From 3b3defe27192f071f850378cd8e9e55ec6e06e2f Mon Sep 17 00:00:00 2001
From: Adam Cooke <adam@krystal.io>
Date: Wed, 3 Jun 2026 15:52:46 +0100
Subject: [PATCH] doc: update config with new allowed request destinations
 option

---
 doc/config/environment-variables.md | 1 +
 doc/config/yaml.yml                 | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/doc/config/environment-variables.md b/doc/config/environment-variables.md
index 940424e..56fc70a 100644
--- a/doc/config/environment-variables.md
+++ b/doc/config/environment-variables.md
@@ -18,6 +18,7 @@ This document contains all the environment variables which are available for thi
 | `POSTAL_SIGNING_KEY_PATH` | String | Path to the private key used for signing | $config-file-root/signing.key |
 | `POSTAL_SMTP_RELAYS` | Array of strings | An array of SMTP relays in the format of smtp://host:port | [] |
 | `POSTAL_TRUSTED_PROXIES` | Array of strings | An array of IP addresses to trust for proxying requests to Postal (in addition to localhost addresses) | [] |
+| `POSTAL_ALLOWED_REQUEST_DESTINATIONS` | Array of strings | Hostnames or IP/CIDR ranges that outbound webhook and HTTP endpoint requests are permitted to reach even when they resolve to a private, loopback, link-local or otherwise reserved address. All other such destinations are blocked to prevent SSRF. | [] |
 | `POSTAL_QUEUED_MESSAGE_LOCK_STALE_DAYS` | Integer | The number of days after which to consider a lock as stale. Messages with stale locks will be removed and not retried. | 1 |
 | `POSTAL_BATCH_QUEUED_MESSAGES` | Boolean | When enabled queued messages will be de-queued in batches based on their destination | true |
 | `WEB_SERVER_DEFAULT_PORT` | Integer | The default port the web server should listen on unless overriden by the PORT environment variable | 5000 |
diff --git a/doc/config/yaml.yml b/doc/config/yaml.yml
index f3a735a..4e0406d 100644
--- a/doc/config/yaml.yml
+++ b/doc/config/yaml.yml
@@ -29,6 +29,8 @@ postal:
   smtp_relays: []
   # An array of IP addresses to trust for proxying requests to Postal (in addition to localhost addresses)
   trusted_proxies: []
+  # Hostnames or IP/CIDR ranges that outbound webhook and HTTP endpoint requests are permitted to reach even when they resolve to a private, loopback, link-local or otherwise reserved address. All other such destinations are blocked to prevent SSRF.
+  allowed_request_destinations: []
   # The number of days after which to consider a lock as stale. Messages with stale locks will be removed and not retried.
   queued_message_lock_stale_days: 1
   # When enabled queued messages will be de-queued in batches based on their destination