
[Brevo Mailer] Webhook IP Addresses have changed #61062


Merged
merged 1 commit into from
Jul 8, 2025


richardhj
Contributor

@richardhj richardhj commented Jul 7, 2025

| Q | A |
| --- | --- |
| Branch? | 6.4 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Issues | |
| License | MIT |

So first I recognized multiple RejectWebhookExceptions. Then I checked my access logs and realized that webhooks from Brevo can also come from the '172.246.240.1/20' IP range.

This is also documented here: https://help.brevo.com/hc/en-us/articles/15127404548498-Brevo-IP-ranges-List-of-publicly-exposed-services

This new IP range must have been added later this year; it wasn't there in January, for instance: https://web.archive.org/web/20250125161029/https://help.brevo.com/hc/en-us/articles/15127404548498-Brevo-IP-ranges-List-of-publicly-exposed-services

So this PR adds the new IP range for ingress webhook validation.

@carsonbot

Hey!

Thanks for your PR. You are targeting branch "6.4" but it seems your PR description refers to branch "6.4 for bug fix".
Could you update the PR description or change target branch? This helps core maintainers a lot.

Cheers!

Carsonbot

@fabpot
Member

fabpot commented Jul 8, 2025

Thank you @richardhj.

@fabpot fabpot merged commit 1299446 into symfony:6.4 Jul 8, 2025
11 checks passed
@@ -37,7 +37,7 @@ protected function getRequestMatcher(): RequestMatcherInterface
new IsJsonRequestMatcher(),
// https://developers.brevo.com/docs/how-to-use-webhooks#securing-your-webhooks
// localhost is added for testing
new IpsRequestMatcher(['185.107.232.1/24', '1.179.112.1/20', '127.0.0.1']),
new IpsRequestMatcher(['185.107.232.1/24', '1.179.112.1/20', '172.246.240.1/20', '127.0.0.1']),
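Review bot: The comment above the `IpsRequestMatcher` line still cites only the developers.brevo.com webhook page, while the new '172.246.240.1/20' entry comes from the Brevo IP ranges list linked in the PR description; add that link to the comment so each entry can be checked against the published list the next time a range changes. On the same line, '127.0.0.1' stays in the shipped allow-list "for testing", so any request the application attributes to loopback passes this IP check; consider supplying that entry from test configuration instead.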
Member


Is the 185.107.232.1/24 range still valid? I cannot find it in the linked document.

Contributor Author


You might be right and we can remove the first one. But I thought they might have legacy services running, so this was the most cautious approach.

Contributor Author


At least in my environment I don't find 185.107.xxx requests
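
An added example (not code from this PR or from Symfony) of the access-log check described in this thread: it tallies webhook POSTs per allow-listed range, which surfaces both sources outside the list and ranges that no longer see traffic. The log layout, the `/webhook/brevo` path and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Ranges from the merged matcher; strict=False accepts the host-bit notation used there.
ALLOWED = [ipaddress.ip_network(c, strict=False)
           for c in ("185.107.232.1/24", "1.179.112.1/20", "172.246.240.1/20")]

# Assumed log layout: client IP first, request line in quotes (common/combined format).
LINE_RE = re.compile(r'^(\S+) .*?"POST (\S+)')

def tally_webhook_sources(lines, path_prefix):
    """Count webhook POSTs per allow-listed range; collect sources outside all ranges."""
    per_range = Counter({str(n): 0 for n in ALLOWED})
    outside = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group(2).startswith(path_prefix):
            continue  # not a POST to the webhook endpoint
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or malformed client field
        net = next((n for n in ALLOWED if ip in n), None)
        if net is None:
            outside[str(ip)] += 1
        else:
            per_range[str(net)] += 1
    return dict(per_range), dict(outside)

# Constructed sample lines, not taken from any real log.
SAMPLE_LOG = [
    '1.179.112.40 - - [07/Jul/2025:10:00:01 +0000] "POST /webhook/brevo HTTP/1.1" 202 0',
    '172.246.251.9 - - [07/Jul/2025:10:00:05 +0000] "POST /webhook/brevo HTTP/1.1" 406 0',
    '172.247.0.3 - - [07/Jul/2025:10:00:09 +0000] "POST /webhook/brevo HTTP/1.1" 406 0',
    '1.179.127.255 - - [07/Jul/2025:10:01:00 +0000] "POST /webhook/brevo HTTP/1.1" 202 0',
    '203.0.113.7 - - [07/Jul/2025:10:02:00 +0000] "GET /webhook/brevo HTTP/1.1" 405 0',
]

if __name__ == "__main__":
    counts, unknown = tally_webhook_sources(SAMPLE_LOG, "/webhook/brevo")
    print("per range:", counts)
    print("outside allow-list:", unknown)
```

A range with a zero count over a long enough log window is a candidate for removal once the vendor's published list confirms it; an address in the second result should be checked against that list before any range is added.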
