From eb26d10fdfa51be375d3512022f879581034d975 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ri=C3=ABl=20Notermans?=
Date: Mon, 20 Oct 2025 23:49:47 +0200
Subject: [PATCH] fix(backend): exempt inbound MTA endpoints from SSL redirect

The SECURE_REDIRECT_EXEMPT setting was missing the inbound MTA router endpoints, causing internal HTTP calls from the MTA-in service to be redirected to HTTPS with a 301 response. This caused the milter to timeout when checking recipients and delivering mail, resulting in "451 4.7.1 Service unavailable" errors. The MTA-in service calls: - /api/v1.0/inbound/mta/check/ (for recipient validation) - /api/v1.0/inbound/mta/deliver/ (for mail delivery) These internal endpoints must accept HTTP requests and should not be redirected to HTTPS. Changed: - Added "^api/v1\.0/inbound/mta/" to SECURE_REDIRECT_EXEMPT This follows the existing pattern for the alias endpoints at /api/v1.0/mta/* which were already exempted. Fixes: MTA milter timeout and mail delivery failures
---
 src/backend/messages/settings.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/backend/messages/settings.py b/src/backend/messages/settings.py
index e56a9f29..39db920b 100755
--- a/src/backend/messages/settings.py
+++ b/src/backend/messages/settings.py
@@ -983,7 +983,7 @@ class Production(Base):
 SECURE_HSTS_PRELOAD = True
 SECURE_HSTS_INCLUDE_SUBDOMAINS = True
 SECURE_SSL_REDIRECT = True
- SECURE_REDIRECT_EXEMPT = ["^__lbheartbeat__", "^__heartbeat__", "^api/v1\\.0/mta/"]
+ SECURE_REDIRECT_EXEMPT = ["^__lbheartbeat__", "^__heartbeat__", "^api/v1\\.0/mta/", "^api/v1\\.0/inbound/mta/"]
 # Modern browsers require to have the `secure` attribute on cookies with `Samesite=none`
 CSRF_COOKIE_SECURE = True
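Review bot: The added `"^api/v1\\.0/inbound/mta/"` entry exempts by URL path, not by caller, so `/api/v1.0/inbound/mta/check/` and `/deliver/` are now served over plain HTTP to any client that can reach the production backend on an HTTP listener, not only to the MTA-in service. The commit message describes these calls as internal, but nothing in this hunk enforces that; if the ingress forwards public plain-HTTP traffic to the backend, recipient addresses, message bodies and whatever credential MTA-in presents (not visible here) would cross the network unencrypted. It is worth confirming that these paths are routable only on the internal network, or alternatively having MTA-in call the backend over TLS and dropping the exemption. I would also record the constraint next to the setting, e.g. `# Plain-HTTP exemptions: health checks and internal MTA callbacks only; these paths must not be exposed on the public listener.`, and split the list one pattern per line so each future exemption is reviewed on its own. The `Production` class body continues outside the hunk.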