Added ForbiddenMXIp model

2025-09-06 14:44:20 +08:00 · 2025-07-28 15:20:05 +02:00 · 2025-07-28 15:20:05 +02:00 · 3bef25b764
commit 3bef25b764
parent e8575f5853
3 changed files with 19 additions and 3 deletions
--- a/app/email_utils.py
+++ b/app/email_utils.py
@ -57,6 +57,7 @@ from app.models import (
    InvalidMailboxDomain,
    VerpType,
    available_sl_email,
+    ForbiddenMXIp,
 )
 from app.utils import (
    random_string,
@ -610,6 +611,7 @@ def email_can_be_used_as_mailbox(email_address: str) -> bool:
        LOG.d("No MX record for domain %s", domain)
        return False

+    mx_ips = set()
    for mx_domain in mx_domains:
        if is_invalid_mailbox_domain(mx_domain):
            LOG.d("MX Domain %s %s is invalid mailbox domain", mx_domain, domain)
@ -618,8 +620,12 @@ def email_can_be_used_as_mailbox(email_address: str) -> bool:
        LOG.i(
            f"Found MX Domain {mx_domain} for mailbox {email_address} with a record {a_record}"
        )
-        if a_record is not None and a_record in config.INVALID_MX_IPS:
-            LOG.d(f"MX Domain {mx_domain} has an invalid IP address: {a_record}")
+        if a_record is not None:
+            mx_ips.add(a_record)
+    if len(mx_ips) > 0:
+        forbidden_ip = ForbiddenMXIp.filter(ForbiddenMXIp.ip.in_(list(mx_ips))).all()
+        if forbidden_ip:
+            LOG.i("Found forbidden MX ip %s", forbidden_ip)
            return False

    existing_user = User.get_by(email=email_address)
--- a/app/models.py
+++ b/app/models.py
@ -3611,6 +3611,15 @@ class InvalidMailboxDomain(Base, ModelMixin):
    domain = sa.Column(sa.String(256), unique=True, nullable=False)


+class ForbiddenMXIp(Base, ModelMixin):
+    """MX IPs that we don't allow to create mailboxes for"""
+
+    __tablename__ = "forbidden_mx_ip"
+
+    ip = sa.Column(sa.String(16), unique=True, nullable=False)
+    comment = sa.Column(sa.Text, unique=False, nullable=True)
+
+
 # region Phone
 class PhoneCountry(Base, ModelMixin):
    __tablename__ = "phone_country"
--- a/tests/test_email_utils.py
+++ b/tests/test_email_utils.py
@ -52,6 +52,7 @@ from app.models import (
    AliasGeneratorEnum,
    SLDomain,
    Mailbox,
+    ForbiddenMXIp,
 )

 # flake8: noqa: E101, W191
@ -149,7 +150,7 @@ def test_disabled_user_with_secondary_mailbox_prevents_email_from_being_used_as_
 def test_mx_invalid_ip():
    invalid_mx_ip = "12.2.23.23"
    valid_mx_ip = "1.1.1.1"
-    config.INVALID_MX_IPS = [invalid_mx_ip]
+    ForbiddenMXIp.create(ip=invalid_mx_ip, flush=True)
    dns_client.set_mx_records("testdomain.com", {10: ["mxdomain.com."]})
    dns_client.set_a_record("mxdomain.com", valid_mx_ip)
    assert email_can_be_used_as_mailbox("a@testdomain.com")