diff --git a/.gitea/release-template.md b/.gitea/release-template.md
index a72bb69..e1f4596 100644
--- a/.gitea/release-template.md
+++ b/.gitea/release-template.md
@@ -6,7 +6,7 @@ Pre-compiled binaries for multiple platforms.
#### Option 1: Via npm (recommended)
```bash
-npm install -g @serve.zone/mailer
+npm install -g @push.rocks/smartmta
```
#### Option 2: Direct binary download
diff --git a/changelog.md b/changelog.md
index 6c52916..7be976c 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,15 @@
# Changelog
+## 2026-02-10 - 2.0.0 - BREAKING CHANGE(smartmta)
+Rebrand package to @push.rocks/smartmta, add consolidated email security verification and IPC handler
+
+- Package renamed from @serve.zone/mailer to @push.rocks/smartmta (package.json, commitinfo, README and homepage/bugs/repository URLs updated) β breaking for consumers who import by package name.
+- Added new compound email security API verify_email_security that runs DKIM, SPF and DMARC in a single call (rust/crates/mailer-security/src/verify.rs) and exposed it from the mailer-security crate.
+- Added IPC handler "verifyEmail" in mailer-bin to call the new verify_email_security function from the Rust side.
+- Refactored DKIM and SPF code to convert mail-auth outputs to serializable results (dkim_outputs_to_results and SpfResult::from_output) and wired them into the combined verifier.
+- Updated TypeScript plugin exports and dependencies: added @push.rocks/smartrust and exported smartrust in ts/plugins.ts.
+- Large README overhaul to reflect rebranding, install instructions, architecture and legal/company info.
+
## 2026-02-10 - 1.3.1 - fix(deps)
add workspace dependency entries for multiple crates across mailer-bin, mailer-core, and mailer-security
diff --git a/dist_ts/00_commitinfo_data.js b/dist_ts/00_commitinfo_data.js
index 535583e..18498c9 100644
--- a/dist_ts/00_commitinfo_data.js
+++ b/dist_ts/00_commitinfo_data.js
@@ -2,8 +2,8 @@
* autocreated commitinfo by @push.rocks/commitinfo
*/
export const commitinfo = {
- name: '@serve.zone/mailer',
- version: '1.3.0',
- description: 'Enterprise mail server with SMTP, HTTP API, and DNS management - built for serve.zone infrastructure'
+ name: '@push.rocks/smartmta',
+ version: '1.3.1',
+ description: 'A high-performance, enterprise-grade Mail Transfer Agent (MTA) built from scratch in TypeScript with Rust acceleration.'
};
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiMDBfY29tbWl0aW5mb19kYXRhLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vdHMvMDBfY29tbWl0aW5mb19kYXRhLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOztHQUVHO0FBQ0gsTUFBTSxDQUFDLE1BQU0sVUFBVSxHQUFHO0lBQ3hCLElBQUksRUFBRSxvQkFBb0I7SUFDMUIsT0FBTyxFQUFFLE9BQU87SUFDaEIsV0FBVyxFQUFFLHNHQUFzRztDQUNwSCxDQUFBIn0=
\ No newline at end of file
diff --git a/package.json b/package.json
index f4fac85..abcd3af 100644
--- a/package.json
+++ b/package.json
@@ -1,30 +1,30 @@
{
- "name": "@serve.zone/mailer",
+ "name": "@push.rocks/smartmta",
"version": "1.3.1",
- "description": "Enterprise mail server with SMTP, HTTP API, and DNS management - built for serve.zone infrastructure",
+ "description": "A high-performance, enterprise-grade Mail Transfer Agent (MTA) built from scratch in TypeScript with Rust acceleration.",
"keywords": [
- "mailer",
+ "mta",
"smtp",
"email",
"mail server",
- "mailgun",
+ "mail transfer agent",
"dkim",
"spf",
+ "dmarc",
"dns",
"cloudflare",
- "daemon service",
- "api",
- "serve.zone"
+ "typescript",
+ "rust"
],
- "homepage": "https://code.foss.global/serve.zone/mailer",
+ "homepage": "https://code.foss.global/push.rocks/smartmta",
"bugs": {
- "url": "https://code.foss.global/serve.zone/mailer/issues"
+ "url": "https://code.foss.global/push.rocks/smartmta/issues"
},
"repository": {
"type": "git",
- "url": "git+https://code.foss.global/serve.zone/mailer.git"
+ "url": "git+https://code.foss.global/push.rocks/smartmta.git"
},
- "author": "Serve Zone",
+ "author": "Task Venture Capital GmbH",
"license": "MIT",
"type": "module",
"bin": {
@@ -66,6 +66,7 @@
"@push.rocks/smartproxy": "^23.1.0",
"@push.rocks/smartrequest": "^5.0.1",
"@push.rocks/smartrule": "^2.0.1",
+ "@push.rocks/smartrust": "^1.1.1",
"@push.rocks/smartrx": "^3.0.10",
"@push.rocks/smartunique": "^3.0.9",
"@serve.zone/interfaces": "^5.0.4",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 3b81ca4..9ad0b7c 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -74,6 +74,9 @@ importers:
'@push.rocks/smartrule':
specifier: ^2.0.1
version: 2.0.1
+ '@push.rocks/smartrust':
+ specifier: ^1.1.1
+ version: 1.1.1
'@push.rocks/smartrx':
specifier: ^3.0.10
version: 3.0.10
diff --git a/readme.md b/readme.md
index ebda83e..e58858c 100644
--- a/readme.md
+++ b/readme.md
@@ -1,361 +1,479 @@
-# @serve.zone/mailer
+# @push.rocks/smartmta
-> Enterprise mail server with SMTP, HTTP API, and DNS management
+A high-performance, enterprise-grade Mail Transfer Agent (MTA) built from scratch in TypeScript with Rust acceleration β no nodemailer, no shortcuts. π
-[](license)
-[](package.json)
+## Issue Reporting and Security
+
+For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
+
+## Install
+
+```bash
+pnpm install @push.rocks/smartmta
+# or
+npm install @push.rocks/smartmta
+```
## Overview
-`@serve.zone/mailer` is a comprehensive mail server solution built with Deno, featuring:
+`@push.rocks/smartmta` is a **complete mail server solution** β SMTP server, SMTP client, email security, content scanning, and delivery management β all built with a custom SMTP implementation. No wrappers around nodemailer. No half-measures.
-- **SMTP Server & Client** - Full-featured SMTP implementation for sending and receiving emails
-- **HTTP REST API** - Mailgun-compatible API for programmatic email management
-- **DNS Management** - Automatic DNS setup via Cloudflare API
-- **DKIM/SPF/DMARC** - Complete email authentication and security
-- **Daemon Service** - Systemd integration for production deployments
-- **CLI Interface** - Command-line management of all features
+### β¨ What's Inside
-## Architecture
+| Module | What It Does |
+|---|---|
+| **SMTP Server** | RFC 5321-compliant server with TLS/STARTTLS, authentication, pipelining |
+| **SMTP Client** | Outbound delivery with connection pooling, retry logic, TLS negotiation |
+| **DKIM** | Key generation, signing, and verification β per domain |
+| **SPF** | Full SPF record validation |
+| **DMARC** | Policy enforcement and verification |
+| **Email Router** | Pattern-based routing with priority, forward/deliver/reject/process actions |
+| **Bounce Manager** | Automatic bounce detection, classification (hard/soft), and tracking |
+| **Content Scanner** | Spam, phishing, malware, XSS, and suspicious link detection |
+| **IP Reputation** | DNSBL checks, proxy/TOR/VPN detection, risk scoring |
+| **Rate Limiter** | Hierarchical rate limiting (global, per-domain, per-sender) |
+| **Delivery Queue** | Persistent queue with exponential backoff retry |
+| **Template Engine** | Email templates with variable substitution |
+| **Domain Registry** | Multi-domain management with per-domain configuration |
+| **DNS Manager** | Automatic DNS record management with Cloudflare API integration |
+| **Rust Accelerator** | Performance-critical operations (DKIM, MIME, validation) in Rust via IPC |
-### Technology Stack
-
-- **Runtime**: Deno (compiles to standalone binaries)
-- **Language**: TypeScript
-- **Distribution**: npm (via binary wrappers)
-- **Service**: systemd daemon
-- **DNS**: Cloudflare API integration
-
-### Project Structure
+### ποΈ Architecture
```
-mailer/
-βββ bin/ # npm binary wrappers
-βββ scripts/ # Build scripts
-βββ ts/ # TypeScript source
-β βββ mail/ # Email implementation (ported from dcrouter)
-β β βββ core/ # Email classes, validation, templates
-β β βββ delivery/ # SMTP client/server, queues
-β β βββ routing/ # Email routing, domain config
-β β βββ security/ # DKIM, SPF, DMARC
-β βββ api/ # HTTP REST API (Mailgun-compatible)
-β βββ dns/ # DNS management + Cloudflare
-β βββ daemon/ # Systemd service management
-β βββ config/ # Configuration system
-β βββ cli/ # Command-line interface
-βββ test/ # Test suite
-βββ deno.json # Deno configuration
-βββ package.json # npm metadata
-βββ mod.ts # Main entry point
-```
-
-## Installation
-
-### Via npm (recommended)
-
-```bash
-npm install -g @serve.zone/mailer
-```
-
-### From source
-
-```bash
-git clone https://code.foss.global/serve.zone/mailer
-cd mailer
-deno task compile
+βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
+β UnifiedEmailServer β
+β (orchestrates all components, emits events) β
+ββββββββββββ¬βββββββββββ¬ββββββββββββ¬ββββββββββββββββββββ€
+β SMTP β Email β Security β Delivery β
+β Server β Router β Stack β System β
+β βββββββ β βββββββ β ββββββββ β βββββββββββββββ β
+β β TLS β β βMatchβ β β DKIM β β β Queue β β
+β β Authβ β βRouteβ β β SPF β β β Rate Limit β β
+β β Cmd β β β Act β β βDMARC β β β SMTP Client β β
+β β Dataβ β β β β βIPRep β β β Retry Logic β β
+β βββββββ β βββββββ β βScan β β βββββββββββββββ β
+β β β ββββββββ β β
+ββββββββββββ΄βββββββββββ΄ββββββββββββ΄ββββββββββββββββββββ€
+β Rust Acceleration Layer β
+β (mailer-core, mailer-security via smartrust IPC) β
+βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
```
## Usage
-### CLI Commands
+### π§ Setting Up the Email Server
-#### Service Management
-
-```bash
-# Start the mailer daemon
-sudo mailer service start
-
-# Stop the daemon
-sudo mailer service stop
-
-# Restart the daemon
-sudo mailer service restart
-
-# Check status
-mailer service status
-
-# Enable systemd service
-sudo mailer service enable
-
-# Disable systemd service
-sudo mailer service disable
-```
-
-#### Domain Management
-
-```bash
-# Add a domain
-mailer domain add example.com
-
-# Remove a domain
-mailer domain remove example.com
-
-# List all domains
-mailer domain list
-```
-
-#### DNS Management
-
-```bash
-# Auto-configure DNS via Cloudflare
-mailer dns setup example.com
-
-# Validate DNS configuration
-mailer dns validate example.com
-
-# Show required DNS records
-mailer dns show example.com
-```
-
-#### Sending Email
-
-```bash
-# Send email via CLI
-mailer send \\
- --from sender@example.com \\
- --to recipient@example.com \\
- --subject "Hello" \\
- --text "World"
-```
-
-#### Configuration
-
-```bash
-# Show current configuration
-mailer config show
-
-# Set configuration value
-mailer config set smtpPort 25
-mailer config set apiPort 8080
-mailer config set hostname mail.example.com
-```
-
-### HTTP API
-
-The mailer provides a Mailgun-compatible REST API:
-
-#### Send Email
-
-```bash
-POST /v1/messages
-Content-Type: application/json
-
-{
- "from": "sender@example.com",
- "to": "recipient@example.com",
- "subject": "Hello",
- "text": "World",
- "html": "World
"
-}
-```
-
-#### List Domains
-
-```bash
-GET /v1/domains
-```
-
-#### Manage SMTP Credentials
-
-```bash
-GET /v1/domains/:domain/credentials
-POST /v1/domains/:domain/credentials
-DELETE /v1/domains/:domain/credentials/:id
-```
-
-#### Email Events
-
-```bash
-GET /v1/events
-```
-
-### Programmatic Usage
+The central entry point is `UnifiedEmailServer`, which orchestrates SMTP, routing, security, and delivery:
```typescript
-import { Email, SmtpClient } from '@serve.zone/mailer';
+import { UnifiedEmailServer } from '@push.rocks/smartmta';
-// Create an email
-const email = new Email({
- from: 'sender@example.com',
- to: 'recipient@example.com',
- subject: 'Hello from Mailer',
- text: 'This is a test email',
- html: 'This is a test email
',
+const emailServer = new UnifiedEmailServer(dcRouterRef, {
+ ports: [25, 587, 465],
+ hostname: 'mail.example.com',
+ domains: [
+ {
+ domain: 'example.com',
+ dnsMode: 'external-dns',
+ dkim: {
+ selector: 'default',
+ keySize: 2048,
+ rotateKeys: true,
+ rotationInterval: 90,
+ },
+ rateLimits: {
+ maxMessagesPerMinute: 100,
+ maxRecipientsPerMessage: 50,
+ },
+ },
+ ],
+ routes: [
+ {
+ name: 'catch-all-forward',
+ priority: 10,
+ match: {
+ recipients: '*@example.com',
+ },
+ action: {
+ type: 'forward',
+ forward: {
+ host: 'internal-mail.example.com',
+ port: 25,
+ },
+ },
+ },
+ {
+ name: 'reject-spam-senders',
+ priority: 100,
+ match: {
+ senders: '*@spamdomain.com',
+ },
+ action: {
+ type: 'reject',
+ reject: {
+ code: 550,
+ message: 'Sender rejected by policy',
+ },
+ },
+ },
+ ],
+ auth: {
+ required: false,
+ methods: ['PLAIN', 'LOGIN'],
+ users: [{ username: 'outbound', password: 'secret' }],
+ },
+ tls: {
+ certPath: '/etc/ssl/mail.crt',
+ keyPath: '/etc/ssl/mail.key',
+ },
+ maxMessageSize: 25 * 1024 * 1024, // 25 MB
+ maxClients: 500,
});
-// Send via SMTP
-const client = new SmtpClient({
+await emailServer.start();
+```
+
+### π§ Sending Emails with the SMTP Client
+
+Create and send emails using the built-in SMTP client with connection pooling:
+
+```typescript
+import { Email, createSmtpClient } from '@push.rocks/smartmta';
+
+// Create a client with connection pooling
+const client = createSmtpClient({
host: 'smtp.example.com',
port: 587,
- secure: true,
+ secure: false, // will upgrade via STARTTLS
+ pool: true,
+ maxConnections: 5,
auth: {
- user: 'username',
- pass: 'password',
+ user: 'sender@example.com',
+ pass: 'your-password',
},
});
-await client.sendMail(email);
-```
-
-## Configuration
-
-Configuration is stored in `~/.mailer/config.json`:
-
-```json
-{
- "domains": [
+// Build an email
+const email = new Email({
+ from: 'sender@example.com',
+ to: ['recipient@example.com'],
+ cc: ['cc@example.com'],
+ subject: 'Hello from smartmta!',
+ text: 'Plain text body',
+ html: 'Hello!
HTML body with formatting
',
+ priority: 'high',
+ attachments: [
{
- "domain": "example.com",
- "dnsMode": "external-dns",
- "cloudflare": {
- "apiToken": "your-cloudflare-token"
- }
- }
+ filename: 'report.pdf',
+ content: pdfBuffer,
+ contentType: 'application/pdf',
+ },
],
- "apiKeys": ["api-key-1", "api-key-2"],
- "smtpPort": 25,
- "apiPort": 8080,
- "hostname": "mail.example.com"
-}
+});
+
+// Send it
+const result = await client.sendMail(email);
+console.log(`Message sent: ${result.messageId}`);
```
-## DNS Setup
+### π DKIM Signing
-The mailer requires the following DNS records for each domain:
+Automatic DKIM key generation, storage, and signing per domain:
-### MX Record
-```
-Type: MX
-Name: @
-Value: mail.example.com
-Priority: 10
-TTL: 3600
+```typescript
+import { DKIMCreator } from '@push.rocks/smartmta';
+
+const dkimCreator = new DKIMCreator('/path/to/keys');
+
+// Auto-generate keys if they don't exist
+await dkimCreator.handleDKIMKeysForDomain('example.com');
+
+// Get the DNS record you need to publish
+const dnsRecord = await dkimCreator.getDNSRecordForDomain('example.com');
+console.log(dnsRecord);
+// β { type: 'TXT', name: 'default._domainkey.example.com', value: 'v=DKIM1; k=rsa; p=...' }
+
+// Sign an email
+const signedEmail = await dkimCreator.signEmail(email);
```
-### A Record
-```
-Type: A
-Name: mail
-Value:
-TTL: 3600
+### π‘οΈ Email Authentication (SPF, DKIM, DMARC)
+
+Verify incoming emails against all three authentication standards:
+
+```typescript
+import { DKIMVerifier, SpfVerifier, DmarcVerifier } from '@push.rocks/smartmta';
+
+// SPF verification
+const spfVerifier = new SpfVerifier();
+const spfResult = await spfVerifier.verify(senderIP, senderDomain, ehloHostname);
+// β { result: 'pass' | 'fail' | 'softfail' | 'neutral' | 'none' | 'temperror' | 'permerror' }
+
+// DKIM verification
+const dkimVerifier = new DKIMVerifier();
+const dkimResult = await dkimVerifier.verify(rawEmailContent);
+
+// DMARC verification
+const dmarcVerifier = new DmarcVerifier();
+const dmarcResult = await dmarcVerifier.verify(fromDomain, spfResult, dkimResult);
```
-### SPF Record
-```
-Type: TXT
-Name: @
-Value: v=spf1 mx ip4: ~all
-TTL: 3600
+### π Email Routing
+
+Pattern-based routing engine with priority ordering and flexible match criteria:
+
+```typescript
+import { EmailRouter } from '@push.rocks/smartmta';
+
+const router = new EmailRouter([
+ {
+ name: 'admin-mail',
+ priority: 100,
+ match: {
+ recipients: 'admin@example.com',
+ authenticated: true,
+ },
+ action: {
+ type: 'deliver',
+ },
+ },
+ {
+ name: 'external-forward',
+ priority: 50,
+ match: {
+ recipients: '*@example.com',
+ sizeRange: { max: 10 * 1024 * 1024 }, // under 10MB
+ },
+ action: {
+ type: 'forward',
+ forward: {
+ host: 'backend-mail.internal',
+ port: 25,
+ preserveHeaders: true,
+ },
+ },
+ },
+ {
+ name: 'process-with-scanning',
+ priority: 10,
+ match: {
+ recipients: '*@*',
+ },
+ action: {
+ type: 'process',
+ process: {
+ scan: true,
+ dkim: true,
+ queue: 'normal',
+ },
+ },
+ },
+]);
+
+// Routes are evaluated by priority (highest first)
+const matchedRoute = router.route(email, context);
```
-### DKIM Record
-```
-Type: TXT
-Name: default._domainkey
-Value:
-TTL: 3600
+### π΅οΈ Content Scanning
+
+Built-in content scanner for detecting spam, phishing, malware, and other threats:
+
+```typescript
+import { ContentScanner } from '@push.rocks/smartmta';
+
+const scanner = new ContentScanner({
+ scanSubject: true,
+ scanBody: true,
+ scanAttachments: true,
+ blockExecutables: true,
+ blockMacros: true,
+ minThreatScore: 30,
+ highThreatScore: 70,
+ customRules: [
+ {
+ pattern: /bitcoin.*wallet/i,
+ type: 'scam',
+ score: 80,
+ description: 'Cryptocurrency scam pattern',
+ },
+ ],
+});
+
+const result = await scanner.scan(email);
+// β { isClean: false, threatScore: 85, threatType: 'phishing', scannedElements: [...] }
```
-### DMARC Record
-```
-Type: TXT
-Name: _dmarc
-Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
-TTL: 3600
+### π IP Reputation Checking
+
+Check sender IP addresses against DNSBL blacklists and classify IP types:
+
+```typescript
+import { IPReputationChecker } from '@push.rocks/smartmta';
+
+const ipChecker = new IPReputationChecker({
+ enableDNSBL: true,
+ dnsblServers: ['zen.spamhaus.org', 'bl.spamcop.net'],
+ cacheTTL: 24 * 60 * 60 * 1000, // 24 hours
+});
+
+const reputation = await ipChecker.checkReputation('192.168.1.1');
+// β { score: 85, isSpam: false, isProxy: false, isTor: false, blacklists: [] }
```
-Use `mailer dns setup ` to automatically configure these via Cloudflare.
+### β±οΈ Rate Limiting
-## Development
+Hierarchical rate limiting to protect your server and maintain deliverability:
-### Prerequisites
+```typescript
+import { UnifiedRateLimiter } from '@push.rocks/smartmta';
-- Deno 1.40+
-- Node.js 14+ (for npm distribution)
-
-### Build
-
-```bash
-# Compile for all platforms
-deno task compile
-
-# Run in development mode
-deno task dev
-
-# Run tests
-deno task test
-
-# Format code
-deno task fmt
-
-# Lint code
-deno task lint
+const rateLimiter = new UnifiedRateLimiter({
+ global: {
+ maxPerMinute: 1000,
+ maxPerHour: 10000,
+ },
+ perDomain: {
+ 'example.com': {
+ maxPerMinute: 100,
+ maxPerHour: 1000,
+ },
+ },
+ perSender: {
+ maxPerMinute: 20,
+ maxPerHour: 200,
+ },
+});
```
-### Ported Components
+### π¬ Bounce Management
-The mail implementation is ported from [dcrouter](https://code.foss.global/serve.zone/dcrouter) and adapted for Deno:
+Automatic bounce detection, classification, and tracking:
-- β
Email core (Email, EmailValidator, BounceManager, TemplateManager)
-- β
SMTP Server (with TLS support)
-- β
SMTP Client (with connection pooling)
-- β
Email routing and domain management
-- β
DKIM signing and verification
-- β
SPF and DMARC validation
-- β
Delivery queues and rate limiting
+```typescript
+import { BounceManager } from '@push.rocks/smartmta';
-## Roadmap
+const bounceManager = new BounceManager();
-### Phase 1 - Core Functionality (Current)
-- [x] Project structure and build system
-- [x] Port mail implementation from dcrouter
-- [x] CLI interface
-- [x] Configuration management
-- [x] DNS management basics
-- [ ] Cloudflare DNS integration
-- [ ] HTTP REST API implementation
-- [ ] Systemd service integration
+// Process an SMTP failure
+const bounce = await bounceManager.processSmtpFailure(
+ 'recipient@example.com',
+ '550 5.1.1 User unknown',
+ { originalEmailId: 'msg-123' }
+);
+// β { bounceType: 'invalid_recipient', bounceCategory: 'hard', ... }
-### Phase 2 - Production Ready
-- [ ] Comprehensive testing
-- [ ] Documentation
-- [ ] Performance optimization
-- [ ] Security hardening
-- [ ] Monitoring and logging
+// Check if an address is known to bounce
+const shouldSuppress = bounceManager.shouldSuppressDelivery('recipient@example.com');
+```
-### Phase 3 - Advanced Features
-- [ ] Webhook support
-- [ ] Email templates
-- [ ] Analytics and reporting
-- [ ] Multi-tenancy
-- [ ] Load balancing
+### π Email Templates
-## License
+Template engine with variable substitution for transactional and notification emails:
-MIT Β© Serve Zone
+```typescript
+import { TemplateManager } from '@push.rocks/smartmta';
-## Contributing
+const templates = new TemplateManager({
+ from: 'noreply@example.com',
+ footerHtml: 'Β© 2026 Example Corp
',
+});
-Contributions are welcome! Please see our [contributing guidelines](https://code.foss.global/serve.zone/mailer/contributing).
+// Register a template
+templates.registerTemplate({
+ id: 'welcome',
+ name: 'Welcome Email',
+ description: 'Sent to new users',
+ from: 'welcome@example.com',
+ subject: 'Welcome, {{name}}!',
+ bodyHtml: 'Welcome, {{name}}!
Your account is ready.
',
+ bodyText: 'Welcome, {{name}}! Your account is ready.',
+ category: 'transactional',
+});
-## Support
+// Render and send
+const email = templates.renderTemplate('welcome', {
+ to: 'newuser@example.com',
+ variables: { name: 'Alice' },
+});
+```
-- Documentation: https://code.foss.global/serve.zone/mailer
-- Issues: https://code.foss.global/serve.zone/mailer/issues
-- Email: support@serve.zone
+### π DNS Management with Cloudflare
-## Acknowledgments
+Automatic DNS record setup for MX, SPF, DKIM, and DMARC via the Cloudflare API:
-- Mail implementation ported from [dcrouter](https://code.foss.global/serve.zone/dcrouter)
-- Inspired by [Mailgun](https://www.mailgun.com/) API design
-- Built with [Deno](https://deno.land/)
+```typescript
+import { DnsManager } from '@push.rocks/smartmta';
+
+const dnsManager = new DnsManager({
+ domains: [
+ {
+ domain: 'example.com',
+ dnsMode: 'external-dns', // managed via Cloudflare API
+ },
+ ],
+});
+
+// Auto-configure all required DNS records
+await dnsManager.setupDnsForDomain('example.com', {
+ serverIp: '203.0.113.10',
+ mxHostname: 'mail.example.com',
+});
+```
+
+## π¦ Rust Acceleration
+
+Performance-critical operations are implemented in Rust and communicate with the TypeScript runtime via `@push.rocks/smartrust` (JSON-over-stdin/stdout IPC):
+
+- **mailer-core**: Email type validation, MIME building, bounce detection
+- **mailer-security**: DKIM signing/verification, SPF checks, DMARC policy, IP reputation/DNSBL
+
+The Rust workspace is at `rust/` with five crates:
+
+| Crate | Status | Purpose |
+|---|---|---|
+| `mailer-core` | β
Complete | Email types, validation, MIME, bounce detection |
+| `mailer-security` | β
Complete | DKIM, SPF, DMARC, IP reputation |
+| `mailer-bin` | β
Complete | CLI + smartrust IPC bridge |
+| `mailer-smtp` | π Phase 2 | SMTP protocol in Rust |
+| `mailer-napi` | π Phase 2 | Native Node.js addon |
+
+## Project Structure
+
+```
+smartmta/
+βββ ts/ # TypeScript source
+β βββ mail/
+β β βββ core/ # Email, EmailValidator, BounceManager, TemplateManager
+β β βββ delivery/ # DeliverySystem, Queue, RateLimiter
+β β β βββ smtpclient/ # SMTP client with connection pooling
+β β β βββ smtpserver/ # SMTP server with TLS, auth, pipelining
+β β βββ routing/ # UnifiedEmailServer, EmailRouter, DomainRegistry, DnsManager
+β β βββ security/ # DKIMCreator, DKIMVerifier, SpfVerifier, DmarcVerifier
+β βββ security/ # ContentScanner, IPReputationChecker, SecurityLogger
+βββ rust/ # Rust workspace
+β βββ crates/ # mailer-core, mailer-security, mailer-bin, mailer-smtp, mailer-napi
+βββ test/ # Comprehensive test suite (RFC compliance, security, performance, edge cases)
+βββ dist_ts/ # Compiled output
+```
+
+## License and Legal Information
+
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file.
+
+**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
+
+### Trademarks
+
+This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
+
+Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
+
+### Company Information
+
+Task Venture Capital GmbH
+Registered at District Court Bremen HRB 35230 HB, Germany
+
+For any legal inquiries or further information, please contact us via email at hello@task.vc.
+
+By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.
diff --git a/rust/crates/mailer-bin/src/main.rs b/rust/crates/mailer-bin/src/main.rs
index ecbc825..ee44fe2 100644
--- a/rust/crates/mailer-bin/src/main.rs
+++ b/rust/crates/mailer-bin/src/main.rs
@@ -491,6 +491,75 @@ async fn handle_ipc_request(req: &IpcRequest) -> IpcResponse {
}
}
+ "verifyEmail" => {
+ let raw_message = req
+ .params
+ .get("rawMessage")
+ .and_then(|v| v.as_str())
+ .unwrap_or("");
+ let ip_str = req.params.get("ip").and_then(|v| v.as_str()).unwrap_or("");
+ let helo = req
+ .params
+ .get("heloDomain")
+ .and_then(|v| v.as_str())
+ .unwrap_or("");
+ let hostname = req
+ .params
+ .get("hostname")
+ .and_then(|v| v.as_str())
+ .unwrap_or("localhost");
+ let mail_from = req
+ .params
+ .get("mailFrom")
+ .and_then(|v| v.as_str())
+ .unwrap_or("");
+
+ match ip_str.parse::() {
+ Ok(ip_addr) => {
+ let authenticator = match mailer_security::default_authenticator() {
+ Ok(a) => a,
+ Err(e) => {
+ return IpcResponse {
+ id: req.id.clone(),
+ success: false,
+ result: None,
+ error: Some(format!("Authenticator error: {}", e)),
+ };
+ }
+ };
+ match mailer_security::verify_email_security(
+ raw_message.as_bytes(),
+ ip_addr,
+ helo,
+ hostname,
+ mail_from,
+ &authenticator,
+ )
+ .await
+ {
+ Ok(result) => IpcResponse {
+ id: req.id.clone(),
+ success: true,
+ result: Some(serde_json::to_value(&result).unwrap()),
+ error: None,
+ },
+ Err(e) => IpcResponse {
+ id: req.id.clone(),
+ success: false,
+ result: None,
+ error: Some(e.to_string()),
+ },
+ }
+ }
+ Err(e) => IpcResponse {
+ id: req.id.clone(),
+ success: false,
+ result: None,
+ error: Some(format!("Invalid IP address: {}", e)),
+ },
+ }
+ }
+
"checkSpf" => {
let ip_str = req.params.get("ip").and_then(|v| v.as_str()).unwrap_or("");
let helo = req
diff --git a/rust/crates/mailer-security/src/dkim.rs b/rust/crates/mailer-security/src/dkim.rs
index 6399a4e..adab979 100644
--- a/rust/crates/mailer-security/src/dkim.rs
+++ b/rust/crates/mailer-security/src/dkim.rs
@@ -1,7 +1,7 @@
use mail_auth::common::crypto::{RsaKey, Sha256};
use mail_auth::common::headers::HeaderWriter;
use mail_auth::dkim::{Canonicalization, DkimSigner};
-use mail_auth::{AuthenticatedMessage, DkimResult, MessageAuthenticator};
+use mail_auth::{AuthenticatedMessage, DkimOutput, DkimResult, MessageAuthenticator};
use rustls_pki_types::{PrivateKeyDer, PrivatePkcs1KeyDer, pem::PemObject};
use serde::{Deserialize, Serialize};
@@ -22,6 +22,48 @@ pub struct DkimVerificationResult {
pub details: Option,
}
+/// Convert raw `mail-auth` DKIM outputs to our serializable results.
+///
+/// This is used internally by `verify_dkim` and by the compound `verify_email_security`.
+pub fn dkim_outputs_to_results(dkim_outputs: &[DkimOutput<'_>]) -> Vec {
+ if dkim_outputs.is_empty() {
+ return vec![DkimVerificationResult {
+ is_valid: false,
+ domain: None,
+ selector: None,
+ status: "none".to_string(),
+ details: Some("No DKIM signatures found".to_string()),
+ }];
+ }
+
+ dkim_outputs
+ .iter()
+ .map(|output| {
+ let (is_valid, status, details) = match output.result() {
+ DkimResult::Pass => (true, "pass", None),
+ DkimResult::Neutral(err) => (false, "neutral", Some(err.to_string())),
+ DkimResult::Fail(err) => (false, "fail", Some(err.to_string())),
+ DkimResult::PermError(err) => (false, "permerror", Some(err.to_string())),
+ DkimResult::TempError(err) => (false, "temperror", Some(err.to_string())),
+ DkimResult::None => (false, "none", None),
+ };
+
+ let (domain, selector) = output
+ .signature()
+ .map(|sig| (Some(sig.d.clone()), Some(sig.s.clone())))
+ .unwrap_or((None, None));
+
+ DkimVerificationResult {
+ is_valid,
+ domain,
+ selector,
+ status: status.to_string(),
+ details,
+ }
+ })
+ .collect()
+}
+
/// Verify DKIM signatures on a raw email message.
///
/// Uses the `mail-auth` crate which performs full RFC 6376 verification
@@ -34,45 +76,7 @@ pub async fn verify_dkim(
.ok_or_else(|| SecurityError::Parse("Failed to parse email for DKIM verification".into()))?;
let dkim_outputs = authenticator.verify_dkim(&message).await;
-
- let mut results = Vec::new();
-
- if dkim_outputs.is_empty() {
- results.push(DkimVerificationResult {
- is_valid: false,
- domain: None,
- selector: None,
- status: "none".to_string(),
- details: Some("No DKIM signatures found".to_string()),
- });
- return Ok(results);
- }
-
- for output in &dkim_outputs {
- let (is_valid, status, details) = match output.result() {
- DkimResult::Pass => (true, "pass", None),
- DkimResult::Neutral(err) => (false, "neutral", Some(err.to_string())),
- DkimResult::Fail(err) => (false, "fail", Some(err.to_string())),
- DkimResult::PermError(err) => (false, "permerror", Some(err.to_string())),
- DkimResult::TempError(err) => (false, "temperror", Some(err.to_string())),
- DkimResult::None => (false, "none", None),
- };
-
- let (domain, selector) = output
- .signature()
- .map(|sig| (Some(sig.d.clone()), Some(sig.s.clone())))
- .unwrap_or((None, None));
-
- results.push(DkimVerificationResult {
- is_valid,
- domain,
- selector,
- status: status.to_string(),
- details,
- });
- }
-
- Ok(results)
+ Ok(dkim_outputs_to_results(&dkim_outputs))
}
/// Sign a raw email message with DKIM (RSA-SHA256).
diff --git a/rust/crates/mailer-security/src/lib.rs b/rust/crates/mailer-security/src/lib.rs
index fc3f772..65f6022 100644
--- a/rust/crates/mailer-security/src/lib.rs
+++ b/rust/crates/mailer-security/src/lib.rs
@@ -5,10 +5,12 @@ pub mod dmarc;
pub mod error;
pub mod ip_reputation;
pub mod spf;
+pub mod verify;
// Re-exports for convenience
-pub use dkim::{dkim_dns_record_value, sign_dkim, verify_dkim, DkimVerificationResult};
+pub use dkim::{dkim_dns_record_value, dkim_outputs_to_results, sign_dkim, verify_dkim, DkimVerificationResult};
pub use dmarc::{check_dmarc, DmarcPolicy, DmarcResult};
+pub use verify::{verify_email_security, EmailSecurityResult};
pub use error::{Result, SecurityError};
pub use ip_reputation::{
check_dnsbl, check_reputation, risk_level, DnsblResult, IpType, ReputationResult, RiskLevel,
diff --git a/rust/crates/mailer-security/src/spf.rs b/rust/crates/mailer-security/src/spf.rs
index 4959bb3..597664d 100644
--- a/rust/crates/mailer-security/src/spf.rs
+++ b/rust/crates/mailer-security/src/spf.rs
@@ -23,6 +23,28 @@ impl SpfResult {
pub fn passed(&self) -> bool {
self.result == "pass"
}
+
+ /// Create an `SpfResult` from a raw `mail-auth` `SpfOutput`.
+ ///
+ /// Used by the compound `verify_email_security` to avoid re-doing the SPF query.
+ pub fn from_output(output: &mail_auth::SpfOutput, ip: IpAddr) -> Self {
+ let result_str = match output.result() {
+ MailAuthSpfResult::Pass => "pass",
+ MailAuthSpfResult::Fail => "fail",
+ MailAuthSpfResult::SoftFail => "softfail",
+ MailAuthSpfResult::Neutral => "neutral",
+ MailAuthSpfResult::TempError => "temperror",
+ MailAuthSpfResult::PermError => "permerror",
+ MailAuthSpfResult::None => "none",
+ };
+
+ SpfResult {
+ result: result_str.to_string(),
+ domain: output.domain().to_string(),
+ ip: ip.to_string(),
+ explanation: output.explanation().map(|s| s.to_string()),
+ }
+ }
}
/// Check SPF for a given sender IP, HELO domain, and MAIL FROM address.
diff --git a/rust/crates/mailer-security/src/verify.rs b/rust/crates/mailer-security/src/verify.rs
new file mode 100644
index 0000000..c95c5f0
--- /dev/null
+++ b/rust/crates/mailer-security/src/verify.rs
@@ -0,0 +1,115 @@
+//! Compound email security verification.
+//!
+//! Runs DKIM, SPF, and DMARC verification in a single call, avoiding multiple
+//! IPC round-trips and handling the internal `mail-auth` types that DMARC needs.
+
+use mail_auth::spf::verify::SpfParameters;
+use mail_auth::{AuthenticatedMessage, MessageAuthenticator};
+use serde::{Deserialize, Serialize};
+use std::net::IpAddr;
+
+use crate::dkim::DkimVerificationResult;
+use crate::dmarc::{check_dmarc, DmarcResult};
+use crate::error::{Result, SecurityError};
+use crate::spf::SpfResult;
+
+/// Combined result of DKIM + SPF + DMARC verification.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct EmailSecurityResult {
+ pub dkim: Vec,
+ pub spf: Option,
+ pub dmarc: Option,
+}
+
+/// Run all email security checks (DKIM, SPF, DMARC) in one call.
+///
+/// This is the preferred entry point for inbound email verification because:
+/// 1. DMARC requires raw `mail-auth` DKIM/SPF outputs (not our serialized types).
+/// 2. A single call avoids 3 sequential IPC round-trips.
+///
+/// # Arguments
+/// * `raw_message` - The raw RFC 5322 message bytes
+/// * `ip` - The connecting client's IP address
+/// * `helo_domain` - The domain from the SMTP EHLO/HELO command
+/// * `host_domain` - Your receiving server's hostname
+/// * `mail_from` - The full MAIL FROM address (e.g. "sender@example.com")
+/// * `authenticator` - The `MessageAuthenticator` for DNS lookups
+pub async fn verify_email_security(
+ raw_message: &[u8],
+ ip: IpAddr,
+ helo_domain: &str,
+ host_domain: &str,
+ mail_from: &str,
+ authenticator: &MessageAuthenticator,
+) -> Result {
+ // Parse the message once for all checks
+ let message = AuthenticatedMessage::parse(raw_message)
+ .ok_or_else(|| SecurityError::Parse("Failed to parse email message".into()))?;
+
+ // --- DKIM verification ---
+ let dkim_outputs = authenticator.verify_dkim(&message).await;
+ let dkim_results = crate::dkim::dkim_outputs_to_results(&dkim_outputs);
+
+ // --- SPF verification ---
+ let spf_output = authenticator
+ .verify_spf(SpfParameters::verify_mail_from(
+ ip,
+ helo_domain,
+ host_domain,
+ mail_from,
+ ))
+ .await;
+
+ let spf_result = SpfResult::from_output(&spf_output, ip);
+
+ // --- DMARC verification (needs raw dkim_outputs + spf_output) ---
+ let mail_from_domain = mail_from
+ .rsplit_once('@')
+ .map(|(_, d)| d)
+ .unwrap_or(helo_domain);
+
+ let dmarc_result = check_dmarc(
+ raw_message,
+ &dkim_outputs,
+ &spf_output,
+ mail_from_domain,
+ authenticator,
+ )
+ .await
+ .ok(); // DMARC failure is non-fatal; we still return DKIM + SPF results
+
+ Ok(EmailSecurityResult {
+ dkim: dkim_results,
+ spf: Some(spf_result),
+ dmarc: dmarc_result,
+ })
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn test_email_security_result_serialization() {
+ let result = EmailSecurityResult {
+ dkim: vec![DkimVerificationResult {
+ is_valid: false,
+ domain: None,
+ selector: None,
+ status: "none".to_string(),
+ details: Some("No DKIM signatures".to_string()),
+ }],
+ spf: Some(SpfResult {
+ result: "none".to_string(),
+ domain: "example.com".to_string(),
+ ip: "1.2.3.4".to_string(),
+ explanation: None,
+ }),
+ dmarc: None,
+ };
+ let json = serde_json::to_string(&result).unwrap();
+ assert!(json.contains("\"dkim\""));
+ assert!(json.contains("\"spf\""));
+ assert!(json.contains("\"dmarc\":null"));
+ }
+}
diff --git a/ts/00_commitinfo_data.ts b/ts/00_commitinfo_data.ts
index 59c377f..3cb90df 100644
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@@ -2,7 +2,7 @@
* autocreated commitinfo by @push.rocks/commitinfo
*/
export const commitinfo = {
- name: '@serve.zone/mailer',
- version: '1.3.1',
- description: 'Enterprise mail server with SMTP, HTTP API, and DNS management - built for serve.zone infrastructure'
+ name: '@push.rocks/smartmta',
+ version: '2.0.0',
+ description: 'A high-performance, enterprise-grade Mail Transfer Agent (MTA) built from scratch in TypeScript with Rust acceleration.'
}
diff --git a/ts/mail/routing/classes.unified.email.server.ts b/ts/mail/routing/classes.unified.email.server.ts
index c2ae8b4..6eab0f0 100644
--- a/ts/mail/routing/classes.unified.email.server.ts
+++ b/ts/mail/routing/classes.unified.email.server.ts
@@ -9,6 +9,7 @@ import {
} from '../../security/index.js';
import { DKIMCreator } from '../security/classes.dkimcreator.js';
import { IPReputationChecker } from '../../security/classes.ipreputationchecker.js';
+import { RustSecurityBridge } from '../../security/classes.rustsecuritybridge.js';
// Deliverability types (IPWarmupManager and SenderReputationMonitor are optional external modules)
interface IIPWarmupConfig {
enabled?: boolean;
@@ -192,7 +193,8 @@ export class UnifiedEmailServer extends EventEmitter {
// Add components needed for sending and securing emails
public dkimCreator: DKIMCreator;
- private ipReputationChecker: IPReputationChecker; // TODO: Implement IP reputation checks in processEmailByMode
+ private rustBridge: RustSecurityBridge;
+ private ipReputationChecker: IPReputationChecker;
private bounceManager: BounceManager;
private ipWarmupManager: IPWarmupManager | null;
private senderReputationMonitor: SenderReputationMonitor | null;
@@ -217,6 +219,9 @@ export class UnifiedEmailServer extends EventEmitter {
socketTimeout: options.socketTimeout || 60000 // 1 minute
};
+ // Initialize Rust security bridge (singleton)
+ this.rustBridge = RustSecurityBridge.getInstance();
+
// Initialize DKIM creator with storage manager
this.dkimCreator = new DKIMCreator(paths.keysDir, dcRouter.storageManager);
@@ -360,7 +365,15 @@ export class UnifiedEmailServer extends EventEmitter {
// Start the delivery system
await this.deliverySystem.start();
logger.log('info', 'Email delivery system started');
-
+
+ // Start Rust security bridge (non-blocking β server works without it)
+ const bridgeOk = await this.rustBridge.start();
+ if (bridgeOk) {
+ logger.log('info', 'Rust security bridge started β using Rust for DKIM/SPF/DMARC verification');
+ } else {
+ logger.log('warn', 'Rust security bridge unavailable β falling back to TypeScript security verification');
+ }
+
// Set up DKIM for all domains
await this.setupDkimForDomains();
logger.log('info', 'DKIM configuration completed for all domains');
@@ -417,12 +430,40 @@ export class UnifiedEmailServer extends EventEmitter {
verifyDmarc: true
}
},
- // These will be implemented in the real integration:
+ // Security verification delegated to the Rust bridge when available
dkimVerifier: {
- verify: async () => ({ isValid: true, domain: '' })
+ verify: async (rawMessage: string) => {
+ if (this.rustBridge.running) {
+ try {
+ const results = await this.rustBridge.verifyDkim(rawMessage);
+ const first = results[0];
+ return { isValid: first?.is_valid ?? false, domain: first?.domain ?? '' };
+ } catch (err) {
+ logger.log('warn', `Rust DKIM verification failed, accepting: ${(err as Error).message}`);
+ return { isValid: true, domain: '' };
+ }
+ }
+ return { isValid: true, domain: '' }; // No bridge β accept
+ }
},
spfVerifier: {
- verifyAndApply: async () => true
+ verifyAndApply: async (session: any) => {
+ if (this.rustBridge.running && session?.remoteAddress && session.remoteAddress !== '127.0.0.1') {
+ try {
+ const result = await this.rustBridge.checkSpf({
+ ip: session.remoteAddress,
+ heloDomain: session.clientHostname || '',
+ hostname: this.options.hostname,
+ mailFrom: session.envelope?.mailFrom?.address || session.mailFrom || '',
+ });
+ return result.result === 'pass' || result.result === 'none' || result.result === 'neutral';
+ } catch (err) {
+ logger.log('warn', `Rust SPF check failed, accepting: ${(err as Error).message}`);
+ return true;
+ }
+ }
+ return true; // No bridge or localhost β accept
+ }
},
dmarcVerifier: {
verify: async () => ({}),
@@ -552,7 +593,10 @@ export class UnifiedEmailServer extends EventEmitter {
try {
// Clear the servers array - servers will be garbage collected
this.servers = [];
-
+
+ // Stop Rust security bridge
+ await this.rustBridge.stop();
+
// Stop the delivery system
if (this.deliverySystem) {
await this.deliverySystem.stop();
@@ -588,6 +632,63 @@ export class UnifiedEmailServer extends EventEmitter {
+ /**
+ * Verify inbound email security (DKIM/SPF/DMARC) using the Rust bridge.
+ * Falls back gracefully if the bridge is not running.
+ */
+ private async verifyInboundSecurity(email: Email, session: IExtendedSmtpSession): Promise {
+ if (!this.rustBridge.running) {
+ return; // Bridge not available β skip verification
+ }
+
+ try {
+ const rawMessage = session.emailData || email.toRFC822String();
+ const result = await this.rustBridge.verifyEmail({
+ rawMessage,
+ ip: session.remoteAddress,
+ heloDomain: session.clientHostname || '',
+ hostname: this.options.hostname,
+ mailFrom: session.envelope?.mailFrom?.address || session.mailFrom || '',
+ });
+
+ // Apply DKIM result headers
+ if (result.dkim && result.dkim.length > 0) {
+ const dkimSummary = result.dkim
+ .map(d => `${d.status}${d.domain ? ` (${d.domain})` : ''}`)
+ .join(', ');
+ email.setHeader('X-DKIM-Result', dkimSummary);
+ }
+
+ // Apply SPF result header
+ if (result.spf) {
+ email.setHeader('Received-SPF', `${result.spf.result} (domain: ${result.spf.domain}, ip: ${result.spf.ip})`);
+
+ // Mark as spam on SPF hard fail
+ if (result.spf.result === 'fail') {
+ email.mightBeSpam = true;
+ logger.log('warn', `SPF fail for ${session.remoteAddress} β marking as potential spam`);
+ }
+ }
+
+ // Apply DMARC result header and policy
+ if (result.dmarc) {
+ email.setHeader('X-DMARC-Result', `${result.dmarc.action} (policy=${result.dmarc.policy}, dkim=${result.dmarc.dkim_result}, spf=${result.dmarc.spf_result})`);
+
+ if (result.dmarc.action === 'reject') {
+ email.mightBeSpam = true;
+ logger.log('warn', `DMARC reject for domain ${result.dmarc.domain} β marking as spam`);
+ } else if (result.dmarc.action === 'quarantine') {
+ email.mightBeSpam = true;
+ logger.log('info', `DMARC quarantine for domain ${result.dmarc.domain} β marking as potential spam`);
+ }
+ }
+
+ logger.log('info', `Inbound security verified for email from ${session.remoteAddress}: DKIM=${result.dkim?.[0]?.status ?? 'none'}, SPF=${result.spf?.result ?? 'none'}, DMARC=${result.dmarc?.action ?? 'none'}`);
+ } catch (err) {
+ logger.log('warn', `Inbound security verification failed: ${(err as Error).message} β accepting email`);
+ }
+ }
+
/**
* Process email based on routing rules
*/
@@ -617,7 +718,12 @@ export class UnifiedEmailServer extends EventEmitter {
} else {
email = emailData;
}
-
+
+ // Run inbound security verification (DKIM/SPF/DMARC) via Rust bridge
+ if (session.remoteAddress && session.remoteAddress !== '127.0.0.1') {
+ await this.verifyInboundSecurity(email, session);
+ }
+
// First check if this is a bounce notification email
// Look for common bounce notification subject patterns
const subject = email.subject || '';
diff --git a/ts/plugins.ts b/ts/plugins.ts
index f1b503a..031d623 100644
--- a/ts/plugins.ts
+++ b/ts/plugins.ts
@@ -58,12 +58,13 @@ import * as smartproxy from '@push.rocks/smartproxy';
import * as smartpromise from '@push.rocks/smartpromise';
import * as smartrequest from '@push.rocks/smartrequest';
import * as smartrule from '@push.rocks/smartrule';
+import * as smartrust from '@push.rocks/smartrust';
import * as smartrx from '@push.rocks/smartrx';
import * as smartunique from '@push.rocks/smartunique';
export const smartfs = new SmartFs(new SmartFsProviderNode());
-export { projectinfo, qenv, smartacme, smartdata, smartdns, smartfile, SmartFs, smartguard, smartjwt, smartlog, smartmail, smartmetrics, smartnetwork, smartpath, smartproxy, smartpromise, smartrequest, smartrule, smartrx, smartunique };
+export { projectinfo, qenv, smartacme, smartdata, smartdns, smartfile, SmartFs, smartguard, smartjwt, smartlog, smartmail, smartmetrics, smartnetwork, smartpath, smartproxy, smartpromise, smartrequest, smartrule, smartrust, smartrx, smartunique };
// Define SmartLog types for use in error handling
export type TLogLevel = 'error' | 'warn' | 'info' | 'success' | 'debug';
diff --git a/ts/security/classes.ipreputationchecker.ts b/ts/security/classes.ipreputationchecker.ts
index aed70fe..6cfe77e 100644
--- a/ts/security/classes.ipreputationchecker.ts
+++ b/ts/security/classes.ipreputationchecker.ts
@@ -2,6 +2,7 @@ import * as plugins from '../plugins.js';
import * as paths from '../paths.js';
import { logger } from '../logger.js';
import { SecurityLogger, SecurityLogLevel, SecurityEventType } from './classes.securitylogger.js';
+import { RustSecurityBridge } from './classes.rustsecuritybridge.js';
import { LRUCache } from 'lru-cache';
/**
@@ -156,7 +157,7 @@ export class IPReputationChecker {
logger.log('warn', `Invalid IP address format: ${ip}`);
return this.createErrorResult(ip, 'Invalid IP address format');
}
-
+
// Check cache first
const cachedResult = this.reputationCache.get(ip);
if (cachedResult) {
@@ -166,8 +167,37 @@ export class IPReputationChecker {
});
return cachedResult;
}
-
- // Initialize empty result
+
+ // Try Rust bridge first (parallel DNSBL via tokio β faster than Node sequential DNS)
+ const bridge = RustSecurityBridge.getInstance();
+ if (bridge.running) {
+ try {
+ const rustResult = await bridge.checkIpReputation(ip);
+ const result: IReputationResult = {
+ score: rustResult.score,
+ isSpam: rustResult.listed_count > 0,
+ isProxy: rustResult.ip_type === 'proxy',
+ isTor: rustResult.ip_type === 'tor',
+ isVPN: rustResult.ip_type === 'vpn',
+ blacklists: rustResult.dnsbl_results
+ .filter(d => d.listed)
+ .map(d => d.server),
+ timestamp: Date.now(),
+ };
+ this.reputationCache.set(ip, result);
+ if (this.options.enableLocalCache) {
+ this.saveCache().catch(error => {
+ logger.log('error', `Failed to save IP reputation cache: ${error.message}`);
+ });
+ }
+ this.logReputationCheck(ip, result);
+ return result;
+ } catch (err) {
+ logger.log('warn', `Rust IP reputation check failed, falling back to TS: ${(err as Error).message}`);
+ }
+ }
+
+ // Fallback: TypeScript DNSBL implementation
const result: IReputationResult = {
score: 100, // Start with perfect score
isSpam: false,
@@ -176,43 +206,43 @@ export class IPReputationChecker {
isVPN: false,
timestamp: Date.now()
};
-
+
// Check IP against DNS blacklists if enabled
if (this.options.enableDNSBL) {
const dnsblResult = await this.checkDNSBL(ip);
-
+
// Update result with DNSBL information
result.score -= dnsblResult.listCount * 10; // Subtract 10 points per blacklist
result.isSpam = dnsblResult.listCount > 0;
result.blacklists = dnsblResult.lists;
}
-
+
// Get additional IP information if enabled
if (this.options.enableIPInfo) {
const ipInfo = await this.getIPInfo(ip);
-
+
// Update result with IP info
result.country = ipInfo.country;
result.asn = ipInfo.asn;
result.org = ipInfo.org;
-
+
// Adjust score based on IP type
if (ipInfo.type === IPType.PROXY || ipInfo.type === IPType.TOR || ipInfo.type === IPType.VPN) {
result.score -= 30; // Subtract 30 points for proxies, Tor, VPNs
-
+
// Set proxy flags
result.isProxy = ipInfo.type === IPType.PROXY;
result.isTor = ipInfo.type === IPType.TOR;
result.isVPN = ipInfo.type === IPType.VPN;
}
}
-
+
// Ensure score is between 0 and 100
result.score = Math.max(0, Math.min(100, result.score));
-
+
// Update cache with result
this.reputationCache.set(ip, result);
-
+
// Save cache if enabled
if (this.options.enableLocalCache) {
// Fire and forget the save operation
@@ -220,17 +250,17 @@ export class IPReputationChecker {
logger.log('error', `Failed to save IP reputation cache: ${error.message}`);
});
}
-
+
// Log the reputation check
this.logReputationCheck(ip, result);
-
+
return result;
} catch (error) {
logger.log('error', `Error checking IP reputation for ${ip}: ${error.message}`, {
ip,
stack: error.stack
});
-
+
return this.createErrorResult(ip, error.message);
}
}
diff --git a/ts/security/classes.rustsecuritybridge.ts b/ts/security/classes.rustsecuritybridge.ts
new file mode 100644
index 0000000..ade61a9
--- /dev/null
+++ b/ts/security/classes.rustsecuritybridge.ts
@@ -0,0 +1,307 @@
+import * as plugins from '../plugins.js';
+import * as paths from '../paths.js';
+import { logger } from '../logger.js';
+
+// ---------------------------------------------------------------------------
+// IPC command type map β mirrors the methods in mailer-bin's management mode
+// ---------------------------------------------------------------------------
+
+interface IDkimVerificationResult {
+ is_valid: boolean;
+ domain: string | null;
+ selector: string | null;
+ status: string;
+ details: string | null;
+}
+
+interface ISpfResult {
+ result: string;
+ domain: string;
+ ip: string;
+ explanation: string | null;
+}
+
+interface IDmarcResult {
+ passed: boolean;
+ policy: string;
+ domain: string;
+ dkim_result: string;
+ spf_result: string;
+ action: string;
+ details: string | null;
+}
+
+interface IEmailSecurityResult {
+ dkim: IDkimVerificationResult[];
+ spf: ISpfResult | null;
+ dmarc: IDmarcResult | null;
+}
+
+interface IValidationResult {
+ valid: boolean;
+ formatValid: boolean;
+ score: number;
+ error: string | null;
+}
+
+interface IBounceDetection {
+ bounce_type: string;
+ severity: string;
+ category: string;
+ should_retry: boolean;
+ recommended_action: string;
+ details: string;
+}
+
+interface IReputationResult {
+ ip: string;
+ score: number;
+ risk_level: string;
+ ip_type: string;
+ dnsbl_results: Array<{ server: string; listed: boolean; response: string | null }>;
+ listed_count: number;
+ total_checked: number;
+}
+
+interface IVersionInfo {
+ bin: string;
+ core: string;
+ security: string;
+ smtp: string;
+}
+
+/**
+ * Type-safe command map for the mailer-bin IPC bridge.
+ */
+type TMailerCommands = {
+ ping: {
+ params: Record;
+ result: { pong: boolean };
+ };
+ version: {
+ params: Record;
+ result: IVersionInfo;
+ };
+ validateEmail: {
+ params: { email: string };
+ result: IValidationResult;
+ };
+ detectBounce: {
+ params: { smtpResponse?: string; diagnosticCode?: string; statusCode?: string };
+ result: IBounceDetection;
+ };
+ checkIpReputation: {
+ params: { ip: string };
+ result: IReputationResult;
+ };
+ verifyDkim: {
+ params: { rawMessage: string };
+ result: IDkimVerificationResult[];
+ };
+ signDkim: {
+ params: { rawMessage: string; domain: string; selector?: string; privateKey: string };
+ result: { header: string; signedMessage: string };
+ };
+ checkSpf: {
+ params: { ip: string; heloDomain: string; hostname?: string; mailFrom: string };
+ result: ISpfResult;
+ };
+ verifyEmail: {
+ params: {
+ rawMessage: string;
+ ip: string;
+ heloDomain: string;
+ hostname?: string;
+ mailFrom: string;
+ };
+ result: IEmailSecurityResult;
+ };
+};
+
+// ---------------------------------------------------------------------------
+// RustSecurityBridge β singleton wrapper around smartrust.RustBridge
+// ---------------------------------------------------------------------------
+
+/**
+ * Bridge between TypeScript and the Rust `mailer-bin` binary.
+ *
+ * Uses `@push.rocks/smartrust` for JSON-over-stdin/stdout IPC.
+ * Singleton β access via `RustSecurityBridge.getInstance()`.
+ */
+export class RustSecurityBridge {
+ private static instance: RustSecurityBridge | null = null;
+
+ private bridge: InstanceType>;
+ private _running = false;
+
+ private constructor() {
+ this.bridge = new plugins.smartrust.RustBridge({
+ binaryName: 'mailer-bin',
+ cliArgs: ['--management'],
+ requestTimeoutMs: 30_000,
+ readyTimeoutMs: 10_000,
+ localPaths: [
+ plugins.path.join(paths.packageDir, 'dist_rust', 'mailer-bin'),
+ plugins.path.join(paths.packageDir, 'rust', 'target', 'release', 'mailer-bin'),
+ plugins.path.join(paths.packageDir, 'rust', 'target', 'debug', 'mailer-bin'),
+ ],
+ searchSystemPath: false,
+ });
+
+ // Forward lifecycle events
+ this.bridge.on('ready', () => {
+ this._running = true;
+ logger.log('info', 'Rust security bridge is ready');
+ });
+
+ this.bridge.on('exit', (code: number | null, signal: string | null) => {
+ this._running = false;
+ logger.log('warn', `Rust security bridge exited (code=${code}, signal=${signal})`);
+ });
+
+ this.bridge.on('stderr', (line: string) => {
+ logger.log('debug', `[rust-bridge] ${line}`);
+ });
+ }
+
+ /** Get or create the singleton instance. */
+ public static getInstance(): RustSecurityBridge {
+ if (!RustSecurityBridge.instance) {
+ RustSecurityBridge.instance = new RustSecurityBridge();
+ }
+ return RustSecurityBridge.instance;
+ }
+
+ /** Whether the Rust process is currently running and accepting commands. */
+ public get running(): boolean {
+ return this._running;
+ }
+
+ // -----------------------------------------------------------------------
+ // Lifecycle
+ // -----------------------------------------------------------------------
+
+ /**
+ * Spawn the Rust binary and wait for the ready signal.
+ * @returns `true` if the binary started successfully, `false` otherwise.
+ */
+ public async start(): Promise {
+ if (this._running) {
+ return true;
+ }
+ try {
+ const ok = await this.bridge.spawn();
+ this._running = ok;
+ if (ok) {
+ logger.log('info', 'Rust security bridge started');
+ } else {
+ logger.log('warn', 'Rust security bridge failed to start (binary not found or timeout)');
+ }
+ return ok;
+ } catch (err) {
+ logger.log('error', `Failed to start Rust security bridge: ${(err as Error).message}`);
+ return false;
+ }
+ }
+
+ /** Kill the Rust process. */
+ public async stop(): Promise {
+ if (!this._running) {
+ return;
+ }
+ try {
+ this.bridge.kill();
+ this._running = false;
+ logger.log('info', 'Rust security bridge stopped');
+ } catch (err) {
+ logger.log('error', `Error stopping Rust security bridge: ${(err as Error).message}`);
+ }
+ }
+
+ // -----------------------------------------------------------------------
+ // Commands β thin typed wrappers over sendCommand
+ // -----------------------------------------------------------------------
+
+ /** Ping the Rust process. */
+ public async ping(): Promise {
+ const res = await this.bridge.sendCommand('ping', {} as any);
+ return res?.pong === true;
+ }
+
+ /** Get version information for all Rust crates. */
+ public async getVersion(): Promise {
+ return this.bridge.sendCommand('version', {} as any);
+ }
+
+ /** Validate an email address. */
+ public async validateEmail(email: string): Promise {
+ return this.bridge.sendCommand('validateEmail', { email });
+ }
+
+ /** Detect bounce type from SMTP response / diagnostic code. */
+ public async detectBounce(opts: {
+ smtpResponse?: string;
+ diagnosticCode?: string;
+ statusCode?: string;
+ }): Promise {
+ return this.bridge.sendCommand('detectBounce', opts);
+ }
+
+ /** Check IP reputation via DNSBL. */
+ public async checkIpReputation(ip: string): Promise {
+ return this.bridge.sendCommand('checkIpReputation', { ip });
+ }
+
+ /** Verify DKIM signatures on a raw email message. */
+ public async verifyDkim(rawMessage: string): Promise {
+ return this.bridge.sendCommand('verifyDkim', { rawMessage });
+ }
+
+ /** Sign an email with DKIM. */
+ public async signDkim(opts: {
+ rawMessage: string;
+ domain: string;
+ selector?: string;
+ privateKey: string;
+ }): Promise<{ header: string; signedMessage: string }> {
+ return this.bridge.sendCommand('signDkim', opts);
+ }
+
+ /** Check SPF for a sender. */
+ public async checkSpf(opts: {
+ ip: string;
+ heloDomain: string;
+ hostname?: string;
+ mailFrom: string;
+ }): Promise {
+ return this.bridge.sendCommand('checkSpf', opts);
+ }
+
+ /**
+ * Compound email security verification: DKIM + SPF + DMARC in one IPC call.
+ *
+ * This is the preferred method for inbound email verification β it avoids
+ * 3 sequential round-trips and correctly passes raw mail-auth types internally.
+ */
+ public async verifyEmail(opts: {
+ rawMessage: string;
+ ip: string;
+ heloDomain: string;
+ hostname?: string;
+ mailFrom: string;
+ }): Promise {
+ return this.bridge.sendCommand('verifyEmail', opts);
+ }
+}
+
+// Re-export interfaces for consumers
+export type {
+ IDkimVerificationResult,
+ ISpfResult,
+ IDmarcResult,
+ IEmailSecurityResult,
+ IValidationResult,
+ IBounceDetection,
+ IReputationResult as IRustReputationResult,
+ IVersionInfo,
+};
diff --git a/ts/security/index.ts b/ts/security/index.ts
index 2f99b6b..befbe7e 100644
--- a/ts/security/index.ts
+++ b/ts/security/index.ts
@@ -18,4 +18,16 @@ export {
ThreatCategory,
type IScanResult,
type IContentScannerOptions
-} from './classes.contentscanner.js';
\ No newline at end of file
+} from './classes.contentscanner.js';
+
+export {
+ RustSecurityBridge,
+ type IDkimVerificationResult,
+ type ISpfResult,
+ type IDmarcResult,
+ type IEmailSecurityResult,
+ type IValidationResult,
+ type IBounceDetection,
+ type IRustReputationResult,
+ type IVersionInfo,
+} from './classes.rustsecuritybridge.js';
\ No newline at end of file