public inbox for pmg-devel@lists.proxmox.com
* [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button
@ 2020-11-17 14:57 Dominik Csapak
  2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-api v2 1/3] refactor domain_regex to Utils Dominik Csapak
                   ` (6 more replies)
  0 siblings, 7 replies; 17+ messages in thread
From: Dominik Csapak @ 2020-11-17 14:57 UTC (permalink / raw)
  To: pmg-devel

adds an option/api call to request a quarantine link for an
email whose domain is in the relay domains

for now, we do not expose that option to the ui, but this can easily be
added if wanted

NOTES on security:

this adds a world reachable api call, that can potentially send e-mails
to users that belong to a relay domain

this is ok, since anybody can already send e-mails to the users
via normal smtp, and since the content of the e-mail cannot be
controlled, the only thing a potential attacker can do is a dos attack
(which can always be done via resource exhaustion, e.g. send a lot of mail)

we could add more checks to make it more secure, but not so convenient:
* add an option for an admin-settable shared secret that users must enter
  (makes it harder for the user to self-service, since the user has to
  know the secret)
* only allow it from 'trusted networks' (this probably makes no sense)
* add an option to allow it from a specific subnet (similar to above,
  but separate from mail flow, which could make sense, but is also
  not as convenient)

for now all text is hardcoded, templates could be used later on
(if users want that)

also I am open for alternate wordings for all texts, I basically chose
what came to mind first...

changes from v1:
* move config to 'spamquar' section
* show button also on admin interface

pmg-api:

Dominik Csapak (3):
  refactor domain_regex to Utils
  add 'quarantinelink' to spamquar config
  api2/quarantine: add global sendlink api call

 src/PMG/API2/Quarantine.pm  | 87 +++++++++++++++++++++++++++++++++++++
 src/PMG/CLI/pmgqm.pm        | 29 +------------
 src/PMG/Config.pm           |  6 +++
 src/PMG/HTTPServer.pm       |  1 +
 src/PMG/Service/pmgproxy.pm |  4 ++
 src/PMG/Utils.pm            | 26 +++++++++++
 6 files changed, 126 insertions(+), 27 deletions(-)

pmg-gui:

Dominik Csapak (1):
  add 'Request Quarantine Link' Button to LoginView

 js/LoginView.js   | 31 +++++++++++++++++++++++++++++++
 pmg-index.html.tt |  3 ++-
 2 files changed, 33 insertions(+), 1 deletion(-)

-- 
2.20.1
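The admission checks the security note above reasons about, as an added Python illustration that is not part of the pmg-api patch or the project's code: before mailing anything, the endpoint verifies that the requested address falls in a relay domain (a simplified stand-in for the series' domain_regex helper; treating a leading dot as "this domain and all subdomains" is an assumption of this example), optionally restricts the caller to an admin-configured subnet as one of the alternatives the cover letter lists, and bounds the accepted DoS surface with a per-recipient cooldown. The relay domains, subnet and cooldown are constructed sample values, and LinkRequestPolicy with its methods are names chosen here.

```python
"""Admission checks for a world-reachable "send me my quarantine link"
endpoint.  Added illustration, not pmg-api code; all values are constructed."""
import ipaddress
import re
import time

# Constructed sample relay domains (the real list comes from the PMG config).
# Assumption of this example: a leading dot means the domain and all subdomains.
RELAY_DOMAINS = ["example.com", ".example.net"]


def domain_regex(domains):
    """Build one anchored regex matching any configured relay domain.
    Simplified stand-in for the domain_regex helper mentioned in the series."""
    parts = []
    for d in domains:
        d = d.lower()
        if d.startswith("."):
            parts.append(r"(?:[^.@\s]+\.)*" + re.escape(d[1:]))
        else:
            parts.append(re.escape(d))
    return re.compile(r"^(?:" + "|".join(parts) + r")$")


class LinkRequestPolicy:
    """Decides whether a link mail may be sent for a requested address."""

    def __init__(self, relay_domains, allowed_subnet=None, cooldown_seconds=300):
        self._domain_re = domain_regex(relay_domains)
        # Optional source restriction (the 'specific subnet' option from the note).
        self._subnet = ipaddress.ip_network(allowed_subnet) if allowed_subnet else None
        self._cooldown = cooldown_seconds
        self._last_sent = {}  # recipient -> timestamp of the last link mail

    def decide(self, mail, client_ip, now=None):
        """Return (allowed, reason-or-normalised-recipient)."""
        now = time.time() if now is None else now
        # 1. Syntactic sanity: exactly one '@', no whitespace or header separators,
        #    so the value cannot smuggle extra header lines into the outgoing mail.
        m = re.fullmatch(r"([^@\s<>,;]+)@([^@\s<>,;]+)", mail)
        if not m:
            return (False, "invalid address")
        domain = m.group(2).lower()
        recipient = f"{m.group(1)}@{domain}"
        # 2. Only addresses belonging to a relay domain may be mailed.
        if not self._domain_re.match(domain):
            return (False, "domain not in relay domains")
        # 3. Optional source-network restriction.
        if self._subnet is not None:
            try:
                if ipaddress.ip_address(client_ip) not in self._subnet:
                    return (False, "client outside allowed subnet")
            except ValueError:
                return (False, "invalid client address")
        # 4. Bound the flood the note accepts as residual risk:
        #    at most one link mail per recipient per cooldown window.
        last = self._last_sent.get(recipient)
        if last is not None and now - last < self._cooldown:
            return (False, "cooldown active")
        self._last_sent[recipient] = now
        return (True, recipient)


if __name__ == "__main__":
    policy = LinkRequestPolicy(RELAY_DOMAINS, allowed_subnet="10.0.0.0/8")
    for mail, ip in [("alice@example.com", "10.1.2.3"),
                     ("alice@example.com", "10.1.2.3"),
                     ("bob@mail.example.net", "10.9.9.9"),
                     ("bob@mail.example.net", "203.0.113.5"),
                     ("carol@evil.example", "10.1.2.3"),
                     ("dave@example.com\r\nBcc: x", "10.1.2.3")]:
        print(mail.encode(), ip, policy.decide(mail, ip))
```

The reason strings are intended for the server log only; the HTTP response to the caller should look the same whether or not a mail was actually sent, so the endpoint does not reveal which addresses or networks it accepts.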
* [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button
@ 2020-11-17  8:05 Dominik Csapak
  2020-11-17 13:16 ` Stoiko Ivanov
  0 siblings, 1 reply; 17+ messages in thread
From: Dominik Csapak @ 2020-11-17  8:05 UTC (permalink / raw)
  To: pmg-devel

adds an option/api call to request a quarantine link for an
email whose domain is in the relay domains

for now, we do not expose that option to the ui, but this can easily be
added if wanted

NOTES on security:

this adds a world reachable api call, that can potentially send e-mails
to users that belong to a relay domain

this is ok, since anybody can already send e-mails to the users
via normal smtp, and since the content of the e-mail cannot be
controlled, the only thing a potential attacker can do is a dos attack
(which can always be done via resource exhaustion, e.g. send a lot of mail)

we could add more checks to make it more secure, but not so convenient:
* add an option for an admin-settable shared secret that users must enter
  (makes it harder for the user to self-service, since the user has to
  know the secret)
* only allow it from 'trusted networks' (this probably makes no sense)
* add an option to allow it from a specific subnet (similar to above,
  but separate from mail flow, which could make sense, but is also
  not as convenient)

for now all text is hardcoded, templates could be used later on
(if users want that)

also I am open for alternate wordings for all texts, I basically chose
what came to mind first...

pmg-api:

Dominik Csapak (3):
  refactor domain_regex to Utils
  add 'quarantinelink' to admin config
  api2/quarantine: add global sendlink api call

 src/PMG/API2/Quarantine.pm  | 87 +++++++++++++++++++++++++++++++++++++
 src/PMG/CLI/pmgqm.pm        | 29 +------------
 src/PMG/Config.pm           |  6 +++
 src/PMG/HTTPServer.pm       |  1 +
 src/PMG/Service/pmgproxy.pm |  4 ++
 src/PMG/Utils.pm            | 26 +++++++++++
 6 files changed, 126 insertions(+), 27 deletions(-)

pmg-gui:

Dominik Csapak (1):
  add 'Request Quarantine Link' Button to LoginView

 js/LoginView.js   | 33 +++++++++++++++++++++++++++++++++
 pmg-index.html.tt |  3 ++-
 2 files changed, 35 insertions(+), 1 deletion(-)

-- 
2.20.1

end of thread, other threads:[~2020-11-18  8:13 UTC | newest]

Thread overview: 17+ messages
2020-11-17 14:57 [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button Dominik Csapak
2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-api v2 1/3] refactor domain_regex to Utils Dominik Csapak
2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-api v2 2/3] add 'quarantinelink' to spamquar config Dominik Csapak
2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-api v2 3/3] api2/quarantine: add global sendlink api call Dominik Csapak
2020-11-17 14:57 ` [pmg-devel] [PATCH pmg-gui v2 1/1] add 'Request Quarantine Link' Button to LoginView Dominik Csapak
2020-11-17 15:29 ` [pmg-devel] [PATCH pmg-api/gui] add quarantine self service button Thomas Lamprecht
2020-11-17 15:53   ` Dominik Csapak
2020-11-17 16:11     ` Thomas Lamprecht
2020-11-17 16:00 ` Stoiko Ivanov
2020-11-17 16:27 ` Dietmar Maurer
2020-11-17 16:38   ` Dietmar Maurer
2020-11-18  7:44     ` Thomas Lamprecht
2020-11-18  7:56       ` Dominik Csapak
2020-11-18  8:01         ` Thomas Lamprecht
2020-11-18  8:13           ` Dominik Csapak
  -- strict thread matches above, loose matches on Subject: below --
2020-11-17  8:05 Dominik Csapak
2020-11-17 13:16 ` Stoiko Ivanov
