Prevent users from registering with throwaway mail providers #464

fnetX commented 2021年06月03日 18:47:09 +02:00

Block throwaway email providers upon creation and not on delivery stage.

Current setup:
We use a list of domains to prevent our mailservers from peering with well-known throwaway email providers. This list is synced from external resources.

Problems:
This approach leads to frequent issues, Although we added a static warning to the registration step, users often don't consider their email service providers as a throwaway email provider - and sometimes it isn't one either.
Also, users who sucessfully validated their email will stop receiving Codeberg news, if their domain was added later - even if they intended to continue using it (especially relevant for aliases)

ToDo:

• prevent users from registering with throwaway email providers (instant user feedback)
• re-allow sending emails to these domains to make sure users receive their email
  • (or: inform users their domain was removed and allow them to unlock their account with a new one - much more complicated!)
• look for a new source of truth for throwaway email providers, because some of the listed domains (gmx.com, googlemail) are probably considered as legitimate use by us, maybe also reconsider deployment (not relying on cron and a text file?)

Might also be relevant: #174 #328 Codeberg/gitea!18

Block throwaway email providers upon creation and not on delivery stage. **Current setup:** We use a list of domains to prevent our mailservers from peering with well-known throwaway email providers. This list is synced from external resources. **Problems:** This approach leads to frequent issues, Although we added a static warning to the registration step, users often don't consider their email service providers as a throwaway email provider - and sometimes it isn't one either. Also, users who sucessfully validated their email will stop receiving Codeberg news, if their domain was added later - even if they intended to continue using it (especially relevant for aliases) **ToDo:** - [ ] prevent users from registering with throwaway email providers (instant user feedback) - [ ] re-allow sending emails to these domains to make sure users receive their email - [ ] (or: inform users their domain was removed and allow them to unlock their account with a new one - much more complicated!) - [ ] look for a new source of truth for throwaway email providers, because some of the listed domains (gmx.com, googlemail) are probably considered as legitimate use by us, maybe also reconsider deployment (not relying on cron and a text file?) ###### Might also be relevant: #174 #328 Codeberg/gitea!18

fnetX commented 2021年12月21日 00:36:23 +01:00

Just noting here: If someone builds a simple bash script / function that

• filters the recipients domain from a mail
• compares this against a list of domains (text file)
• instead sends a "We do not allow this mail provider"

this could also be a very first step if someone gets here but is not interested in working at Gitea code.

Just noting here: If someone builds a simple bash script / function that - filters the recipients domain from a mail - compares this against a list of domains (text file) - instead sends a "We do not allow this mail provider" this could also be a very first step if someone gets here but is not interested in working at Gitea code.

fnetX commented 2022年02月09日 20:45:19 +01:00

Implemented now.

Implemented now.