Uncontrolled Resource Consumption

Summary

The Mailpit SMTP server has a Server.MaxSize int field that controls the maximum allowed DATA payload size, but the field is never assigned anywhere outside test code, leaving it at Go's zero value (0 = "no limit"). The same applies to the HTTP /api/v1/send endpoint, whose request body is decoded with json.NewDecoder(r.Body) and no http.MaxBytesReader. Because Mailpit's default listeners bind [::]:1025 (SMTP) and [::]:8025 (HTTP), with no authentication required on either, a single network-reachable attacker can push an arbitrarily large message into Mailpit and watch RAM consumption spike with a ~7-10x amplification factor (raw frame - enmime envelope tree - search-text index - zstd-encoded write to SQLite). Repeating the attack -- or running it concurrently from multiple connections -- drives the process to OOM-kill. This issue affects versions prior to 1.30.0.