refactor(auth): remove hardcoded MX denylist defaults

The MX-backend denylist is now entirely operator-supplied via
BLOCKED_EMAIL_MX_HOSTS. Sim is open source, so no specific mail backends are
named in the repo, the env example, or the tests — deployments configure their
own list out of band (e.g. via secrets). The no-MX hygiene check is unchanged;
with an empty denylist no backend is blocked.

Author: waleedlatif1

apps/sim/lib/core/config/env.ts

@@ -28,7 +28,7 @@ export const env = createEnv({
     ALLOWED_LOGIN_DOMAINS:                 z.string().optional(),                  // Comma-separated list of allowed email domains for login
     BLOCKED_SIGNUP_DOMAINS:                z.string().optional(),                  // Comma-separated list of email domains blocked from signing up (e.g., "gmail.com,yahoo.com")
     SIGNUP_MX_VALIDATION_ENABLED:          z.boolean().optional(),                 // Opt-in: validate the email's MX backend at signup (blocks no-MX domains and denylisted shared spam backends). Off by default; enable on hosted/abuse-targeted deployments.
-    BLOCKED_EMAIL_MX_HOSTS:                z.string().optional(),                  // Comma-separated MX-host substrings blocked from signing up; matches the domain's resolved MX backend (e.g., "215.im,gravityengine.cc"). Catches throwaway domains that share a mail backend. Merged with built-in defaults. Only used when SIGNUP_MX_VALIDATION_ENABLED is set.
+    BLOCKED_EMAIL_MX_HOSTS:                z.string().optional(),                  // Comma-separated MX-host substrings blocked from signing up; matched against the domain's resolved MX backend to catch throwaway domains that share a mail backend. No defaults — operators supply their own list. Only used when SIGNUP_MX_VALIDATION_ENABLED is set.
     TRUSTED_ORIGINS:                       z.string().optional(),                  // Comma-separated additional origins to trust for auth (e.g., "https://app.example.com,https://www.example.com"). Merged into Better Auth trustedOrigins.
     TURNSTILE_SECRET_KEY:                  z.string().min(1).optional(),           // Cloudflare Turnstile secret key for captcha verification
     SIGNUP_EMAIL_VALIDATION_ENABLED:       z.boolean().optional(),                 // Enable disposable email blocking via better-auth-harmony (55K+ domains)

apps/sim/lib/messaging/email/validation.server.test.ts

@@ -31,20 +31,29 @@ describe('validateSignupEmailMx', () => {
     envRef.BLOCKED_EMAIL_MX_HOSTS = undefined
   })
 
-  it('blocks the known shared spam backend 215.im', async () => {
-    mockResolveMx.mockResolvedValue(mx('smtp.215.im'))
-    const result = await validateSignupEmailMx('simuser_abc@lyi25swr.cn')
+  it('blocks a domain whose MX backend is on the configured denylist', async () => {
+    envRef.BLOCKED_EMAIL_MX_HOSTS = 'blocked-backend.example'
+    mockResolveMx.mockResolvedValue(mx('smtp.blocked-backend.example'))
+    const result = await validateSignupEmailMx('user@rotated-domain.test')
     expect(result.allowed).toBe(false)
     expect(result.reason).toBe('blocked_mx_backend')
   })
 
-  it('blocks gravityengine.cc backend', async () => {
-    mockResolveMx.mockResolvedValue(mx('email.gravityengine.cc'))
-    const result = await validateSignupEmailMx('x@acgfun.eu.org')
+  it('matches the denylist as a case-insensitive substring of the MX exchange', async () => {
+    envRef.BLOCKED_EMAIL_MX_HOSTS = 'Blocked-Backend.Example'
+    mockResolveMx.mockResolvedValue(mx('mx1.blocked-backend.example'))
+    const result = await validateSignupEmailMx('user@another-domain.test')
     expect(result.allowed).toBe(false)
     expect(result.reason).toBe('blocked_mx_backend')
   })
 
+  it('does not block any backend when the denylist is empty (no hardcoded defaults)', async () => {
+    envRef.BLOCKED_EMAIL_MX_HOSTS = undefined
+    mockResolveMx.mockResolvedValue(mx('smtp.blocked-backend.example'))
+    const result = await validateSignupEmailMx('user@rotated-domain.test')
+    expect(result.allowed).toBe(true)
+  })
+
   it('allows a legitimate domain (gmail)', async () => {
     mockResolveMx.mockResolvedValue(
       mx('gmail-smtp-in.l.google.com', 'alt1.gmail-smtp-in.l.google.com')
@@ -73,14 +82,6 @@ describe('validateSignupEmailMx', () => {
     expect(result.allowed).toBe(true)
   })
 
-  it('honors additional backends from BLOCKED_EMAIL_MX_HOSTS', async () => {
-    envRef.BLOCKED_EMAIL_MX_HOSTS = 'newbadhost.example'
-    mockResolveMx.mockResolvedValue(mx('mx1.newbadhost.example'))
-    const result = await validateSignupEmailMx('x@rotated-domain.top')
-    expect(result.allowed).toBe(false)
-    expect(result.reason).toBe('blocked_mx_backend')
-  })
-
   it('allows when the email has no domain (defers to other validation)', async () => {
     const result = await validateSignupEmailMx('not-an-email')
     expect(result.allowed).toBe(true)

apps/sim/lib/messaging/email/validation.server.ts

@@ -6,23 +6,23 @@ import { env } from '@/lib/core/config/env'
 
 const logger = createLogger('EmailValidationServer')
 
-/**
- * Mail backends abused by signup-spam botnets. The bots rotate throwaway
- * domains rapidly but funnel them through a small number of shared catch-all
- * mail providers, so the resolved MX host is a far more stable signal than the
- * domain itself. Matched as a case-insensitive substring against each MX
- * exchange. Extend at runtime via `BLOCKED_EMAIL_MX_HOSTS`.
- */
-const DEFAULT_BLOCKED_MX_HOSTS = ['215.im', 'gravityengine.cc'] as const
-
 const MX_LOOKUP_TIMEOUT_MS = 3000
 
+/**
+ * MX-host substrings to block, supplied at runtime via `BLOCKED_EMAIL_MX_HOSTS`.
+ *
+ * Signup-spam botnets rotate throwaway domains rapidly but funnel them through a
+ * small number of shared catch-all mail providers, so the resolved MX host is a
+ * far more stable signal than the domain itself. Each entry is matched as a
+ * case-insensitive substring against the domain's resolved MX exchanges. No
+ * hosts are hardcoded — operators configure their own denylist out of band.
+ */
 function getBlockedMxHosts(): string[] {
-  const extra =
+  return (
     env.BLOCKED_EMAIL_MX_HOSTS?.split(',')
       .map((h) => h.trim().toLowerCase())
       .filter(Boolean) ?? []
-  return [...DEFAULT_BLOCKED_MX_HOSTS, ...extra]
+  )
 }
 
 export interface SignupEmailCheck {