January 6, 2026
Inbox Wars: License Panic
Show HN: VaultSandbox – Test your real MailGun/SES/etc. integration
Test real emails at last — devs cheer while license panic and “quantum” side‑eye erupt
TLDR: VaultSandbox lets teams test real emails in their own cloud instead of faking them. The community’s excited but split: one voice says AGPL isn’t a blocker, others worry about licensing and roll their eyes at the “post‑quantum” flex—still, most agree reliable email testing matters.
VaultSandbox promises a fix for the classic dev nightmare: tests pass, real emails fail. Spin it up fast, send emails through real services like Mailgun or Amazon SES, and watch messages arrive in real time. The crowd loved the idea of replacing fake tests with actual delivery inside your own cloud—but then the comments lit up over the open‑source license. The core is AGPLv3 (the one some bosses fear), while the SDK and UI are MIT. Commenter dspillett tried to calm everyone down, saying AGPL shouldn’t block dev use unless you’re truly paranoid about “GPL infection.” Cue the peanut gallery: half nodding along, half clutching pearls.
There’s also spicy debate about the team flaunting NIST’s new post‑quantum crypto (ML‑KEM‑768): some cheered the future‑proofing, others rolled eyes at “quantum buzzword bingo.” Ops folks grumbled about needing port 25 open, while engineers posted memes about the infamous “ignore_tls: true” flag—aka the villain behind so many email outages. Security pitch—only accepts your domains, kills spam early, rate limits—got thumbs up, and terminal lovers were thrilled about live test flows via Server‑Sent Events. Product people asked for audit logs and SSO, got the classic “Enterprise features” line. Net vibe: hype for real‑world email testing, with a side of license war and quantum spice. New to this? Check Mailgun, Amazon SES, and NIST PQC.
Key Points
- •VaultSandbox provides a self-hosted gateway to test real SMTP/TLS/DNS email flows inside a VPC, deployable via a single Docker Compose file.
- •The system includes a REST API, SDKs with SSE for real-time deterministic testing, and a CLI for terminal workflows.
- •Security features include domain whitelisting, RCPT TO rejection for non-existent inboxes, rate limiting with temporary 421 blocks, and configurable resource limits.
- •Data handling is ephemeral for emails by default, while API keys and certificates persist via a volume; inboxes have configurable TTLs.
- •The core gateway is open-source under AGPLv3, SDKs/UI are MIT-licensed, and optional enterprise features (e.g., SSO, Audit Logs) are paid; cryptography includes ML-KEM-768.