forwardemail / free-email-forwarding

The best free email forwarding for custom domains. Visit our website to get started (SMTP server)
https://forwardemail.net

[feat] webhook payload signature verification #235

Closed cauethenorio closed 1 month ago

cauethenorio commented 4 years ago

Currently, when my application receives the webhook payload sent by free-email-forwarding there's no way to validate the request authenticity.

It would be nice if it has some validation field, like the signature one which mailgun uses in their webhooks: https://documentation.mailgun.com/en/latest/user_manual.html?highlight=signature#webhooks

Thanks for building this awesome project and making it open-source @niftylettuce!

niftylettuce commented 4 years ago

You could verify the request came from the resolved IP addresses of mx1.forwardemail.net or mx2.forwardemail.net. I will add a signature or something as soon as I can. Trying to ship the browser extension among other things. Thanks for raising this point @cauethenorio.

m4rvr commented 4 months ago

Hey @niftylettuce, is this still on the roadmap or are there other solutions for that now?

titanism commented 4 months ago

Will see what we can do!

titanism commented 4 months ago

Another solution is to just check that the IP it's coming from resolves to mx1.forwardemail.net or mx2.forwardemail.net in a reverse lookup. You can get the IPs specifically from `dig mx1.forwardemail.net a` or `dig mx2.forwardemail.net a`, so you could hard code that it's from those specific IP addresses (or hostname in reverse lookup).

m4rvr commented 4 months ago

Thanks for your fast response. Checking the IP works for me. :)

titanism commented 1 month ago

We now publish our IP addresses at https://forwardemail.net/ips – and they are automatically updated daily.

m4rvr commented 1 month ago

Hey again! Am I right that checking the IP addresses is still the only way to verify?

If so, how often do these IPs change? Do I need to periodically fetch the IPs or is hard coding them fine?

titanism commented 1 month ago

@m4rvr we'll implement signatures, one moment

titanism commented 1 month ago

@m4rvr OK it's ready for you. Simply go to My Account → Domains → Settings → Webhook Signature Payload Verification Key. Then you will be able to rotate and copy your webhook key. Use this in comparison against the X-Webhook-Signature header in webhook payloads. An example of how to do the comparison is at https://stackoverflow.com/a/68885281.

Screenshot: [image: Screen Shot 2024-08-06 at 8 21 26 PM]

We've tested and confirmed this is working ✅

Ref: https://github.com/forwardemail/forwardemail.net/commit/10180e1bac043981aaf2cc385b6557fdf9405fba#diff-d5d9aaae30993bbc32838519974019092153b1f4a1bf900bfeec455e53c88390

titanism commented 1 month ago

FAQ also updated: https://forwardemail.net/en/faq#do-you-support-webhooks:~:text=If%20you%27re%20on%20a%20paid%20plan%2C%20then%20go%20to%20My%20Account%20%E2%86%92%20Domains%20%E2%86%92%20Settings%20%E2%86%92%20Webhook%20Signature%20Payload%20Verification%20Key%20to%20obtain%20your%20webhook%20key.

m4rvr commented 1 month ago

@titanism No way you added it that fast. Thank you very much for that!! 🫶

I've just checked it, but I don't get any X-Webhook-Signature header sent. I'm using Localcan for exposing a public development URL for the webhook. I also tried webhook.site for that, still no signature header. I'm using fastify and logging headers via request.headers.

I had to reset the key at the beginning too, because it was empty for the existing domain. Maybe I need to recreate the domain completely?

[image: CleanShot 2024-08-07 at 08 03 04@2x]

titanism commented 1 month ago

@m4rvr can you email us at support@forwardemail.net with which domain this is for?

m4rvr commented 1 month ago

> @m4rvr can you email us at support@forwardemail.net with which domain this is for?

Sure, done!

titanism commented 1 month ago

This is fixed! We had a small bug in https://github.com/forwardemail/forwardemail.net/commit/cfa18274a2816e11002d5485bf57d531dff16359 that was resolved. Please try again? 🙏

m4rvr commented 1 month ago

> This is fixed! We had a small bug in forwardemail/forwardemail.net@cfa1827 that was resolved. Please try again? 🙏

Just checked, I see the header now in the request. Thanks again! :)

titanism commented 1 month ago

Great to hear, keep your feature requests coming!