Static IP filter for SMTP #297

Open
foxcpp opened this issue Nov 22, 2020 · 5 comments
Labels
filter Related to message processing middleware ("filters") mta-in Related to incoming message processing part of the MTA functionality (mail exchanger).

Comments

foxcpp (Owner) commented Nov 22, 2020

Use-case: Permitting messages to be sent only from specific addresses or subnets.
Context: https://news.ycombinator.com/item?id=25177676

foxcpp added the filter and mta-in labels Nov 22, 2020
CanRau commented Nov 23, 2020

I'd like to propose renaming them to blocklist or denylist and allowlist.

More on the topic:
https://9to5google.com/2020/06/12/google-android-chrome-blacklist-blocklist-more-inclusive/
rails/rails#33677

😊

foxcpp changed the title from "Static IP blacklist/whitelist for SMTP" to "Static IP filter for SMTP" Nov 23, 2020
foxcpp (Owner, Author) commented Nov 23, 2020

Well, fine.

foxcpp (Owner, Author) commented May 31, 2021

Trying to think of a generic-enough solution useful beyond the proposed use case.

Something like:

check.ip_filter {
    allow cidr 127.0.0.1/24
    deny cidr 0.0.0.0/0
}

Multiple allow/deny entries? What takes priority in what order? (note that it is typical for maddy config entries to be order-independent, I guess we would want to match that).

foxcpp (Owner, Author) commented May 31, 2021

We are going to omit any advanced functionality for now, so let's consider two use cases:

  1. Blocking certain subnets/addresses.
  2. Allowing messages only from certain subnets/addresses.

These could be combined by using multiple config blocks.

check {
  ip_whitelist cidr 10.0.0.0/8
  ip_blacklist cidr 10.0.0.0/24
}

The config above roughly means: reject all messages not from 10.0.0.0/8 but also reject messages from 10.0.0.0/24.

Module behavior can be customized to allow custom action (e.g. quarantine instead of rejection) or allowed IPs to be pulled from an external source.

ip_whitelist {
  table cidr 10.0.0.0/8
  action quarantine
}

Note that cidr is table.cidr, which is basically table.static extended to match IP addresses against CIDR-notation masks.

Speaking of terminology, I am not sure "allowlist" conveys the "exclusive" nature of "whitelist" clearly enough. Unless someone provides me with a better name - I would go with "whitelist"/"blacklist".
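
The semantics sketched in the two design comments above (order-independent allow/deny CIDR entries, and the combined "reject everything not in 10.0.0.0/8 but also reject 10.0.0.0/24" configuration with a configurable deny action) can be pinned down in a small filter. The following Go code is an added example written for this page; it is not maddy's ip_filter/whitelist/blacklist module and does not use maddy's table or check APIs. The names IPFilter, NewIPFilter, Check and Action are assumptions made up for the illustration, as are the sample addresses, which use documentation and private ranges. Deny entries always win, and a non-empty allow list is exclusive, so the result never depends on the order in which entries were written.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Action is what the filter tells the SMTP front-end to do with a connection.
type Action int

const (
	Accept Action = iota
	Reject
	Quarantine
)

func (a Action) String() string {
	switch a {
	case Accept:
		return "accept"
	case Reject:
		return "reject"
	default:
		return "quarantine"
	}
}

// IPFilter combines an exclusive allow list (the thread's "whitelist") with a
// deny list ("blacklist"). Entry order never matters: a deny match always wins,
// and a non-empty allow list rejects every address it does not contain.
// (Hypothetical type for this example, not maddy's own.)
type IPFilter struct {
	allow      []netip.Prefix
	deny       []netip.Prefix
	denyAction Action // what a deny match does: Reject or Quarantine
}

// parsePrefixes parses CIDR strings and normalises them, so that an entry such
// as 127.0.0.1/24 is stored and reported as the real network 127.0.0.0/24.
func parsePrefixes(cidrs []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("ip_filter: bad cidr %q: %w", c, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// NewIPFilter builds a filter; a bad CIDR or an Accept deny-action is a
// configuration error, reported at load time rather than per connection.
func NewIPFilter(allow, deny []string, denyAction Action) (*IPFilter, error) {
	a, err := parsePrefixes(allow)
	if err != nil {
		return nil, err
	}
	d, err := parsePrefixes(deny)
	if err != nil {
		return nil, err
	}
	if denyAction == Accept {
		return nil, fmt.Errorf("ip_filter: deny action must be reject or quarantine")
	}
	return &IPFilter{allow: a, deny: d, denyAction: denyAction}, nil
}

func matchAny(ps []netip.Prefix, ip netip.Addr) (netip.Prefix, bool) {
	for _, p := range ps {
		if p.Contains(ip) {
			return p, true
		}
	}
	return netip.Prefix{}, false
}

// Check evaluates the remote address of an SMTP connection. It accepts a bare
// IP or the "ip:port" form that net.Conn.RemoteAddr().String() yields, and
// returns the action plus a reason suitable for the reject log line.
func (f *IPFilter) Check(remote string) (Action, string) {
	ip, err := netip.ParseAddr(remote)
	if err != nil {
		ap, err2 := netip.ParseAddrPort(remote)
		if err2 != nil {
			// Fail closed: an address we cannot parse is never let through.
			return Reject, fmt.Sprintf("unparseable remote address %q", remote)
		}
		ip = ap.Addr()
	}
	// IPv4 clients on a dual-stack listener arrive as ::ffff:a.b.c.d, and
	// netip.Prefix.Contains will not match those against an IPv4 prefix.
	// Unmap first, or a deny entry for 10.0.0.0/24 silently misses them.
	ip = ip.Unmap()

	if p, ok := matchAny(f.deny, ip); ok {
		return f.denyAction, fmt.Sprintf("%s matches deny entry %s", ip, p)
	}
	if len(f.allow) > 0 {
		if p, ok := matchAny(f.allow, ip); ok {
			return Accept, fmt.Sprintf("%s matches allow entry %s", ip, p)
		}
		return Reject, fmt.Sprintf("%s is outside all allow entries", ip)
	}
	return Accept, "no allow list configured and no deny match"
}

func main() {
	// Mirrors the "ip_whitelist cidr 10.0.0.0/8 + ip_blacklist cidr 10.0.0.0/24"
	// combination from the thread. Sample addresses are constructed for the demo.
	f, err := NewIPFilter([]string{"10.0.0.0/8"}, []string{"10.0.0.0/24"}, Reject)
	if err != nil {
		panic(err)
	}
	for _, r := range []string{"10.1.2.3:51234", "10.0.0.7", "::ffff:10.0.0.7", "192.0.2.1", "garbage"} {
		act, why := f.Check(r)
		fmt.Printf("%-18s -> %-10s (%s)\n", r, act, why)
	}
}
```

Two points worth noting from running it. First, under this deny-wins rule the earlier sketch "allow cidr 127.0.0.1/24; deny cidr 0.0.0.0/0" rejects everything, 127.0.0.0/24 included, which is one reason the exclusive whitelist is better expressed as its own block than as a catch-all deny entry. Second, the Unmap call is the part most easily forgotten in a filter like this: without it an IPv4 client reaching a dual-stack listener is compared as an IPv6 address and bypasses IPv4-only deny entries.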

@foxcpp foxcpp modified the milestone: 0.5 Jul 5, 2021
spytheman commented
Is that already implemented?
