F13981109
D19025.id45621.diff
No One
Temporary
Size
3 KB
diff --git a/src/applications/metamta/adapter/PhabricatorMailImplementationPostmarkAdapter.php b/src/applications/metamta/adapter/PhabricatorMailImplementationPostmarkAdapter.php
--- a/src/applications/metamta/adapter/PhabricatorMailImplementationPostmarkAdapter.php
+++ b/src/applications/metamta/adapter/PhabricatorMailImplementationPostmarkAdapter.php
@@ -73,12 +73,24 @@
$options,
array(
'access-token' => 'string',
+ 'inbound-addresses' => 'list<string>',
));
+
+ // Make sure this is properly formatted.
+ PhutilCIDRList::newList($options['inbound-addresses']);
}
public function newDefaultOptions() {
return array(
'access-token' => null,
+ 'inbound-addresses' => array(
+ // Via Postmark support circa February 2018, see:
+ //
+ // https://postmarkapp.com/support/article/800-ips-for-firewalls
+ //
+ // "Configuring Outbound Email" should be updated if this changes.
+ '50.31.156.6/32',
+ ),
);
}
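Review bot: The validation call `PhutilCIDRList::newList($options['inbound-addresses']);` discards its result, so it only validates anything if `newList()` raises on a malformed range; the comment "Make sure this is properly formatted." should say that this is the intent. An empty list also passes this check and would presumably make the receive endpoint reject every request, so either reject an empty `inbound-addresses` here or document that case. The default `'50.31.156.6/32'` is a point-in-time value (February 2018 per its comment) and is repeated in the outbound docs, so the two copies can drift apart.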
diff --git a/src/applications/metamta/controller/PhabricatorMetaMTAPostmarkReceiveController.php b/src/applications/metamta/controller/PhabricatorMetaMTAPostmarkReceiveController.php
--- a/src/applications/metamta/controller/PhabricatorMetaMTAPostmarkReceiveController.php
+++ b/src/applications/metamta/controller/PhabricatorMetaMTAPostmarkReceiveController.php
@@ -20,6 +20,21 @@
return new Aphront404Response();
}
+ $remote_address = $request->getRemoteAddress();
+ $any_remote_match = false;
+ foreach ($mailers as $mailer) {
+ $inbound_addresses = $mailer->getOption('inbound-addresses');
+ $cidr_list = PhutilCIDRList::newList($inbound_addresses);
+ if ($cidr_list->containsAddress($remote_address)) {
+ $any_remote_match = true;
+ break;
+ }
+ }
+
+ if (!$any_remote_match) {
+ return new Aphront400Response();
+ }
+
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
$raw_input = PhabricatorStartup::getRawInput();
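Review bot: The `if (!$any_remote_match)` branch returns `Aphront400Response` without recording `$remote_address`, so when the hard-coded default range goes stale, inbound mail will start failing with nothing to diagnose it from; log the rejected address before returning. The check also treats `$request->getRemoteAddress()` as the true peer address, which on an install behind a load balancer or reverse proxy only holds if that value comes from a trusted source, and that deserves a sentence in the docs. Minor: the loop accepts the request when any mailer's list matches, and it rebuilds each `PhutilCIDRList` on every request.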
diff --git a/src/docs/user/configuration/configuring_inbound_email.diviner b/src/docs/user/configuration/configuring_inbound_email.diviner
--- a/src/docs/user/configuration/configuring_inbound_email.diviner
+++ b/src/docs/user/configuration/configuring_inbound_email.diviner
@@ -141,6 +141,10 @@
https://<phabricator.yourdomain.com>/mail/postmark/
```
+See also the Postmark section in @{article:Configuring Outbound Email} for
+discussion of the remote address whitelist used to verify that requests this
+endpoint receives are authentic requests originating from Postmark.
+
= SendGrid Setup =
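Review bot: Missing documentation in the added "See also" paragraph: it sends readers of the inbound guide to the outbound article without naming the option or the behaviour. Say here that the option is `inbound-addresses` on the Postmark mailer and that requests to `/mail/postmark/` from addresses outside it are rejected, so that someone debugging missing inbound mail can find the cause from this page.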
diff --git a/src/docs/user/configuration/configuring_outbound_email.diviner b/src/docs/user/configuration/configuring_outbound_email.diviner
--- a/src/docs/user/configuration/configuring_outbound_email.diviner
+++ b/src/docs/user/configuration/configuring_outbound_email.diviner
@@ -157,6 +157,23 @@
To use this mailer, set `type` to `postmark`, then configure these `options`:
- `access-token`: Required string. Your Postmark access token.
+ - `inbound-addresses`: Optional list<string>. Address ranges which you
+ will accept inbound Postmark HTTP webook requests from.
+
+The default address list is preconfigured with Postmark's address range, so
+you generally will not need to set or adjust it.
+
+The option accepts a list of CIDR ranges, like `1.2.3.4/16` (IPv4) or
+`::ffff:0:0/96` (IPv6). The default ranges are:
+
+```lang=json
+[
+ "50.31.156.6/32"
+]
+```
+
+The default address ranges were last updated in February 2018, and were
+documented at: <https://postmarkapp.com/support/article/800-ips-for-firewalls>
Mailer: Amazon SES
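Review bot: Typo in the added option description: "webook" in `will accept inbound Postmark HTTP webook requests from.` should be "webhook". The example `1.2.3.4/16` has host bits set, so `1.2.0.0/16` would be a cleaner illustration of a range. The text should also state what happens to a request from outside the list (the controller returns a 400), and the JSON default duplicates the value in `newDefaultOptions()`, so both need to be updated together.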
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Sun, Oct 20, 2:18 PM (4 w, 12 h ago)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
6736668
Default Alt Text
D19025.id45621.diff (3 KB)
Attached To
Mode
D19025: Configure a whitelist of remote addresses for Postmark inbound webhooks