High-risk tools in TrekMail MCP Server
14 of the 216 tools in TrekMail MCP Server are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
dns_recheckExecuteTrigger an asynchronous DNS verification check for a domain. Returns a check ID that can be polled with get_dns_check.
-
drive_device_rotateExecuteAtomic credential rotation: revoke the old row and mint a new one inheriting label, scopes, and mailbox binding. The new plaintext password is returned in data.password (one-tim...
-
resume_bulk_migrationExecuteResume a paused bulk migration batch (e.g., paused due to storage limits). Set confirm_resume=true to proceed.
-
retry_bulk_migrationExecuteRetry all failed jobs in a bulk migration batch. Requires TREKMAIL_ALLOW_MIGRATION=true and confirm_retry=true.
-
retry_domain_dkimExecuteRestart DKIM key provisioning for a domain. Use this if DKIM provisioning failed or needs to be regenerated.
-
retry_migrationExecuteRetry a failed or cancelled email migration. Set confirm_retry=true to proceed.
-
send_messageExecuteSend an email from the mailbox. Requires a message token with messages:send scope. Both TREKMAIL_ALLOW_SENDING=true and confirm_send=true are required as safety gates. The messa...
-
start_bulk_migrationExecuteStart a bulk migration batch. IMPORTANT: Run preview_bulk_migration first to validate your data. Creates one migration job per valid row. Requires TREKMAIL_ALLOW_MIGRATION=true ...
-
start_migrationExecuteStart migrating emails from a source IMAP server to a TrekMail mailbox. This is a long-running operation. Both TREKMAIL_ALLOW_MIGRATION=true and confirm_start=true are required.
-
test_domain_smtpExecuteTest a domain
-
test_smtpExecuteTest an SMTP connection with the provided credentials. Returns a job_id to poll for results.
-
update_smtp_configExecuteUpdate the SMTP configuration. Switch between platform and custom SMTP, or update custom SMTP settings. Requires TREKMAIL_ALLOW_DESTRUCTIVE=true.
-
upload_sieve_scriptExecuteUpload and activate a custom Sieve script for a mailbox. This replaces any visual filters. The server validates syntax before activating. Agency plan only. Dangerous extensions ...
-
verify_domain_branding_dnsExecuteQueue a DNS check + SSL provisioning for this domain
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.