[GH-ISSUE #108] Allowlist recipients #72

New issue

Closed

opened 2026-03-15 12:23:36 +03:00 by kerem · 9 comments

kerem commented 2026-03-15 12:23:36 +03:00

Owner

Copy link

Originally created by @gliwka on GitHub (May 4, 2023).
Original GitHub issue: https://github.com/axllent/mailpit/issues/108

I would like to restrict the possible email recipients of the SMTP relay feature, i.e. using regex to match certain domains. Only mails matching the allowlist can be relayed.

@axllent Would this be something you‘d accept a pull request for?

Implementation wise I could filter out all recipients not matching the regex in the send function and just return, if the list is empty after that: github.com/axllent/mailpit@f2bce03e9e/server/smtpd/smtp.go (L12)

I would add a new field to the existing relay config allowing users to specify the regex used to whitelist recipients.

Originally created by @gliwka on GitHub (May 4, 2023). Original GitHub issue: https://github.com/axllent/mailpit/issues/108 I would like to restrict the possible email recipients of the SMTP relay feature, i.e. using regex to match certain domains. Only mails matching the allowlist can be relayed. @axllent Would this be something you‘d accept a pull request for? Implementation wise I could filter out all recipients not matching the regex in the send function and just return, if the list is empty after that: https://github.com/axllent/mailpit/blob/f2bce03e9e57a32b7aa83c815e540fe2d112075a/server/smtpd/smtp.go#L12 I would add a new field to the existing relay config allowing users to specify the regex used to whitelist recipients.

kerem closed this issue 2026-03-15 12:23:41 +03:00

kerem commented 2026-03-15 12:23:47 +03:00

Author

Owner

Copy link

@axllent commented on GitHub (May 4, 2023):

@gliwka Definitely interested. Ideally there would be some frontend message to tell the user the email(s) is invalid, so maybe the detection logic is better placed in the API route as this would apply to manually released messages only. The reason is that the other use of the Send() is used via --smtp-relay-all (which implies that ALL emails should be auto-forwarded).

<!-- gh-comment-id:1535283074 --> @axllent commented on GitHub (May 4, 2023): @gliwka Definitely interested. Ideally there would be some frontend message to tell the user the email(s) is invalid, so maybe the detection logic is better placed in the API route as this would apply to manually released messages only. The reason is that the other use of the `Send()` is used via `--smtp-relay-all` (which implies that ALL emails should be auto-forwarded).

kerem commented 2026-03-15 12:23:52 +03:00

Author

Owner

Copy link

@gliwka commented on GitHub (May 4, 2023):

@axllent Makes sense, will look into how to provide feedback to the user in the API handler as well. I can also add the whitelist regex to the webgui handler, so I can display it to the user in the MessageRelease modal similar to the return path.

Would it be fine to add a --smtp-relay-whitelist as well? I have the need to restrict it both for the manual release, as well as the auto-forwarding.

<!-- gh-comment-id:1535289487 --> @gliwka commented on GitHub (May 4, 2023): @axllent Makes sense, will look into how to provide feedback to the user in the API handler as well. I can also add the whitelist regex to the webgui handler, so I can display it to the user in the MessageRelease modal similar to the return path. Would it be fine to add a --smtp-relay-whitelist as well? I have the need to restrict it both for the manual release, as well as the auto-forwarding.

kerem commented 2026-03-15 12:23:57 +03:00

Author

Owner

Copy link

@axllent commented on GitHub (May 4, 2023):

Good point. Hmm, I haven't had enough coffee yet to think this one properly through 😂 I actually take back my previous comment - I think that if whitelisting is enabled, it should apply to both the manually and auto-forwarded messages, and not overcomplicate things by having two separate flags, at least not at this stage.

So ideally:

• auto-forwarding silents drops addresses not matching the whitelist (logged in debug), and sending all other matching addresses (if any). A disallowed address should not block any others from being sent.
• API / frontend will not allow any sending the address list contains invalid addresses, and return an error if any addresses are not allowed
• Frontend would ideally warn beforehand when entering the address (it sounds like you have some ideas)

For starters I would focus on the yaml settings only, not a cli flag, and we could always introduce that down the track if needed.

Does this make sense to you too?

<!-- gh-comment-id:1535317838 --> @axllent commented on GitHub (May 4, 2023): Good point. Hmm, I haven't had enough coffee yet to think this one properly through 😂 I actually take back my previous comment - I think that if whitelisting is enabled, it should apply to both the manually and auto-forwarded messages, and not overcomplicate things by having two separate flags, at least not at this stage. So ideally: - auto-forwarding silents drops addresses not matching the whitelist (logged in debug), and sending all other matching addresses (if any). A disallowed address should not block any others from being sent. - API / frontend will not allow any sending the address list contains invalid addresses, and return an error if any addresses are not allowed - Frontend would ideally warn beforehand when entering the address (it sounds like you have some ideas) For starters I would focus on the yaml settings only, not a cli flag, and we could always introduce that down the track if needed. Does this make sense to you too?

kerem commented 2026-03-15 12:24:02 +03:00

Author

Owner

Copy link

@gliwka commented on GitHub (May 4, 2023):

Awesome, that sounds exactly like what I have on my local branch. Will open a PR later.

<!-- gh-comment-id:1535342300 --> @gliwka commented on GitHub (May 4, 2023): Awesome, that sounds exactly like what I have on my local branch. Will open a PR later.

kerem commented 2026-03-15 12:24:07 +03:00

Author

Owner

Copy link

@axllent commented on GitHub (May 5, 2023):

@gliwka Thanks again for all your hard work and your PR! This feature has been released in v1.6.7.

<!-- gh-comment-id:1536050221 --> @axllent commented on GitHub (May 5, 2023): @gliwka Thanks again for all your hard work and your PR! This feature has been released in v1.6.7.

kerem commented 2026-03-15 12:24:12 +03:00

Author

Owner

Copy link

@gliwka commented on GitHub (May 5, 2023):

@axllent Awesome, thanks so much :-)
Minor correction: seems the version it was released in is v1.6.8

<!-- gh-comment-id:1536115873 --> @gliwka commented on GitHub (May 5, 2023): @axllent Awesome, thanks so much :-) Minor correction: seems the version it was released in is v1.6.8

kerem commented 2026-03-15 12:24:17 +03:00

Author

Owner

Copy link

@axllent commented on GitHub (May 5, 2023):

🤦‍♂️ You're totally right, typo!

<!-- gh-comment-id:1536132819 --> @axllent commented on GitHub (May 5, 2023): :man_facepalming: You're totally right, typo!

kerem commented 2026-03-15 12:24:22 +03:00

Author

Owner

Copy link

@zmweske commented on GitHub (Jul 5, 2024):

Would you consider creating a blocklist as well? I can look at setting up a dev environment but seeing as it is the inverse of a allowlist, it shouldn't be much work maybe? I think that one simple reason for this would be to block all emails sent to admin@admin.lan for some services so they don't spam a downstream SMTP provider (and prevent spam filtering).

<!-- gh-comment-id:2211320831 --> @zmweske commented on GitHub (Jul 5, 2024): Would you consider creating a blocklist as well? I can look at setting up a dev environment but seeing as it is the inverse of a allowlist, it shouldn't be much work maybe? I think that one simple reason for this would be to block all emails sent to admin@admin.lan for some services so they don't spam a downstream SMTP provider (and prevent spam filtering).

kerem commented 2026-03-15 12:24:27 +03:00

Author

Owner

Copy link

@axllent commented on GitHub (Jul 6, 2024):

@zmweske I believe what you are looking for is almost the opposite of --smtp-relay-matching (docs)? I'm not sure that would work though from a configuration perspective, for example if a user specifies just this new flag, does that imply to relay all non-matching emails should be sent, or if the same match is found on both the --smtp-relay-matching and this new flag. This will need a lot of thought as it gets really complicated, but before I do, please open a new issue, as requesting this in a 14 month old closed issue will likely mean it gets forgotten about, thanks 👍

<!-- gh-comment-id:2211743872 --> @axllent commented on GitHub (Jul 6, 2024): @zmweske I believe what you are looking for is almost the opposite of `--smtp-relay-matching` ([docs](https://mailpit.axllent.org/docs/configuration/smtp-relay/#automatically-relay-some-messages))? I'm not sure that would work though from a configuration perspective, for example if a user specifies just this new flag, does that imply to relay all non-matching emails should be sent, or if the same match is found on both the `--smtp-relay-matching` and this new flag. This will need a lot of thought as it gets really complicated, but before I do, please open a new issue, as requesting this in a 14 month old closed issue will likely mean it gets forgotten about, thanks :+1:

kerem referenced this issue 2026-03-15 12:56:28 +03:00

[GH-ISSUE #249] Suggestion: IMAP/POP server #165

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

master

v1.29.7

v1.29.6

v1.29.5

v1.29.4

v1.29.3

v1.29.2

v1.29.1

v1.29.0

v1.28.4

v1.28.3

v1.28.2

v1.28.1

v1.28.0

v1.27.11

v1.27.10

v1.27.9

v1.27.8

v1.27.7

v1.27.6

v1.27.5

v1.27.4

v1.27.3

v1.27.2

v1.27.1

v1.27.0

v1.26.2

v1.26.1

v1.26.0

v1.25.1

v1.25.0

v1.24.2

v1.24.1

v1.24.0

v1.23.2

v1.23.1

v1.23.0

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.21.1

v1.21.0

v1.20.7

v1.20.6

v1.20.5

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.18.7

v1.18.6

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.1

v1.15.0

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.0

v1.10.4

v1.10.3

v1.10.2

v1.10.1

v1.10.0

v1.9.10

v1.9.9

v1.9.8

v1.9.7

v1.9.6

v1.9.5

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.1

v1.7.0

v1.6.22

v1.6.21

v1.6.20

v1.6.19

v1.6.18

v1.6.17

v1.6.16

v1.6.15

v1.6.14

v1.6.13

v1.6.12

v1.6.11

v1.6.10

v1.6.9

v1.6.8

v1.6.7

v1.6.6

v1.6.5

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.0

v1.3.11

v1.3.10

v1.3.9

v1.3.8

v1.3.7

v1.3.6

v1.3.5

v1.3.4

v1.3.3

v1.3.2

v1.3.1

v1.3.0

v1.2.9

v1.2.8

v1.2.7

v1.2.6

1.2.5

1.2.4

1.2.3

1.2.2

1.2.1

1.2.0

1.1.7

1.1.6

1.1.5

1.1.4

1.1.3

1.1.2

1.1.1

1.1.0

1.0.0

1.0.0-beta1

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

0.1.0

0.0.9

0.0.8

0.0.7

0.0.6

0.0.5

0.0.4

0.0.3

0.0.2

0.0.1-beta

Labels

Clear labels   

awaiting feedback

  

bug

  

docker

  

documentation

  

enhancement

  

github_actions

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

wontfix

No labels

awaiting feedback

bug

docker

documentation

enhancement

github_actions

invalid

pull-request

question

stale

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/mailpit#72

No description provided.