Skip to content

feat: Block specific outgoing mail servers#1971

Merged
doublethink merged 5 commits into
masterfrom
feat/mx-blocklist
Apr 1, 2025
Merged

feat: Block specific outgoing mail servers#1971
doublethink merged 5 commits into
masterfrom
feat/mx-blocklist

Conversation

@doublethink

@doublethink doublethink commented Mar 27, 2025

Copy link
Copy Markdown
Contributor

What kind of change does this PR introduce?

Feature that gives configuration option to block an email address event if the mx server of the domain is on a blocklist

What is the current behavior?

Existing behavior only checks for syntax issues and single email addresses against a message stream.

What is the new behavior?

This is called on every sent email event, the mx server of the email addresses domain is queried and checked against a hard-coded blocklist

Additional context

Functionality to allow for the long term blocking of bot and spam behavior.

Resolves SEC-245

@doublethink
doublethink requested a review from a team as a code owner March 27, 2025 02:55
@doublethink doublethink changed the title Feature: Block specific outgoing mail servers feat: Block specific outgoing mail servers Mar 27, 2025
Comment thread internal/mailer/validate.go Outdated
Comment thread internal/mailer/validate.go Outdated
Comment thread internal/mailer/validate_test.go Outdated
moved blocked mx records to configuration
append period to mx records as per RFC
@linear

linear Bot commented Mar 28, 2025

Copy link
Copy Markdown

@coveralls

coveralls commented Mar 28, 2025

Copy link
Copy Markdown

Pull Request Test Coverage Report for Build 14163310705

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 29 of 35 (82.86%) changed or added relevant lines in 2 files are covered.
  • 883 unchanged lines in 34 files lost coverage.
  • Overall coverage increased (+0.05%) to 67.541%

Changes Missing Coverage Covered Lines Changed/Added Lines %
internal/conf/configuration.go 15 17 88.24%
internal/mailer/validate.go 14 18 77.78%
Files with Coverage Reduction New Missed Lines %
internal/reloader/reloader.go 1 99.28%
internal/api/password.go 2 65.85%
internal/api/audit.go 3 77.78%
internal/api/helpers.go 4 80.49%
internal/api/logout.go 4 81.58%
internal/api/anonymous.go 6 70.0%
internal/api/reauthenticate.go 6 48.57%
internal/api/api.go 7 83.56%
internal/api/pkce.go 7 80.33%
internal/api/recover.go 8 67.39%
Totals Coverage Status
Change from base Build 14063281414: 0.05%
Covered Lines: 10246
Relevant Lines: 15170

💛 - Coveralls

@doublethink
doublethink requested a review from cstockton March 28, 2025 06:54

@cstockton cstockton left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Almost there, just a couple small changes.

Comment thread internal/mailer/validate.go Outdated
Comment thread internal/mailer/validate.go
also check host against blocklist per SMTP spec
@doublethink
doublethink requested a review from cstockton March 31, 2025 19:07

@cstockton cstockton left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, thanks!

@doublethink
doublethink enabled auto-merge (squash) April 1, 2025 18:38
@doublethink
doublethink merged commit 091aef9 into master Apr 1, 2025
@doublethink
doublethink deleted the feat/mx-blocklist branch April 1, 2025 20:05
hf pushed a commit that referenced this pull request Apr 15, 2025
🤖 I have created a release *beep* *boop*
---


##
[2.171.0](v2.170.0...v2.171.0)
(2025-04-14)


### Features

* add sign in with solana (EIP-4361) support
([#1918](#1918))
([d121546](d121546))
* allow invalid config directories
([#1969](#1969))
([6b842f6](6b842f6))
* allow limiting lifespan of low-aal sessions
([#1942](#1942))
([d7a9ca6](d7a9ca6))
* Block specific outgoing mail servers
([#1971](#1971))
([091aef9](091aef9))
* refactor hooks out of api package
([#1976](#1976))
([c5904c0](c5904c0))
* separate web3 rate limits from other `/token?grant_type=...`
([#1985](#1985))
([8b23382](8b23382))


### Bug Fixes

* explicit permisions on actions
([#1978](#1978))
([06e9ead](06e9ead))
* propagate error when when confirming phone
([#1939](#1939))
([e882b42](e882b42))
* redirects must not be to ip addresses
([#1984](#1984))
([347e23a](347e23a))
* sanitize redirect URL (remove fragment, query) before pattern matching
([#1974](#1974))
([ccf20d7](ccf20d7))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
wdoppenberg pushed a commit to wdoppenberg/supabase-auth that referenced this pull request Jun 5, 2025
## What kind of change does this PR introduce?

Feature that gives configuration option to block an email address event
if the mx server of the domain is on a blocklist

## What is the current behavior?

Existing behavior only checks for syntax issues and single email
addresses against a message stream.

## What is the new behavior?

This is called on every sent email event, the mx server of the email
addresses domain is queried and checked against a hard-coded blocklist

## Additional context

Functionality to allow for the long term blocking of bot and spam
behavior.

Resolves SEC-245
wdoppenberg pushed a commit to wdoppenberg/supabase-auth that referenced this pull request Jun 5, 2025
🤖 I have created a release *beep* *boop*
---


##
[2.171.0](supabase/auth@v2.170.0...v2.171.0)
(2025-04-14)


### Features

* add sign in with solana (EIP-4361) support
([supabase#1918](supabase#1918))
([d121546](supabase@d121546))
* allow invalid config directories
([supabase#1969](supabase#1969))
([6b842f6](supabase@6b842f6))
* allow limiting lifespan of low-aal sessions
([supabase#1942](supabase#1942))
([d7a9ca6](supabase@d7a9ca6))
* Block specific outgoing mail servers
([supabase#1971](supabase#1971))
([091aef9](supabase@091aef9))
* refactor hooks out of api package
([supabase#1976](supabase#1976))
([c5904c0](supabase@c5904c0))
* separate web3 rate limits from other `/token?grant_type=...`
([supabase#1985](supabase#1985))
([8b23382](supabase@8b23382))


### Bug Fixes

* explicit permisions on actions
([supabase#1978](supabase#1978))
([06e9ead](supabase@06e9ead))
* propagate error when when confirming phone
([supabase#1939](supabase#1939))
([e882b42](supabase@e882b42))
* redirects must not be to ip addresses
([supabase#1984](supabase#1984))
([347e23a](supabase@347e23a))
* sanitize redirect URL (remove fragment, query) before pattern matching
([supabase#1974](supabase#1974))
([ccf20d7](supabase@ccf20d7))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
cemalkilic pushed a commit that referenced this pull request Aug 7, 2025
## What kind of change does this PR introduce?

Feature that gives configuration option to block an email address event
if the mx server of the domain is on a blocklist

## What is the current behavior?

Existing behavior only checks for syntax issues and single email
addresses against a message stream.

## What is the new behavior?

This is called on every sent email event, the mx server of the email
addresses domain is queried and checked against a hard-coded blocklist

## Additional context

Functionality to allow for the long term blocking of bot and spam
behavior.

Resolves SEC-245
cemalkilic pushed a commit that referenced this pull request Aug 7, 2025
🤖 I have created a release *beep* *boop*
---


##
[2.171.0](v2.170.0...v2.171.0)
(2025-04-14)


### Features

* add sign in with solana (EIP-4361) support
([#1918](#1918))
([d121546](d121546))
* allow invalid config directories
([#1969](#1969))
([6b842f6](6b842f6))
* allow limiting lifespan of low-aal sessions
([#1942](#1942))
([d7a9ca6](d7a9ca6))
* Block specific outgoing mail servers
([#1971](#1971))
([091aef9](091aef9))
* refactor hooks out of api package
([#1976](#1976))
([c5904c0](c5904c0))
* separate web3 rate limits from other `/token?grant_type=...`
([#1985](#1985))
([8b23382](8b23382))


### Bug Fixes

* explicit permisions on actions
([#1978](#1978))
([06e9ead](06e9ead))
* propagate error when when confirming phone
([#1939](#1939))
([e882b42](e882b42))
* redirects must not be to ip addresses
([#1984](#1984))
([347e23a](347e23a))
* sanitize redirect URL (remove fragment, query) before pattern matching
([#1974](#1974))
([ccf20d7](ccf20d7))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
fadymak pushed a commit that referenced this pull request Sep 30, 2025
## What kind of change does this PR introduce?

Feature that gives configuration option to block an email address event
if the mx server of the domain is on a blocklist

## What is the current behavior?

Existing behavior only checks for syntax issues and single email
addresses against a message stream.

## What is the new behavior?

This is called on every sent email event, the mx server of the email
addresses domain is queried and checked against a hard-coded blocklist

## Additional context

Functionality to allow for the long term blocking of bot and spam
behavior.

Resolves SEC-245
fadymak pushed a commit that referenced this pull request Sep 30, 2025
🤖 I have created a release *beep* *boop*
---


##
[2.171.0](v2.170.0...v2.171.0)
(2025-04-14)


### Features

* add sign in with solana (EIP-4361) support
([#1918](#1918))
([d121546](d121546))
* allow invalid config directories
([#1969](#1969))
([6b842f6](6b842f6))
* allow limiting lifespan of low-aal sessions
([#1942](#1942))
([d7a9ca6](d7a9ca6))
* Block specific outgoing mail servers
([#1971](#1971))
([091aef9](091aef9))
* refactor hooks out of api package
([#1976](#1976))
([c5904c0](c5904c0))
* separate web3 rate limits from other `/token?grant_type=...`
([#1985](#1985))
([8b23382](8b23382))


### Bug Fixes

* explicit permisions on actions
([#1978](#1978))
([06e9ead](06e9ead))
* propagate error when when confirming phone
([#1939](#1939))
([e882b42](e882b42))
* redirects must not be to ip addresses
([#1984](#1984))
([347e23a](347e23a))
* sanitize redirect URL (remove fragment, query) before pattern matching
([#1974](#1974))
([ccf20d7](ccf20d7))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants