I added a comment at the end of a line in my config file like this:

              IPs:
                        - X.X.X.X # BAD

Running mox then fails:

l=fatal m="http: listen" err="listen tcp: lookup X.X.X.X # BAD: no such host" pkg=http addr="X.X.X.X # BAD:8010"

I didn't look at the config parsing code but shouldn't it be doing the equivalent of a foo.split("#")[0] for each line?

Note this leads to some weird results if you use it in places like:

DataDir: ../data # FOO

because it leads to things like:

drwxr-s--- 6 mox  root     4096 Aug 29 01:52 'data # FOO'

This suggests you might want to also sanitize inputs in the filesystem handling code because that in some cases can lead to weird exploits being possible/easier.