fix(backend): exempt inbound MTA endpoints from SSL redirect

[rielzzapps]

The SECURE_REDIRECT_EXEMPT setting was missing the inbound MTA router endpoints, causing internal HTTP calls from the MTA-in service to be redirected to HTTPS with a 301 response.

This caused the milter to timeout when checking recipients and delivering mail, resulting in "451 4.7.1 Service unavailable" errors.

The MTA-in service calls:

• /api/v1.0/inbound/mta/check/ (for recipient validation)
• /api/v1.0/inbound/mta/deliver/ (for mail delivery)

These internal endpoints must accept HTTP requests and should not be redirected to HTTPS.

Changed:

• Added "^api/v1.0/inbound/mta/" to SECURE_REDIRECT_EXEMPT

This follows the existing pattern for the alias endpoints at /api/v1.0/mta/* which were already exempted.

Fixes: MTA milter timeout and mail delivery failures

Summary by CodeRabbit

• Bug Fixes
  • Updated security configuration to enable proper handling of inbound API requests in production environments.

[coderabbitai]

Walkthrough

A new exempt path "^api/v1\.0/inbound/mta/" is added to the SECURE_REDIRECT_EXEMPT list in the Production configuration class, allowing an additional API endpoint to bypass secure redirect enforcement.

Changes

Cohort / File(s)	Summary
Configuration update src/backend/messages/settings.py	Added "^api/v1\.0/inbound/mta/" to the SECURE_REDIRECT_EXEMPT list in the Production class

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A path through the mta, now clearer it seems,
The inbound requests flow through secure HTTPS dreams,
One line added, exempt from redirects so grand,
Configuration whispers across the digital land! 🌿

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The pull request title "fix(backend): exempt inbound MTA endpoints from SSL redirect" directly and accurately describes the main change in the changeset. The code modification adds the pattern "^api/v1\.0/inbound/mta/" to the SECURE_REDIRECT_EXEMPT list to prevent SSL redirects for internal MTA endpoints, which is precisely what the title conveys. The title is concise, uses a clear semantic prefix ("fix"), and is specific enough that a teammate scanning the commit history would immediately understand the primary change without vagueness or unnecessary noise.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Pylint (4.0.1)

src/backend/messages/settings.py

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

src/backend/messages/settings.py (1)

986-986: LGTM with a suggested refactor for line length compliance.

The addition of "^api/v1\\.0/inbound/mta/" correctly exempts the inbound MTA endpoints from SSL redirect, addressing the timeout and mail delivery failures described in the PR objectives. The pattern follows the existing convention used for MTA alias endpoints.

However, the line exceeds the 100-character limit specified in the coding guidelines.

Consider wrapping the list across multiple lines for better readability and compliance:

-    SECURE_REDIRECT_EXEMPT = ["^__lbheartbeat__", "^__heartbeat__", "^api/v1\\.0/mta/", "^api/v1\\.0/inbound/mta/"]
+    SECURE_REDIRECT_EXEMPT = [
+        "^__lbheartbeat__",
+        "^__heartbeat__",
+        "^api/v1\\.0/mta/",
+        "^api/v1\\.0/inbound/mta/",
+    ]

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bf77b07 and eb26d10.

📒 Files selected for processing (1)

• src/backend/messages/settings.py (1 hunks)

🧰 Additional context used

📓 Path-based instructions (3)

src/backend/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/django-python.mdc)

src/backend/**/*.py: Follow Django/PEP 8 style with a 100-character line limit
Use descriptive, snake_case names for variables and functions
Use Django ORM for database access; avoid raw SQL unless necessary for performance
Use Django’s built-in user model and authentication framework
Prefer try-except blocks to handle exceptions in business logic and views
Log expected and unexpected actions with appropriate log levels
Capture and report exceptions to Sentry; use capture_exception() for custom errors
Do not log sensitive information (tokens, passwords, financial/health data, PII)

Files:

• src/backend/messages/settings.py

src/backend/**/{settings.py,middleware.py}

📄 CodeRabbit inference engine (.cursor/rules/django-python.mdc)

Use middleware judiciously for cross-cutting concerns (authentication, logging, caching)

Files:

• src/backend/messages/settings.py

src/backend/**/settings.py

📄 CodeRabbit inference engine (.cursor/rules/django-python.mdc)

src/backend/**/settings.py: Leverage Django’s caching framework (e.g., Redis/Memcached) where appropriate
Use Django’s cache framework with a backend like Redis or Memcached to reduce DB load
Optimize static file handling using Django’s staticfiles pipeline (e.g., WhiteNoise)

Files:

• src/backend/messages/settings.py

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: docker-publish-socks-proxy / docker-build-push
• GitHub Check: build-front
• GitHub Check: check-api-state
• GitHub Check: lint-back
• GitHub Check: test-back

🔇 Additional comments (1)

src/backend/messages/settings.py (1)

986-986: Endpoints verified: both /api/v1.0/inbound/mta/check/ and /api/v1.0/inbound/mta/deliver/ are properly defined.

The inbound MTA endpoints are correctly implemented in the codebase:

• InboundMTAViewSet is registered in src/backend/core/urls.py (line 84) via the inbound nested router
• The check action is defined in src/backend/core/api/viewsets/inbound/mta.py (line 83)
• The deliver action is defined in src/backend/core/api/viewsets/inbound/mta.py (line 104-107)
• The SECURE_REDIRECT_EXEMPT regex pattern ^api/v1\.0/inbound/mta/ correctly matches both endpoints