From cf016caa91d27825277c0a64d5ad87413e962cc5 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Thu, 16 Apr 2020 09:43:14 +0200
Subject: [PATCH] Refuse disposable emails in can_be_used_as_personal_email()
---
 app/email_utils.py | 12 ++++++++++--
 tests/test_email_utils.py | 10 ++++++++++
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/app/email_utils.py b/app/email_utils.py
index 9a9209d4..7fa02a10 100644
--- a/app/email_utils.py
+++ b/app/email_utils.py
@@ -4,7 +4,7 @@ from email.message import Message
 from email.mime.base import MIMEBase
 from email.mime.multipart import MIMEMultipart
 from email.mime.text import MIMEText
-from email.utils import make_msgid, formatdate, parseaddr, formataddr
+from email.utils import make_msgid, formatdate, parseaddr
 from smtplib import SMTP
 from typing import Optional
@@ -23,6 +23,7 @@ from app.config import (
 SUPPORT_NAME,
 POSTFIX_SUBMISSION_TLS,
 MAX_NB_EMAIL_FREE_PLAN,
+ DISPOSABLE_EMAIL_DOMAINS,
 )
 from app.log import LOG
 from app.models import Mailbox, User
@@ -246,7 +247,7 @@ def get_email_domain_part(address):
 Get the domain part from email
 ab@cd.com -> cd.com
 """
- return address[address.find("@") + 1 :]
+ return address[address.find("@") + 1 :].strip().lower()
 def add_dkim_signature(msg: Message, email_domain: str):
@@ -320,6 +321,13 @@ def can_be_used_as_personal_email(email: str) -> bool:
 if CustomDomain.get_by(domain=domain, verified=True):
 return False
+ for d in DISPOSABLE_EMAIL_DOMAINS:
+ if domain == d:
+ return False
+ # subdomain
+ if domain.endswith("." + d):
+ return False
+
 return True
diff --git a/tests/test_email_utils.py b/tests/test_email_utils.py
index 16777ca7..08405e74 100644
--- a/tests/test_email_utils.py
+++ b/tests/test_email_utils.py
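Review bot: The changed return line of get_email_domain_part still cuts at the first `@` via `address.find("@")`, so an address containing more than one `@` yields a string that is not its real domain, and an address with no `@` comes back whole because `find` returns -1. The disposable-domain check added later in this patch presumably relies on this value, so a mis-parsed domain makes that check fail open. Splitting at the last separator is safer: `return address.rpartition("@")[2].strip().lower()`. The docstring still shows only `ab@cd.com -> cd.com`; it should state that the result is now stripped and lower-cased, because other callers (not visible in this hunk) will see the changed value. The function's `def` line and the opening of its docstring lie outside the hunk.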
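Review bot: The new loop in can_be_used_as_personal_email compares `domain` with each DISPOSABLE_EMAIL_DOMAINS entry verbatim, so it only works if every entry is already lower-case, stripped and non-empty. How app.config loads the list is not visible here. An entry with a capital letter or trailing whitespace would silently never match, which lets the disposable address through. I would normalise the entries where the list is loaded and record the contract above the loop, e.g. `# entries of DISPOSABLE_EMAIL_DOMAINS must be lower-case and stripped; domain is normalised by get_email_domain_part()`. As a style point, the two branches can be one test, `if domain == d or domain.endswith("." + d): return False`; the function begins outside the hunk.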
@@ -40,6 +40,16 @@ def test_can_be_used_as_personal_email(flask_client):
 db.session.commit()
 assert not can_be_used_as_personal_email("hey@ab.cd")
+ # disposable domain
+ assert not can_be_used_as_personal_email("abcd@10minutesmail.fr")
+ assert not can_be_used_as_personal_email("abcd@temp-mail.com")
+ # subdomain will not work
+ assert not can_be_used_as_personal_email("abcd@sub.temp-mail.com")
+ # valid domains should not be affected
+ assert can_be_used_as_personal_email("abcd@protonmail.com")
+ assert can_be_used_as_personal_email("abcd@gmail.com")
+ assert can_be_used_as_personal_email("abcd@example.com")
+
 def test_delete_header():
 msg = EmailMessage()
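Review bot: None of the added assertions exercises the `.strip().lower()` normalisation this commit adds to get_email_domain_part, so a regression there would make the disposable check case-sensitive again without any test failing. Add a mixed-case case such as `assert not can_be_used_as_personal_email("abcd@TEMP-MAIL.com")`, plus one asserting that a domain which merely ends in the same characters without a dot boundary is still accepted. The comment `# subdomain will not work` reads as if the check fails on subdomains; `# subdomains of a disposable domain are refused too` says what the assertion verifies. These cases assume the test configuration's DISPOSABLE_EMAIL_DOMAINS contains both domains, which is not visible here, and the test function starts outside the hunk.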