
Static IP filter for SMTP

Open foxcpp opened this issue 4 years ago • 5 comments

Use-case: Permitting messages to be sent only from specific addresses or subnets. Context: https://news.ycombinator.com/item?id=25177676

foxcpp avatar Nov 22 '20 16:11 foxcpp

I'd like to propose renaming them to blocklist or denylist and allowlist.

More on the topic: https://9to5google.com/2020/06/12/google-android-chrome-blacklist-blocklist-more-inclusive/ https://github.com/rails/rails/issues/33677

😊

CanRau avatar Nov 23 '20 02:11 CanRau

Well, fine.

foxcpp avatar Nov 23 '20 05:11 foxcpp

Trying to think of a generic-enough solution useful beyond the proposed use case.

Something like:

check.ip_filter {
    allow cidr 127.0.0.1/24
    deny cidr 0.0.0.0/0
}

Multiple allow/deny entries? What takes priority in what order? (note that it is typical for maddy config entries to be order-independent, I guess we would want to match that).

foxcpp avatar May 31 '21 18:05 foxcpp

We are going to omit any advanced functionality for now, so let's consider two use cases:

  1. Blocking certain subnets/addresses.
  2. Allowing messages only from certain subnets/addresses.

These could be combined by using multiple config blocks.

check {
  ip_whitelist cidr 10.0.0.0/8
  ip_blacklist cidr 10.0.0.0/24
}

The config above roughly means: reject all messages not from 10.0.0.0/8 but also reject messages from 10.0.0.0/24.

Module behavior can be customized to allow custom action (e.g. quarantine instead of rejection) or allowed IPs to be pulled from an external source.

ip_whitelist {
  table cidr 10.0.0.0/8
  action quarantine
}

Note that cidr is table.cidr, which is basically table.static extended to match IP addresses against CIDR-notation masks.

Speaking of terminology, I am not sure "allowlist" conveys the "exclusive" nature of "whitelist" clearly enough. Unless someone provides me with a better name, I would go with "whitelist"/"blacklist".

foxcpp avatar May 31 '21 18:05 foxcpp
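The semantics sketched in the comment above (an exclusive ip_whitelist combined with an ip_blacklist, each with its own action, backed by a table.cidr-style prefix table) can be shown end to end in a small Go program. This is an added illustration written for this page, not maddy's own check module or its table.cidr implementation; the type and function names (Action, cidrTable, ipFilter, newFilter, Check) and the decision that the deny table is consulted before the allow table, so the verdict does not depend on the order of config blocks, are this example's assumptions. It also handles two practical details the thread does not spell out: entries with host bits set such as 127.0.0.1/24 are canonicalised to their network prefix, and IPv4-mapped IPv6 sources (::ffff:a.b.c.d, as seen on dual-stack listeners) are unmapped so IPv4 prefixes still match.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Action is the verdict the check returns for a connection's source address.
type Action int

const (
	Accept Action = iota
	Reject
	Quarantine
)

func (a Action) String() string {
	return [...]string{"accept", "reject", "quarantine"}[a]
}

// cidrTable is a stand-in (assumed name) for the proposed table.cidr: a set
// of prefixes matched against a source address.
type cidrTable []netip.Prefix

// parseCIDRTable parses CIDR strings. Entries with host bits set (for example
// "127.0.0.1/24") are canonicalised to their network prefix so they match the
// whole subnet instead of being a confusing near-miss.
func parseCIDRTable(entries []string) (cidrTable, error) {
	t := make(cidrTable, 0, len(entries))
	for _, e := range entries {
		p, err := netip.ParsePrefix(e)
		if err != nil {
			return nil, fmt.Errorf("bad cidr %q: %w", e, err)
		}
		t = append(t, p.Masked())
	}
	return t, nil
}

func (t cidrTable) Contains(ip netip.Addr) bool {
	for _, p := range t {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// ipFilter combines an exclusive allow table (ip_whitelist in the thread) with
// a deny table (ip_blacklist). Each table carries its own action, mirroring
// the "action quarantine" knob proposed above.
type ipFilter struct {
	allow       cidrTable // when non-empty, sources outside it get allowAction
	allowAction Action
	deny        cidrTable // sources inside it get denyAction
	denyAction  Action
}

func newFilter(allow []string, allowAction Action, deny []string, denyAction Action) (*ipFilter, error) {
	a, err := parseCIDRTable(allow)
	if err != nil {
		return nil, err
	}
	d, err := parseCIDRTable(deny)
	if err != nil {
		return nil, err
	}
	return &ipFilter{allow: a, allowAction: allowAction, deny: d, denyAction: denyAction}, nil
}

// Check decides for one source address. The deny table is consulted first no
// matter which block appears first in the config (an assumption chosen here
// to keep the result order-independent). Unparseable sources are rejected.
func (f *ipFilter) Check(src string) Action {
	ip, err := netip.ParseAddr(src)
	if err != nil {
		return Reject
	}
	// Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; unmap so
	// IPv4 prefixes still match and the filter cannot be sidestepped that way.
	ip = ip.Unmap()
	if f.deny.Contains(ip) {
		return f.denyAction
	}
	if len(f.allow) > 0 && !f.allow.Contains(ip) {
		return f.allowAction
	}
	return Accept
}

func main() {
	// The config from the thread: accept only 10.0.0.0/8, but reject 10.0.0.0/24.
	f, err := newFilter([]string{"10.0.0.0/8"}, Reject, []string{"10.0.0.0/24"}, Reject)
	if err != nil {
		panic(err)
	}
	// Constructed sample sources, not real traffic.
	for _, src := range []string{"10.1.2.3", "10.0.0.5", "192.0.2.1", "::ffff:10.1.2.3", "2001:db8::1"} {
		fmt.Printf("%-18s -> %s\n", src, f.Check(src))
	}
}
```

With the thread's config, 10.1.2.3 is accepted, 10.0.0.5 is rejected by the deny table, and 192.0.2.1 is rejected because the allow table is exclusive; an empty allow table disables the exclusive behaviour so that only the deny table applies.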

Is that already implemented?

spytheman avatar Mar 06 '24 13:03 spytheman