Skip to content

[Brevo Mailer] Webhook IP Addresses have changed #61062

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 8, 2025
Merged

[Brevo Mailer] Webhook IP Addresses have changed #61062

merged 1 commit into from
Jul 8, 2025
+1 −1

Conversation

richardhj
Copy link
Contributor

@richardhj richardhj commented Jul 7, 2025
edited
Loading

Q A
Branch? 6.4
Bug fix? yes
New feature? no
Deprecations? no
Issues
License MIT

So first I recognized multiple RejectWebhookExceptions. Then I checked my access logs and realized that webhook from Brevo can also come from the '172.246.240.1/20' IP range.

This is also documented here: https://help.brevo.com/hc/en-us/articles/15127404548498-Brevo-IP-ranges-List-of-publicly-exposed-services

This new IP range must have been added later this year, it hasn't been there in January, for instance: https://web.archive.org/web/20250125161029/https://help.brevo.com/hc/en-us/articles/15127404548498-Brevo-IP-ranges-List-of-publicly-exposed-services

So this PR adds the new IP range for ingress webhook validation.

@carsonbot carsonbot added this to the 6.4 milestone Jul 7, 2025
@carsonbot
Copy link

Hey!

Thanks for your PR. You are targeting branch "6.4" but it seems your PR description refers to branch "6.4 for bug fix".
Could you update the PR description or change target branch? This helps core maintainers a lot.

Cheers!

Carsonbot

@fabpot
Copy link
Member

fabpot commented Jul 8, 2025

Thank you @richardhj.

@fabpot fabpot merged commit 1299446 into symfony:6.4 Jul 8, 2025
11 checks passed
xabbuh
xabbuh reviewed Jul 8, 2025
View reviewed changes
src/Symfony/Component/Mailer/Bridge/Brevo/Webhook/BrevoRequestParser.php
@@ -37,7 +37,7 @@ protected function getRequestMatcher(): RequestMatcherInterface
new IsJsonRequestMatcher(),
// https://developers.brevo.com/docs/how-to-use-webhooks#securing-your-webhooks
// localhost is added for testing
new IpsRequestMatcher(['185.107.232.1/24', '1.179.112.1/20', '127.0.0.1']),
new IpsRequestMatcher(['185.107.232.1/24', '1.179.112.1/20', '172.246.240.1/20', '127.0.0.1']),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the 185.107.232.1/24 range still valid? I cannot find it in the linked document.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You might be right and we can remove the first one. But I thought they might have legacy services running, so this was the most cautious approach.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At least in my environment I don't find 185.107.xxx requests

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see #61223

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They did change the IP ranges in their documentation again which is at the time i write this message : 1.179.112.0/20 and 172.246.240.0/20

I did a PR for that #61223

Source : https://help.brevo.com/hc/en-us/articles/15127404548498-Brevo-IP-ranges-List-of-publicly-exposed-services

@kevinpapst
Copy link

Thanks @richardhj , started seeing a few requests from this new IP range this week.

Brevo should do better with communication, this change was not announced nor mailed to users.

@xabbuh xabbuh mentioned this pull request Jul 24, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xabbuh xabbuh xabbuh left review comments

@jarbey jarbey jarbey left review comments

@fabpot fabpot fabpot approved these changes

Assignees
No one assigned
Labels
Bug Status: Reviewed
Projects
None yet
Milestone
6.4
Development

Successfully merging this pull request may close these issues.
6 participants
@richardhj @carsonbot @fabpot @kevinpapst @xabbuh @jarbey
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy