feat: Block specific outgoing mail servers (#1971)

doublethink · web-flow · commit 091aef945a76 · 2025-04-01T13:05:23.000-07:00
## What kind of change does this PR introduce?

Feature that gives configuration option to block an email address event
if the mx server of the domain is on a blocklist

## What is the current behavior?

Existing behavior only checks for syntax issues and single email
addresses against a message stream.

## What is the new behavior?

This is called on every sent email event, the mx server of the email
addresses domain is queried and checked against a hard-coded blocklist

## Additional context

Functionality to allow for the long term blocking of bot and spam
behavior.

Resolves SEC-245
diff --git a/internal/conf/configuration.go b/internal/conf/configuration.go
@@ -411,8 +411,10 @@ type MailerConfiguration struct {
 	EmailValidationExtended       bool   `json:"email_validation_extended" split_words:"true" default:"false"`
 	EmailValidationServiceURL     string `json:"email_validation_service_url" split_words:"true"`
 	EmailValidationServiceHeaders string `json:"email_validation_service_headers" split_words:"true"`
+	EmailValidationBlockedMX      string `json:"email_validation_blocked_mx" split_words:"true"`
 
-	serviceHeaders map[string][]string `json:"-"`
+	serviceHeaders   map[string][]string `json:"-"`
+	blockedMXRecords map[string]bool     `json:"-"`
 }
 
 func (c *MailerConfiguration) Validate() error {
@@ -428,13 +430,35 @@ func (c *MailerConfiguration) Validate() error {
 	if len(headers) > 0 {
 		c.serviceHeaders = headers
 	}
+
+	// EmailValidationBlockedMX is a JSON array in the config string for brevity.
+	var blockedMXRecords map[string]bool
+	if c.EmailValidationBlockedMX != "" {
+		var blockedMXArray []string
+		err := json.Unmarshal([]byte(c.EmailValidationBlockedMX), &blockedMXArray)
+		if err != nil {
+			return fmt.Errorf("conf: email_validation_blocked_mx is not a valid JSON array: %w", err)
+		}
+		blockedMXRecords = make(map[string]bool, len(blockedMXArray)*2)
+		for _, record := range blockedMXArray {
+			blockedMXRecords[record] = true
+			blockedMXRecords[record+"."] = true
+		}
+	}
+
+	c.blockedMXRecords = blockedMXRecords
+
 	return nil
 }
 
 func (c *MailerConfiguration) GetEmailValidationServiceHeaders() map[string][]string {
 	return c.serviceHeaders
 }
 
+func (c *MailerConfiguration) GetEmailValidationBlockedMXRecords() map[string]bool {
+	return c.blockedMXRecords
+}
+
 type PhoneProviderConfiguration struct {
 	Enabled bool `json:"enabled" default:"false"`
 }
diff --git a/internal/mailer/validate.go b/internal/mailer/validate.go
@@ -74,19 +74,22 @@ var (
 	ErrInvalidEmailAddress = errors.New("invalid_email_address")
 	ErrInvalidEmailFormat  = errors.New("invalid_email_format")
 	ErrInvalidEmailDNS     = errors.New("invalid_email_dns")
+	ErrInvalidEmailMX      = errors.New("invalid_email_mx")
 )
 
 type EmailValidator struct {
-	extended       bool
-	serviceURL     string
-	serviceHeaders map[string][]string
+	extended         bool
+	serviceURL       string
+	serviceHeaders   map[string][]string
+	blockedMXRecords map[string]bool
 }
 
 func newEmailValidator(mc conf.MailerConfiguration) *EmailValidator {
 	return &EmailValidator{
-		extended:       mc.EmailValidationExtended,
-		serviceURL:     mc.EmailValidationServiceURL,
-		serviceHeaders: mc.GetEmailValidationServiceHeaders(),
+		extended:         mc.EmailValidationExtended,
+		serviceURL:       mc.EmailValidationServiceURL,
+		serviceHeaders:   mc.GetEmailValidationServiceHeaders(),
+		blockedMXRecords: mc.GetEmailValidationBlockedMXRecords(),
 	}
 }
 
@@ -253,20 +256,34 @@ func (ev *EmailValidator) validateProviders(name, host string) error {
 }
 
 func (ev *EmailValidator) validateHost(ctx context.Context, host string) error {
-	_, err := validateEmailResolver.LookupMX(ctx, host)
+	mxs, err := validateEmailResolver.LookupMX(ctx, host)
 	if !isHostNotFound(err) {
-		return nil
+		return ev.validateMXRecords(mxs, nil)
 	}
 
-	_, err = validateEmailResolver.LookupHost(ctx, host)
+	hosts, err := validateEmailResolver.LookupHost(ctx, host)
 	if !isHostNotFound(err) {
-		return nil
+		return ev.validateMXRecords(nil, hosts)
 	}
 
 	// No addrs or mx records were found
 	return ErrInvalidEmailDNS
 }
 
+func (ev *EmailValidator) validateMXRecords(mxs []*net.MX, hosts []string) error {
+	for _, mx := range mxs {
+		if ev.blockedMXRecords[mx.Host] {
+			return ErrInvalidEmailMX
+		}
+	}
+	for _, host := range hosts {
+		if ev.blockedMXRecords[host] {
+			return ErrInvalidEmailMX
+		}
+	}
+	return nil
+}
+
 func isHostNotFound(err error) bool {
 	if err == nil {
 		// We had no err, so we treat it as valid. We don't check the mx records
diff --git a/internal/mailer/validate_test.go b/internal/mailer/validate_test.go
@@ -242,6 +242,9 @@ func TestValidateEmailExtended(t *testing.T) {
 		{email: "test@invalid.example.com", err: "invalid_email_dns"},
 		{email: "test@no.such.email.host.supabase.io", err: "invalid_email_dns"},
 
+		// test blocked mx records
+		{email: "test@hotmail.com", err: "invalid_email_mx"},
+
 		// this low timeout should simulate a dns timeout, which should
 		// not be treated as an invalid email.
 		{email: "validemail@probablyaaaaaaaanotarealdomain.com",
@@ -255,7 +258,14 @@ func TestValidateEmailExtended(t *testing.T) {
 		EmailValidationExtended:       true,
 		EmailValidationServiceURL:     "",
 		EmailValidationServiceHeaders: "",
+		EmailValidationBlockedMX:      `["hotmail-com.olc.protection.outlook.com"]`,
+	}
+
+	// Ensure the BlockedMX transformation occurs by calling Validate
+	if err := cfg.Validate(); err != nil {
+		t.Fatalf("failed to validate MailerConfiguration: %v", err)
 	}
+
 	ev := newEmailValidator(cfg)
 
 	for idx, tc := range cases {
