Timestamp verification for Mailgun fails with large volumes for #93

Open
@wgriffioen

We use laravel-mailbox to receive lots of emails each day. For the past few weeks, we have been seeing more and more messages failing with a temporary error in Mailgun, and eventually some mail will fail definitively.

I've done some investigation and the problem is caused by the timestamp verification in the MailgunRequest. I've manually changed the time to ten minutes and all the messages are now arriving successfully.

There are two possible solutions to this issue:

  1. Increase the time after which a message is considered too old
  2. Drop the check for the freshness of a message

The documentation of Mailgun doesn't mention a check on the timestamp, so I would propose to remove the check of the freshness of the message.

Making it secure
There’s nothing to stop someone who knows our webhook URL from crafting false event data and sending it to the URL. Luckily, Mailgun signs each request sent and posts the following parameters as well:

  • timestamp (number of seconds passed since January 1, 1970)
  • token (randomly generated string with length 50)
  • signature (hexadecimal string generated by HMAC algorithm)

To verify the token, you need to:

  • Concatenate the values of timestamp and token.
  • Encode the resulting string with HMAC, using your Mailgun API key as the key and Sha256 as the algorithm.

I'd be happy to create a PR for either solution.
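
The verification steps quoted in the issue, with the freshness window made configurable instead of removed and the token remembered so a captured request cannot be resubmitted inside that window. This is an added example, not laravel-mailbox's own code; the function name, the in-memory token store and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not laravel-mailbox's MailgunRequest code.
// verifyMailgunWebhook(), $seenTokens and the sample values are assumptions;
// a real deployment would keep seen tokens in a shared cache with a TTL.
function verifyMailgunWebhook(
    string $timestamp,
    string $token,
    string $signature,
    string $key,
    array &$seenTokens,
    int $toleranceSeconds,
    int $now
): string {
    // 1. Signature: HMAC-SHA256 over timestamp . token, compared in constant time.
    $expected = hash_hmac('sha256', $timestamp . $token, $key);
    if (!hash_equals($expected, $signature)) {
        return 'bad-signature';
    }

    // 2. Freshness: checked after the signature, so the timestamp being
    //    judged is one that was actually signed.
    if (!ctype_digit($timestamp) || abs($now - (int) $timestamp) > $toleranceSeconds) {
        return 'stale';
    }

    // 3. Replay: each token is accepted once. The wider the tolerance,
    //    the longer tokens have to be remembered.
    if (isset($seenTokens[$token])) {
        return 'replayed';
    }
    $seenTokens[$token] = (int) $timestamp;

    return 'ok';
}

// Constructed sample values, not real Mailgun data.
$key   = 'example-key';
$ts    = '1700000000';
$token = str_repeat('a', 50);
$sig   = hash_hmac('sha256', $ts . $token, $key);
$seen  = [];

// Delivered five minutes late, judged against a short (15 s) window.
echo verifyMailgunWebhook($ts, $token, $sig, $key, $seen, 15, 1700000300), "\n";
// Same delivery against the ten-minute window from the issue.
echo verifyMailgunWebhook($ts, $token, $sig, $key, $seen, 600, 1700000300), "\n";
// Same request submitted again inside the window.
echo verifyMailgunWebhook($ts, $token, $sig, $key, $seen, 600, 1700000301), "\n";
// Timestamp rewritten to look fresh while the old signature is reused.
echo verifyMailgunWebhook('1700000290', $token, $sig, $key, $seen, 600, 1700000300), "\n";
```

If handling can fail after verification, record the token only once handling succeeds, so that a redelivery of the same request is not turned away.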
