stalwartlabs / mail-server

Secure & Modern All-in-One Mail Server (IMAP, JMAP, POP3, SMTP)
https://stalw.art

[enhancement]: limit webadmin access by IP range & add robots.txt #542

Open alexmbird opened 1 week ago

alexmbird commented 1 week ago

Which feature or improvement would you like to request?

I'd like to see this feature:

At present, when using Stalwart's (brilliant) feature to get LetsEncrypt certificates its HTTP (+HTTPS?) interfaces must be exposed to the whole world. From a security perspective this is undesirable - Stalwart installations will get indexed by Google et al, so if ever there's a vulnerability they'll be easy to find and exploit.

That's not just a theoretical concern - two people's Stalwart installations already show up on Google:

Screenshot 2024-06-18 at 07 05 21

To prevent this it'd be nice to have:

Hits to /.well-known will need to bypass the restriction as LetsEncrypt don't publish the IP ranges their challenges come from.

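The policy described in the request above, as an added example that is not part of the issue or of Stalwart's code: a small HTTP front door that lets `/.well-known/*` through from any address (ACME HTTP-01 challenges come from unpublished Let's Encrypt ranges, so they cannot be allow-listed), serves a `robots.txt` that tells crawlers not to index anything, and answers every other path with 403 unless the client is inside a configured management network. The CIDRs and the `decide` / `AdminGate` names are assumptions chosen for the example; a real deployment would forward "allow" requests to the admin UI instead of returning a placeholder body.

```python
"""Added example (not Stalwart's code): IP-range gate for an admin UI with an
ACME bypass and a deny-all robots.txt. The policy follows the issue thread:

  /.well-known/*  -> always allowed (ACME challenge responder lives here)
  /robots.txt     -> always allowed, asks crawlers not to index the host
  everything else -> only from the management CIDRs below, otherwise 403
"""
import ipaddress
import posixpath
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Constructed example ranges (documentation prefixes); replace with your own
# management networks.
ADMIN_ALLOWED = [
    ipaddress.ip_network(n)
    for n in ("192.0.2.0/24", "2001:db8::/32", "127.0.0.1/32")
]

# Deny-all robots.txt so search engines do not index the admin UI.
ROBOTS_TXT = "User-agent: *\nDisallow: /\n"


def decide(raw_path: str, client_ip: str) -> str:
    """Return 'allow', 'robots' or 'deny' for a request path and peer address.

    client_ip must be the TCP peer address (or a value taken from a header
    only when a trusted reverse proxy in front of this gate sets it), never
    an unverified X-Forwarded-For, or the allow-list can be spoofed.
    """
    route = urlsplit(raw_path).path          # drop query string
    # Resolve '..' segments so '/.well-known/../login' cannot ride the bypass.
    route = posixpath.normpath(route)
    if route == "/robots.txt":
        return "robots"
    if route == "/.well-known" or route.startswith("/.well-known/"):
        return "allow"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "deny"                        # unparsable address: fail closed
    if any(addr in net for net in ADMIN_ALLOWED):
        return "allow"
    return "deny"


class AdminGate(BaseHTTPRequestHandler):
    """Minimal handler applying decide(); 'allow' returns a placeholder body
    where a real deployment would proxy to the admin UI / ACME responder."""

    def _reply(self, status: HTTPStatus, body: bytes) -> None:
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self) -> None:
        verdict = decide(self.path, self.client_address[0])
        if verdict == "robots":
            self._reply(HTTPStatus.OK, ROBOTS_TXT.encode())
        elif verdict == "allow":
            self._reply(HTTPStatus.OK, b"ok\n")   # placeholder for the upstream
        else:
            self._reply(HTTPStatus.FORBIDDEN, b"forbidden\n")

    do_POST = do_GET   # same policy for every method

    def log_message(self, fmt, *args):        # keep the example quiet
        pass


if __name__ == "__main__":
    # Listens on 127.0.0.1:8080; only the loopback range above is allowed,
    # so a request for /login from another host would be refused.
    ThreadingHTTPServer(("127.0.0.1", 8080), AdminGate).serve_forever()
```

Because the whole `/.well-known/` prefix is exempt, a `security.txt` published at `/.well-known/security.txt` (the spec williamdes mentions later in the thread) stays reachable from the Internet while the UI itself does not.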
nomadturk commented 1 week ago

Obscurity ain't so bad! I wouldn't want to worry about one more attack vector either. Ideally, I wouldn't even want to host the webadmin on the same server.

But there is already a change that is cooking for this exact purpose AFAIK.

;)

williamdes commented 1 week ago

Thank you for adding the robots.txt. Ideally any code binding http or https should have it.

What about implementing the security.txt spec? Maybe it is already done.

alexmbird commented 1 week ago

@mdecimus that was quick, thanks :)