Description
What?
Blacklists are a classic email-related feature.
Having an easy-to-activate core module to handle this feature would IMO be nice.
Ideally blacklist entries should be added globally, at the domain level, at the user level and should concern individual addresses as well as entire domains.
Disclaimer
We identified this feature while working on TMail.
I am convinced that this is generic enough to land in James. But should consensus reject this, we could still make this a TMail module.
Ideally I'd like to have this fully as an option, not activated by default.
How?
Again, proposal here. My first shot was to think of RRTs but they do not take sender into account (saaaaaaaad).
Write in `/server/data/data-api` the `DropList` interfaces.
A drop list entry is comprised of:
- *ownerScope*: `global | domain | user`
- *owner*: String.
  - For ownerScope global: this is always `ALL`.
  - For ownerScope domain: this is the domain, e.g. `domain.tld`
  - For ownerScope user: this is the user, e.g. `bob@domain.tld`
- *deniedEntityType*: String. One of `address | domain`
- *deniedEntity*: String. Either the domain or the address.
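```java
import org.apache.james.core.MailAddress;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

interface DropList {
    Mono<Void> add(DropListEntry entry);

    Mono<Void> remove(DropListEntry entry);

    Flux<DropListEntry> list(OwnerScope ownerScope, Owner owner);

    enum Status {
        ALLOWED,
        BLOCKED
    }

    // Status of the sender for the given owner at the given scope
    Mono<Status> query(OwnerScope ownerScope, Owner owner, MailAddress sender);
}
```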
And provide a memory + a Cassandra implementation of the DropList.
Write an `IsInDropList` matcher: given `attacker@evil.com` sends a mail to `target@localhost`, the following queries are done:
- ownerScope all, owner All, deniedEntityType domain, deniedEntity evil.com
- ownerScope all, owner All, deniedEntityType address, deniedEntity attacker@evil.com
- ownerScope domain, owner localhost, deniedEntityType domain, deniedEntity evil.com
- ownerScope domain, owner localhost, deniedEntityType address, deniedEntity attacker@evil.com
- ownerScope user, owner target@localhost, deniedEntityType domain, deniedEntity evil.com
- ownerScope user, owner target@localhost, deniedEntityType address, deniedEntity attacker@evil.com
Manage to do only one set of queries at scope global. Manage to do one set of queries at scope domain per domain!
Webadmin APIs to manage the Drop List:
```
GET /droplist/global?deniedEntityType=null|domain|address
[ "evil.com", "devil.com", "bad_guy@crime.com", "hacker@murder.org" ]

HEAD /droplist/global/evil.com
HEAD /droplist/global/bad_guy@murder.org
204 // 404

PUT /droplist/global/evil.com
PUT /droplist/global/bad_guy@murder.org
-> adds the entry into the droplist

DELETE /droplist/global/evil.com
DELETE /droplist/global/bad_guy@murder.org
-> removes the entry from the droplist

----------------

GET /droplist/domain/target.com?deniedEntityType=null|domain|address
[ "evil.com", "devil.com", "bad_guy@crime.com", "hacker@murder.org" ]

HEAD /droplist/domain/target.com/evil.com
HEAD /droplist/domain/target.com/bad_guy@murder.org
204 // 404

PUT /droplist/domain/target.com/evil.com
PUT /droplist/domain/target.com/bad_guy@murder.org
-> adds the entry into the droplist

DELETE /droplist/domain/target.com/evil.com
DELETE /droplist/domain/target.com/bad_guy@murder.org
-> removes the entry from the droplist

----------------

GET /droplist/user/bob@target.com?deniedEntityType=null|domain|address
[ "evil.com", "devil.com", "bad_guy@crime.com", "hacker@murder.org" ]

HEAD /droplist/user/bob@target.com/evil.com
HEAD /droplist/user/bob@target.com/bad_guy@murder.org
204 // 404

PUT /droplist/user/bob@target.com/evil.com
PUT /droplist/user/bob@target.com/bad_guy@murder.org
-> adds the entry into the droplist

DELETE /droplist/user/bob@target.com/evil.com
DELETE /droplist/user/bob@target.com/bad_guy@murder.org
-> removes the entry from the droplist
```
Write a Guice module for DropList with Cassandra and with memory but do not include it in the apps by default.
Document activating the droplist extension:
- Enable the droplist extension in `extensions.properties`
- Plug the `IsInDropList` matcher in `mailetcontainer.xml`
- Add the routes in `additionalRoutes` into `webadmin.properties`
And most importantly remove:
- `AbstractSQLWhitelistMatcher`
- `IsInWhiteList`
- `WhiteListManager`
As we now propose a better alternative...
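
The lookup order described for the `IsInDropList` matcher (global once per mail, domain once per recipient domain, then user), as an added in-memory sketch that is not part of the original issue or of the James code base. The class `DropListSketch`, the `blockedRecipients` helper and the use of plain strings instead of `Owner`/`MailAddress` are hypothetical, Java 17 is assumed, and lower-casing whole addresses before comparison is an assumption made so that case variations of a denied sender still match.

```java
import java.util.*;
// Added sketch, not James code: in-memory evaluation of the drop list lookups.
public class DropListSketch {
    enum OwnerScope { GLOBAL, DOMAIN, USER }
    enum DeniedEntityType { ADDRESS, DOMAIN }
    enum Status { ALLOWED, BLOCKED }
    record Entry(OwnerScope scope, String owner, DeniedEntityType type, String denied) {}
    private final Set<Entry> entries = new HashSet<>();
    // Assumption: owners and denied entities are compared case-insensitively.
    private static String norm(String s) { return s.toLowerCase(Locale.ROOT); }
    void add(Entry e) {
        entries.add(new Entry(e.scope(), norm(e.owner()), e.type(), norm(e.denied())));
    }

    // One "set of queries": the sender's domain and the sender's address for one owner.
    Status query(OwnerScope scope, String owner, String sender) {
        String s = norm(sender);
        String domain = s.substring(s.lastIndexOf('@') + 1);
        boolean hit = entries.contains(new Entry(scope, norm(owner), DeniedEntityType.DOMAIN, domain))
                || entries.contains(new Entry(scope, norm(owner), DeniedEntityType.ADDRESS, s));
        return hit ? Status.BLOCKED : Status.ALLOWED;
    }

    // Recipients for which the sender is denied at any of the three scopes.
    Set<String> blockedRecipients(String sender, Collection<String> recipients) {
        Set<String> blocked = new LinkedHashSet<>();
        boolean global = query(OwnerScope.GLOBAL, "ALL", sender) == Status.BLOCKED; // once per mail
        Map<String, Boolean> perDomain = new HashMap<>(); // once per recipient domain
        for (String rcpt : recipients) {
            String r = norm(rcpt);
            String d = r.substring(r.lastIndexOf('@') + 1);
            if (global
                    || perDomain.computeIfAbsent(d, k -> query(OwnerScope.DOMAIN, k, sender) == Status.BLOCKED)
                    || query(OwnerScope.USER, r, sender) == Status.BLOCKED) {
                blocked.add(rcpt);
            }
        }
        return blocked;
    }

    public static void main(String[] args) {
        DropListSketch dl = new DropListSketch();
        // Constructed sample entries, reusing addresses from the examples above.
        dl.add(new Entry(OwnerScope.DOMAIN, "localhost", DeniedEntityType.DOMAIN, "evil.com"));
        dl.add(new Entry(OwnerScope.USER, "bob@target.com", DeniedEntityType.ADDRESS, "bad_guy@crime.com"));
        List<String> rcpts = List.of("target@localhost", "bob@target.com");
        System.out.println(dl.blockedRecipients("Attacker@EVIL.com", rcpts));
        System.out.println(dl.blockedRecipients("bad_guy@crime.com", rcpts));
    }
}
```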