foxcpp / maddy

✉️ Composable all-in-one mail server.
https://maddy.email
GNU General Public License v3.0

Static IP filter for SMTP #297

Open foxcpp opened 3 years ago

foxcpp commented 3 years ago

Use-case: Permitting messages to be sent only from specific addresses or subnets. Context: https://news.ycombinator.com/item?id=25177676

CanRau commented 3 years ago

I'd like to propose renaming them to blocklist or denylist and allowlist.

More on the topic: https://9to5google.com/2020/06/12/google-android-chrome-blacklist-blocklist-more-inclusive/ https://github.com/rails/rails/issues/33677

😊

foxcpp commented 3 years ago

Well, fine.

foxcpp commented 3 years ago

Trying to think of a generic-enough solution useful beyond the proposed use case.

Something like:

check.ip_filter {
    allow cidr 127.0.0.1/24
    deny cidr 0.0.0.0/0
}

Multiple allow/deny entries? What takes priority in what order? (note that it is typical for maddy config entries to be order-independent, I guess we would want to match that).

foxcpp commented 3 years ago

We are going to omit any advanced functionality for now, so let's consider two use cases:

  1. Blocking certain subnets/addresses.
  2. Allowing messages only from certain subnets/addresses.

These could be combined by using multiple config blocks.

check {
  ip_whitelist cidr 10.0.0.0/8
  ip_blacklist cidr 10.0.0.0/24
}

The config above roughly means: reject all messages not from 10.0.0.0/8 but also reject messages from 10.0.0.0/24.

Module behavior can be customized to allow custom action (e.g. quarantine instead of rejection) or allowed IPs to be pulled from an external source.

ip_whitelist {
  table cidr 10.0.0.0/8
  action quarantine
}

Note that cidr is table.cidr, which is basically table.static extended to match IP addresses against CIDR-notation masks.

Speaking of terminology, I am not sure "allowlist" conveys the "exclusive" nature of "whitelist" clearly enough. Unless someone provides me with a better name - I would go with "whitelist"/"blacklist".
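The semantics proposed in the comment above (an exclusive whitelist block, a blacklist block, order-independent combination of several blocks, and a configurable action such as quarantine instead of reject), written out as a small Go program. This is an added illustration, not maddy's own code: the type names `ipWhitelist`, `ipBlacklist`, `cidrTable` and the `evaluate`/`verdict` helpers are assumptions chosen to mirror the config keys in the discussion, and `cidrTable` stands in for `table.cidr` using the standard library's `net.IPNet` matching. Because maddy config blocks are order-independent, the combination rule used here is "strictest verdict wins" (reject beats quarantine beats accept), and an unparseable client address fails closed.

```go
package main

import (
	"fmt"
	"net"
)

// Action is the verdict a check returns for a connecting client.
// Ordering matters: a higher value is stricter, which is what lets
// several order-independent blocks be combined by taking the maximum.
type Action int

const (
	Accept     Action = iota
	Quarantine        // deliver, but flag the message (the "action quarantine" setting)
	Reject            // refuse the message outright (the default action)
)

func (a Action) String() string {
	switch a {
	case Accept:
		return "accept"
	case Quarantine:
		return "quarantine"
	default:
		return "reject"
	}
}

// cidrTable is an assumed stand-in for maddy's table.cidr: a static list of
// CIDR masks that an IP address is matched against.
type cidrTable []*net.IPNet

func parseCIDRs(masks ...string) (cidrTable, error) {
	t := make(cidrTable, 0, len(masks))
	for _, m := range masks {
		_, n, err := net.ParseCIDR(m)
		if err != nil {
			return nil, fmt.Errorf("bad cidr %q: %w", m, err)
		}
		t = append(t, n)
	}
	return t, nil
}

// mustCIDRs is a convenience for static, hand-written config (panics on a typo,
// which is what you want at config-load time rather than at delivery time).
func mustCIDRs(masks ...string) cidrTable {
	t, err := parseCIDRs(masks...)
	if err != nil {
		panic(err)
	}
	return t
}

// Contains reports whether ip falls inside any mask in the table.
// (*net.IPNet).Contains handles both 4-byte and 16-byte IPv4 representations.
func (t cidrTable) Contains(ip net.IP) bool {
	for _, n := range t {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// checker is one config block: it looks at the client IP and returns a verdict.
type checker interface {
	Check(ip net.IP) Action
}

// ipWhitelist mirrors the proposed ip_whitelist block: exclusive, so a client
// that is NOT in the table gets the configured action.
type ipWhitelist struct {
	table  cidrTable
	action Action
}

func (c ipWhitelist) Check(ip net.IP) Action {
	if c.table.Contains(ip) {
		return Accept
	}
	return c.action
}

// ipBlacklist mirrors the proposed ip_blacklist block: a client that IS in the
// table gets the configured action, everyone else is left alone.
type ipBlacklist struct {
	table  cidrTable
	action Action
}

func (c ipBlacklist) Check(ip net.IP) Action {
	if c.table.Contains(ip) {
		return c.action
	}
	return Accept
}

// evaluate combines independent blocks without regard to their order:
// the strictest verdict from any block wins.
func evaluate(ip net.IP, checks ...checker) Action {
	result := Accept
	for _, c := range checks {
		if v := c.Check(ip); v > result {
			result = v
		}
	}
	return result
}

// verdict parses a textual client address and evaluates it; an address that
// does not parse is rejected (fail closed) and reported as an error.
func verdict(addr string, checks ...checker) (Action, error) {
	ip := net.ParseIP(addr)
	if ip == nil {
		return Reject, fmt.Errorf("invalid client address %q", addr)
	}
	return evaluate(ip, checks...), nil
}

func main() {
	// The two-block config from the comment above:
	//   ip_whitelist cidr 10.0.0.0/8
	//   ip_blacklist cidr 10.0.0.0/24
	checks := []checker{
		ipWhitelist{table: mustCIDRs("10.0.0.0/8"), action: Reject},
		ipBlacklist{table: mustCIDRs("10.0.0.0/24"), action: Reject},
	}
	// Constructed sample client addresses, not taken from any real log.
	for _, addr := range []string{"10.1.2.3", "10.0.0.5", "192.0.2.7", "not-an-ip"} {
		v, err := verdict(addr, checks...)
		fmt.Printf("%-10s -> %s (err=%v)\n", addr, v, err)
	}
}
```

With that config, 10.1.2.3 is accepted (inside /8, outside /24), 10.0.0.5 is rejected by the blacklist block, and 192.0.2.7 is rejected by the whitelist block, which is the behaviour the comment describes. Swapping the whitelist's action to `Quarantine` turns the last case into a quarantine instead, while a reject from any other block still takes precedence.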

spytheman commented 7 months ago

Is that already implemented?