Error 403 for Expense Mailbox

Joybird · June 10, 2025, 6:00pm

Version ie <v5.10.30>

v5.12.0

Environment <Docker/Shared Hosting/Zip/Other>

docker

Checklist

Can you replicate the issue on our v5 demo site https://demo.invoiceninja.com or Invoice Ninja?
Not Possible to test

Have you searched existing issues?
yes

Have you inspected the logs in storage/logs/laravel.log for any errors?
[ip stanatized] - - [10/Jun/2025:17:07:44 +0000] “POST /api/v1/mailgun_inbound_webhook HTTP/1.1” 403 57 “-” “Go-http-client/2.0” “35.212.98.13”

Describe the bug

Expense Inbox doesn’t work, I have mailgun forwarding and the requests are recieved, but it’s giving me error 403 in the logs.

Steps To Reproduce

Configure mailgun/invoiceninja according to

github.com/invoiceninja/invoiceninja

Feature: inbound email expenses & mindee ocr

v5-develop ← paulwer:feature-inbound-email-expenses

opened 07:04AM - 14 Dec 23 UTC

paulwer

+2882 -213

this PR is a draft for importing inbound emails as expenses. I would like to us…e this draft to may ask some questions and to develop this feature. - PostMark InboundWebhook Processing: https://postmarkapp.com/developer/webhooks/inbound-webhook - Mailgun https://documentation.mailgun.com/en/latest/quickstart-receiving.html - Brevo https://www.brevo.com/inbound-parsing/ waiting for: #9053 Any more providers to cover? Status (Tests): - [x] PostMark Inbound Webhook Processing - [X] Mailgun Inbound Webhook Processing - [x] Brevo Inbound Webhook Processing - [x] InboundMailEngine - [X] E-mail Format - [x] Global BlackList - [x] Sender Cache Blocking - [x] Total Inbound Count Blocking (Cache Expiration also tested) - [x] Unknown Reciepent Count Blocking (Cache Expiration also tested) - [x] Company Whitelist - [x] Company Blacklist - [x] Allow inbound by users - [X] Allow inbound by vendors - [X] Allow inbound by clients - [x] Allow inbound All - [X] HTML Body to File - [X] Expense Creation - [X] Vendor Matching - [x] System Logs for Blocked entities - [x] Company Entity - [x] Inbound Mailbox Endings - [x] Inbound Mailbox Unique Systemwide Check # Dev Environment [Webhook Relay on Localhost](https://docs.webhookrelay.com/short-examples/webhook-forwarding/receiving-webhooks-on-localhost) I have used webhook relay to simulate a internet contactable url to test the webhook behavior with each provider. # Documentation ## Company Configuration If you are starting with the IngresEngine, you should have to take a look at some major points. First of all the mailbox recieving the email has to be allowed, which can be configured at the company level. The IngresEngine can denie incomming emails, when the configuration and data related to your vendors allows it to. - **expense_mailbox_active** Enable Disable Mail Processing - **expense_mailbox** E-Mail of the recieving mailbox - **inbound_mailbox_allow_company_users** If true, all of your users of your own company are allowed to send in emails, which will not get blocked - **inbound_mailbox_allow_vendors** If true and the sender of an email matches the vendor inbound mailbox configuration it will not get blocked - **inbound_mailbox_allow_unknown** If true all mails will not get blocked - **inbound_mailbox_whitelist** a comma seperated list of additional domains or full emails, which should be allowed to send emails (even when expense_mailbox_allow_unknown is false) - **inbound_mailbox_blacklist** a comma seperated list of blocked domains or full emails, which should not be allowed to send emails (even when expense_mailbox_allow_unknown is true or the mail would be allowed by any other setting) ## Vendor Matching Incomming emails are beeing attempted to match against a vendor by checking the vendor contact emails. ## SetUp Inbound Providers ### SetUp Mailgun To ensure delivery, you have to configure all used mailgun regions with a recieving configuration using store & notify. 1. Create and setup your mailgun account 2. Prepare your DNS settings for inbound mail processing, by setting up necessary MX records 3. Create a recieving route using store and notify 3a. Go to Recieving Section and click on "Create Route" ![image](https://github.com/invoiceninja/invoiceninja/assets/52678724/5971433c-da1f-46d9-80a9-33d547880d9c) 3b. Create your route by selecting your mailbox configured in invoiceninja and add notify endpoint /api/v1/mailgun_inbound_webhook ![Unbenannt](https://github.com/invoiceninja/invoiceninja/assets/52678724/6136bd8e-66d3-468f-bddc-05ceb3a6b3c7) ### SetUp Brevo To ensure delivery you have to configure brevo inbound parsing according to: https://developers.brevo.com/docs/inbound-parse-webhooks 1. Create and setup your brevo account 2. Prepare your DNS settings for inbound mail processing, by setting up necessary MX records 3. Register the webhook via the brevo api to the following notify endpoint: /api/v1/brevo_inbound_webhook?token=brevo-api-token ### SetUp Postmark To ensure delivery you have to configure brevo inbound parsing according to: https://developers.brevo.com/docs/inbound-parse-webhooks // TODO ### SetUp with Own MailServer If you want to use your own mailbox, you have to eigher redirect the mail to a mailbox of one of the providers above or use a provider for inbound directly. We recommend to use one of these providers hosted on a subdomain f.ex. invoicing.xxx.com directly or to use the auto-generated mailbox of postmark when you are using redirect. ## SetUp Mindee OCR To parse a document IN can use OCR solutions like Mindee. Mindee offers to process documents and guess the contents using AI. Each account has 250 pages for free, which makes it very suiteable for small busineses using self-hosted.

Expected Behavior

Expense is created

Additional context

Screenshots

Logs

172.23.0.2 - - [10/Jun/2025:16:42:44 +0000] “POST /api/v1/mailgun_inbound_webhook HTTP/1.1” 403 57 “-” “Go-http-client/2.0” “35.212.1.149”
06/10/202509:46:36 AM

172.23.0.2 - - [10/Jun/2025:16:46:36 +0000] “POST /api/v1/mailgun_inbound_webhook HTTP/1.1” 403 57 “-” “Go-http-client/2.0” “35.212.134.215”

06/10/202509:52:44 AM

172.23.0.2 - - [10/Jun/2025:16:52:44 +0000] “POST /api/v1/mailgun_inbound_webhook HTTP/1.1” 403 57 “-” “Go-http-client/2.0” “35.212.98.13”

06/10/202509:56:37 AM

172.23.0.2 - - [10/Jun/2025:16:56:37 +0000] “POST /api/v1/mailgun_inbound_webhook HTTP/1.1” 403 57 “-” “Go-http-client/2.0” “35.212.198.12”

06/10/202509:56:39 AM

172.23.0.2 - - [10/Jun/2025:16:56:39 +0000] “POST /api/v1/mailgun_inbound_webhook HTTP/1.1” 403 57 “-” “Go-http-client/2.0” “35.212.124.33”

06/10/202510:02:35 AM

172.23.0.2 - - [10/Jun/2025:17:02:35 +0000] “POST /api/v1/mailgun_inbound_webhook HTTP/1.1” 403 57 “-” “Go-http-client/2.0” “35.212.1.149”

06/10/202510:06:19 AM

172.23.0.2 - - [10/Jun/2025:17:06:19 +0000] “POST /api/v1/mailgun_inbound_webhook HTTP/1.1” 403 57 “-” “Go-http-client/2.0” “35.212.152.199”

06/10/202510:06:39 AM

172.23.0.2 - - [10/Jun/2025:17:06:39 +0000] “POST /api/v1/mailgun_inbound_webhook HTTP/1.1” 403 57 “-” “Go-http-client/2.0” “35.212.46.96”

06/10/202510:07:44 AM

172.23.0.2 - - [10/Jun/2025:17:07:44 +0000] “POST /api/v1/mailgun_inbound_webhook HTTP/1.1” 403 57 “-” “Go-http-client/2.0” “35.212.98.13”

06/10/202510:11:37 AM

172.23.0.2 - - [10/Jun/2025:17:11:37 +0000] “POST /api/v1/mailgun_inbound_webhook HTTP/1.1” 403 57 “-” “Go-http-client/2.0” “35.212.198.12”

hillel · June 10, 2025, 6:10pm

Hi,

Maybe this info from ChatGPT will help?

You’re encountering a 403 Forbidden error when Mailgun tries to hit the /api/v1/mailgun_inbound_webhook endpoint on your Invoice Ninja installation. This typically indicates unauthorized access, most often due to missing or incorrect authentication.

Confirmed Setup

Invoice Ninja Version: v5.12.0
Deployed via: Docker
Mailgun forwarding works: Yes
Webhook endpoint hit: Yes
Error in response: HTTP 403

Root Cause

Invoice Ninja requires a secret token to authorize the Mailgun webhook request.

From the relevant pull request and source code, the /api/v1/mailgun_inbound_webhook endpoint checks for an X-Mailgun-Signature or custom token to validate the request.

If no valid token is passed or it doesn’t match, the system will return 403.

Fix Instructions

Set your webhook signing secret in .env:

Add a variable like:
```
MAILGUN_WEBHOOK_SECRET=mysecret
```
Restart Docker containers so .env changes take effect:
```
docker-compose down
docker-compose up -d
```
Update your Mailgun forwarding to use the secret token:

When setting up the webhook in Mailgun, you must ensure that either:
- The POST includes a custom header (e.g., X-Mailgun-Token: mysecret)
- Or, if you’re using Mailgun’s signing mechanism, ensure Invoice Ninja is checking X-Mailgun-Signature.
If Mailgun doesn’t support custom headers in webhooks, you might need to:
- Modify Invoice Ninja’s webhook handling code to skip token validation ( not recommended for production)
- Or proxy the Mailgun request through a small script that adds the required header/token

Alternative Debugging Tips

Double-check the IP whitelist (some apps reject unknown IPs).
Confirm the webhook is POSTing to the correct base URL, especially behind proxies or Docker.
Run php artisan route:list and check that the route /api/v1/mailgun_inbound_webhook is active and accessible.