feat(mailer-smtp): add in-process security pipeline for SMTP delivery (DKIM/SPF/DMARC, content scanning, IP reputation)

2026-02-10 22:26:20 +00:00
parent 595634fb0f
commit eb2643de93
151 changed files with 477 additions and 47531 deletions
--- a/rust/crates/mailer-smtp/src/server.rs
+++ b/rust/crates/mailer-smtp/src/server.rs
@@ -9,6 +9,8 @@ use crate::connection::{
 };
 use crate::rate_limiter::{RateLimitConfig, RateLimiter};

+use hickory_resolver::TokioResolver;
+use mailer_security::MessageAuthenticator;
 use rustls_pki_types::{CertificateDer, PrivateKeyDer};
 use std::io::BufReader;
 use std::sync::atomic::{AtomicBool, AtomicU32, Ordering};
@@ -63,6 +65,17 @@ pub async fn start_server(

    let (event_tx, event_rx) = mpsc::channel::<ConnectionEvent>(1024);

+    // Create shared security resources for in-process email verification
+    let authenticator: Arc<MessageAuthenticator> = Arc::new(
+        mailer_security::default_authenticator()
+            .map_err(|e| format!("Failed to create MessageAuthenticator: {e}"))?
+    );
+    let resolver: Arc<TokioResolver> = Arc::new(
+        TokioResolver::builder_tokio()
+            .map(|b| b.build())
+            .map_err(|e| format!("Failed to create TokioResolver: {e}"))?
+    );
+
    // Build TLS acceptor if configured
    let tls_acceptor = if config.has_tls() {
        Some(Arc::new(build_tls_acceptor(&config)?))
@@ -87,6 +100,8 @@ pub async fn start_server(
            callback_registry.clone(),
            tls_acceptor.clone(),
            false, // not implicit TLS
+            authenticator.clone(),
+            resolver.clone(),
        ));
        handles.push(handle);
    }
@@ -108,6 +123,8 @@ pub async fn start_server(
                callback_registry.clone(),
                tls_acceptor.clone(),
                true, // implicit TLS
+                authenticator.clone(),
+                resolver.clone(),
            ));
            handles.push(handle);
        } else {
@@ -153,6 +170,8 @@ async fn accept_loop(
    callback_registry: Arc<dyn CallbackRegistry + Send + Sync>,
    tls_acceptor: Option<Arc<tokio_rustls::TlsAcceptor>>,
    implicit_tls: bool,
+    authenticator: Arc<MessageAuthenticator>,
+    resolver: Arc<TokioResolver>,
 ) {
    loop {
        if shutdown.load(Ordering::SeqCst) {
@@ -194,6 +213,8 @@ async fn accept_loop(
        let callback_registry = callback_registry.clone();
        let tls_acceptor = tls_acceptor.clone();
        let active_connections = active_connections.clone();
+        let authenticator = authenticator.clone();
+        let resolver = resolver.clone();

        active_connections.fetch_add(1, Ordering::SeqCst);

@@ -232,6 +253,8 @@ async fn accept_loop(
                tls_acceptor,
                remote_addr,
                implicit_tls,
+                authenticator,
+                resolver,
            )
            .await;