From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Dominik Csapak <d.csapak@proxmox.com>, pmg-devel@lists.proxmox.com
Subject: [pmg-devel] applied: [PATCH pmg-api/gui v3] add quarantine self service button
Date: Wed, 18 Nov 2020 17:56:41 +0100
Message-ID: <7d838c29-773c-df19-caad-81d10be15264@proxmox.com>
In-Reply-To: <20201118105937.13079-1-d.csapak@proxmox.com>
On 18.11.20 11:59, Dominik Csapak wrote:
> adds an option/api call to request a quarantine link for an
> email whose domain is in the relay domains
>
> for now, we do not expose that option to the ui, but this can easily be
> added if wanted
>
> NOTES on security:
>
> this adds a world reachable api call, that can potentially send e-mails
> to users that belong to a relay domain
>
> we ratelimit 1 request/5sec and 1 request/user/hour so that a DoS is infeasible
>
> for now all text is hardcoded, templates could be used later on
> (if users want that)
>
> changes from v2:
> * introduce ratelimit
> * factor out the sending sub (for readability)
> * change the gui window to only have an 'OK' button (without reset)
>
> changes from v1:
> * move config to 'spamquar' section
> * show button also on admin interface
>
> pmg-api:
>
> Dominik Csapak (3):
> refactor domain_regex to Utils
> add 'quarantinelink' to spamquar config
> api2/quarantine: add global sendlink api call
>
> src/PMG/API2/Quarantine.pm | 126 ++++++++++++++++++++++++++++++++++++
> src/PMG/CLI/pmgqm.pm | 29 +--------
> src/PMG/Config.pm | 6 ++
> src/PMG/HTTPServer.pm | 1 +
> src/PMG/Service/pmgproxy.pm | 4 ++
> src/PMG/Utils.pm | 26 ++++++++
> 6 files changed, 165 insertions(+), 27 deletions(-)
>
> pmg-gui:
>
> Dominik Csapak (1):
> add 'Request Quarantine Link' Button to LoginView
>
> js/LoginView.js | 33 +++++++++++++++++++++++++++++++++
> pmg-index.html.tt | 3 ++-
> 2 files changed, 35 insertions(+), 1 deletion(-)
>
applied, with some followups:
* use built-in time() to get seconds since epoch
* sleep a bit, especially more on the rate limit cases
* code consistency
one thing which feels a bit "flawed" is the fact that if one knows or guesses
correctly a valid domain, they can DoS this requester for all other valid ones by
simply looping and sending a request for "$name++@$domain" where $name gets changed
slightly each round - this way others race with them to get in between the small
timeframe where the mtime is old enough again and the "attacker" gets through a
request again.
But, this can be somewhat solved by fail2ban and it's opt-in anyway.
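The two limits from the cover letter (1 request/5 seconds globally, 1 request/user/hour) and the starvation problem raised in the reply above, modelled as an added Python example. This is not the project's Perl code: the global limit is represented by a single timestamp standing in for the marker-file mtime, the per-address limit by one timestamp per email, and the fail2ban-style check is an assumed per-source rejection counter with an arbitrary threshold; all addresses, IPs and timings are constructed.

```python
import time
from collections import defaultdict

# Limits from the cover letter: one request per 5 seconds globally and one
# request per address per hour.
GLOBAL_MIN_INTERVAL = 5.0
PER_USER_MIN_INTERVAL = 3600.0
# Hypothetical fail2ban-style threshold: flag a source after this many rejections.
BAN_THRESHOLD = 10


class SendLinkRateLimiter:
    """Model of the two limits. The global limit is a single timestamp, standing
    in for the marker-file mtime mentioned in the review; the per-user limit is
    one timestamp per address. A rejected request does not touch either
    timestamp, which is what makes the race described above possible."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.global_last = None
        self.user_last = {}
        self.rejections = defaultdict(int)  # rejections per client IP

    def request(self, email, client_ip):
        now = self.clock()
        if self.global_last is not None and now - self.global_last < GLOBAL_MIN_INTERVAL:
            self.rejections[client_ip] += 1
            return "rejected:global"
        last = self.user_last.get(email)
        if last is not None and now - last < PER_USER_MIN_INTERVAL:
            self.rejections[client_ip] += 1
            return "rejected:user"
        self.global_last = now
        self.user_last[email] = now
        return "sent"

    def flagged_sources(self):
        """Sources whose rejection count crossed the threshold (fail2ban analogue)."""
        return sorted(ip for ip, n in self.rejections.items() if n >= BAN_THRESHOLD)


def simulate(flood_interval=1.0, duration=30, legit_times=(7.0, 12.5, 20.0)):
    """Replay constructed traffic against a fake clock: one source submits a
    request every flood_interval seconds for a different local part of the
    same relay domain, while a legitimate user tries at legit_times. Returns
    the legitimate user's outcomes and the flagged sources."""
    flood_ip, legit_ip = "198.51.100.7", "203.0.113.5"  # constructed addresses
    events = [(i * flood_interval, f"user{i}@example.test", flood_ip)
              for i in range(int(duration / flood_interval))]
    events += [(t, "alice@example.test", legit_ip) for t in legit_times]
    events.sort()
    now = [0.0]
    limiter = SendLinkRateLimiter(clock=lambda: now[0])
    outcomes = []
    for t, email, ip in events:
        now[0] = t
        result = limiter.request(email, ip)
        if ip == legit_ip:
            outcomes.append((t, result))
    return outcomes, limiter.flagged_sources()


if __name__ == "__main__":
    outcomes, flagged = simulate()
    for t, result in outcomes:
        print(f"t={t:5.1f}s legitimate request: {result}")
    print("flagged sources:", flagged)
```

With the default timings the legitimate user is rejected at 7.0s and 12.5s because the shared timestamp was refreshed by the other source, and only gets through at 20.0s by landing exactly when the 5-second window reopens; the flooding source accumulates 25 rejections and is the only one the per-source counter flags, which is the property a fail2ban jail on the rejection log would key on.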