I would like to propose a Mailgun config related feature request to improve security posture when working with an account-wide Mailgun api key, which is the default and only way of sending newsletters.
Some background: Mailgun account api keys provide read/write access to much of the Mailgun apis for every domain on the account, even when scoped to a developer role. This API key is easy to pull from the ghost admin input where it is masked. It would be ideal to have domain scoped keys, but as mentioned before those domain keys do not provide stats access, and it is very unlikely Mailgun will change their api to support this.
Given that constraint, is it possible to allow customizing the mailgun_base_url in the Mailgun API settings form in the Ghost Admin panel? Keep the existing US/EU section, but maybe an advanced section for custom url input.
I have confirmed the Ghost codebase already supports proxying to a custom domain.
My proof-of-concept Mailgun proxy does the following request pass through: myproxy.example.com/* -> api.mailgun.net/*.
The proxy request handler is then able to verify the domain in the Mailgun requests from Ghost, ex: /v*/{domain}/*, and verify my custom domain scoped key in the authorization header, api:my-custom-domain-key.
This change would allow people to define custom api-keys scoped to a domain to prevent exposing messages, or logs, or any other data outside of the custom domain - custom key mapping provisioned.
This requires zero changes to the existing code-base to work. To confirm this, I was able to switch the Ghost mail transport to my Mailgun proxy (http api for registration emails) and I am able to overwrite the settings via PUT /ghost/api/admin/settings/ that sets the mailgun_base_url.
Example use case 1: If an account key is ever compromised by a bad actor, or some future exploit, the blast radius is limited to a single domain if a proxy is used. (Mailgun does allow ip allow-listing, which sort of helps but not if the sending host is compromised).
Example use case 2: This would be incredibly handy for purchasing cooperatives/resellers/etc to be able to securely provide competitive pricing for their members and/or their customers, as Mailgun price per email decreases the more you send.
Also, I think this would be a great value for managed ghost providers. Please let me know if you have any questions, or would like the PoC code sample.
Thanks Ghost team!