|
4 | 4 | ## Overview |
5 | 5 | A [Model Context Protocol](https://modelcontextprotocol.io) (MCP) server for [Mailgun](https://mailgun.com), enabling MCP-compatible AI clients to interact with the Mailgun email service. |
6 | 6 |
|
| 7 | +> **Note:** This MCP server runs locally on your machine. Mailgun does not currently offer a hosted version of this server. |
| 8 | +
|
7 | 9 | ### Capabilities |
8 | 10 |
|
9 | 11 | - **Messaging** — Send emails, retrieve stored messages, resend messages |
@@ -143,6 +145,36 @@ In your MCP client config, replace the `npx` command with: |
143 | 145 | "args": ["/path/to/mailgun-mcp-server/src/mailgun-mcp.js"] |
144 | 146 | ``` |
145 | 147 |
|
| 148 | +## Security Considerations |
| 149 | + |
| 150 | +### API key isolation |
| 151 | + |
| 152 | +Your Mailgun API key is passed as an environment variable and is never exposed to the AI model itself — it is only used by the MCP server process to authenticate requests. The server does not log API keys, request parameters, or response data. |
| 153 | + |
| 154 | +### Local execution |
| 155 | + |
| 156 | +The server runs locally on your machine. All communication with the Mailgun API is over HTTPS with TLS certificate validation enforced. No data is sent to third-party services beyond the Mailgun API. |
| 157 | + |
| 158 | +### API key permissions |
| 159 | + |
| 160 | +Use a dedicated Mailgun API key with permissions scoped to only the operations you need. The server exposes read and update operations but does not expose any delete operations, which limits the blast radius of unintended actions. |
| 161 | + |
| 162 | +### Rate limiting |
| 163 | + |
| 164 | +The server does not implement client-side rate limiting. Each tool call from the AI translates directly into a Mailgun API request. The server relies on Mailgun's server-side rate limits to prevent abuse — requests that exceed those limits will return an error to the AI assistant. |
| 165 | + |
| 166 | +### Prompt injection |
| 167 | + |
| 168 | +As with any MCP server, a crafted or adversarial prompt could trick the AI assistant into calling operations you did not intend — for example, modifying tracking settings or reading mailing list members. Review your AI assistant's tool-call confirmations before approving actions, especially in untrusted prompt contexts. |
| 169 | + |
| 170 | +### Webhook URLs |
| 171 | + |
| 172 | +Webhook create and update operations accept arbitrary URLs provided through the AI assistant. The MCP server passes these URLs to the Mailgun API without additional validation. Mailgun is responsible for validating webhook destinations. Ensure your AI assistant does not set webhook URLs to unintended internal or sensitive addresses. |
| 173 | + |
| 174 | +### Input validation |
| 175 | + |
| 176 | +All tool parameters are validated against the Mailgun OpenAPI specification using Zod schemas. However, validation depends on the accuracy of the OpenAPI spec, and some edge-case parameters may fall back to permissive validation. The Mailgun API performs its own server-side validation as an additional layer of protection. |
| 177 | + |
146 | 178 | ## Debugging |
147 | 179 |
|
148 | 180 | The MCP server communicates over stdio. Refer to the [MCP Debugging Guide](https://modelcontextprotocol.io/docs/tools/debugging) for troubleshooting. |
|
0 commit comments