Authentication


CloudPress

Nov 14, 2012, 8:24:37 PM
to postmark-ap...@googlegroups.com
I had a few thoughts on authentication I would like to share. I tried sending this earlier but it doesn't seem to have worked.

I was coding my inbound processor when I noticed I have no way to validate the message was from Postmark. Given the fact that this is not a publicly documented URL for my inbound processor, there isn't too much of an issue, but some authentication scheme would be nice. Moreover, I took a close look at the API for me to send an email and it relies on just a simple API key sent in a header. I think this can be done better. Admittedly, the biggest issue is backwards compatibility, so you don't have to release a new API version just for this.

My idea for API authentication is to introduce a shared secret. The shared secret would be a random string you would generate for me and show to me when I log in to the app. For backwards compatibility I would have to opt to turn on a shared secret for each server I want to use it with. Then with each API call I would send one more header, call it whatever you like, maybe X-Postmark-Signature. To get the value of this I would take the JSON request string, append the shared secret and make a hash using SHA1, MD5, doesn't matter too much as long as it's consistent. When you receive the request, by my API key you can see my server has a shared secret, then you can take the JSON, append my shared secret, then hash it and compare to the signature header. This verifies both my identity as well as the integrity of the JSON request.

For inbound processing you would take the same steps to sign the request using the JSON and my shared secret, which I could easily validate on my end.
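
A sketch of the signing scheme proposed in the post above, added here as an example; it is not Postmark's API or the poster's code. It uses HMAC-SHA256, the standard keyed-hash construction, in place of the plain hash of JSON plus secret that the post describes. The header name is the post's own suggestion, and the secret and payload are constructed.

```python
import hashlib
import hmac
import json

# Header name suggested in the post; not an actual Postmark header.
SIGNATURE_HEADER = "X-Postmark-Signature"


def sign_payload(body: bytes, shared_secret: bytes) -> str:
    """Sender side: hex HMAC-SHA256 tag over the exact bytes being sent."""
    return hmac.new(shared_secret, body, hashlib.sha256).hexdigest()


def verify_request(headers: dict, body: bytes, shared_secret: bytes) -> bool:
    """Receiver side: recompute the tag over the raw body and compare.

    The raw bytes are verified before any JSON parsing; re-serialising the
    parsed JSON could reorder keys or change whitespace and break the tag.
    """
    supplied = headers.get(SIGNATURE_HEADER)
    if not supplied:
        # A server that opted in to signing must reject unsigned requests.
        return False
    expected = sign_payload(body, shared_secret).encode()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, supplied.strip().lower().encode())


def demo():
    """Constructed sample: a valid, a modified and an unsigned request."""
    secret = b"constructed-shared-secret"
    body = json.dumps({"From": "a@example.com", "Subject": "hi"}).encode()
    headers = {SIGNATURE_HEADER: sign_payload(body, secret)}
    valid = verify_request(headers, body, secret)
    modified = verify_request(headers, body.replace(b"hi", b"yo"), secret)
    unsigned = verify_request({}, body, secret)
    return valid, modified, unsigned


if __name__ == "__main__":
    print(demo())
```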

Milan Gornik

Nov 15, 2012, 4:47:41 AM
to postmark-ap...@googlegroups.com

Hi,

I replied on the other topic you posted, so there already is a way for you to achieve protection of your inbound hook. The way I described there is used to limit access to your hook by requiring username+password. Signing a JSON payload which gets posted to your hook is also an interesting idea. With that scheme, you wouldn't prevent access to your inbound hook, but would make sure the sender is valid by using the provided signature. Right now, I am thinking of pros and cons and I would have to discuss it with the team to see if we should add a feature like this to our roadmap.

Let me know what you think (as for basic auth scheme versus signing) and thanks for the share!

Regards,
Milan Gornik
Postmark developer, Wildbit

CloudPress

Nov 15, 2012, 2:37:06 PM
to postmark-ap...@googlegroups.com
Sorry for posting twice, I didn't realize it didn't get posted immediately.

The basic auth would work for the inbound hook. I was just thinking signing would give me a way to verify on the inbound email hook and bounce hooks. I would also like to see it implemented to authenticate sending emails as well, which I would have to optionally turn on for backwards compatibility, but I personally would prefer the extra security.

Milan Gornik

Nov 16, 2012, 5:26:27 AM
to postmark-ap...@googlegroups.com

Hi!

Glad to know that the basic auth scheme will work for you. Signing our JSON payloads is an interesting request and I am posting it as a feature request to our planning docs. For outbound email (email that you send through Postmark), signing is already implemented using the DKIM standard (http://www.dkim.org/). You assign DKIM to your domain and tell Postmark your keypair (public, private). That way, your DNS and Postmark have this info and emails you send are DKIM secured. Then, email servers that receive your emails are sure about the origin of the email.

Regards,
Milan

CloudPress

Nov 16, 2012, 1:07:13 PM
to postmark-ap...@googlegroups.com
I know about DKIM, but to authenticate from my app to Postmark I was saying you could include the ability for me to sign the JSON, that way there is more than just an API key needed for authentication. As it sits, it's like logging into a website with just a username, one that's not publicly known, but I still would like to see some more from the authentication.

Robert Rawlins

Feb 4, 2013, 11:52:18 AM
to postmark-ap...@googlegroups.com
Hi Milan,

I'd be interested to learn a little more about securing the inbound hook in the way you describe here. I'm currently building a hook to receive the inbound requests but can't afford for the URL to not be secure.

Can you explain how I can currently implement security on my inbound hooks?

Thanks,

Robert

JP Toto

Feb 4, 2013, 12:12:27 PM
to postmark-ap...@googlegroups.com
Hey Robert!

We aren't doing a shared secret/key like described by the user above but the method that Milan describes will work great. It's basic HTTP auth but it's embedded into the URL.

For example, you can set up your Inbound hook as such: http://username:pass...@mydomain.com/inboundhook

On your server, you would set up basic HTTP auth for that URL. I would recommend using HTTPS to secure the transmission as well. Now this way, Postmark is effectively "logging in" to your server for each Inbound POST with the JSON payload.

Would that work out for you?

- JP

Milan Gornik

Feb 4, 2013, 12:18:52 PM
to postmark-ap...@googlegroups.com

Hi Robert,

This should be really simple to set up, let me explain it here. To use this, your inbound web hook should use HTTPS and basic authentication. Make sure that the web server you use to host your inbound web hooks supports this. Then, define the username and password which Postmark will use to post JSON data to your application. Your web server should only allow authenticated access to the inbound web hook, using that username and password (you can allow more users, this one will be used by Postmark). Then, in Postmark define your Inbound web hook as follows (to set it up go to Your Rack, pick a server and then choose the Settings tab):

https://{username}:{password}@{hostname}:{port}/{inboundhook}

For example: https://user:secre...@myserver.com/postmark_inbound

So, username and password are an integral part of the inbound hook URL setting in Postmark. This username+password combination will be a shared secret between the Postmark system and you, so no one else could access your inbound hook and post data to it.

Let me know if I can help you with more details,
Milan Gornik
Postmark developer, Wildbit
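
The receiving side of the basic-auth setup described in the replies above, as an added example rather than Postmark's or the posters' code. The credentials, handler name and port are assumptions, and HTTPS is assumed to be terminated in front of this handler.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed credentials: the same pair that is placed in the hook URL in Postmark.
HOOK_USER = "postmark-hook"
HOOK_PASSWORD = "constructed-long-random-password"


def basic_auth_ok(header, user=HOOK_USER, password=HOOK_PASSWORD) -> bool:
    """Validate an Authorization header value against the expected pair."""
    if not header or not header.lower().startswith("basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True)
    except ValueError:  # malformed base64 or non-ASCII input
        return False
    supplied_user, sep, supplied_password = decoded.partition(b":")
    if not sep:
        return False
    # Evaluate both comparisons in constant time before combining them.
    user_ok = hmac.compare_digest(supplied_user, user.encode())
    pass_ok = hmac.compare_digest(supplied_password, password.encode())
    return user_ok and pass_ok


class InboundHook(BaseHTTPRequestHandler):
    """Hypothetical inbound hook endpoint that rejects unauthenticated POSTs."""

    def do_POST(self):
        if not basic_auth_ok(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="inbound"')
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        payload = self.rfile.read(length)  # JSON body, handed to the application
        self.send_response(200)
        self.end_headers()


def serve(host="127.0.0.1", port=8080):
    """Run the hook locally behind a TLS-terminating proxy (assumed setup)."""
    HTTPServer((host, port), InboundHook).serve_forever()
```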
