Heroku app authenticate requests from Cloudmailin

Question

I use Cloudmailin in a Heroku app

CloudMailin allows you to receive incoming email messages in your web app via an HTTP POST request

In my case, Cloudmailin is configured on receiving emails to POST them to myapp.heroku.com/incoming_url.

I note that anyone can skip the middleman and POST to /incoming_url to stimulate my app to act as if it received an email. Since my app sends an email in consequence, I'm concerned it could be abused to send spam.

I'd like my app to authenticate the HTTP requests were genuinely made from Cloudmailin (or me). Perhaps Cloudmailin could sign its HTTP requests somehow (in a HTTP header or in the querystring)

Answer 1

CloudMailin offers two ways to achieve this:

• Hashing (Discontinued and on the Original format only)
• HTTPS and Basic Authentication (the new recommended approach).

If you are using the original format with CloudMailin then it is signed via a hashing mechanism. CloudMailin shares a secret key with you that's used to hash all of the fields that are sent via the CloudMailin HTTP Post. That way you can validate that the message actually comes from CloudMailin. More details on this hashing can be found here.

However, in the more recent formats this was discontinued in favour of using HTTPS and Basic Authentication. The hashing algorithm can be a little complex and complicated to get setup. For that reason it was recommended that users make requests to their site over HTTPS and pass basic authentication. You can then use something like:

https://username:password@yourdomain.com/target

As the location that you POST your email to. As only CloudMailin and your site know the username and password you can reject this type of attack, it also has the benefit of encrypting your message transfer so no one can snoop on the information.