings.py. You may also want to
`rotate the shared secret <https://anymail.dev/en/stable/tips/securing_webhooks/#use-a-shared-authorization-secret>`__
value, particularly if you have ever exposed your Django error reports to untrusted
individuals.

If you are only using Anymail's EmailBackends for sending email and have not set up
Anymail's webhooks, this issue does not affect you.

The old WEBHOOK_AUTHORIZATION setting is still allowed in this release, but will issue
a system-check warning when running most Django management commands. It will be removed
completely in a near-future release, as a breaking change.

Thanks to Charlie DeTar (`yourcelf`_) for responsibly reporting this security issue
through private channels.

1.3
----

Not secure
`v1.2.1`_ release notes, below, if you are using Anymail's tracking webhooks.

Features
~~~~~~~~

* **Inbound handling:** Add normalized inbound message event, signal, and webhooks
  for all supported ESPs. (See new
  `Receiving mail <https://anymail.dev/en/stable/inbound/>`__ docs.)
  This hasn't been through much real-world testing yet; bug reports and feedback
  are very welcome.
* **API network timeouts:** For Requests-based backends (all but SparkPost), use a
  default timeout of 30 seconds for all ESP API calls, to avoid stalling forever on
  a bad connection. Add a REQUESTS_TIMEOUT Anymail setting to override. (See `80`_.)
* **Test backend improvements:** Generate unique tracking ``message_id`` when using the
  `test backend <https://anymail.dev/en/stable/tips/test_backend/>`__;
  add console backend for use in development. (See `85`_.)


.. _release_1_2_1:
