Security Fix: Swiftmailer 5.2.1 released

Swiftmailer 5.2.1 has just been released and it contains a security fix.

Prior to 5.2.1, the sendmail transport (Swift_Transport_SendmailTransport) was vulnerable to arbitrary shell execution if the “From” header comes from a non-trusted source and no “Return-Path” is configured. This has been fixed in 5.2.1. If you are using sendmail as a transport, you are encouraged to upgrade as soon as possible.

I’d like to thank Tim Starling who reported this security issue and provided a way to reproduce it very easily.

You can easily check if your project is vulnerable by uploading your composer.lock file on security.sensiolabs.org.
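
The advisory names two conditions: a “From” header taken from a non-trusted source, and no “Return-Path” configured. The PHP sketch below is an added example, not code from the original post or from the Swiftmailer project; it removes both conditions in application code as hardening alongside the upgrade. The helper names strictAddress and buildContactMessage and all example.com addresses are assumptions made for illustration.

```php
<?php
// Added example, not Swiftmailer's own code. Assumes Swiftmailer 5.x via Composer.
// Helper names and all example.com addresses are constructed for illustration.
require __DIR__ . '/vendor/autoload.php';

// Hypothetical helper: accept only a conservative subset of address syntax.
// Quoted local parts, whitespace, control characters and a leading "-" fail.
function strictAddress($candidate)
{
    if (!is_string($candidate) || strlen($candidate) > 254) {
        return null;
    }
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $pattern = '/\A[A-Za-z0-9][A-Za-z0-9._+-]{0,63}@' . $label . '(?:\.' . $label . ')+\z/';

    return preg_match($pattern, $candidate) === 1 ? $candidate : null;
}

// Hypothetical helper: build a contact-form message without letting the
// visitor's address become the From header or the envelope sender.
function buildContactMessage($untrustedAddress, $body)
{
    $visitor = strictAddress($untrustedAddress);
    if ($visitor === null) {
        throw new InvalidArgumentException('Rejected sender address');
    }

    return Swift_Message::newInstance('Contact form')
        ->setFrom('no-reply@example.com')       // fixed, application-owned
        ->setReturnPath('bounces@example.com')  // always configured explicitly
        ->setReplyTo($visitor)                  // visitor stays reachable
        ->setTo('support@example.com')
        ->setBody($body);
}

// Constructed sample input standing in for a submitted form field.
$message = buildContactMessage('alice@example.org', 'Hello from the contact form.');

$mailer = Swift_Mailer::newInstance(Swift_SendmailTransport::newInstance());
$mailer->send($message);
```

The allowlist is deliberately narrower than what the mail standards permit, so some valid but unusual addresses are rejected.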

Swiftmailer 5.2.0 released

Swiftmailer 5.2.0 has just been released; it contains the following changes:

  • fixed Swift_ByteStream_FileByteStream::read() to match the specification
  • fixed from-charset and to-charset arguments in mbstring_convert_encoding() usages
  • fixed infinite loop in StreamBuffer
  • fixed NullTransport to return the number of ignored emails instead of 0
  • Use phpunit and mockery for unit testing (realityking)

PEAR packages won’t be published anymore

Now that Composer is the de-facto standard for dependency management in PHP, it’s time to stop releasing new PEAR packages for Swiftmailer.

So, from now on, I won’t publish PEAR packages for new versions of Swiftmailer. That said, the current PEAR channel will continue to work, and I don’t expect to close it anytime soon (you just won’t get any new versions).

More information on my personal blog.

Swiftmailer 5.1.0 released

Swiftmailer 5.1.0 has just been released; it contains the following changes:

  • fixed data writing to stream when sending large messages
  • added support for libopendkim (https://github.com/xdecock/php-opendkim)
  • merged SignedMessage and Message
  • added Gmail XOAuth2 authentication
  • updated the list of known mime types
  • added NTLM authentication

Swiftmailer 5.0.3 released

Swiftmailer 5.0.3 is out. It fixes a long-standing issue about double-dots. Thanks to Xavier de Cock for the fix.

Swiftmailer 5.0.1 released

Swiftmailer 5.0.1 contains some minor bug fixes and fixes the main license file that was still referring to the LGPL license instead of the MIT one.

Swiftmailer 5.0.0 released

Swiftmailer 5.0.0 has just been released.

This release is the same as 4.3.1 feature-wise. So, why a major version? Because we have changed the license of Swiftmailer from LGPL to MIT.

Swiftmailer 4.3.1 released

Swiftmailer 4.3.1 has just been released.

Here is the changelog:

  • removed usage of the native QP encoder when the charset is not UTF-8
  • fixed usage of uniqid to avoid collisions
  • made a performance improvement when tokenizing large headers
  • fixed usage of the PHP native QP encoder on PHP 5.4.7+

Swiftmailer 4.3.0 released

Swiftmailer 4.3.0 has just been released. It contains one big new feature: signed and encrypted messages. Read the documentation for more information.

Swiftmailer 4.2.2 released

I’ve just released Swiftmailer 4.2.2.

If you are using PHP 5.4.7+, you will benefit from a huge performance boost as Swiftmailer will automatically switch to use the PHP native QP encoder function instead of its own PHP-based encoder.

To better integrate with Amazon SES, you can now throttle messages per second (instead of minutes) thanks to ThrottlerPlugin.

The RedirectingPlugin has also been enhanced as it now allows you to specify a whitelist with regular expressions.