Add SMTP authentication failure blocking system with admin dashboard by lucaforni · Pull Request #66 · modalsource/postal

lucaforni · 2026-02-01T21:31:56Z

This commit implements a comprehensive system to protect against brute force attacks on SMTP authentication by automatically blocking IPs after repeated failed authentication attempts.

Features:

Automatic IP blocking after X failed auth attempts (default: 5, configurable)
Configurable block duration Y minutes (default: 120, configurable)
Blocks persist across all SMTP auth methods (PLAIN, LOGIN, CRAM-MD5)
Counter resets automatically on successful authentication
Admin web dashboard to view, search, and manage blocked IPs
Manual block/unblock capabilities for individual or all IPs
Prometheus metrics integration for monitoring
Detailed logging for security auditing

Technical Implementation:

AuthFailureTracker class manages blocking logic using Rails.cache
SHA-256 hashed cache keys for security
Efficient indexing system for listing blocked IPs
RESTful admin routes for IP management
HAML-based responsive UI integrated with existing admin interface

Testing:

39 unit tests for AuthFailureTracker
14 integration tests for SMTP client auth blocking
7 controller tests for admin dashboard
All 60 new tests passing

Configuration (via postal.yml or environment variables):

smtp_server.auth_failure_threshold (default: 5)
smtp_server.auth_failure_block_duration (default: 120 minutes)

Documentation:

Complete user guide (doc/SMTP_AUTH_BLOCKING.md)
Configuration examples for various security levels
Technical documentation for developers
Updated main configuration documentation

Files Modified:

app/lib/smtp_server/client.rb - Integrated blocking checks
app/views/layouts/application.html.haml - Added menu link
config/routes.rb - Added admin routes
lib/postal/config_schema.rb - Added configuration options
doc/config/configuration.md - Documented new feature

Files Created:

app/lib/smtp_server/auth_failure_tracker.rb (323 lines)
app/controllers/admin_blocked_ips_controller.rb (74 lines)
app/views/admin_blocked_ips/index.html.haml (118 lines)
3 comprehensive test files (520+ lines)
3 documentation files

This commit implements a comprehensive system to protect against brute force attacks on SMTP authentication by automatically blocking IPs after repeated failed authentication attempts. Features: - Automatic IP blocking after X failed auth attempts (default: 5, configurable) - Configurable block duration Y minutes (default: 120, configurable) - Blocks persist across all SMTP auth methods (PLAIN, LOGIN, CRAM-MD5) - Counter resets automatically on successful authentication - Admin web dashboard to view, search, and manage blocked IPs - Manual block/unblock capabilities for individual or all IPs - Prometheus metrics integration for monitoring - Detailed logging for security auditing Technical Implementation: - AuthFailureTracker class manages blocking logic using Rails.cache - SHA-256 hashed cache keys for security - Efficient indexing system for listing blocked IPs - RESTful admin routes for IP management - HAML-based responsive UI integrated with existing admin interface Testing: - 39 unit tests for AuthFailureTracker - 14 integration tests for SMTP client auth blocking - 7 controller tests for admin dashboard - All 60 new tests passing Configuration (via postal.yml or environment variables): - smtp_server.auth_failure_threshold (default: 5) - smtp_server.auth_failure_block_duration (default: 120 minutes) Documentation: - Complete user guide (doc/SMTP_AUTH_BLOCKING.md) - Configuration examples for various security levels - Technical documentation for developers - Updated main configuration documentation Files Modified: - app/lib/smtp_server/client.rb - Integrated blocking checks - app/views/layouts/application.html.haml - Added menu link - config/routes.rb - Added admin routes - lib/postal/config_schema.rb - Added configuration options - doc/config/configuration.md - Documented new feature Files Created: - app/lib/smtp_server/auth_failure_tracker.rb (323 lines) - app/controllers/admin_blocked_ips_controller.rb (74 lines) - app/views/admin_blocked_ips/index.html.haml (118 lines) - 3 comprehensive test files (520+ lines) - 3 documentation files

lucaforni merged commit d919a1c into main-modalsource Feb 1, 2026
10 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add SMTP authentication failure blocking system with admin dashboard#66

Add SMTP authentication failure blocking system with admin dashboard#66
lucaforni merged 1 commit into
main-modalsourcefrom
feat--smtp-block-after-ripetute-wrong-password

lucaforni commented Feb 1, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

lucaforni commented Feb 1, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant