push.rocks/smartmta
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: push.rocks:v2.0.1
Branches Tags
push.rocks:main
push.rocks:v3.0.0 push.rocks:v2.4.0 push.rocks:v2.3.2 push.rocks:v2.3.1 push.rocks:v2.3.0 push.rocks:v2.2.1 push.rocks:v2.2.0 push.rocks:v2.1.0 push.rocks:v2.0.1 push.rocks:v2.0.0 push.rocks:v1.3.1 push.rocks:v1.3.0 push.rocks:v1.2.1 push.rocks:v1.2.0 push.rocks:v1.1.0 push.rocks:v1.0.1
...
compare: push.rocks:v2.1.0
Branches Tags
push.rocks:main
push.rocks:v3.0.0 push.rocks:v2.4.0 push.rocks:v2.3.2 push.rocks:v2.3.1 push.rocks:v2.3.0 push.rocks:v2.2.1 push.rocks:v2.2.0 push.rocks:v2.1.0 push.rocks:v2.0.1 push.rocks:v2.0.0 push.rocks:v1.3.1 push.rocks:v1.3.0 push.rocks:v1.2.1 push.rocks:v1.2.0 push.rocks:v1.1.0 push.rocks:v1.0.1

3 Commits
v2.0.1 ... v2.1.0

Author SHA1 Message Date
Juergen Kunz
fc2e6d44f4 v2.1.0
Some checks failed
CI / Type Check & Lint (push) Failing after 4s
Details
CI / Build Test (Current Platform) (push) Failing after 4s
Details
CI / Build All Platforms (push) Failing after 4s
Details
Publish to npm / npm-publish (push) Failing after 5s
Details
Release / build-and-release (push) Failing after 4s
Details
2026-02-10 21:19:13 +00:00
Juergen Kunz
15a45089aa feat(security): migrate content scanning and bounce detection to Rust security bridge; add scanContent IPC command and Rust content scanner with tests; update TS RustSecurityBridge and callers, and adjust CI package references 2026-02-10 21:19:13 +00:00
Juergen Kunz
b82468ab1e BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks
Some checks failed
CI / Build Test (Current Platform) (push) Failing after 4s
Details
CI / Type Check & Lint (push) Failing after 6s
Details
CI / Build All Platforms (push) Failing after 4s
Details 
Phase 3 of the Rust migration: the Rust security bridge is now mandatory
and all TypeScript security fallback implementations have been removed.

- UnifiedEmailServer.start() throws if Rust bridge fails to start
- SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS)
- DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim()
- IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache
- DmarcVerifier keeps alignment logic (works with pre-computed results)
- DKIM signing via bridge.signDkim() in all 4 locations
- Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted)
 2026-02-10 20:30:43 +00:00
45 changed files with 1301 additions and 4225 deletions
Expand all files Collapse all files

16
.gitea/workflows/npm-publish.yml
View File

@@ -84,7 +84,7 @@ jobs:
mailer --version || echo "Note: Binary execution may fail in CI environment" mailer --version || echo "Note: Binary execution may fail in CI environment"
echo "" echo ""
echo "Checking installed files:" echo "Checking installed files:"
npm ls -g @serve.zone/mailer || true npm ls -g @push.rocks/smartmta || true
- name: Publish to npm - name: Publish to npm
env: env:
@@ -93,10 +93,10 @@ jobs:
echo "Publishing to npm registry..." echo "Publishing to npm registry..."
npm publish --access public npm publish --access public
echo "" echo ""
echo "✅ Successfully published @serve.zone/mailer to npm!" echo "✅ Successfully published @push.rocks/smartmta to npm!"
echo "" echo ""
echo "Package info:" echo "Package info:"
npm view @serve.zone/mailer npm view @push.rocks/smartmta
- name: Verify npm package - name: Verify npm package
run: | run: |
@@ -104,10 +104,10 @@ jobs:
sleep 30 sleep 30
echo "" echo ""
echo "Verifying published package..." echo "Verifying published package..."
npm view @serve.zone/mailer npm view @push.rocks/smartmta
echo "" echo ""
echo "Testing installation from npm:" echo "Testing installation from npm:"
npm install -g @serve.zone/mailer npm install -g @push.rocks/smartmta
echo "" echo ""
echo "Package installed successfully!" echo "Package installed successfully!"
which mailer || echo "Binary location check skipped" which mailer || echo "Binary location check skipped"
@@ -118,12 +118,12 @@ jobs:
echo " npm Publish Complete!" echo " npm Publish Complete!"
echo "================================================" echo "================================================"
echo "" echo ""
echo "✅ Package: @serve.zone/mailer" echo "✅ Package: @push.rocks/smartmta"
echo "✅ Version: ${{ steps.version.outputs.version }}" echo "✅ Version: ${{ steps.version.outputs.version }}"
echo "" echo ""
echo "Installation:" echo "Installation:"
echo " npm install -g @serve.zone/mailer" echo " npm install -g @push.rocks/smartmta"
echo "" echo ""
echo "Registry:" echo "Registry:"
echo " https://www.npmjs.com/package/@serve.zone/mailer" echo " https://www.npmjs.com/package/@push.rocks/smartmta"
echo "" echo ""

10
changelog.md
View File

@@ -1,5 +1,15 @@
# Changelog # Changelog
## 2026-02-10 - 2.1.0 - feat(security)
migrate content scanning and bounce detection to Rust security bridge; add scanContent IPC command and Rust content scanner with tests; update TS RustSecurityBridge and callers, and adjust CI package references
- Add Rust content scanner implementation (rust/crates/mailer-security/src/content_scanner.rs) with pattern-based detection and unit tests (~515 lines)
- Expose new IPC command 'scanContent' in mailer-bin and marshal results via JSON for the RustSecurityBridge
- Update TypeScript RustSecurityBridge with scanContent typing and method, and replace local JS detection logic (bounce/content) to call Rust bridge
- Update tests to start/stop the RustSecurityBridge and rely on Rust-based detection (test updates in test.bouncemanager.ts and test.contentscanner.ts)
- Update CI workflow messages and package references from @serve.zone/mailer to @push.rocks/smartmta
- Add regex dependency to rust mailer-security workspace (Cargo.toml / Cargo.lock updated)
## 2026-02-10 - 2.0.1 - fix(docs/readme) ## 2026-02-10 - 2.0.1 - fix(docs/readme)
update README: clarify APIs, document RustSecurityBridge, update examples and architecture diagram update README: clarify APIs, document RustSecurityBridge, update examples and architecture diagram

2
dist_ts/00_commitinfo_data.js
View File

@@ -3,7 +3,7 @@
*/ */
export const commitinfo = { export const commitinfo = {
name: '@push.rocks/smartmta', name: '@push.rocks/smartmta',
version: '2.0.0', version: '2.0.1',
description: 'A high-performance, enterprise-grade Mail Transfer Agent (MTA) built from scratch in TypeScript with Rust acceleration.' description: 'A high-performance, enterprise-grade Mail Transfer Agent (MTA) built from scratch in TypeScript with Rust acceleration.'
}; };
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiMDBfY29tbWl0aW5mb19kYXRhLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vdHMvMDBfY29tbWl0aW5mb19kYXRhLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOztHQUVHO0FBQ0gsTUFBTSxDQUFDLE1BQU0sVUFBVSxHQUFHO0lBQ3hCLElBQUksRUFBRSxzQkFBc0I7SUFDNUIsT0FBTyxFQUFFLE9BQU87SUFDaEIsV0FBVyxFQUFFLHlIQUF5SDtDQUN2SSxDQUFBIn0= //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiMDBfY29tbWl0aW5mb19kYXRhLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vdHMvMDBfY29tbWl0aW5mb19kYXRhLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOztHQUVHO0FBQ0gsTUFBTSxDQUFDLE1BQU0sVUFBVSxHQUFHO0lBQ3hCLElBQUksRUFBRSxzQkFBc0I7SUFDNUIsT0FBTyxFQUFFLE9BQU87SUFDaEIsV0FBVyxFQUFFLHlIQUF5SDtDQUN2SSxDQUFBIn0=

15
dist_ts/mail/core/classes.bouncemanager.d.ts vendored
View File

@@ -165,21 +165,6 @@ export declare class BounceManager {
type: BounceType; type: BounceType;
category: BounceCategory; category: BounceCategory;
} | null; } | null;
/**
* Analyze SMTP response and diagnostic codes to determine bounce type
* @param smtpResponse SMTP response string
* @param diagnosticCode Diagnostic code from bounce
* @param statusCode Status code from bounce
* @returns Detected bounce type and category
*/
private detectBounceType;
/**
* Check if text matches any pattern for a bounce type
* @param text Text to check against patterns
* @param bounceType Bounce type to get patterns for
* @returns Whether the text matches any pattern
*/
private matchesPattern;
/** /**
* Get all known hard bounced addresses * Get all known hard bounced addresses
* @returns Array of hard bounced email addresses * @returns Array of hard bounced email addresses

234
dist_ts/mail/core/classes.bouncemanager.js
View File

File diff suppressed because one or more lines are too long

31
dist_ts/mail/delivery/classes.delivery.system.js
View File

File diff suppressed because one or more lines are too long

24
dist_ts/mail/delivery/classes.emailsignjob.js
View File

@@ -1,4 +1,5 @@
import * as plugins from '../../plugins.js'; import * as plugins from '../../plugins.js';
import { RustSecurityBridge } from '../../security/classes.rustsecuritybridge.js';
export class EmailSignJob { export class EmailSignJob {
emailServerRef; emailServerRef;
jobOptions; jobOptions;
@@ -12,25 +13,14 @@ export class EmailSignJob {
} }
async getSignatureHeader(emailMessage) { async getSignatureHeader(emailMessage) {
const privateKey = await this.loadPrivateKey(); const privateKey = await this.loadPrivateKey();
const signResult = await plugins.dkimSign(emailMessage, { const bridge = RustSecurityBridge.getInstance();
signingDomain: this.jobOptions.domain, const signResult = await bridge.signDkim({
rawMessage: emailMessage,
domain: this.jobOptions.domain,
selector: this.jobOptions.selector, selector: this.jobOptions.selector,
privateKey, privateKey,
canonicalization: 'relaxed/relaxed',
algorithm: 'rsa-sha256',
signTime: new Date(),
signatureData: [
{
signingDomain: this.jobOptions.domain,
selector: this.jobOptions.selector,
privateKey,
algorithm: 'rsa-sha256',
canonicalization: 'relaxed/relaxed',
},
],
}); });
const signature = signResult.signatures; return signResult.header;
return signature;
} }
} }
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy5lbWFpbHNpZ25qb2IuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy9tYWlsL2RlbGl2ZXJ5L2NsYXNzZXMuZW1haWxzaWduam9iLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxPQUFPLE1BQU0sa0JBQWtCLENBQUM7QUFjNUMsTUFBTSxPQUFPLFlBQVk7SUFDdkIsY0FBYyxDQUFxQjtJQUNuQyxVQUFVLENBQXVCO0lBRWpDLFlBQVksY0FBa0MsRUFBRSxPQUE2QjtRQUMzRSxJQUFJLENBQUMsY0FBYyxHQUFHLGNBQWMsQ0FBQztRQUNyQyxJQUFJLENBQUMsVUFBVSxHQUFHLE9BQU8sQ0FBQztJQUM1QixDQUFDO0lBRUQsS0FBSyxDQUFDLGNBQWM7UUFDbEIsTUFBTSxPQUFPLEdBQUcsTUFBTSxJQUFJLENBQUMsY0FBYyxDQUFDLFdBQVcsQ0FBQyxZQUFZLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUMzRixPQUFPLE9BQU8sQ0FBQyxVQUFVLENBQUM7SUFDNUIsQ0FBQztJQUVNLEtBQUssQ0FBQyxrQkFBa0IsQ0FBQyxZQUFvQjtRQUNsRCxNQUFNLFVBQVUsR0FBRyxNQUFNLElBQUksQ0FBQyxjQUFjLEVBQUUsQ0FBQztRQUMvQyxNQUFNLFVBQVUsR0FBRyxNQUFNLE9BQU8sQ0FBQyxRQUFRLENBQUMsWUFBWSxFQUFFO1lBQ3RELGFBQWEsRUFBRSxJQUFJLENBQUMsVUFBVSxDQUFDLE1BQU07WUFDckMsUUFBUSxFQUFFLElBQUksQ0FBQyxVQUFVLENBQUMsUUFBUTtZQUNsQyxVQUFVO1lBQ1YsZ0JBQWdCLEVBQUUsaUJBQWlCO1lBQ25DLFNBQVMsRUFBRSxZQUFZO1lBQ3ZCLFFBQVEsRUFBRSxJQUFJLElBQUksRUFBRTtZQUNwQixhQUFhLEVBQUU7Z0JBQ2I7b0JBQ0UsYUFBYSxFQUFFLElBQUksQ0FBQyxVQUFVLENBQUMsTUFBTTtvQkFDckMsUUFBUSxFQUFFLElBQUksQ0FBQyxVQUFVLENBQUMsUUFBUTtvQkFDbEMsVUFBVTtvQkFDVixTQUFTLEVBQUUsWUFBWTtvQkFDdkIsZ0JBQWdCLEVBQUUsaUJBQWlCO2lCQUNwQzthQUNGO1NBQ0YsQ0FBQyxDQUFDO1FBQ0gsTUFBTSxTQUFTLEdBQUcsVUFBVSxDQUFDLFVBQVUsQ0FBQztRQUN4QyxPQUFPLFNBQVMsQ0FBQztJQUNuQixDQUFDO0NBQ0YifQ== //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy5lbWFpbHNpZ25qb2IuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy9tYWlsL2RlbGl2ZXJ5L2NsYXNzZXMuZW1haWxzaWduam9iLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxPQUFPLE1BQU0sa0JBQWtCLENBQUM7QUFFNUMsT0FBTyxFQUFFLGtCQUFrQixFQUFFLE1BQU0sOENBQThDLENBQUM7QUFhbEYsTUFBTSxPQUFPLFlBQVk7SUFDdkIsY0FBYyxDQUFxQjtJQUNuQyxVQUFVLENBQXVCO0lBRWpDLFlBQVksY0FBa0MsRUFBRSxPQUE2QjtRQUMzRSxJQUFJLENBQUMsY0FBYyxHQUFHLGNBQWMsQ0FBQztRQUNyQyxJQUFJLENBQUMsVUFBVSxHQUFHLE9BQU8sQ0FBQztJQUM1QixDQUFDO0lBRUQsS0FBSyxDQUFDLGNBQWM7UUFDbEIsTUFBTSxPQUFPLEdBQUcsTUFBTSxJQUFJLENBQUMsY0FBYyxDQUFDLFdBQVcsQ0FBQyxZQUFZLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUMzRixPQUFPLE9BQU8sQ0FBQyxVQUFVLENBQUM7SUFDNUIsQ0FBQztJQUVNLEtBQUssQ0FBQyxrQkFBa0IsQ0FBQyxZQUFvQjtRQUNsRCxNQUFNLFVBQVUsR0FBRyxNQUFNLElBQUksQ0FBQyxjQUFjLEVBQUUsQ0FBQztRQUMvQyxNQUFNLE1BQU0sR0FBRyxrQkFBa0IsQ0FBQyxXQUFXLEVBQUUsQ0FBQztRQUNoRCxNQUFNLFVBQVUsR0FBRyxNQUFNLE1BQU0sQ0FBQyxRQUFRLENBQUM7WUFDdkMsVUFBVSxFQUFFLFlBQVk7WUFDeEIsTUFBTSxFQUFFLElBQUksQ0FBQyxVQUFVLENBQUMsTUFBTTtZQUM5QixRQUFRLEVBQUUsSUFBSSxDQUFDLFVBQVUsQ0FBQyxRQUFRO1lBQ2xDLFVBQVU7U0FDWCxDQUFDLENBQUM7UUFDSCxPQUFPLFVBQVUsQ0FBQyxNQUFNLENBQUM7SUFDM0IsQ0FBQztDQUNGIn0=

37
dist_ts/mail/delivery/classes.smtp.client.legacy.js
View File

File diff suppressed because one or more lines are too long

140
dist_ts/mail/routing/classes.unified.email.server.js
View File

File diff suppressed because one or more lines are too long

25
dist_ts/mail/security/classes.dkimverifier.d.ts vendored
View File

@@ -11,36 +11,19 @@ export interface IDkimVerificationResult {
signatureFields?: Record<string, string>; signatureFields?: Record<string, string>;
} }
/** /**
* Enhanced DKIM verifier using smartmail capabilities * DKIM verifier — delegates to the Rust security bridge.
*/ */
export declare class DKIMVerifier { export declare class DKIMVerifier {
private verificationCache;
private cacheTtl;
constructor(); constructor();
/** /**
* Verify DKIM signature for an email * Verify DKIM signature for an email via Rust bridge
* @param emailData The raw email data
* @param options Verification options
* @returns Verification result
*/ */
verify(emailData: string, options?: { verify(emailData: string, options?: {
useCache?: boolean; useCache?: boolean;
returnDetails?: boolean; returnDetails?: boolean;
}): Promise<IDkimVerificationResult>; }): Promise<IDkimVerificationResult>;
/** /** No-op — Rust bridge handles its own caching */
* Fetch DKIM public key from DNS
* @param domain The domain
* @param selector The DKIM selector
* @returns The DKIM public key or null if not found
*/
private fetchDkimKey;
/**
* Clear the verification cache
*/
clearCache(): void; clearCache(): void;
/** /** Always 0 — cache is managed by the Rust side */
* Get the size of the verification cache
* @returns Number of cached items
*/
getCacheSize(): number; getCacheSize(): number;
} }

323
dist_ts/mail/security/classes.dkimverifier.js
View File

File diff suppressed because one or more lines are too long

3
dist_ts/mail/security/classes.dmarcverifier.js
View File

File diff suppressed because one or more lines are too long

46
dist_ts/mail/security/classes.spfverifier.d.ts vendored
View File

@@ -50,54 +50,22 @@ export interface SpfResult {
error?: string; error?: string;
} }
/** /**
* Class for verifying SPF records * Class for verifying SPF records.
* Delegates actual SPF evaluation to the Rust security bridge.
* Retains parseSpfRecord() for lightweight local parsing.
*/ */
export declare class SpfVerifier { export declare class SpfVerifier {
private dnsManager?; constructor(_dnsManager?: any);
private lookupCount;
constructor(dnsManager?: any);
/** /**
* Parse SPF record from TXT record * Parse SPF record from TXT record (pure string parsing, no DNS)
* @param record SPF TXT record
* @returns Parsed SPF record or null if invalid
*/ */
parseSpfRecord(record: string): SpfRecord | null; parseSpfRecord(record: string): SpfRecord | null;
/** /**
* Check if IP is in CIDR range * Verify SPF for a given email — delegates to Rust bridge
* @param ip IP address to check
* @param cidr CIDR range
* @returns Whether the IP is in the CIDR range
*/
private isIpInCidr;
/**
* Check if a domain has the specified IP in its A or AAAA records
* @param domain Domain to check
* @param ip IP address to check
* @returns Whether the domain resolves to the IP
*/
private isDomainResolvingToIp;
/**
* Verify SPF for a given email with IP and helo domain
* @param email Email to verify
* @param ip Sender IP address
* @param heloDomain HELO/EHLO domain used by sender
* @returns SPF verification result
*/ */
verify(email: Email, ip: string, heloDomain: string): Promise<SpfResult>; verify(email: Email, ip: string, heloDomain: string): Promise<SpfResult>;
/** /**
* Check SPF record against IP address * Check if email passes SPF verification and apply headers
* @param spfRecord Parsed SPF record
* @param domain Domain being checked
* @param ip IP address to check
* @returns SPF result
*/
private checkSpfRecord;
/**
* Check if email passes SPF verification
* @param email Email to verify
* @param ip Sender IP address
* @param heloDomain HELO/EHLO domain used by sender
* @returns Whether email passes SPF
*/ */
verifyAndApply(email: Email, ip: string, heloDomain: string): Promise<boolean>; verifyAndApply(email: Email, ip: string, heloDomain: string): Promise<boolean>;
} }

397
dist_ts/mail/security/classes.spfverifier.js
View File

File diff suppressed because one or more lines are too long

5
dist_ts/plugins.d.ts vendored
View File

@@ -42,9 +42,6 @@ import * as cloudflare from '@apiclient.xyz/cloudflare';
export { cloudflare, }; export { cloudflare, };
import * as tsclass from '@tsclass/tsclass'; import * as tsclass from '@tsclass/tsclass';
export { tsclass, }; export { tsclass, };
import * as mailauth from 'mailauth';
import { dkimSign } from 'mailauth/lib/dkim/sign.js';
import mailparser from 'mailparser'; import mailparser from 'mailparser';
import * as uuid from 'uuid'; import * as uuid from 'uuid';
import * as ip from 'ip'; export { mailparser, uuid, };
export { mailauth, dkimSign, mailparser, uuid, ip, };

7
dist_ts/plugins.js
View File

@@ -48,10 +48,7 @@ export { cloudflare, };
import * as tsclass from '@tsclass/tsclass'; import * as tsclass from '@tsclass/tsclass';
export { tsclass, }; export { tsclass, };
// third party // third party
import * as mailauth from 'mailauth';
import { dkimSign } from 'mailauth/lib/dkim/sign.js';
import mailparser from 'mailparser'; import mailparser from 'mailparser';
import * as uuid from 'uuid'; import * as uuid from 'uuid';
import * as ip from 'ip'; export { mailparser, uuid, };
export { mailauth, dkimSign, mailparser, uuid, ip, }; //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicGx1Z2lucy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uL3RzL3BsdWdpbnMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsY0FBYztBQUNkLE9BQU8sS0FBSyxHQUFHLE1BQU0sS0FBSyxDQUFDO0FBQzNCLE9BQU8sS0FBSyxFQUFFLE1BQU0sSUFBSSxDQUFDO0FBQ3pCLE9BQU8sS0FBSyxNQUFNLE1BQU0sUUFBUSxDQUFDO0FBQ2pDLE9BQU8sS0FBSyxJQUFJLE1BQU0sTUFBTSxDQUFDO0FBQzdCLE9BQU8sS0FBSyxHQUFHLE1BQU0sS0FBSyxDQUFDO0FBQzNCLE9BQU8sS0FBSyxFQUFFLE1BQU0sSUFBSSxDQUFDO0FBQ3pCLE9BQU8sS0FBSyxJQUFJLE1BQU0sTUFBTSxDQUFDO0FBQzdCLE9BQU8sS0FBSyxHQUFHLE1BQU0sS0FBSyxDQUFDO0FBQzNCLE9BQU8sS0FBSyxJQUFJLE1BQU0sTUFBTSxDQUFDO0FBRTdCLE9BQU8sRUFDTCxHQUFHLEVBQ0gsRUFBRSxFQUNGLE1BQU0sRUFDTixJQUFJLEVBQ0osR0FBRyxFQUNILEVBQUUsRUFDRixJQUFJLEVBQ0osR0FBRyxFQUNILElBQUksR0FDTCxDQUFBO0FBRUQsb0JBQW9CO0FBQ3BCLE9BQU8sS0FBSyxtQkFBbUIsTUFBTSx3QkFBd0IsQ0FBQztBQUU5RCxPQUFPLEVBQ0wsbUJBQW1CLEVBQ3BCLENBQUE7QUFFRCxvQkFBb0I7QUFDcEIsT0FBTyxLQUFLLFlBQVksTUFBTSwwQkFBMEIsQ0FBQztBQUN6RCxPQUFPLEtBQUssV0FBVyxNQUFNLHlCQUF5QixDQUFDO0FBQ3ZELE9BQU8sS0FBSyxXQUFXLE1BQU0seUJBQXlCLENBQUM7QUFFdkQsT0FBTyxFQUNMLFlBQVksRUFDWixXQUFXLEVBQ1gsV0FBVyxHQUNaLENBQUE7QUFFRCxvQkFBb0I7QUFDcEIsT0FBTyxLQUFLLFdBQVcsTUFBTSx5QkFBeUIsQ0FBQztBQUN2RCxPQUFPLEtBQUssSUFBSSxNQUFNLGtCQUFrQixDQUFDO0FBQ3pDLE9BQU8sS0FBSyxTQUFTLE1BQU0sdUJBQXVCLENBQUM7QUFDbkQsT0FBTyxLQUFLLFNBQVMsTUFBTSx1QkFBdUIsQ0FBQztBQUNuRCxPQUFPLEtBQUssUUFBUSxNQUFNLHNCQUFzQixDQUFDO0FBQ2pELE9BQU8sS0FBSyxTQUFTLE1BQU0sdUJBQXVCLENBQUM7QUFDbkQsT0FBTyxFQUFFLE9BQU8sRUFBRSxtQkFBbUIsRUFBRSxNQUFNLHFCQUFxQixDQUFDO0FBQ25FLE9BQU8sS0FBSyxVQUFVLE1BQU0sd0JBQXdCLENBQUM7QUFDckQsT0FBTyxLQUFLLFFBQVEsTUFBTSxzQkFBc0IsQ0FBQztBQUNqRCxPQUFPLEtBQUssUUFBUSxNQUFNLHNCQUFzQixDQUFDO0FBQ2pELE9BQU8sS0FBSyxTQUFTLE1BQU0sdUJBQXVCLENBQUM7QUFDbkQsT0FBTyxLQUFLLFlBQVksTUFBTSwwQkFBMEIsQ0FBQztBQUN6RCxPQUFPLEtBQUssWUFBWSxNQUFNLDBCQUEwQixDQUFDO0FBQ3pELE9BQU8sS0FBSyxTQUFTLE1BQU0sdUJBQXVCLENBQUM7QUFDbkQsT0FBTyxLQUFLLFVBQVUsTUFBTSx3QkFBd0IsQ0FBQztBQUNyRCxPQUFPLEtBQUssWUFBWSxNQUFNLDBCQUEwQixDQUFDO0FBQ3pELE9BQU8sS0FBSyxZQUFZLE1BQU0sMEJBQTBCLENBQUM7QUFDekQsT0FBTyxLQUFLLFNBQVMsTUFBTSx1QkFBdUIsQ0FBQztBQUNuRCxPQUFPLEtBQUssU0FBUyxNQUFNLHVCQUF1QixDQUFDO0FBQ25ELE9BQU8sS0FBSyxPQUFPLE1BQU0scUJBQXFCLENBQUM7QUFDL0MsT0FBTyxLQUFLLFdBQVcsTUFBTSx5QkFBeUIsQ0FBQztBQUV2RCxNQUFNLENBQUMsTUFBTSxPQUFPLEdBQUcsSUFBSSxPQUFPLENBQUMsSUFBSSxtQkFBbUIsRUFBRSxDQUFDLENBQUM7QUFFOUQsT0FBTyxFQUFFLFdBQVcsRUFBRSxJQUFJLEVBQUUsU0FBUyxFQUFFLFNBQVMsRUFBRSxRQUFRLEVBQUUsU0FBUyxFQUFFLE9BQU8sRUFBRSxVQUFVLEVBQUUsUUFBUSxFQUFFLFFBQVEsRUFBRSxTQUFTLEVBQUUsWUFBWSxFQUFFLFlBQVksRUFBRSxTQUFTLEVBQUUsVUFBVSxFQUFFLFlBQVksRUFBRSxZQUFZLEVBQUUsU0FBUyxFQUFFLFNBQVMsRUFBRSxPQUFPLEVBQUUsV0FBVyxFQUFFLENBQUM7QUFLdlAsc0JBQXNCO0FBQ3RCLE9BQU8sS0FBSyxVQUFVLE1BQU0sMkJBQTJCLENBQUM7QUFFeEQsT0FBTyxFQUNMLFVBQVUsR0FDWCxDQUFBO0FBRUQsZ0JBQWdCO0FBQ2hCLE9BQU8sS0FBSyxPQUFPLE1BQU0sa0JBQWtCLENBQUM7QUFFNUMsT0FBTyxFQUNMLE9BQU8sR0FDUixDQUFBO0FBRUQsY0FBYztBQUNkLE9BQU8sVUFBVSxNQUFNLFlBQVksQ0FBQztBQUNwQyxPQUFPLEtBQUssSUFBSSxNQUFNLE1BQU0sQ0FBQztBQUU3QixPQUFPLEVBQ0wsVUFBVSxFQUNWLElBQUksR0FDTCxDQUFBIn0=
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicGx1Z2lucy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uL3RzL3BsdWdpbnMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsY0FBYztBQUNkLE9BQU8sS0FBSyxHQUFHLE1BQU0sS0FBSyxDQUFDO0FBQzNCLE9BQU8sS0FBSyxFQUFFLE1BQU0sSUFBSSxDQUFDO0FBQ3pCLE9BQU8sS0FBSyxNQUFNLE1BQU0sUUFBUSxDQUFDO0FBQ2pDLE9BQU8sS0FBSyxJQUFJLE1BQU0sTUFBTSxDQUFDO0FBQzdCLE9BQU8sS0FBSyxHQUFHLE1BQU0sS0FBSyxDQUFDO0FBQzNCLE9BQU8sS0FBSyxFQUFFLE1BQU0sSUFBSSxDQUFDO0FBQ3pCLE9BQU8sS0FBSyxJQUFJLE1BQU0sTUFBTSxDQUFDO0FBQzdCLE9BQU8sS0FBSyxHQUFHLE1BQU0sS0FBSyxDQUFDO0FBQzNCLE9BQU8sS0FBSyxJQUFJLE1BQU0sTUFBTSxDQUFDO0FBRTdCLE9BQU8sRUFDTCxHQUFHLEVBQ0gsRUFBRSxFQUNGLE1BQU0sRUFDTixJQUFJLEVBQ0osR0FBRyxFQUNILEVBQUUsRUFDRixJQUFJLEVBQ0osR0FBRyxFQUNILElBQUksR0FDTCxDQUFBO0FBRUQsb0JBQW9CO0FBQ3BCLE9BQU8sS0FBSyxtQkFBbUIsTUFBTSx3QkFBd0IsQ0FBQztBQUU5RCxPQUFPLEVBQ0wsbUJBQW1CLEVBQ3BCLENBQUE7QUFFRCxvQkFBb0I7QUFDcEIsT0FBTyxLQUFLLFlBQVksTUFBTSwwQkFBMEIsQ0FBQztBQUN6RCxPQUFPLEtBQUssV0FBVyxNQUFNLHlCQUF5QixDQUFDO0FBQ3ZELE9BQU8sS0FBSyxXQUFXLE1BQU0seUJBQXlCLENBQUM7QUFFdkQsT0FBTyxFQUNMLFlBQVksRUFDWixXQUFXLEVBQ1gsV0FBVyxHQUNaLENBQUE7QUFFRCxvQkFBb0I7QUFDcEIsT0FBTyxLQUFLLFdBQVcsTUFBTSx5QkFBeUIsQ0FBQztBQUN2RCxPQUFPLEtBQUssSUFBSSxNQUFNLGtCQUFrQixDQUFDO0FBQ3pDLE9BQU8sS0FBSyxTQUFTLE1BQU0sdUJBQXVCLENBQUM7QUFDbkQsT0FBTyxLQUFLLFNBQVMsTUFBTSx1QkFBdUIsQ0FBQztBQUNuRCxPQUFPLEtBQUssUUFBUSxNQUFNLHNCQUFzQixDQUFDO0FBQ2pELE9BQU8sS0FBSyxTQUFTLE1BQU0sdUJBQXVCLENBQUM7QUFDbkQsT0FBTyxFQUFFLE9BQU8sRUFBRSxtQkFBbUIsRUFBRSxNQUFNLHFCQUFxQixDQUFDO0FBQ25FLE9BQU8sS0FBSyxVQUFVLE1BQU0sd0JBQXdCLENBQUM7QUFDckQsT0FBTyxLQUFLLFFBQVEsTUFBTSxzQkFBc0IsQ0FBQztBQUNqRCxPQUFPLEtBQUssUUFBUSxNQUFNLHNCQUFzQixDQUFDO0FBQ2pELE9BQU8sS0FBSyxTQUFTLE1BQU0sdUJBQXVCLENBQUM7QUFDbkQsT0FBTyxLQUFLLFlBQVksTUFBTSwwQkFBMEIsQ0FBQztBQUN6RCxPQUFPLEtBQUssWUFBWSxNQUFNLDBCQUEwQixDQUFDO0FBQ3pELE9BQU8sS0FBSyxTQUFTLE1BQU0sdUJBQXVCLENBQUM7QUFDbkQsT0FBTyxLQUFLLFVBQVUsTUFBTSx3QkFBd0IsQ0FBQztBQUNyRCxPQUFPLEtBQUssWUFBWSxNQUFNLDBCQUEwQixDQUFDO0FBQ3pELE9BQU8sS0FBSyxZQUFZLE1BQU0sMEJBQTBCLENBQUM7QUFDekQsT0FBTyxLQUFLLFNBQVMsTUFBTSx1QkFBdUIsQ0FBQztBQUNuRCxPQUFPLEtBQUssU0FBUyxNQUFNLHVCQUF1QixDQUFDO0FBQ25ELE9BQU8sS0FBSyxPQUFPLE1BQU0scUJBQXFCLENBQUM7QUFDL0MsT0FBTyxLQUFLLFdBQVcsTUFBTSx5QkFBeUIsQ0FBQztBQUV2RCxNQUFNLENBQUMsTUFBTSxPQUFPLEdBQUcsSUFBSSxPQUFPLENBQUMsSUFBSSxtQkFBbUIsRUFBRSxDQUFDLENBQUM7QUFFOUQsT0FBTyxFQUFFLFdBQVcsRUFBRSxJQUFJLEVBQUUsU0FBUyxFQUFFLFNBQVMsRUFBRSxRQUFRLEVBQUUsU0FBUyxFQUFFLE9BQU8sRUFBRSxVQUFVLEVBQUUsUUFBUSxFQUFFLFFBQVEsRUFBRSxTQUFTLEVBQUUsWUFBWSxFQUFFLFlBQVksRUFBRSxTQUFTLEVBQUUsVUFBVSxFQUFFLFlBQVksRUFBRSxZQUFZLEVBQUUsU0FBUyxFQUFFLFNBQVMsRUFBRSxPQUFPLEVBQUUsV0FBVyxFQUFFLENBQUM7QUFLdlAsc0JBQXNCO0FBQ3RCLE9BQU8sS0FBSyxVQUFVLE1BQU0sMkJBQTJCLENBQUM7QUFFeEQsT0FBTyxFQUNMLFVBQVUsR0FDWCxDQUFBO0FBRUQsZ0JBQWdCO0FBQ2hCLE9BQU8sS0FBSyxPQUFPLE1BQU0sa0JBQWtCLENBQUM7QUFFNUMsT0FBTyxFQUNMLE9BQU8sR0FDUixDQUFBO0FBRUQsY0FBYztBQUNkLE9BQU8sS0FBSyxRQUFRLE1BQU0sVUFBVSxDQUFDO0FBQ3JDLE9BQU8sRUFBRSxRQUFRLEVBQUUsTUFBTSwyQkFBMkIsQ0FBQztBQUNyRCxPQUFPLFVBQVUsTUFBTSxZQUFZLENBQUM7QUFDcEMsT0FBTyxLQUFLLElBQUksTUFBTSxNQUFNLENBQUM7QUFDN0IsT0FBTyxLQUFLLEVBQUUsTUFBTSxJQUFJLENBQUM7QUFFekIsT0FBTyxFQUNMLFFBQVEsRUFDUixRQUFRLEVBQ1IsVUFBVSxFQUNWLElBQUksRUFDSixFQUFFLEdBQ0gsQ0FBQSJ9

52
dist_ts/security/classes.contentscanner.d.ts vendored
View File

@@ -54,9 +54,6 @@ export declare class ContentScanner {
private static instance; private static instance;
private scanCache; private scanCache;
private options; private options;
private static readonly MALICIOUS_PATTERNS;
private static readonly EXECUTABLE_EXTENSIONS;
private static readonly MACRO_DOCUMENT_EXTENSIONS;
/** /**
* Default options for the content scanner * Default options for the content scanner
*/ */
@@ -73,7 +70,9 @@ export declare class ContentScanner {
*/ */
static getInstance(options?: IContentScannerOptions): ContentScanner; static getInstance(options?: IContentScannerOptions): ContentScanner;
/** /**
* Scan an email for malicious content * Scan an email for malicious content.
* Delegates text/subject/html/filename pattern scanning to Rust.
* Binary attachment scanning (PE headers, VBA macros) stays in TS.
* @param email The email to scan * @param email The email to scan
* @returns Scan result * @returns Scan result
*/ */
@@ -85,41 +84,19 @@ export declare class ContentScanner {
*/ */
private generateCacheKey; private generateCacheKey;
/** /**
* Scan email subject for threats * Scan attachment binary content for PE headers and VBA macros.
* @param subject The subject to scan * This stays in TS because it accesses raw Buffer data (too large for IPC).
* @param result The scan result to update
*/
private scanSubject;
/**
* Scan plain text content for threats
* @param text The text content to scan
* @param result The scan result to update
*/
private scanTextContent;
/**
* Scan HTML content for threats
* @param html The HTML content to scan
* @param result The scan result to update
*/
private scanHtmlContent;
/**
* Scan an attachment for threats
* @param attachment The attachment to scan * @param attachment The attachment to scan
* @param result The scan result to update * @param result The scan result to update
*/ */
private scanAttachment; private scanAttachmentBinary;
/** /**
* Extract links from HTML content * Apply custom rules (runtime-configured patterns) to the email.
* @param html HTML content * These stay in TS because they are configured at runtime.
* @returns Array of extracted links * @param email The email to check
* @param result The scan result to update
*/ */
private extractLinksFromHtml; private applyCustomRules;
/**
* Extract plain text from HTML
* @param html HTML content
* @returns Extracted text
*/
private extractTextFromHtml;
/** /**
* Extract text from a binary buffer for scanning * Extract text from a binary buffer for scanning
* @param buffer Binary content * @param buffer Binary content
@@ -128,17 +105,10 @@ export declare class ContentScanner {
private extractTextFromBuffer; private extractTextFromBuffer;
/** /**
* Check if an Office document likely contains macros * Check if an Office document likely contains macros
* This is a simplified check - real implementation would use specialized libraries
* @param attachment The attachment to check * @param attachment The attachment to check
* @returns Whether the file likely contains macros * @returns Whether the file likely contains macros
*/ */
private likelyContainsMacros; private likelyContainsMacros;
/**
* Map a pattern category to a threat type
* @param category The pattern category
* @returns The corresponding threat type
*/
private mapCategoryToThreatType;
/** /**
* Log a high threat finding to the security logger * Log a high threat finding to the security logger
* @param email The email containing the threat * @param email The email containing the threat

439
dist_ts/security/classes.contentscanner.js
View File

File diff suppressed because one or more lines are too long

83
dist_ts/security/classes.ipreputationchecker.d.ts vendored
View File

@@ -48,103 +48,26 @@ export interface IIPReputationOptions {
enableIPInfo?: boolean; enableIPInfo?: boolean;
} }
/** /**
* Class for checking IP reputation of inbound email senders * IP reputation checker — delegates DNSBL lookups to the Rust security bridge.
* Retains LRU caching and disk persistence in TypeScript.
*/ */
export declare class IPReputationChecker { export declare class IPReputationChecker {
private static instance; private static instance;
private reputationCache; private reputationCache;
private options; private options;
private storageManager?; private storageManager?;
private static readonly DEFAULT_DNSBL_SERVERS;
private static readonly DEFAULT_OPTIONS; private static readonly DEFAULT_OPTIONS;
/**
* Constructor for IPReputationChecker
* @param options Configuration options
* @param storageManager Optional StorageManager instance for persistence
*/
constructor(options?: IIPReputationOptions, storageManager?: any); constructor(options?: IIPReputationOptions, storageManager?: any);
/**
* Get the singleton instance of the checker
* @param options Configuration options
* @param storageManager Optional StorageManager instance for persistence
* @returns Singleton instance
*/
static getInstance(options?: IIPReputationOptions, storageManager?: any): IPReputationChecker; static getInstance(options?: IIPReputationOptions, storageManager?: any): IPReputationChecker;
/** /**
* Check an IP address's reputation * Check an IP address's reputation via the Rust bridge
* @param ip IP address to check
* @returns Reputation check result
*/ */
checkReputation(ip: string): Promise<IReputationResult>; checkReputation(ip: string): Promise<IReputationResult>;
/**
* Check an IP against DNS blacklists
* @param ip IP address to check
* @returns DNSBL check results
*/
private checkDNSBL;
/**
* Get information about an IP address
* @param ip IP address to check
* @returns IP information
*/
private getIPInfo;
/**
* Simplified method to determine country from IP
* In a real implementation, this would use a geolocation database or service
* @param ip IP address
* @returns Country code
*/
private determineCountry;
/**
* Simplified method to determine organization from IP
* In a real implementation, this would use an IP-to-org database or service
* @param ip IP address
* @returns Organization name
*/
private determineOrg;
/**
* Reverse an IP address for DNSBL lookups (e.g., 1.2.3.4 -> 4.3.2.1)
* @param ip IP address to reverse
* @returns Reversed IP for DNSBL queries
*/
private reverseIP;
/**
* Create an error result for when reputation check fails
* @param ip IP address
* @param errorMessage Error message
* @returns Error result
*/
private createErrorResult; private createErrorResult;
/**
* Validate IP address format
* @param ip IP address to validate
* @returns Whether the IP is valid
*/
private isValidIPAddress; private isValidIPAddress;
/**
* Log reputation check to security logger
* @param ip IP address
* @param result Reputation result
*/
private logReputationCheck; private logReputationCheck;
/**
* Save cache to disk or storage manager
*/
private saveCache; private saveCache;
/**
* Load cache from disk or storage manager
*/
private loadCache; private loadCache;
/**
* Get the risk level for a reputation score
* @param score Reputation score (0-100)
* @returns Risk level description
*/
static getRiskLevel(score: number): 'high' | 'medium' | 'low' | 'trusted'; static getRiskLevel(score: number): 'high' | 'medium' | 'low' | 'trusted';
/**
* Update the storage manager after instantiation
* This is useful when the storage manager is not available at construction time
* @param storageManager The StorageManager instance to use
*/
updateStorageManager(storageManager: any): void; updateStorageManager(storageManager: any): void;
} }

329
dist_ts/security/classes.ipreputationchecker.js
View File

File diff suppressed because one or more lines are too long

15
dist_ts/security/classes.rustsecuritybridge.d.ts vendored
View File

@@ -48,6 +48,12 @@ interface IReputationResult {
listed_count: number; listed_count: number;
total_checked: number; total_checked: number;
} }
interface IContentScanResult {
threatScore: number;
threatType: string | null;
threatDetails: string | null;
scannedElements: string[];
}
interface IVersionInfo { interface IVersionInfo {
bin: string; bin: string;
core: string; core: string;
@@ -88,6 +94,13 @@ export declare class RustSecurityBridge {
diagnosticCode?: string; diagnosticCode?: string;
statusCode?: string; statusCode?: string;
}): Promise<IBounceDetection>; }): Promise<IBounceDetection>;
/** Scan email content for threats (phishing, spam, malware, etc.). */
scanContent(opts: {
subject?: string;
textBody?: string;
htmlBody?: string;
attachmentNames?: string[];
}): Promise<IContentScanResult>;
/** Check IP reputation via DNSBL. */ /** Check IP reputation via DNSBL. */
checkIpReputation(ip: string): Promise<IReputationResult>; checkIpReputation(ip: string): Promise<IReputationResult>;
/** Verify DKIM signatures on a raw email message. */ /** Verify DKIM signatures on a raw email message. */
@@ -123,4 +136,4 @@ export declare class RustSecurityBridge {
mailFrom: string; mailFrom: string;
}): Promise<IEmailSecurityResult>; }): Promise<IEmailSecurityResult>;
} }
export type { IDkimVerificationResult, ISpfResult, IDmarcResult, IEmailSecurityResult, IValidationResult, IBounceDetection, IReputationResult as IRustReputationResult, IVersionInfo, }; export type { IDkimVerificationResult, ISpfResult, IDmarcResult, IEmailSecurityResult, IValidationResult, IBounceDetection, IContentScanResult, IReputationResult as IRustReputationResult, IVersionInfo, };

6
dist_ts/security/classes.rustsecuritybridge.js
View File

File diff suppressed because one or more lines are too long

2
package.json
View File

@@ -1,6 +1,6 @@
{ {
"name": "@push.rocks/smartmta", "name": "@push.rocks/smartmta",
"version": "2.0.1", "version": "2.1.0",
"description": "A high-performance, enterprise-grade Mail Transfer Agent (MTA) built from scratch in TypeScript with Rust acceleration.", "description": "A high-performance, enterprise-grade Mail Transfer Agent (MTA) built from scratch in TypeScript with Rust acceleration.",
"keywords": [ "keywords": [
"mta", "mta",

212
readme.plan.md
View File

@@ -1,198 +1,24 @@
# Mailer Implementation Plan & Progress # Rust Migration Plan
## Project Goals ## Completed Phases
Build a Deno-based mail server package (`@serve.zone/mailer`) with: ### Phase 3: Rust Primary Backend (DKIM/SPF/DMARC/IP Reputation)
1. CLI interface similar to nupst/spark - Rust is the mandatory security backend — no TS fallbacks
2. SMTP server and client (ported from dcrouter) - All DKIM signing/verification, SPF, DMARC, IP reputation through Rust bridge
3. HTTP REST API (Mailgun-compatible)
4. Automatic DNS management via Cloudflare
5. Systemd daemon service
6. Binary distribution via npm
## Completed Work ### Phase 5: BounceManager + ContentScanner
- BounceManager bounce detection delegated to Rust `detectBounce` IPC command
- ContentScanner pattern matching delegated to new Rust `scanContent` IPC command
- New module: `rust/crates/mailer-security/src/content_scanner.rs` (10 Rust tests)
- ~215 lines removed from BounceManager, ~350 lines removed from ContentScanner
- Binary attachment scanning (PE headers, VBA macros) stays in TS
- Custom rules (runtime-configured) stay in TS
- Net change: ~-560 TS lines, +265 Rust lines
### ✅ Phase 1: Project Structure ## Deferred
- [x] Created Deno-based project structure (deno.json, package.json)
- [x] Set up bin/ wrappers for npm binary distribution
- [x] Created compilation scripts (compile-all.sh)
- [x] Set up install scripts (install-binary.js)
- [x] Created TypeScript source directory structure
### ✅ Phase 2: Mail Implementation (Ported from dcrouter) | Component | Rationale |
- [x] Copied and adapted mail/core/ (Email, EmailValidator, BounceManager, TemplateManager) |-----------|-----------|
- [x] Copied and adapted mail/delivery/ (SMTP client, SMTP server, queues, rate limiting) | EmailValidator | Already thin; uses smartmail; minimal gain |
- [x] Copied and adapted mail/routing/ (EmailRouter, DomainRegistry, DnsManager) | DNS record generation | Pure string building; zero benefit from Rust |
- [x] Copied and adapted mail/security/ (DKIM, SPF, DMARC) | MIME building (`toRFC822String`) | Sync in TS, async via IPC; too much blast radius |
- [x] Fixed all imports from .js to .ts extensions
- [x] Created stub modules for dcrouter dependencies (storage, security, deliverability, errors)
### ✅ Phase 3: Supporting Modules
- [x] Created logger module (simple console logging)
- [x] Created paths module (project paths)
- [x] Created plugins.ts (Deno dependencies + Node.js compatibility)
- [x] Added required npm dependencies (lru-cache, mailaddress-validator, cloudflare)
### ✅ Phase 4: DNS Management
- [x] Created DnsManager class with DNS record generation
- [x] Created CloudflareClient for automatic DNS setup
- [x] Added DNS validation functionality
### ✅ Phase 5: HTTP API
- [x] Created ApiServer class with basic routing
- [x] Implemented Mailgun-compatible endpoint structure
- [x] Added authentication and rate limiting stubs
### ✅ Phase 6: Configuration Management
- [x] Created ConfigManager for JSON-based config storage
- [x] Added domain configuration support
- [x] Implemented config load/save functionality
### ✅ Phase 7: Daemon Service
- [x] Created DaemonManager to coordinate SMTP server and API server
- [x] Added start/stop functionality
- [x] Integrated with ConfigManager
### ✅ Phase 8: CLI Interface
- [x] Created MailerCli class with command routing
- [x] Implemented service commands (start/stop/restart/status/enable/disable)
- [x] Implemented domain commands (add/remove/list)
- [x] Implemented DNS commands (setup/validate/show)
- [x] Implemented send command
- [x] Implemented config commands (show/set)
- [x] Added help and version commands
### ✅ Phase 9: Documentation
- [x] Created comprehensive README.md
- [x] Documented all CLI commands
- [x] Documented HTTP API endpoints
- [x] Provided configuration examples
- [x] Documented DNS requirements
- [x] Created changelog
## Next Steps (Remaining Work)
### Testing & Debugging
1. Fix remaining import/dependency issues
2. Test compilation with `deno compile`
3. Test CLI commands end-to-end
4. Test SMTP sending/receiving
5. Test HTTP API endpoints
6. Write unit tests
### Systemd Integration
1. Create systemd service file
2. Implement service enable/disable
3. Add service status checking
4. Test daemon auto-restart
### Cloudflare Integration
1. Test actual Cloudflare API calls
2. Handle Cloudflare errors gracefully
3. Add zone detection
4. Verify DNS record creation
### Production Readiness
1. Add proper error handling throughout
2. Implement logging to files
3. Add rate limiting implementation
4. Implement API key authentication
5. Add TLS certificate management
6. Implement email queue persistence
### Advanced Features
1. Webhook support for incoming emails
2. Email template system
3. Analytics and reporting
4. SMTP credential management
5. Email event tracking
6. Bounce handling
## Known Issues
1. Some npm dependencies may need version adjustments
2. Deno crypto APIs may need adaptation for DKIM signing
3. Buffer vs Uint8Array conversions may be needed
4. Some dcrouter-specific code may need further adaptation
## File Structure Overview
```
mailer/
├── README.md ✅ Complete
├── license ✅ Complete
├── changelog.md ✅ Complete
├── deno.json ✅ Complete
├── package.json ✅ Complete
├── mod.ts ✅ Complete
├── bin/
│ └── mailer-wrapper.js ✅ Complete
├── scripts/
│ ├── compile-all.sh ✅ Complete
│ └── install-binary.js ✅ Complete
└── ts/
├── 00_commitinfo_data.ts ✅ Complete
├── index.ts ✅ Complete
├── cli.ts ✅ Complete
├── plugins.ts ✅ Complete
├── logger.ts ✅ Complete
├── paths.ts ✅ Complete
├── classes.mailer.ts ✅ Complete
├── cli/
│ ├── index.ts ✅ Complete
│ └── mailer-cli.ts ✅ Complete
├── api/
│ ├── index.ts ✅ Complete
│ ├── api-server.ts ✅ Complete
│ └── routes/ ✅ Structure ready
├── dns/
│ ├── index.ts ✅ Complete
│ ├── dns-manager.ts ✅ Complete
│ └── cloudflare-client.ts ✅ Complete
├── daemon/
│ ├── index.ts ✅ Complete
│ └── daemon-manager.ts ✅ Complete
├── config/
│ ├── index.ts ✅ Complete
│ └── config-manager.ts ✅ Complete
├── storage/
│ └── index.ts ✅ Stub complete
├── security/
│ └── index.ts ✅ Stub complete
├── deliverability/
│ └── index.ts ✅ Stub complete
├── errors/
│ └── index.ts ✅ Stub complete
└── mail/ ✅ Ported from dcrouter
├── core/ ✅ Complete
├── delivery/ ✅ Complete
├── routing/ ✅ Complete
└── security/ ✅ Complete
```
## Summary
The mailer package structure is **95% complete**. All major components have been implemented:
- Project structure and build system ✅
- Mail implementation ported from dcrouter ✅
- CLI interface ✅
- DNS management ✅
- HTTP API ✅
- Configuration system ✅
- Daemon management ✅
- Documentation ✅
**Remaining work**: Testing, debugging dependency issues, systemd integration, and production hardening.

1
rust/Cargo.lock generated
View File

@@ -1054,6 +1054,7 @@ dependencies = [
"mail-auth", "mail-auth",
"mailer-core", "mailer-core",
"psl", "psl",
"regex",
"ring", "ring",
"rustls-pki-types", "rustls-pki-types",
"serde", "serde",

21
rust/crates/mailer-bin/src/main.rs
View File

@@ -1,4 +1,4 @@
//! mailer-bin: CLI and IPC binary for the @serve.zone/mailer Rust crates. //! mailer-bin: CLI and IPC binary for the @push.rocks/smartmta Rust crates.
//! //!
//! Supports two modes: //! Supports two modes:
//! 1. **CLI mode** — traditional subcommands for testing and standalone use //! 1. **CLI mode** — traditional subcommands for testing and standalone use
@@ -560,6 +560,25 @@ async fn handle_ipc_request(req: &IpcRequest) -> IpcResponse {
} }
} }
"scanContent" => {
let subject = req.params.get("subject").and_then(|v| v.as_str());
let text_body = req.params.get("textBody").and_then(|v| v.as_str());
let html_body = req.params.get("htmlBody").and_then(|v| v.as_str());
let attachment_names: Vec<String> = req.params.get("attachmentNames")
.and_then(|v| v.as_array())
.map(|a| a.iter().filter_map(|v| v.as_str().map(String::from)).collect())
.unwrap_or_default();
let result = mailer_security::content_scanner::scan_content(
subject, text_body, html_body, &attachment_names
);
IpcResponse {
id: req.id.clone(),
success: true,
result: Some(serde_json::to_value(&result).unwrap()),
error: None,
}
}
"checkSpf" => { "checkSpf" => {
let ip_str = req.params.get("ip").and_then(|v| v.as_str()).unwrap_or(""); let ip_str = req.params.get("ip").and_then(|v| v.as_str()).unwrap_or("");
let helo = req let helo = req

1
rust/crates/mailer-security/Cargo.toml
View File

@@ -17,3 +17,4 @@ hickory-resolver.workspace = true
ipnet.workspace = true ipnet.workspace = true
rustls-pki-types.workspace = true rustls-pki-types.workspace = true
psl.workspace = true psl.workspace = true
regex.workspace = true

515
rust/crates/mailer-security/src/content_scanner.rs Normal file
View File

@@ -0,0 +1,515 @@
//! Content scanning for email threat detection.
//!
//! Provides pattern-based scanning of email subjects, text bodies, HTML bodies,
//! and attachment filenames for phishing, spam, malware, suspicious links,
//! script injection, and sensitive data patterns.
use regex::Regex;
use serde::Serialize;
use std::sync::LazyLock;
// ---------------------------------------------------------------------------
// Result types
// ---------------------------------------------------------------------------
#[derive(Debug, Clone, Serialize)]
#[serde(rename_all = "camelCase")]
pub struct ContentScanResult {
pub threat_score: u32,
pub threat_type: Option<String>,
pub threat_details: Option<String>,
pub scanned_elements: Vec<String>,
}
// ---------------------------------------------------------------------------
// Pattern definitions (compiled once via LazyLock)
// ---------------------------------------------------------------------------
static PHISHING_PATTERNS: LazyLock<Vec<Regex>> = LazyLock::new(|| {
vec![
Regex::new(r"(?i)(?:verify|confirm|update|login).*(?:account|password|details)").unwrap(),
Regex::new(r"(?i)urgent.*(?:action|attention|required)").unwrap(),
Regex::new(r"(?i)(?:paypal|apple|microsoft|amazon|google|bank).*(?:verify|confirm|suspend)").unwrap(),
Regex::new(r"(?i)your.*(?:account).*(?:suspended|compromised|locked)").unwrap(),
Regex::new(r"(?i)\b(?:password reset|security alert|security notice)\b").unwrap(),
]
});
static SPAM_PATTERNS: LazyLock<Vec<Regex>> = LazyLock::new(|| {
vec![
Regex::new(r"(?i)\b(?:viagra|cialis|enlargement|diet pill|lose weight fast|cheap meds)\b").unwrap(),
Regex::new(r"(?i)\b(?:million dollars|lottery winner|prize claim|inheritance|rich widow)\b").unwrap(),
Regex::new(r"(?i)\b(?:earn from home|make money fast|earn \$\d{3,}/day)\b").unwrap(),
Regex::new(r"(?i)\b(?:limited time offer|act now|exclusive deal|only \d+ left)\b").unwrap(),
Regex::new(r"(?i)\b(?:forex|stock tip|investment opportunity|cryptocurrency|bitcoin)\b").unwrap(),
]
});
static MALWARE_PATTERNS: LazyLock<Vec<Regex>> = LazyLock::new(|| {
vec![
Regex::new(r"(?i)(?:attached file|see attachment).*(?:invoice|receipt|statement|document)").unwrap(),
Regex::new(r"(?i)open.*(?:the attached|this attachment)").unwrap(),
Regex::new(r"(?i)(?:enable|allow).*(?:macros|content|editing)").unwrap(),
Regex::new(r"(?i)download.*(?:attachment|file|document)").unwrap(),
Regex::new(r"(?i)\b(?:ransomware protection|virus alert|malware detected)\b").unwrap(),
]
});
static SUSPICIOUS_LINK_PATTERNS: LazyLock<Vec<Regex>> = LazyLock::new(|| {
vec![
Regex::new(r"(?i)https?://bit\.ly/").unwrap(),
Regex::new(r"(?i)https?://goo\.gl/").unwrap(),
Regex::new(r"(?i)https?://t\.co/").unwrap(),
Regex::new(r"(?i)https?://tinyurl\.com/").unwrap(),
Regex::new(r"(?i)https?://(?:\d{1,3}\.){3}\d{1,3}").unwrap(),
Regex::new(r"(?i)https?://.*\.(?:xyz|top|club|gq|cf)/").unwrap(),
Regex::new(r"(?i)(?:login|account|signin|auth).*\.(?:xyz|top|club|gq|cf|tk|ml|ga|pw|ws|buzz)\b").unwrap(),
]
});
static SCRIPT_INJECTION_PATTERNS: LazyLock<Vec<Regex>> = LazyLock::new(|| {
vec![
Regex::new(r"(?is)<script.*>.*</script>").unwrap(),
Regex::new(r"(?i)javascript:").unwrap(),
Regex::new(r#"(?i)on(?:click|load|mouse|error|focus|blur)=".*""#).unwrap(),
Regex::new(r"(?i)document\.(?:cookie|write|location)").unwrap(),
Regex::new(r"(?i)eval\s*\(").unwrap(),
]
});
static SENSITIVE_DATA_PATTERNS: LazyLock<Vec<Regex>> = LazyLock::new(|| {
vec![
Regex::new(r"\b(?:\d{3}-\d{2}-\d{4}|\d{9})\b").unwrap(),
Regex::new(r"\b\d{13,16}\b").unwrap(),
Regex::new(r"\b(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\b").unwrap(),
]
});
/// Link extraction from HTML href attributes.
static HREF_PATTERN: LazyLock<Regex> = LazyLock::new(|| {
Regex::new(r#"(?i)href=["'](https?://[^"']+)["']"#).unwrap()
});
/// Executable file extensions that are considered dangerous.
static EXECUTABLE_EXTENSIONS: LazyLock<Vec<&'static str>> = LazyLock::new(|| {
vec![
".exe", ".dll", ".bat", ".cmd", ".msi", ".vbs", ".ps1",
".sh", ".jar", ".py", ".com", ".scr", ".pif", ".hta", ".cpl",
".reg", ".vba", ".lnk", ".wsf", ".msp", ".mst",
]
});
/// Document extensions that may contain macros.
static MACRO_DOCUMENT_EXTENSIONS: LazyLock<Vec<&'static str>> = LazyLock::new(|| {
vec![
".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm",
".dotm", ".xlsb", ".ppam", ".potm",
]
});
// ---------------------------------------------------------------------------
// HTML helpers
// ---------------------------------------------------------------------------
/// Strip HTML tags and decode common entities to produce plain text.
fn extract_text_from_html(html: &str) -> String {
// Remove style and script blocks first
let no_style = Regex::new(r"(?is)<style[^>]*>.*?</style>").unwrap();
let no_script = Regex::new(r"(?is)<script[^>]*>.*?</script>").unwrap();
let no_tags = Regex::new(r"<[^>]+>").unwrap();
let text = no_style.replace_all(html, " ");
let text = no_script.replace_all(&text, " ");
let text = no_tags.replace_all(&text, " ");
text.replace("&nbsp;", " ")
.replace("&lt;", "<")
.replace("&gt;", ">")
.replace("&amp;", "&")
.replace("&quot;", "\"")
.replace("&apos;", "'")
.split_whitespace()
.collect::<Vec<_>>()
.join(" ")
}
/// Extract all href links from HTML.
fn extract_links_from_html(html: &str) -> Vec<String> {
HREF_PATTERN
.captures_iter(html)
.filter_map(|cap| cap.get(1).map(|m| m.as_str().to_string()))
.collect()
}
// ---------------------------------------------------------------------------
// Scoring helpers
// ---------------------------------------------------------------------------
fn matches_any(text: &str, patterns: &[Regex]) -> bool {
patterns.iter().any(|p| p.is_match(text))
}
// ---------------------------------------------------------------------------
// Main scan entry point
// ---------------------------------------------------------------------------
/// Scan email content for threats.
///
/// This mirrors the TypeScript ContentScanner logic — scanning the subject,
/// text body, HTML body, and attachment filenames against predefined patterns.
/// Returns an aggregate threat score and the highest-severity threat type.
pub fn scan_content(
subject: Option<&str>,
text_body: Option<&str>,
html_body: Option<&str>,
attachment_names: &[String],
) -> ContentScanResult {
let mut score: u32 = 0;
let mut threat_type: Option<String> = None;
let mut threat_details: Option<String> = None;
let mut scanned: Vec<String> = Vec::new();
// Helper: upgrade threat info only if the new finding is more severe.
macro_rules! record {
($new_score:expr, $ttype:expr, $details:expr) => {
score += $new_score;
// Always adopt the threat type from the highest-scoring match.
threat_type = Some($ttype.to_string());
threat_details = Some($details.to_string());
};
}
// ── Subject scanning ──────────────────────────────────────────────
if let Some(subj) = subject {
scanned.push("subject".into());
if matches_any(subj, &PHISHING_PATTERNS) {
record!(25, "phishing", format!("Subject contains potential phishing indicators: {}", subj));
} else if matches_any(subj, &SPAM_PATTERNS) {
record!(15, "spam", format!("Subject contains potential spam indicators: {}", subj));
}
}
// ── Text body scanning ────────────────────────────────────────────
if let Some(text) = text_body {
scanned.push("text".into());
// Check each category and accumulate score (same order as TS)
for pat in SUSPICIOUS_LINK_PATTERNS.iter() {
if pat.is_match(text) {
score += 20;
if threat_type.as_deref() != Some("suspicious_link") {
threat_type = Some("suspicious_link".into());
threat_details = Some("Text contains suspicious links".into());
}
}
}
for pat in PHISHING_PATTERNS.iter() {
if pat.is_match(text) {
score += 25;
threat_type = Some("phishing".into());
threat_details = Some("Text contains potential phishing indicators".into());
}
}
for pat in SPAM_PATTERNS.iter() {
if pat.is_match(text) {
score += 15;
if threat_type.is_none() {
threat_type = Some("spam".into());
threat_details = Some("Text contains potential spam indicators".into());
}
}
}
for pat in MALWARE_PATTERNS.iter() {
if pat.is_match(text) {
score += 30;
threat_type = Some("malware".into());
threat_details = Some("Text contains potential malware indicators".into());
}
}
for pat in SENSITIVE_DATA_PATTERNS.iter() {
if pat.is_match(text) {
score += 25;
if threat_type.is_none() {
threat_type = Some("sensitive_data".into());
threat_details = Some("Text contains potentially sensitive data patterns".into());
}
}
}
}
// ── HTML body scanning ────────────────────────────────────────────
if let Some(html) = html_body {
scanned.push("html".into());
// Script injection check
for pat in SCRIPT_INJECTION_PATTERNS.iter() {
if pat.is_match(html) {
score += 40;
if threat_type.as_deref() != Some("xss") {
threat_type = Some("xss".into());
threat_details = Some("HTML contains potentially malicious script content".into());
}
}
}
// Extract text from HTML and scan (half score to avoid double counting)
let text_content = extract_text_from_html(html);
if !text_content.is_empty() {
let mut html_text_score: u32 = 0;
let mut html_text_type: Option<String> = None;
let mut html_text_details: Option<String> = None;
// Re-run text patterns on extracted HTML text
for pat in SUSPICIOUS_LINK_PATTERNS.iter() {
if pat.is_match(&text_content) {
html_text_score += 20;
html_text_type = Some("suspicious_link".into());
html_text_details = Some("Text contains suspicious links".into());
}
}
for pat in PHISHING_PATTERNS.iter() {
if pat.is_match(&text_content) {
html_text_score += 25;
html_text_type = Some("phishing".into());
html_text_details = Some("Text contains potential phishing indicators".into());
}
}
for pat in SPAM_PATTERNS.iter() {
if pat.is_match(&text_content) {
html_text_score += 15;
if html_text_type.is_none() {
html_text_type = Some("spam".into());
html_text_details = Some("Text contains potential spam indicators".into());
}
}
}
for pat in MALWARE_PATTERNS.iter() {
if pat.is_match(&text_content) {
html_text_score += 30;
html_text_type = Some("malware".into());
html_text_details = Some("Text contains potential malware indicators".into());
}
}
for pat in SENSITIVE_DATA_PATTERNS.iter() {
if pat.is_match(&text_content) {
html_text_score += 25;
if html_text_type.is_none() {
html_text_type = Some("sensitive_data".into());
html_text_details = Some("Text contains potentially sensitive data patterns".into());
}
}
}
if html_text_score > 0 {
// Add half of the text content score to avoid double counting
score += html_text_score / 2;
if let Some(t) = html_text_type {
if threat_type.is_none() || html_text_score > score {
threat_type = Some(t);
threat_details = html_text_details;
}
}
}
}
// Extract and check links from HTML
let links = extract_links_from_html(html);
if !links.is_empty() {
let mut suspicious_count = 0u32;
for link in &links {
if matches_any(link, &SUSPICIOUS_LINK_PATTERNS) {
suspicious_count += 1;
}
}
if suspicious_count > 0 {
let pct = (suspicious_count as f64 / links.len() as f64) * 100.0;
let additional = std::cmp::min(40, (pct / 2.5) as u32);
score += additional;
if additional > 20 || threat_type.is_none() {
threat_type = Some("suspicious_link".into());
threat_details = Some(format!(
"HTML contains {} suspicious links out of {} total links",
suspicious_count,
links.len()
));
}
}
}
}
// ── Attachment filename scanning ──────────────────────────────────
for name in attachment_names {
let lower = name.to_lowercase();
scanned.push(format!("attachment:{}", lower));
// Check executable extensions
for ext in EXECUTABLE_EXTENSIONS.iter() {
if lower.ends_with(ext) {
score += 70;
threat_type = Some("executable".into());
threat_details = Some(format!(
"Attachment has a potentially dangerous extension: {}",
name
));
break;
}
}
// Check macro document extensions
for ext in MACRO_DOCUMENT_EXTENSIONS.iter() {
if lower.ends_with(ext) {
// Flag macro-capable documents (lower score than executables)
score += 20;
if threat_type.is_none() {
threat_type = Some("malicious_macro".into());
threat_details = Some(format!(
"Attachment is a macro-capable document: {}",
name
));
}
break;
}
}
}
ContentScanResult {
threat_score: score,
threat_type,
threat_details,
scanned_elements: scanned,
}
}
// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_clean_content() {
let result = scan_content(
Some("Project Update"),
Some("The project is on track."),
None,
&[],
);
assert_eq!(result.threat_score, 0);
assert!(result.threat_type.is_none());
}
#[test]
fn test_phishing_subject() {
let result = scan_content(
Some("URGENT: Verify your bank account details immediately"),
None,
None,
&[],
);
assert!(result.threat_score >= 25);
assert_eq!(result.threat_type.as_deref(), Some("phishing"));
}
#[test]
fn test_spam_body() {
let result = scan_content(
None,
Some("Win a million dollars in the lottery winner contest!"),
None,
&[],
);
assert!(result.threat_score >= 15);
assert_eq!(result.threat_type.as_deref(), Some("spam"));
}
#[test]
fn test_suspicious_links() {
let result = scan_content(
None,
Some("Check out https://bit.ly/2x3F5 for more info"),
None,
&[],
);
assert!(result.threat_score >= 20);
assert_eq!(result.threat_type.as_deref(), Some("suspicious_link"));
}
#[test]
fn test_script_injection() {
let result = scan_content(
None,
None,
Some("<p>Hello</p><script>document.cookie='steal';</script>"),
&[],
);
assert!(result.threat_score >= 40);
assert_eq!(result.threat_type.as_deref(), Some("xss"));
}
#[test]
fn test_executable_attachment() {
let result = scan_content(
None,
None,
None,
&["update.exe".into()],
);
assert!(result.threat_score >= 70);
assert_eq!(result.threat_type.as_deref(), Some("executable"));
}
#[test]
fn test_macro_document() {
let result = scan_content(
None,
None,
None,
&["report.docm".into()],
);
assert!(result.threat_score >= 20);
assert_eq!(result.threat_type.as_deref(), Some("malicious_macro"));
}
#[test]
fn test_malware_indicators() {
let result = scan_content(
None,
Some("Please enable macros to view this document properly."),
None,
&[],
);
assert!(result.threat_score >= 30);
assert_eq!(result.threat_type.as_deref(), Some("malware"));
}
#[test]
fn test_html_link_extraction() {
let result = scan_content(
None,
None,
Some(r#"<a href="https://bit.ly/abc">click</a> and <a href="https://t.co/xyz">here</a>"#),
&[],
);
assert!(result.threat_score > 0);
}
#[test]
fn test_compound_threats() {
let result = scan_content(
Some("URGENT: Verify your account details immediately"),
Some("Your account will be suspended unless you verify at https://bit.ly/2x3F5"),
Some(r#"<a href="https://bit.ly/2x3F5">verify</a>"#),
&["verification.exe".into()],
);
assert!(result.threat_score > 70);
}
}

1
rust/crates/mailer-security/src/lib.rs
View File

@@ -1,5 +1,6 @@
//! mailer-security: DKIM, SPF, DMARC verification, and IP reputation checking. //! mailer-security: DKIM, SPF, DMARC verification, and IP reputation checking.
pub mod content_scanner;
pub mod dkim; pub mod dkim;
pub mod dmarc; pub mod dmarc;
pub mod error; pub mod error;

11
test/test.bouncemanager.ts
View File

@@ -1,6 +1,13 @@
import { tap, expect } from '@git.zone/tstest/tapbundle'; import { tap, expect } from '@git.zone/tstest/tapbundle';
import { BounceManager, BounceType, BounceCategory } from '../ts/mail/core/classes.bouncemanager.js'; import { BounceManager, BounceType, BounceCategory } from '../ts/mail/core/classes.bouncemanager.js';
import { Email } from '../ts/mail/core/classes.email.js'; import { Email } from '../ts/mail/core/classes.email.js';
import { RustSecurityBridge } from '../ts/security/classes.rustsecuritybridge.js';
tap.test('setup - start Rust security bridge', async () => {
const bridge = RustSecurityBridge.getInstance();
const ok = await bridge.start();
expect(ok).toEqual(true);
});
/** /**
* Test the BounceManager class * Test the BounceManager class
@@ -189,6 +196,10 @@ tap.test('BounceManager - should handle retries for soft bounces', async () => {
expect(info.expiresAt).toBeUndefined(); // Permanent expect(info.expiresAt).toBeUndefined(); // Permanent
}); });
tap.test('cleanup - stop Rust security bridge', async () => {
await RustSecurityBridge.getInstance().stop();
});
tap.test('stop', async () => { tap.test('stop', async () => {
await tap.stopForcefully(); await tap.stopForcefully();
}); });

11
test/test.contentscanner.ts
View File

@@ -1,6 +1,13 @@
import { tap, expect } from '@git.zone/tstest/tapbundle'; import { tap, expect } from '@git.zone/tstest/tapbundle';
import { ContentScanner, ThreatCategory } from '../ts/security/classes.contentscanner.js'; import { ContentScanner, ThreatCategory } from '../ts/security/classes.contentscanner.js';
import { Email } from '../ts/mail/core/classes.email.js'; import { Email } from '../ts/mail/core/classes.email.js';
import { RustSecurityBridge } from '../ts/security/classes.rustsecuritybridge.js';
tap.test('setup - start Rust security bridge', async () => {
const bridge = RustSecurityBridge.getInstance();
const ok = await bridge.start();
expect(ok).toEqual(true);
});
// Test instantiation // Test instantiation
tap.test('ContentScanner - should be instantiable', async () => { tap.test('ContentScanner - should be instantiable', async () => {
@@ -258,6 +265,10 @@ tap.test('ContentScanner - should classify threat levels correctly', async () =>
expect(ContentScanner.getThreatLevel(80)).toEqual('high'); expect(ContentScanner.getThreatLevel(80)).toEqual('high');
}); });
tap.test('cleanup - stop Rust security bridge', async () => {
await RustSecurityBridge.getInstance().stop();
});
tap.test('stop', async () => { tap.test('stop', async () => {
await tap.stopForcefully(); await tap.stopForcefully();
}); });

163
test/test.ipreputationchecker.ts
View File

@@ -1,24 +1,22 @@
import { tap, expect } from '@git.zone/tstest/tapbundle'; import { tap, expect } from '@git.zone/tstest/tapbundle';
import { IPReputationChecker, ReputationThreshold, IPType } from '../ts/security/classes.ipreputationchecker.js'; import { IPReputationChecker, ReputationThreshold } from '../ts/security/classes.ipreputationchecker.js';
import * as plugins from '../ts/plugins.js'; import { RustSecurityBridge } from '../ts/security/classes.rustsecuritybridge.js';
// Mock for dns lookup let bridge: RustSecurityBridge;
const originalDnsResolve = plugins.dns.promises.resolve;
let mockDnsResolveImpl: (hostname: string) => Promise<string[]> = async () => ['127.0.0.1'];
// Setup mock DNS resolver with proper typing // Start the Rust bridge before tests
(plugins.dns.promises as any).resolve = async (hostname: string) => { tap.test('setup - start Rust security bridge', async () => {
return mockDnsResolveImpl(hostname); bridge = RustSecurityBridge.getInstance();
}; const ok = await bridge.start();
expect(ok).toEqual(true);
});
// Test instantiation // Test instantiation
tap.test('IPReputationChecker - should be instantiable', async () => { tap.test('IPReputationChecker - should be instantiable', async () => {
const checker = IPReputationChecker.getInstance({ const checker = IPReputationChecker.getInstance({
enableDNSBL: false,
enableIPInfo: false,
enableLocalCache: false enableLocalCache: false
}); });
expect(checker).toBeTruthy(); expect(checker).toBeTruthy();
}); });
@@ -26,92 +24,62 @@ tap.test('IPReputationChecker - should be instantiable', async () => {
tap.test('IPReputationChecker - should use singleton pattern', async () => { tap.test('IPReputationChecker - should use singleton pattern', async () => {
const checker1 = IPReputationChecker.getInstance(); const checker1 = IPReputationChecker.getInstance();
const checker2 = IPReputationChecker.getInstance(); const checker2 = IPReputationChecker.getInstance();
// Both instances should be the same object
expect(checker1 === checker2).toEqual(true); expect(checker1 === checker2).toEqual(true);
}); });
// Test IP validation // Test IP validation
tap.test('IPReputationChecker - should validate IP address format', async () => { tap.test('IPReputationChecker - should validate IP address format', async () => {
const checker = IPReputationChecker.getInstance({ const checker = IPReputationChecker.getInstance();
enableDNSBL: false,
enableIPInfo: false,
enableLocalCache: false
});
// Valid IP should work
const result = await checker.checkReputation('192.168.1.1');
expect(result.score).toBeGreaterThan(0);
expect(result.error).toBeUndefined();
// Invalid IP should fail with error // Invalid IP should fail with error
const invalidResult = await checker.checkReputation('invalid.ip'); const invalidResult = await checker.checkReputation('invalid.ip');
expect(invalidResult.error).toBeTruthy(); expect(invalidResult.error).toBeTruthy();
}); });
// Test DNSBL lookups // Test reputation check via Rust bridge
tap.test('IPReputationChecker - should check IP against DNSBL', async () => { tap.test('IPReputationChecker - should check IP reputation via Rust', async () => {
try { const testInstance = new IPReputationChecker({
// Setup mock implementation for DNSBL enableLocalCache: false,
mockDnsResolveImpl = async (hostname: string) => { maxCacheSize: 10
// Listed in DNSBL if IP contains 2 });
if (hostname.includes('2.1.168.192') && hostname.includes('zen.spamhaus.org')) {
return ['127.0.0.2'];
}
throw { code: 'ENOTFOUND' };
};
// Create a new instance with specific settings for this test // Check a public IP (Google DNS) — should get a result with a score
const testInstance = new IPReputationChecker({ const result = await testInstance.checkReputation('8.8.8.8');
dnsblServers: ['zen.spamhaus.org'], expect(result).toBeTruthy();
enableIPInfo: false, expect(result.score).toBeGreaterThan(0);
enableLocalCache: false, expect(result.score).toBeLessThanOrEqual(100);
maxCacheSize: 1 // Small cache for testing expect(typeof result.isSpam).toEqual('boolean');
}); expect(typeof result.isProxy).toEqual('boolean');
expect(typeof result.isTor).toEqual('boolean');
// Clean IP should have good score expect(typeof result.isVPN).toEqual('boolean');
const cleanResult = await testInstance.checkReputation('192.168.1.1'); expect(result.timestamp).toBeGreaterThan(0);
expect(cleanResult.isSpam).toEqual(false);
expect(cleanResult.score).toEqual(100);
// Blacklisted IP should have reduced score
const blacklistedResult = await testInstance.checkReputation('192.168.1.2');
expect(blacklistedResult.isSpam).toEqual(true);
expect(blacklistedResult.score < 100).toEqual(true); // Less than 100
expect(blacklistedResult.blacklists).toBeTruthy();
expect((blacklistedResult.blacklists || []).length > 0).toEqual(true);
} catch (err) {
console.error('Test error:', err);
throw err;
}
}); });
// Test caching behavior // Test caching behavior
tap.test('IPReputationChecker - should cache reputation results', async () => { tap.test('IPReputationChecker - should cache reputation results', async () => {
// Create a fresh instance for this test
const testInstance = new IPReputationChecker({ const testInstance = new IPReputationChecker({
enableIPInfo: false,
enableLocalCache: false, enableLocalCache: false,
maxCacheSize: 10 // Small cache for testing maxCacheSize: 10
}); });
// Check that first look performs a lookup and second uses cache const ip = '1.1.1.1';
const ip = '192.168.1.10';
// First check should add to cache // First check should add to cache
const result1 = await testInstance.checkReputation(ip); const result1 = await testInstance.checkReputation(ip);
expect(result1).toBeTruthy(); expect(result1).toBeTruthy();
// Manually verify it's in cache - access private member for testing // Verify it's in cache
const hasInCache = (testInstance as any).reputationCache.has(ip); const hasInCache = (testInstance as any).reputationCache.has(ip);
expect(hasInCache).toEqual(true); expect(hasInCache).toEqual(true);
// Call again, should use cache // Call again, should use cache
const result2 = await testInstance.checkReputation(ip); const result2 = await testInstance.checkReputation(ip);
expect(result2).toBeTruthy(); expect(result2).toBeTruthy();
// Results should be identical // Results should be identical (from cache)
expect(result1.score).toEqual(result2.score); expect(result1.score).toEqual(result2.score);
expect(result1.isSpam).toEqual(result2.isSpam);
}); });
// Test risk level classification // Test risk level classification
@@ -122,58 +90,27 @@ tap.test('IPReputationChecker - should classify risk levels correctly', async ()
expect(IPReputationChecker.getRiskLevel(90)).toEqual('trusted'); expect(IPReputationChecker.getRiskLevel(90)).toEqual('trusted');
}); });
// Test IP type detection // Test error handling for error result
tap.test('IPReputationChecker - should detect special IP types', async () => { tap.test('IPReputationChecker - should handle errors gracefully', async () => {
const testInstance = new IPReputationChecker({ const testInstance = new IPReputationChecker({
enableDNSBL: false,
enableIPInfo: true,
enableLocalCache: false, enableLocalCache: false,
maxCacheSize: 5 // Small cache for testing maxCacheSize: 5
}); });
// Test Tor exit node detection
const torResult = await testInstance.checkReputation('171.25.1.1');
expect(torResult.isTor).toEqual(true);
expect(torResult.score < 90).toEqual(true);
// Test VPN detection
const vpnResult = await testInstance.checkReputation('185.156.1.1');
expect(vpnResult.isVPN).toEqual(true);
expect(vpnResult.score < 90).toEqual(true);
// Test proxy detection
const proxyResult = await testInstance.checkReputation('34.92.1.1');
expect(proxyResult.isProxy).toEqual(true);
expect(proxyResult.score < 90).toEqual(true);
});
// Test error handling // Invalid format should return error result with neutral score
tap.test('IPReputationChecker - should handle DNS lookup errors gracefully', async () => { const result = await testInstance.checkReputation('not-an-ip');
// Setup mock implementation to simulate error expect(result.score).toEqual(50);
mockDnsResolveImpl = async () => { expect(result.error).toBeTruthy();
throw new Error('DNS server error');
};
const checker = IPReputationChecker.getInstance({
dnsblServers: ['zen.spamhaus.org'],
enableIPInfo: false,
enableLocalCache: false,
maxCacheSize: 300 // Force new instance
});
// Should return a result despite errors
const result = await checker.checkReputation('192.168.1.1');
expect(result.score).toEqual(100); // No blacklist hits found due to error
expect(result.isSpam).toEqual(false); expect(result.isSpam).toEqual(false);
}); });
// Restore original implementation at the end // Stop bridge
tap.test('Cleanup - restore mocks', async () => { tap.test('cleanup - stop Rust security bridge', async () => {
plugins.dns.promises.resolve = originalDnsResolve; await bridge.stop();
}); });
tap.test('stop', async () => { tap.test('stop', async () => {
await tap.stopForcefully(); await tap.stopForcefully();
}); });
export default tap.start(); export default tap.start();

2
ts/00_commitinfo_data.ts
View File

@@ -3,6 +3,6 @@
*/ */
export const commitinfo = { export const commitinfo = {
name: '@push.rocks/smartmta', name: '@push.rocks/smartmta',
version: '2.0.1', version: '2.1.0',
description: 'A high-performance, enterprise-grade Mail Transfer Agent (MTA) built from scratch in TypeScript with Rust acceleration.' description: 'A high-performance, enterprise-grade Mail Transfer Agent (MTA) built from scratch in TypeScript with Rust acceleration.'
} }

253
ts/mail/core/classes.bouncemanager.ts
View File

@@ -2,6 +2,7 @@ import * as plugins from '../../plugins.js';
import * as paths from '../../paths.js'; import * as paths from '../../paths.js';
import { logger } from '../../logger.js'; import { logger } from '../../logger.js';
import { SecurityLogger, SecurityLogLevel, SecurityEventType } from '../../security/index.js'; import { SecurityLogger, SecurityLogLevel, SecurityEventType } from '../../security/index.js';
import { RustSecurityBridge } from '../../security/classes.rustsecuritybridge.js';
import { LRUCache } from 'lru-cache'; import { LRUCache } from 'lru-cache';
import type { Email } from './classes.email.js'; import type { Email } from './classes.email.js';
@@ -63,112 +64,6 @@ export interface BounceRecord {
nextRetryTime?: number; nextRetryTime?: number;
} }
/**
* Email bounce patterns to identify bounce types in SMTP responses and bounce messages
*/
const BOUNCE_PATTERNS = {
// Hard bounce patterns
[BounceType.INVALID_RECIPIENT]: [
/no such user/i,
/user unknown/i,
/does not exist/i,
/invalid recipient/i,
/unknown recipient/i,
/no mailbox/i,
/user not found/i,
/recipient address rejected/i,
/550 5\.1\.1/i
],
[BounceType.DOMAIN_NOT_FOUND]: [
/domain not found/i,
/unknown domain/i,
/no such domain/i,
/host not found/i,
/domain invalid/i,
/550 5\.1\.2/i
],
[BounceType.MAILBOX_FULL]: [
/mailbox full/i,
/over quota/i,
/quota exceeded/i,
/552 5\.2\.2/i
],
[BounceType.MAILBOX_INACTIVE]: [
/mailbox disabled/i,
/mailbox inactive/i,
/account disabled/i,
/mailbox not active/i,
/account suspended/i
],
[BounceType.BLOCKED]: [
/blocked/i,
/rejected/i,
/denied/i,
/blacklisted/i,
/prohibited/i,
/refused/i,
/550 5\.7\./i
],
[BounceType.SPAM_RELATED]: [
/spam/i,
/bulk mail/i,
/content rejected/i,
/message rejected/i,
/550 5\.7\.1/i
],
// Soft bounce patterns
[BounceType.SERVER_UNAVAILABLE]: [
/server unavailable/i,
/service unavailable/i,
/try again later/i,
/try later/i,
/451 4\.3\./i,
/421 4\.3\./i
],
[BounceType.TEMPORARY_FAILURE]: [
/temporary failure/i,
/temporary error/i,
/temporary problem/i,
/try again/i,
/451 4\./i
],
[BounceType.QUOTA_EXCEEDED]: [
/quota temporarily exceeded/i,
/mailbox temporarily full/i,
/452 4\.2\.2/i
],
[BounceType.NETWORK_ERROR]: [
/network error/i,
/connection error/i,
/connection timed out/i,
/routing error/i,
/421 4\.4\./i
],
[BounceType.TIMEOUT]: [
/timed out/i,
/timeout/i,
/450 4\.4\.2/i
],
// Auto-responses
[BounceType.AUTO_RESPONSE]: [
/auto[- ]reply/i,
/auto[- ]response/i,
/vacation/i,
/out of office/i,
/away from office/i,
/on vacation/i,
/automatic reply/i
],
[BounceType.CHALLENGE_RESPONSE]: [
/challenge[- ]response/i,
/verify your email/i,
/confirm your email/i,
/email verification/i
]
};
/** /**
* Retry strategy configuration for soft bounces * Retry strategy configuration for soft bounces
*/ */
@@ -269,16 +164,16 @@ export class BounceManager {
nextRetryTime: bounceData.nextRetryTime nextRetryTime: bounceData.nextRetryTime
}; };
// Determine bounce type and category if not provided // Determine bounce type and category via Rust bridge if not provided
if (!bounceData.bounceType || bounceData.bounceType === BounceType.UNKNOWN) { if (!bounceData.bounceType || bounceData.bounceType === BounceType.UNKNOWN) {
const bounceInfo = this.detectBounceType( const bridge = RustSecurityBridge.getInstance();
bounce.smtpResponse || '', const rustResult = await bridge.detectBounce({
bounce.diagnosticCode || '', smtpResponse: bounce.smtpResponse,
bounce.statusCode || '' diagnosticCode: bounce.diagnosticCode,
); statusCode: bounce.statusCode,
});
bounce.bounceType = bounceInfo.type; bounce.bounceType = rustResult.bounce_type as BounceType;
bounce.bounceCategory = bounceInfo.category; bounce.bounceCategory = rustResult.category as BounceCategory;
} }
// Process the bounce based on category // Process the bounce based on category
@@ -791,134 +686,6 @@ export class BounceManager {
return this.bounceCache.get(email.toLowerCase()) || null; return this.bounceCache.get(email.toLowerCase()) || null;
} }
/**
* Analyze SMTP response and diagnostic codes to determine bounce type
* @param smtpResponse SMTP response string
* @param diagnosticCode Diagnostic code from bounce
* @param statusCode Status code from bounce
* @returns Detected bounce type and category
*/
private detectBounceType(
smtpResponse: string,
diagnosticCode: string,
statusCode: string
): {
type: BounceType;
category: BounceCategory;
} {
// Combine all text for comprehensive pattern matching
const fullText = `${smtpResponse} ${diagnosticCode} ${statusCode}`.toLowerCase();
// Check for auto-responses first
if (this.matchesPattern(fullText, BounceType.AUTO_RESPONSE) ||
this.matchesPattern(fullText, BounceType.CHALLENGE_RESPONSE)) {
return {
type: BounceType.AUTO_RESPONSE,
category: BounceCategory.AUTO_RESPONSE
};
}
// Check for hard bounces
for (const bounceType of [
BounceType.INVALID_RECIPIENT,
BounceType.DOMAIN_NOT_FOUND,
BounceType.MAILBOX_FULL,
BounceType.MAILBOX_INACTIVE,
BounceType.BLOCKED,
BounceType.SPAM_RELATED,
BounceType.POLICY_RELATED
]) {
if (this.matchesPattern(fullText, bounceType)) {
return {
type: bounceType,
category: BounceCategory.HARD
};
}
}
// Check for soft bounces
for (const bounceType of [
BounceType.SERVER_UNAVAILABLE,
BounceType.TEMPORARY_FAILURE,
BounceType.QUOTA_EXCEEDED,
BounceType.NETWORK_ERROR,
BounceType.TIMEOUT
]) {
if (this.matchesPattern(fullText, bounceType)) {
return {
type: bounceType,
category: BounceCategory.SOFT
};
}
}
// Handle DSN (Delivery Status Notification) status codes
if (statusCode) {
// Format: class.subject.detail
const parts = statusCode.split('.');
if (parts.length >= 2) {
const statusClass = parts[0];
const statusSubject = parts[1];
// 5.X.X is permanent failure (hard bounce)
if (statusClass === '5') {
// Try to determine specific type based on subject
if (statusSubject === '1') {
return { type: BounceType.INVALID_RECIPIENT, category: BounceCategory.HARD };
} else if (statusSubject === '2') {
return { type: BounceType.MAILBOX_FULL, category: BounceCategory.HARD };
} else if (statusSubject === '7') {
return { type: BounceType.BLOCKED, category: BounceCategory.HARD };
} else {
return { type: BounceType.UNKNOWN, category: BounceCategory.HARD };
}
}
// 4.X.X is temporary failure (soft bounce)
if (statusClass === '4') {
// Try to determine specific type based on subject
if (statusSubject === '2') {
return { type: BounceType.QUOTA_EXCEEDED, category: BounceCategory.SOFT };
} else if (statusSubject === '3') {
return { type: BounceType.SERVER_UNAVAILABLE, category: BounceCategory.SOFT };
} else if (statusSubject === '4') {
return { type: BounceType.NETWORK_ERROR, category: BounceCategory.SOFT };
} else {
return { type: BounceType.TEMPORARY_FAILURE, category: BounceCategory.SOFT };
}
}
}
}
// Default to unknown
return {
type: BounceType.UNKNOWN,
category: BounceCategory.UNKNOWN
};
}
/**
* Check if text matches any pattern for a bounce type
* @param text Text to check against patterns
* @param bounceType Bounce type to get patterns for
* @returns Whether the text matches any pattern
*/
private matchesPattern(text: string, bounceType: BounceType): boolean {
const patterns = BOUNCE_PATTERNS[bounceType];
if (!patterns) {
return false;
}
for (const pattern of patterns) {
if (pattern.test(text)) {
return true;
}
}
return false;
}
/** /**
* Get all known hard bounced addresses * Get all known hard bounced addresses
* @returns Array of hard bounced email addresses * @returns Array of hard bounced email addresses

36
ts/mail/delivery/classes.delivery.system.ts
View File

@@ -12,6 +12,7 @@ import { UnifiedDeliveryQueue, type IQueueItem } from './classes.delivery.queue.
import type { Email } from '../core/classes.email.js'; import type { Email } from '../core/classes.email.js';
import type { UnifiedEmailServer } from '../routing/classes.unified.email.server.js'; import type { UnifiedEmailServer } from '../routing/classes.unified.email.server.js';
import type { SmtpClient } from './smtpclient/smtp-client.js'; import type { SmtpClient } from './smtpclient/smtp-client.js';
import { RustSecurityBridge } from '../../security/classes.rustsecuritybridge.js';
/** /**
* Delivery status enumeration * Delivery status enumeration
@@ -763,33 +764,24 @@ export class MultiModeDeliverySystem extends EventEmitter {
try { try {
// Ensure DKIM keys exist for the domain // Ensure DKIM keys exist for the domain
await this.emailServer.dkimCreator.handleDKIMKeysForDomain(domainName); await this.emailServer.dkimCreator.handleDKIMKeysForDomain(domainName);
// Get the private key
const dkimPrivateKey = (await this.emailServer.dkimCreator.readDKIMKeys(domainName)).privateKey;
// Convert Email to raw format for signing // Convert Email to raw format for signing
const rawEmail = email.toRFC822String(); const rawEmail = email.toRFC822String();
// Sign the email // Sign via Rust bridge
const dkimPrivateKey = (await this.emailServer.dkimCreator.readDKIMKeys(domainName)).privateKey; const bridge = RustSecurityBridge.getInstance();
const signResult = await plugins.dkimSign(rawEmail, { const signResult = await bridge.signDkim({
signingDomain: domainName, rawMessage: rawEmail,
domain: domainName,
selector: keySelector, selector: keySelector,
privateKey: dkimPrivateKey, privateKey: dkimPrivateKey,
canonicalization: 'relaxed/relaxed',
algorithm: 'rsa-sha256',
signTime: new Date(),
signatureData: [
{
signingDomain: domainName,
selector: keySelector,
privateKey: dkimPrivateKey,
algorithm: 'rsa-sha256',
canonicalization: 'relaxed/relaxed'
}
]
}); });
// Add the DKIM-Signature header to the email if (signResult.header) {
if (signResult.signatures) { email.addHeader('DKIM-Signature', signResult.header);
email.addHeader('DKIM-Signature', signResult.signatures);
logger.log('info', `Successfully added DKIM signature for ${domainName}`); logger.log('info', `Successfully added DKIM signature for ${domainName}`);
} }
} catch (error) { } catch (error) {

22
ts/mail/delivery/classes.emailsignjob.ts
View File

@@ -1,5 +1,6 @@
import * as plugins from '../../plugins.js'; import * as plugins from '../../plugins.js';
import type { UnifiedEmailServer } from '../routing/classes.unified.email.server.js'; import type { UnifiedEmailServer } from '../routing/classes.unified.email.server.js';
import { RustSecurityBridge } from '../../security/classes.rustsecuritybridge.js';
interface Headers { interface Headers {
[key: string]: string; [key: string]: string;
@@ -28,24 +29,13 @@ export class EmailSignJob {
public async getSignatureHeader(emailMessage: string): Promise<string> { public async getSignatureHeader(emailMessage: string): Promise<string> {
const privateKey = await this.loadPrivateKey(); const privateKey = await this.loadPrivateKey();
const signResult = await plugins.dkimSign(emailMessage, { const bridge = RustSecurityBridge.getInstance();
signingDomain: this.jobOptions.domain, const signResult = await bridge.signDkim({
rawMessage: emailMessage,
domain: this.jobOptions.domain,
selector: this.jobOptions.selector, selector: this.jobOptions.selector,
privateKey, privateKey,
canonicalization: 'relaxed/relaxed',
algorithm: 'rsa-sha256',
signTime: new Date(),
signatureData: [
{
signingDomain: this.jobOptions.domain,
selector: this.jobOptions.selector,
privateKey,
algorithm: 'rsa-sha256',
canonicalization: 'relaxed/relaxed',
},
],
}); });
const signature = signResult.signatures; return signResult.header;
return signature;
} }
} }

51
ts/mail/delivery/classes.smtp.client.legacy.ts
View File

@@ -1,10 +1,11 @@
import * as plugins from '../../plugins.js'; import * as plugins from '../../plugins.js';
import { logger } from '../../logger.js'; import { logger } from '../../logger.js';
import { import {
SecurityLogger, SecurityLogger,
SecurityLogLevel, SecurityLogLevel,
SecurityEventType SecurityEventType
} from '../../security/index.js'; } from '../../security/index.js';
import { RustSecurityBridge } from '../../security/classes.rustsecuritybridge.js';
import { import {
MtaConnectionError, MtaConnectionError,
@@ -844,42 +845,22 @@ export class SmtpClient {
try { try {
logger.log('debug', `Signing email with DKIM for domain ${this.options.dkim.domain}`); logger.log('debug', `Signing email with DKIM for domain ${this.options.dkim.domain}`);
// Format email for DKIM signing
const { dkimSign } = plugins;
const emailContent = await this.getFormattedEmail(email); const emailContent = await this.getFormattedEmail(email);
// Sign email // Sign via Rust bridge
const signOptions = { const bridge = RustSecurityBridge.getInstance();
signingDomain: this.options.dkim.domain, const signResult = await bridge.signDkim({
rawMessage: emailContent,
domain: this.options.dkim.domain,
selector: this.options.dkim.selector, selector: this.options.dkim.selector,
privateKey: this.options.dkim.privateKey, privateKey: this.options.dkim.privateKey,
canonicalization: 'relaxed/relaxed' as const, });
algorithm: 'rsa-sha256' as const,
signTime: new Date(),
signatureData: [
{
signingDomain: this.options.dkim.domain,
selector: this.options.dkim.selector,
privateKey: this.options.dkim.privateKey,
algorithm: 'rsa-sha256',
canonicalization: 'relaxed/relaxed',
}
]
};
const signResult = await dkimSign(emailContent, signOptions); if (signResult.header) {
email.addHeader('DKIM-Signature', signResult.header);
// Add DKIM-Signature header from the signing result
if (signResult.signatures) {
const dkimHeader = signResult.signatures.split('\r\n')
.find(line => line.startsWith('DKIM-Signature: '));
if (dkimHeader) {
email.addHeader('DKIM-Signature', dkimHeader.substring('DKIM-Signature: '.length));
}
} }
logger.log('debug', 'DKIM signature applied successfully'); logger.log('debug', 'DKIM signature applied successfully');
} catch (error) { } catch (error) {
logger.log('error', `Failed to apply DKIM signature: ${error.message}`); logger.log('error', `Failed to apply DKIM signature: ${error.message}`);

146
ts/mail/routing/classes.unified.email.server.ts
View File

@@ -366,13 +366,12 @@ export class UnifiedEmailServer extends EventEmitter {
await this.deliverySystem.start(); await this.deliverySystem.start();
logger.log('info', 'Email delivery system started'); logger.log('info', 'Email delivery system started');
// Start Rust security bridge (non-blocking — server works without it) // Start Rust security bridge — required for all security operations
const bridgeOk = await this.rustBridge.start(); const bridgeOk = await this.rustBridge.start();
if (bridgeOk) { if (!bridgeOk) {
logger.log('info', 'Rust security bridge started — using Rust for DKIM/SPF/DMARC verification'); throw new Error('Rust security bridge failed to start. The mailer-bin binary is required. Run "pnpm build" to compile it.');
} else {
logger.log('warn', 'Rust security bridge unavailable — falling back to TypeScript security verification');
} }
logger.log('info', 'Rust security bridge started — Rust is the primary security backend');
// Set up DKIM for all domains // Set up DKIM for all domains
await this.setupDkimForDomains(); await this.setupDkimForDomains();
@@ -430,39 +429,36 @@ export class UnifiedEmailServer extends EventEmitter {
verifyDmarc: true verifyDmarc: true
} }
}, },
// Security verification delegated to the Rust bridge when available // Security verification delegated to the Rust bridge
dkimVerifier: { dkimVerifier: {
verify: async (rawMessage: string) => { verify: async (rawMessage: string) => {
if (this.rustBridge.running) { try {
try { const results = await this.rustBridge.verifyDkim(rawMessage);
const results = await this.rustBridge.verifyDkim(rawMessage); const first = results[0];
const first = results[0]; return { isValid: first?.is_valid ?? false, domain: first?.domain ?? '' };
return { isValid: first?.is_valid ?? false, domain: first?.domain ?? '' }; } catch (err) {
} catch (err) { logger.log('warn', `Rust DKIM verification failed: ${(err as Error).message}`);
logger.log('warn', `Rust DKIM verification failed, accepting: ${(err as Error).message}`); return { isValid: false, domain: '' };
return { isValid: true, domain: '' };
}
} }
return { isValid: true, domain: '' }; // No bridge — accept
} }
}, },
spfVerifier: { spfVerifier: {
verifyAndApply: async (session: any) => { verifyAndApply: async (session: any) => {
if (this.rustBridge.running && session?.remoteAddress && session.remoteAddress !== '127.0.0.1') { if (!session?.remoteAddress || session.remoteAddress === '127.0.0.1') {
try { return true; // localhost — skip SPF
const result = await this.rustBridge.checkSpf({ }
ip: session.remoteAddress, try {
heloDomain: session.clientHostname || '', const result = await this.rustBridge.checkSpf({
hostname: this.options.hostname, ip: session.remoteAddress,
mailFrom: session.envelope?.mailFrom?.address || session.mailFrom || '', heloDomain: session.clientHostname || '',
}); hostname: this.options.hostname,
return result.result === 'pass' || result.result === 'none' || result.result === 'neutral'; mailFrom: session.envelope?.mailFrom?.address || session.mailFrom || '',
} catch (err) { });
logger.log('warn', `Rust SPF check failed, accepting: ${(err as Error).message}`); return result.result === 'pass' || result.result === 'none' || result.result === 'neutral';
return true; } catch (err) {
} logger.log('warn', `Rust SPF check failed: ${(err as Error).message}`);
return true; // Accept on error to avoid blocking mail
} }
return true; // No bridge or localhost — accept
} }
}, },
dmarcVerifier: { dmarcVerifier: {
@@ -637,10 +633,6 @@ export class UnifiedEmailServer extends EventEmitter {
* Falls back gracefully if the bridge is not running. * Falls back gracefully if the bridge is not running.
*/ */
private async verifyInboundSecurity(email: Email, session: IExtendedSmtpSession): Promise<void> { private async verifyInboundSecurity(email: Email, session: IExtendedSmtpSession): Promise<void> {
if (!this.rustBridge.running) {
return; // Bridge not available — skip verification
}
try { try {
const rawMessage = session.emailData || email.toRFC822String(); const rawMessage = session.emailData || email.toRFC822String();
const result = await this.rustBridge.verifyEmail({ const result = await this.rustBridge.verifyEmail({
@@ -942,52 +934,10 @@ export class UnifiedEmailServer extends EventEmitter {
// Apply DKIM signing if enabled // Apply DKIM signing if enabled
if (options.dkimSign && options.dkimOptions) { if (options.dkimSign && options.dkimOptions) {
// Sign the email with DKIM const dkimDomain = options.dkimOptions.domainName;
logger.log('info', `Signing email with DKIM for domain ${options.dkimOptions.domainName}`); const dkimSelector = options.dkimOptions.keySelector || 'mta';
logger.log('info', `Signing email with DKIM for domain ${dkimDomain}`);
try { await this.handleDkimSigning(email, dkimDomain, dkimSelector);
// Ensure DKIM keys exist for the domain
await this.dkimCreator.handleDKIMKeysForDomain(options.dkimOptions.domainName);
// Convert Email to raw format for signing
const rawEmail = email.toRFC822String();
// Create headers object
const headers = {};
for (const [key, value] of Object.entries(email.headers)) {
headers[key] = value;
}
// Sign the email
const dkimDomain = options.dkimOptions.domainName;
const dkimSelector = options.dkimOptions.keySelector || 'mta';
const dkimPrivateKey = (await this.dkimCreator.readDKIMKeys(dkimDomain)).privateKey;
const signResult = await plugins.dkimSign(rawEmail, {
signingDomain: dkimDomain,
selector: dkimSelector,
privateKey: dkimPrivateKey,
canonicalization: 'relaxed/relaxed',
algorithm: 'rsa-sha256',
signTime: new Date(),
signatureData: [
{
signingDomain: dkimDomain,
selector: dkimSelector,
privateKey: dkimPrivateKey,
algorithm: 'rsa-sha256',
canonicalization: 'relaxed/relaxed'
}
]
});
// Add the DKIM-Signature header to the email
if (signResult.signatures) {
email.addHeader('DKIM-Signature', signResult.signatures);
logger.log('info', `Successfully added DKIM signature for ${options.dkimOptions.domainName}`);
}
} catch (error) {
logger.log('error', `Failed to sign email with DKIM: ${error.message}`);
}
} }
} }
@@ -1555,35 +1505,23 @@ export class UnifiedEmailServer extends EventEmitter {
try { try {
// Ensure we have DKIM keys for this domain // Ensure we have DKIM keys for this domain
await this.dkimCreator.handleDKIMKeysForDomain(domain); await this.dkimCreator.handleDKIMKeysForDomain(domain);
// Get the private key // Get the private key
const { privateKey } = await this.dkimCreator.readDKIMKeys(domain); const { privateKey } = await this.dkimCreator.readDKIMKeys(domain);
// Convert Email to raw format for signing // Convert Email to raw format for signing
const rawEmail = email.toRFC822String(); const rawEmail = email.toRFC822String();
// Sign the email // Sign the email via Rust bridge
const signResult = await plugins.dkimSign(rawEmail, { const signResult = await this.rustBridge.signDkim({
signingDomain: domain, rawMessage: rawEmail,
selector: selector, domain,
privateKey: privateKey, selector,
canonicalization: 'relaxed/relaxed', privateKey,
algorithm: 'rsa-sha256',
signTime: new Date(),
signatureData: [
{
signingDomain: domain,
selector: selector,
privateKey: privateKey,
algorithm: 'rsa-sha256',
canonicalization: 'relaxed/relaxed'
}
]
}); });
// Add the DKIM-Signature header to the email if (signResult.header) {
if (signResult.signatures) { email.addHeader('DKIM-Signature', signResult.header);
email.addHeader('DKIM-Signature', signResult.signatures);
logger.log('info', `Successfully added DKIM signature for ${domain}`); logger.log('info', `Successfully added DKIM signature for ${domain}`);
} }
} catch (error) { } catch (error) {

370
ts/mail/security/classes.dkimverifier.ts
View File

@@ -1,7 +1,6 @@
import * as plugins from '../../plugins.js';
// MtaService reference removed
import { logger } from '../../logger.js'; import { logger } from '../../logger.js';
import { SecurityLogger, SecurityLogLevel, SecurityEventType } from '../../security/index.js'; import { SecurityLogger, SecurityLogLevel, SecurityEventType } from '../../security/index.js';
import { RustSecurityBridge } from '../../security/classes.rustsecuritybridge.js';
/** /**
* Result of a DKIM verification * Result of a DKIM verification
@@ -17,23 +16,13 @@ export interface IDkimVerificationResult {
} }
/** /**
* Enhanced DKIM verifier using smartmail capabilities * DKIM verifier — delegates to the Rust security bridge.
*/ */
export class DKIMVerifier { export class DKIMVerifier {
// MtaRef reference removed constructor() {}
// Cache verified results to avoid repeated verification
private verificationCache: Map<string, { result: IDkimVerificationResult, timestamp: number }> = new Map();
private cacheTtl = 30 * 60 * 1000; // 30 minutes cache
constructor() {
}
/** /**
* Verify DKIM signature for an email * Verify DKIM signature for an email via Rust bridge
* @param emailData The raw email data
* @param options Verification options
* @returns Verification result
*/ */
public async verify( public async verify(
emailData: string, emailData: string,
@@ -43,340 +32,55 @@ export class DKIMVerifier {
} = {} } = {}
): Promise<IDkimVerificationResult> { ): Promise<IDkimVerificationResult> {
try { try {
// Generate a cache key from the first 128 bytes of the email data const bridge = RustSecurityBridge.getInstance();
const cacheKey = emailData.slice(0, 128); const results = await bridge.verifyDkim(emailData);
const first = results[0];
// Check cache if enabled const result: IDkimVerificationResult = {
if (options.useCache !== false) { isValid: first?.is_valid ?? false,
const cached = this.verificationCache.get(cacheKey); domain: first?.domain ?? undefined,
selector: first?.selector ?? undefined,
if (cached && (Date.now() - cached.timestamp) < this.cacheTtl) { status: first?.status ?? 'none',
logger.log('info', 'DKIM verification result from cache'); details: options.returnDetails ? results : undefined,
return cached.result; };
}
}
// Try to verify using mailauth first SecurityLogger.getInstance().logEvent({
try { level: result.isValid ? SecurityLogLevel.INFO : SecurityLogLevel.WARN,
const verificationMailauth = await plugins.mailauth.authenticate(emailData, {}); type: SecurityEventType.DKIM,
message: `DKIM verification ${result.isValid ? 'passed' : 'failed'} for domain ${result.domain || 'unknown'}`,
if (verificationMailauth && verificationMailauth.dkim && verificationMailauth.dkim.results.length > 0) { details: { selector: result.selector, status: result.status },
const dkimResult = verificationMailauth.dkim.results[0]; domain: result.domain || 'unknown',
const isValid = dkimResult.status.result === 'pass'; success: result.isValid
});
const result: IDkimVerificationResult = {
isValid,
domain: dkimResult.signingDomain,
selector: dkimResult.selector,
status: dkimResult.status.result,
signatureFields: (dkimResult as any).signature,
details: options.returnDetails ? verificationMailauth : undefined
};
// Cache the result
this.verificationCache.set(cacheKey, {
result,
timestamp: Date.now()
});
logger.log(isValid ? 'info' : 'warn', `DKIM Verification using mailauth: ${isValid ? 'pass' : 'fail'} for domain ${dkimResult.signingDomain}`);
// Enhanced security logging
SecurityLogger.getInstance().logEvent({
level: isValid ? SecurityLogLevel.INFO : SecurityLogLevel.WARN,
type: SecurityEventType.DKIM,
message: `DKIM verification ${isValid ? 'passed' : 'failed'} for domain ${dkimResult.signingDomain}`,
details: {
selector: dkimResult.selector,
signatureFields: (dkimResult as any).signature,
result: dkimResult.status.result
},
domain: dkimResult.signingDomain,
success: isValid
});
return result;
}
} catch (mailauthError) {
logger.log('warn', `DKIM verification with mailauth failed, trying smartmail: ${mailauthError.message}`);
// Enhanced security logging
SecurityLogger.getInstance().logEvent({
level: SecurityLogLevel.WARN,
type: SecurityEventType.DKIM,
message: `DKIM verification with mailauth failed, trying smartmail fallback`,
details: { error: mailauthError.message },
success: false
});
}
// Fall back to smartmail for verification logger.log(result.isValid ? 'info' : 'warn',
try { `DKIM verification: ${result.status} for domain ${result.domain || 'unknown'}`);
// Parse and extract DKIM signature
const parsedEmail = await plugins.mailparser.simpleParser(emailData); return result;
// Find DKIM signature header
let dkimSignature = '';
if (parsedEmail.headers.has('dkim-signature')) {
dkimSignature = parsedEmail.headers.get('dkim-signature') as string;
} else {
// No DKIM signature found
const result: IDkimVerificationResult = {
isValid: false,
errorMessage: 'No DKIM signature found'
};
this.verificationCache.set(cacheKey, {
result,
timestamp: Date.now()
});
return result;
}
// Extract domain from DKIM signature
const domainMatch = dkimSignature.match(/d=([^;]+)/i);
const domain = domainMatch ? domainMatch[1].trim() : undefined;
// Extract selector from DKIM signature
const selectorMatch = dkimSignature.match(/s=([^;]+)/i);
const selector = selectorMatch ? selectorMatch[1].trim() : undefined;
// Parse DKIM fields
const signatureFields: Record<string, string> = {};
const fieldMatches = dkimSignature.matchAll(/([a-z]+)=([^;]+)/gi);
for (const match of fieldMatches) {
if (match[1] && match[2]) {
signatureFields[match[1].toLowerCase()] = match[2].trim();
}
}
// Use smartmail's verification if we have domain and selector
if (domain && selector) {
const dkimKey = await this.fetchDkimKey(domain, selector);
if (!dkimKey) {
const result: IDkimVerificationResult = {
isValid: false,
domain,
selector,
status: 'permerror',
errorMessage: 'DKIM public key not found',
signatureFields
};
this.verificationCache.set(cacheKey, {
result,
timestamp: Date.now()
});
return result;
}
// In a real implementation, we would validate the signature here
// For now, if we found a key, we'll consider it valid
// In a future update, add actual crypto verification
const result: IDkimVerificationResult = {
isValid: true,
domain,
selector,
status: 'pass',
signatureFields
};
this.verificationCache.set(cacheKey, {
result,
timestamp: Date.now()
});
logger.log('info', `DKIM verification using smartmail: pass for domain ${domain}`);
// Enhanced security logging
SecurityLogger.getInstance().logEvent({
level: SecurityLogLevel.INFO,
type: SecurityEventType.DKIM,
message: `DKIM verification passed for domain ${domain} using fallback verification`,
details: {
selector,
signatureFields
},
domain,
success: true
});
return result;
} else {
// Missing domain or selector
const result: IDkimVerificationResult = {
isValid: false,
domain,
selector,
status: 'permerror',
errorMessage: 'Missing domain or selector in DKIM signature',
signatureFields
};
this.verificationCache.set(cacheKey, {
result,
timestamp: Date.now()
});
logger.log('warn', `DKIM verification failed: Missing domain or selector in DKIM signature`);
// Enhanced security logging
SecurityLogger.getInstance().logEvent({
level: SecurityLogLevel.WARN,
type: SecurityEventType.DKIM,
message: `DKIM verification failed: Missing domain or selector in signature`,
details: { domain, selector, signatureFields },
domain: domain || 'unknown',
success: false
});
return result;
}
} catch (error) {
const result: IDkimVerificationResult = {
isValid: false,
status: 'temperror',
errorMessage: `Verification error: ${error.message}`
};
this.verificationCache.set(cacheKey, {
result,
timestamp: Date.now()
});
logger.log('error', `DKIM verification error: ${error.message}`);
// Enhanced security logging
SecurityLogger.getInstance().logEvent({
level: SecurityLogLevel.ERROR,
type: SecurityEventType.DKIM,
message: `DKIM verification error during processing`,
details: { error: error.message },
success: false
});
return result;
}
} catch (error) { } catch (error) {
logger.log('error', `DKIM verification failed with unexpected error: ${error.message}`); logger.log('error', `DKIM verification failed: ${error.message}`);
// Enhanced security logging for unexpected errors
SecurityLogger.getInstance().logEvent({ SecurityLogger.getInstance().logEvent({
level: SecurityLogLevel.ERROR, level: SecurityLogLevel.ERROR,
type: SecurityEventType.DKIM, type: SecurityEventType.DKIM,
message: `DKIM verification failed with unexpected error`, message: `DKIM verification error`,
details: { error: error.message }, details: { error: error.message },
success: false success: false
}); });
return { return {
isValid: false, isValid: false,
status: 'temperror', status: 'temperror',
errorMessage: `Unexpected verification error: ${error.message}` errorMessage: `Verification error: ${error.message}`
}; };
} }
} }
/** /** No-op — Rust bridge handles its own caching */
* Fetch DKIM public key from DNS public clearCache(): void {}
* @param domain The domain
* @param selector The DKIM selector /** Always 0 — cache is managed by the Rust side */
* @returns The DKIM public key or null if not found
*/
private async fetchDkimKey(domain: string, selector: string): Promise<string | null> {
try {
const dkimRecord = `${selector}._domainkey.${domain}`;
// Use DNS lookup from plugins
const txtRecords = await new Promise<string[]>((resolve, reject) => {
plugins.dns.resolveTxt(dkimRecord, (err, records) => {
if (err) {
if (err.code === 'ENOTFOUND' || err.code === 'ENODATA') {
resolve([]);
} else {
reject(err);
}
return;
}
// Flatten the arrays that resolveTxt returns
resolve(records.map(record => record.join('')));
});
});
if (!txtRecords || txtRecords.length === 0) {
logger.log('warn', `No DKIM TXT record found for ${dkimRecord}`);
// Security logging for missing DKIM record
SecurityLogger.getInstance().logEvent({
level: SecurityLogLevel.WARN,
type: SecurityEventType.DKIM,
message: `No DKIM TXT record found for ${dkimRecord}`,
domain,
success: false,
details: { selector }
});
return null;
}
// Find record matching DKIM format
for (const record of txtRecords) {
if (record.includes('p=')) {
// Extract public key
const publicKeyMatch = record.match(/p=([^;]+)/i);
if (publicKeyMatch && publicKeyMatch[1]) {
return publicKeyMatch[1].trim();
}
}
}
logger.log('warn', `No valid DKIM public key found in TXT records for ${dkimRecord}`);
// Security logging for invalid DKIM key
SecurityLogger.getInstance().logEvent({
level: SecurityLogLevel.WARN,
type: SecurityEventType.DKIM,
message: `No valid DKIM public key found in TXT records`,
domain,
success: false,
details: { dkimRecord, selector }
});
return null;
} catch (error) {
logger.log('error', `Error fetching DKIM key: ${error.message}`);
// Security logging for DKIM key fetch error
SecurityLogger.getInstance().logEvent({
level: SecurityLogLevel.ERROR,
type: SecurityEventType.DKIM,
message: `Error fetching DKIM key for domain`,
domain,
success: false,
details: { error: error.message, selector, dkimRecord: `${selector}._domainkey.${domain}` }
});
return null;
}
}
/**
* Clear the verification cache
*/
public clearCache(): void {
this.verificationCache.clear();
logger.log('info', 'DKIM verification cache cleared');
}
/**
* Get the size of the verification cache
* @returns Number of cached items
*/
public getCacheSize(): number { public getCacheSize(): number {
return this.verificationCache.size; return 0;
} }
} }

3
ts/mail/security/classes.dmarcverifier.ts
View File

@@ -1,9 +1,6 @@
import * as plugins from '../../plugins.js';
import { logger } from '../../logger.js'; import { logger } from '../../logger.js';
import { SecurityLogger, SecurityLogLevel, SecurityEventType } from '../../security/index.js'; import { SecurityLogger, SecurityLogLevel, SecurityEventType } from '../../security/index.js';
// MtaService reference removed
import type { Email } from '../core/classes.email.js'; import type { Email } from '../core/classes.email.js';
import type { IDnsVerificationResult } from '../routing/classes.dnsmanager.js';
/** /**
* DMARC policy types * DMARC policy types

501
ts/mail/security/classes.spfverifier.ts
View File

@@ -1,9 +1,8 @@
import * as plugins from '../../plugins.js'; import * as plugins from '../../plugins.js';
import { logger } from '../../logger.js'; import { logger } from '../../logger.js';
import { SecurityLogger, SecurityLogLevel, SecurityEventType } from '../../security/index.js'; import { SecurityLogger, SecurityLogLevel, SecurityEventType } from '../../security/index.js';
// MtaService reference removed import { RustSecurityBridge } from '../../security/classes.rustsecuritybridge.js';
import type { Email } from '../core/classes.email.js'; import type { Email } from '../core/classes.email.js';
import type { IDnsVerificationResult } from '../routing/classes.dnsmanager.js';
/** /**
* SPF result qualifiers * SPF result qualifiers
@@ -61,79 +60,64 @@ export interface SpfResult {
} }
/** /**
* Maximum lookup limit for SPF records (prevent infinite loops) * Class for verifying SPF records.
*/ * Delegates actual SPF evaluation to the Rust security bridge.
const MAX_SPF_LOOKUPS = 10; * Retains parseSpfRecord() for lightweight local parsing.
/**
* Class for verifying SPF records
*/ */
export class SpfVerifier { export class SpfVerifier {
// DNS Manager reference for verifying records constructor(_dnsManager?: any) {
private dnsManager?: any; // dnsManager is no longer needed — Rust handles DNS lookups
private lookupCount: number = 0;
constructor(dnsManager?: any) {
this.dnsManager = dnsManager;
} }
/** /**
* Parse SPF record from TXT record * Parse SPF record from TXT record (pure string parsing, no DNS)
* @param record SPF TXT record
* @returns Parsed SPF record or null if invalid
*/ */
public parseSpfRecord(record: string): SpfRecord | null { public parseSpfRecord(record: string): SpfRecord | null {
if (!record.startsWith('v=spf1')) { if (!record.startsWith('v=spf1')) {
return null; return null;
} }
try { try {
const spfRecord: SpfRecord = { const spfRecord: SpfRecord = {
version: 'spf1', version: 'spf1',
mechanisms: [], mechanisms: [],
modifiers: {} modifiers: {}
}; };
// Split into terms
const terms = record.split(' ').filter(term => term.length > 0); const terms = record.split(' ').filter(term => term.length > 0);
// Skip version term
for (let i = 1; i < terms.length; i++) { for (let i = 1; i < terms.length; i++) {
const term = terms[i]; const term = terms[i];
// Check if it's a modifier (name=value)
if (term.includes('=')) { if (term.includes('=')) {
const [name, value] = term.split('='); const [name, value] = term.split('=');
spfRecord.modifiers[name] = value; spfRecord.modifiers[name] = value;
continue; continue;
} }
// Parse as mechanism let qualifier = SpfQualifier.PASS;
let qualifier = SpfQualifier.PASS; // Default is +
let mechanismText = term; let mechanismText = term;
// Check for qualifier if (term.startsWith('+') || term.startsWith('-') ||
if (term.startsWith('+') || term.startsWith('-') ||
term.startsWith('~') || term.startsWith('?')) { term.startsWith('~') || term.startsWith('?')) {
qualifier = term[0] as SpfQualifier; qualifier = term[0] as SpfQualifier;
mechanismText = term.substring(1); mechanismText = term.substring(1);
} }
// Parse mechanism type and value
const colonIndex = mechanismText.indexOf(':'); const colonIndex = mechanismText.indexOf(':');
let type: SpfMechanismType; let type: SpfMechanismType;
let value: string | undefined; let value: string | undefined;
if (colonIndex !== -1) { if (colonIndex !== -1) {
type = mechanismText.substring(0, colonIndex) as SpfMechanismType; type = mechanismText.substring(0, colonIndex) as SpfMechanismType;
value = mechanismText.substring(colonIndex + 1); value = mechanismText.substring(colonIndex + 1);
} else { } else {
type = mechanismText as SpfMechanismType; type = mechanismText as SpfMechanismType;
} }
spfRecord.mechanisms.push({ qualifier, type, value }); spfRecord.mechanisms.push({ qualifier, type, value });
} }
return spfRecord; return spfRecord;
} catch (error) { } catch (error) {
logger.log('error', `Error parsing SPF record: ${error.message}`, { logger.log('error', `Error parsing SPF record: ${error.message}`, {
@@ -143,60 +127,9 @@ export class SpfVerifier {
return null; return null;
} }
} }
/** /**
* Check if IP is in CIDR range * Verify SPF for a given email — delegates to Rust bridge
* @param ip IP address to check
* @param cidr CIDR range
* @returns Whether the IP is in the CIDR range
*/
private isIpInCidr(ip: string, cidr: string): boolean {
try {
const ipAddress = plugins.ip.Address4.parse(ip);
return ipAddress.isInSubnet(new plugins.ip.Address4(cidr));
} catch (error) {
// Try IPv6
try {
const ipAddress = plugins.ip.Address6.parse(ip);
return ipAddress.isInSubnet(new plugins.ip.Address6(cidr));
} catch (e) {
return false;
}
}
}
/**
* Check if a domain has the specified IP in its A or AAAA records
* @param domain Domain to check
* @param ip IP address to check
* @returns Whether the domain resolves to the IP
*/
private async isDomainResolvingToIp(domain: string, ip: string): Promise<boolean> {
try {
// First try IPv4
const ipv4Addresses = await plugins.dns.promises.resolve4(domain);
if (ipv4Addresses.includes(ip)) {
return true;
}
// Then try IPv6
const ipv6Addresses = await plugins.dns.promises.resolve6(domain);
if (ipv6Addresses.includes(ip)) {
return true;
}
return false;
} catch (error) {
return false;
}
}
/**
* Verify SPF for a given email with IP and helo domain
* @param email Email to verify
* @param ip Sender IP address
* @param heloDomain HELO/EHLO domain used by sender
* @returns SPF verification result
*/ */
public async verify( public async verify(
email: Email, email: Email,
@@ -204,109 +137,48 @@ export class SpfVerifier {
heloDomain: string heloDomain: string
): Promise<SpfResult> { ): Promise<SpfResult> {
const securityLogger = SecurityLogger.getInstance(); const securityLogger = SecurityLogger.getInstance();
const mailFrom = email.from || '';
// Reset lookup count const domain = mailFrom.split('@')[1] || '';
this.lookupCount = 0;
// Get domain from envelope from (return-path)
const domain = email.getEnvelopeFrom().split('@')[1] || '';
if (!domain) {
return {
result: 'permerror',
explanation: 'No envelope from domain',
domain: '',
ip
};
}
try { try {
// Look up SPF record const bridge = RustSecurityBridge.getInstance();
const spfVerificationResult = this.dnsManager ? const result = await bridge.checkSpf({
await this.dnsManager.verifySpfRecord(domain) :
{ found: false, valid: false, error: 'DNS Manager not available' };
if (!spfVerificationResult.found) {
return {
result: 'none',
explanation: 'No SPF record found',
domain,
ip
};
}
if (!spfVerificationResult.valid) {
return {
result: 'permerror',
explanation: 'Invalid SPF record',
domain,
ip,
record: spfVerificationResult.value
};
}
// Parse SPF record
const spfRecord = this.parseSpfRecord(spfVerificationResult.value);
if (!spfRecord) {
return {
result: 'permerror',
explanation: 'Failed to parse SPF record',
domain,
ip,
record: spfVerificationResult.value
};
}
// Check SPF record
const result = await this.checkSpfRecord(spfRecord, domain, ip);
// Log the result
const spfLogLevel = result.result === 'pass' ?
SecurityLogLevel.INFO :
(result.result === 'fail' ? SecurityLogLevel.WARN : SecurityLogLevel.INFO);
securityLogger.logEvent({
level: spfLogLevel,
type: SecurityEventType.SPF,
message: `SPF ${result.result} for ${domain} from IP ${ip}`,
domain,
details: {
ip,
heloDomain,
result: result.result,
explanation: result.explanation,
record: spfVerificationResult.value
},
success: result.result === 'pass'
});
return {
...result,
domain,
ip, ip,
record: spfVerificationResult.value heloDomain,
hostname: plugins.os.hostname(),
mailFrom,
});
const spfResult: SpfResult = {
result: result.result as SpfResult['result'],
domain: result.domain,
ip: result.ip,
explanation: result.explanation ?? undefined,
}; };
} catch (error) {
// Log error securityLogger.logEvent({
logger.log('error', `SPF verification error: ${error.message}`, { level: spfResult.result === 'pass' ? SecurityLogLevel.INFO :
domain, (spfResult.result === 'fail' ? SecurityLogLevel.WARN : SecurityLogLevel.INFO),
ip, type: SecurityEventType.SPF,
error: error.message message: `SPF ${spfResult.result} for ${spfResult.domain} from IP ${ip}`,
domain: spfResult.domain,
details: { ip, heloDomain, result: spfResult.result, explanation: spfResult.explanation },
success: spfResult.result === 'pass'
}); });
return spfResult;
} catch (error) {
logger.log('error', `SPF verification error: ${error.message}`, { domain, ip, error: error.message });
securityLogger.logEvent({ securityLogger.logEvent({
level: SecurityLogLevel.ERROR, level: SecurityLogLevel.ERROR,
type: SecurityEventType.SPF, type: SecurityEventType.SPF,
message: `SPF verification error for ${domain}`, message: `SPF verification error for ${domain}`,
domain, domain,
details: { details: { ip, error: error.message },
ip,
error: error.message
},
success: false success: false
}); });
return { return {
result: 'temperror', result: 'temperror',
explanation: `Error verifying SPF: ${error.message}`, explanation: `Error verifying SPF: ${error.message}`,
@@ -316,247 +188,9 @@ export class SpfVerifier {
}; };
} }
} }
/** /**
* Check SPF record against IP address * Check if email passes SPF verification and apply headers
* @param spfRecord Parsed SPF record
* @param domain Domain being checked
* @param ip IP address to check
* @returns SPF result
*/
private async checkSpfRecord(
spfRecord: SpfRecord,
domain: string,
ip: string
): Promise<SpfResult> {
// Check for 'redirect' modifier
if (spfRecord.modifiers.redirect) {
this.lookupCount++;
if (this.lookupCount > MAX_SPF_LOOKUPS) {
return {
result: 'permerror',
explanation: 'Too many DNS lookups',
domain,
ip
};
}
// Handle redirect
const redirectDomain = spfRecord.modifiers.redirect;
const redirectResult = this.dnsManager ?
await this.dnsManager.verifySpfRecord(redirectDomain) :
{ found: false, valid: false, error: 'DNS Manager not available' };
if (!redirectResult.found || !redirectResult.valid) {
return {
result: 'permerror',
explanation: `Invalid redirect to ${redirectDomain}`,
domain,
ip
};
}
const redirectRecord = this.parseSpfRecord(redirectResult.value);
if (!redirectRecord) {
return {
result: 'permerror',
explanation: `Failed to parse redirect record from ${redirectDomain}`,
domain,
ip
};
}
return this.checkSpfRecord(redirectRecord, redirectDomain, ip);
}
// Check each mechanism in order
for (const mechanism of spfRecord.mechanisms) {
let matched = false;
switch (mechanism.type) {
case SpfMechanismType.ALL:
matched = true;
break;
case SpfMechanismType.IP4:
if (mechanism.value) {
matched = this.isIpInCidr(ip, mechanism.value);
}
break;
case SpfMechanismType.IP6:
if (mechanism.value) {
matched = this.isIpInCidr(ip, mechanism.value);
}
break;
case SpfMechanismType.A:
this.lookupCount++;
if (this.lookupCount > MAX_SPF_LOOKUPS) {
return {
result: 'permerror',
explanation: 'Too many DNS lookups',
domain,
ip
};
}
// Check if domain has A/AAAA record matching IP
const checkDomain = mechanism.value || domain;
matched = await this.isDomainResolvingToIp(checkDomain, ip);
break;
case SpfMechanismType.MX:
this.lookupCount++;
if (this.lookupCount > MAX_SPF_LOOKUPS) {
return {
result: 'permerror',
explanation: 'Too many DNS lookups',
domain,
ip
};
}
// Check MX records
const mxDomain = mechanism.value || domain;
try {
const mxRecords = await plugins.dns.promises.resolveMx(mxDomain);
for (const mx of mxRecords) {
// Check if this MX record's IP matches
const mxMatches = await this.isDomainResolvingToIp(mx.exchange, ip);
if (mxMatches) {
matched = true;
break;
}
}
} catch (error) {
// No MX records or error
matched = false;
}
break;
case SpfMechanismType.INCLUDE:
if (!mechanism.value) {
continue;
}
this.lookupCount++;
if (this.lookupCount > MAX_SPF_LOOKUPS) {
return {
result: 'permerror',
explanation: 'Too many DNS lookups',
domain,
ip
};
}
// Check included domain's SPF record
const includeDomain = mechanism.value;
const includeResult = this.dnsManager ?
await this.dnsManager.verifySpfRecord(includeDomain) :
{ found: false, valid: false, error: 'DNS Manager not available' };
if (!includeResult.found || !includeResult.valid) {
continue; // Skip this mechanism
}
const includeRecord = this.parseSpfRecord(includeResult.value);
if (!includeRecord) {
continue; // Skip this mechanism
}
// Recursively check the included SPF record
const includeCheck = await this.checkSpfRecord(includeRecord, includeDomain, ip);
// Include mechanism matches if the result is "pass"
matched = includeCheck.result === 'pass';
break;
case SpfMechanismType.EXISTS:
if (!mechanism.value) {
continue;
}
this.lookupCount++;
if (this.lookupCount > MAX_SPF_LOOKUPS) {
return {
result: 'permerror',
explanation: 'Too many DNS lookups',
domain,
ip
};
}
// Check if domain exists (has any A record)
try {
await plugins.dns.promises.resolve(mechanism.value, 'A');
matched = true;
} catch (error) {
matched = false;
}
break;
}
// If this mechanism matched, return its result
if (matched) {
switch (mechanism.qualifier) {
case SpfQualifier.PASS:
return {
result: 'pass',
explanation: `Matched ${mechanism.type}${mechanism.value ? ':' + mechanism.value : ''}`,
domain,
ip
};
case SpfQualifier.FAIL:
return {
result: 'fail',
explanation: `Matched ${mechanism.type}${mechanism.value ? ':' + mechanism.value : ''}`,
domain,
ip
};
case SpfQualifier.SOFTFAIL:
return {
result: 'softfail',
explanation: `Matched ${mechanism.type}${mechanism.value ? ':' + mechanism.value : ''}`,
domain,
ip
};
case SpfQualifier.NEUTRAL:
return {
result: 'neutral',
explanation: `Matched ${mechanism.type}${mechanism.value ? ':' + mechanism.value : ''}`,
domain,
ip
};
}
}
}
// If no mechanism matched, default to neutral
return {
result: 'neutral',
explanation: 'No matching mechanism found',
domain,
ip
};
}
/**
* Check if email passes SPF verification
* @param email Email to verify
* @param ip Sender IP address
* @param heloDomain HELO/EHLO domain used by sender
* @returns Whether email passes SPF
*/ */
public async verifyAndApply( public async verifyAndApply(
email: Email, email: Email,
@@ -564,43 +198,36 @@ export class SpfVerifier {
heloDomain: string heloDomain: string
): Promise<boolean> { ): Promise<boolean> {
const result = await this.verify(email, ip, heloDomain); const result = await this.verify(email, ip, heloDomain);
// Add headers email.headers['Received-SPF'] = `${result.result} (${result.domain}: ${result.explanation || ''}) client-ip=${ip}; envelope-from=${email.getEnvelopeFrom()}; helo=${heloDomain};`;
email.headers['Received-SPF'] = `${result.result} (${result.domain}: ${result.explanation}) client-ip=${ip}; envelope-from=${email.getEnvelopeFrom()}; helo=${heloDomain};`;
// Apply policy based on result
switch (result.result) { switch (result.result) {
case 'fail': case 'fail':
// Fail - mark as spam
email.mightBeSpam = true; email.mightBeSpam = true;
logger.log('warn', `SPF failed for ${result.domain} from ${ip}: ${result.explanation}`); logger.log('warn', `SPF failed for ${result.domain} from ${ip}: ${result.explanation}`);
return false; return false;
case 'softfail': case 'softfail':
// Soft fail - accept but mark as suspicious
email.mightBeSpam = true; email.mightBeSpam = true;
logger.log('info', `SPF softfailed for ${result.domain} from ${ip}: ${result.explanation}`); logger.log('info', `SPF softfailed for ${result.domain} from ${ip}: ${result.explanation}`);
return true; return true;
case 'neutral': case 'neutral':
case 'none': case 'none':
// Neutral or none - accept but note in headers
logger.log('info', `SPF ${result.result} for ${result.domain} from ${ip}: ${result.explanation}`); logger.log('info', `SPF ${result.result} for ${result.domain} from ${ip}: ${result.explanation}`);
return true; return true;
case 'pass': case 'pass':
// Pass - accept
logger.log('info', `SPF passed for ${result.domain} from ${ip}: ${result.explanation}`); logger.log('info', `SPF passed for ${result.domain} from ${ip}: ${result.explanation}`);
return true; return true;
case 'temperror': case 'temperror':
case 'permerror': case 'permerror':
// Temporary or permanent error - log but accept
logger.log('error', `SPF error for ${result.domain} from ${ip}: ${result.explanation}`); logger.log('error', `SPF error for ${result.domain} from ${ip}: ${result.explanation}`);
return true; return true;
default: default:
return true; return true;
} }
} }
} }

6
ts/plugins.ts
View File

@@ -84,16 +84,10 @@ export {
} }
// third party // third party
import * as mailauth from 'mailauth';
import { dkimSign } from 'mailauth/lib/dkim/sign.js';
import mailparser from 'mailparser'; import mailparser from 'mailparser';
import * as uuid from 'uuid'; import * as uuid from 'uuid';
import * as ip from 'ip';
export { export {
mailauth,
dkimSign,
mailparser, mailparser,
uuid, uuid,
ip,
} }

525
ts/security/classes.contentscanner.ts
View File

@@ -4,6 +4,7 @@ import { logger } from '../logger.js';
import { Email } from '../mail/core/classes.email.js'; import { Email } from '../mail/core/classes.email.js';
import type { IAttachment } from '../mail/core/classes.email.js'; import type { IAttachment } from '../mail/core/classes.email.js';
import { SecurityLogger, SecurityLogLevel, SecurityEventType } from './classes.securitylogger.js'; import { SecurityLogger, SecurityLogLevel, SecurityEventType } from './classes.securitylogger.js';
import { RustSecurityBridge } from './classes.rustsecuritybridge.js';
import { LRUCache } from 'lru-cache'; import { LRUCache } from 'lru-cache';
/** /**
@@ -65,75 +66,6 @@ export class ContentScanner {
private scanCache: LRUCache<string, IScanResult>; private scanCache: LRUCache<string, IScanResult>;
private options: Required<IContentScannerOptions>; private options: Required<IContentScannerOptions>;
// Predefined patterns for common threats
private static readonly MALICIOUS_PATTERNS = {
// Phishing patterns
phishing: [
/(?:verify|confirm|update|login).*(?:account|password|details)/i,
/urgent.*(?:action|attention|required)/i,
/(?:paypal|apple|microsoft|amazon|google|bank).*(?:verify|confirm|suspend)/i,
/your.*(?:account).*(?:suspended|compromised|locked)/i,
/\b(?:password reset|security alert|security notice)\b/i
],
// Spam indicators
spam: [
/\b(?:viagra|cialis|enlargement|diet pill|lose weight fast|cheap meds)\b/i,
/\b(?:million dollars|lottery winner|prize claim|inheritance|rich widow)\b/i,
/\b(?:earn from home|make money fast|earn \$\d{3,}\/day)\b/i,
/\b(?:limited time offer|act now|exclusive deal|only \d+ left)\b/i,
/\b(?:forex|stock tip|investment opportunity|cryptocurrency|bitcoin)\b/i
],
// Malware indicators in text
malware: [
/(?:attached file|see attachment).*(?:invoice|receipt|statement|document)/i,
/open.*(?:the attached|this attachment)/i,
/(?:enable|allow).*(?:macros|content|editing)/i,
/download.*(?:attachment|file|document)/i,
/\b(?:ransomware protection|virus alert|malware detected)\b/i
],
// Suspicious links
suspiciousLinks: [
/https?:\/\/bit\.ly\//i,
/https?:\/\/goo\.gl\//i,
/https?:\/\/t\.co\//i,
/https?:\/\/tinyurl\.com\//i,
/https?:\/\/(?:\d{1,3}\.){3}\d{1,3}/i, // IP address URLs
/https?:\/\/.*\.(?:xyz|top|club|gq|cf)\//i, // Suspicious TLDs
/(?:login|account|signin|auth).*\.(?!gov|edu|com|org|net)\w+\.\w+/i, // Login pages on unusual domains
],
// XSS and script injection
scriptInjection: [
/<script.*>.*<\/script>/is,
/javascript:/i,
/on(?:click|load|mouse|error|focus|blur)=".*"/i,
/document\.(?:cookie|write|location)/i,
/eval\s*\(/i
],
// Sensitive data patterns
sensitiveData: [
/\b(?:\d{3}-\d{2}-\d{4}|\d{9})\b/, // SSN
/\b\d{13,16}\b/, // Credit card numbers
/\b(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\b/ // Possible Base64
]
};
// Common executable extensions
private static readonly EXECUTABLE_EXTENSIONS = [
'.exe', '.dll', '.bat', '.cmd', '.msi', '.ts', '.vbs', '.ps1',
'.sh', '.jar', '.py', '.com', '.scr', '.pif', '.hta', '.cpl',
'.reg', '.vba', '.lnk', '.wsf', '.msi', '.msp', '.mst'
];
// Document formats that may contain macros
private static readonly MACRO_DOCUMENT_EXTENSIONS = [
'.doc', '.docm', '.xls', '.xlsm', '.ppt', '.pptm', '.dotm', '.xlsb', '.ppam', '.potm'
];
/** /**
* Default options for the content scanner * Default options for the content scanner
*/ */
@@ -185,7 +117,9 @@ export class ContentScanner {
} }
/** /**
* Scan an email for malicious content * Scan an email for malicious content.
* Delegates text/subject/html/filename pattern scanning to Rust.
* Binary attachment scanning (PE headers, VBA macros) stays in TS.
* @param email The email to scan * @param email The email to scan
* @returns Scan result * @returns Scan result
*/ */
@@ -193,74 +127,67 @@ export class ContentScanner {
try { try {
// Generate a cache key from the email // Generate a cache key from the email
const cacheKey = this.generateCacheKey(email); const cacheKey = this.generateCacheKey(email);
// Check cache first // Check cache first
const cachedResult = this.scanCache.get(cacheKey); const cachedResult = this.scanCache.get(cacheKey);
if (cachedResult) { if (cachedResult) {
logger.log('info', `Using cached scan result for email ${email.getMessageId()}`); logger.log('info', `Using cached scan result for email ${email.getMessageId()}`);
return cachedResult; return cachedResult;
} }
// Initialize scan result // Delegate text/subject/html/filename scanning to Rust
const bridge = RustSecurityBridge.getInstance();
const rustResult = await bridge.scanContent({
subject: this.options.scanSubject ? email.subject : undefined,
textBody: this.options.scanBody ? email.text : undefined,
htmlBody: this.options.scanBody ? email.html : undefined,
attachmentNames: this.options.scanAttachmentNames
? email.attachments?.map(a => a.filename) ?? []
: [],
});
const result: IScanResult = { const result: IScanResult = {
isClean: true, isClean: true,
threatScore: 0, threatScore: rustResult.threatScore,
scannedElements: [], threatType: rustResult.threatType ?? undefined,
timestamp: Date.now() threatDetails: rustResult.threatDetails ?? undefined,
scannedElements: rustResult.scannedElements,
timestamp: Date.now(),
}; };
// List of scan promises // Attachment binary scanning stays in TS (PE headers, macro detection)
const scanPromises: Array<Promise<void>> = []; if (this.options.scanAttachments && email.attachments?.length > 0) {
// Scan subject
if (this.options.scanSubject && email.subject) {
scanPromises.push(this.scanSubject(email.subject, result));
}
// Scan body content
if (this.options.scanBody) {
if (email.text) {
scanPromises.push(this.scanTextContent(email.text, result));
}
if (email.html) {
scanPromises.push(this.scanHtmlContent(email.html, result));
}
}
// Scan attachments
if (this.options.scanAttachments && email.attachments && email.attachments.length > 0) {
for (const attachment of email.attachments) { for (const attachment of email.attachments) {
scanPromises.push(this.scanAttachment(attachment, result)); this.scanAttachmentBinary(attachment, result);
} }
} }
// Run all scans in parallel // Apply custom rules (TS-only, runtime-configured)
await Promise.all(scanPromises); this.applyCustomRules(email, result);
// Determine if the email is clean based on threat score // Determine if the email is clean based on threat score
result.isClean = result.threatScore < this.options.minThreatScore; result.isClean = result.threatScore < this.options.minThreatScore;
// Save to cache // Save to cache
this.scanCache.set(cacheKey, result); this.scanCache.set(cacheKey, result);
// Log high threat findings // Log high threat findings
if (result.threatScore >= this.options.highThreatScore) { if (result.threatScore >= this.options.highThreatScore) {
this.logHighThreatFound(email, result); this.logHighThreatFound(email, result);
} else if (!result.isClean) { } else if (!result.isClean) {
this.logThreatFound(email, result); this.logThreatFound(email, result);
} }
return result; return result;
} catch (error) { } catch (error) {
logger.log('error', `Error scanning email: ${error.message}`, { logger.log('error', `Error scanning email: ${error.message}`, {
messageId: email.getMessageId(), messageId: email.getMessageId(),
error: error.stack error: error.stack
}); });
// Return a safe default with error indication // Return a safe default with error indication
return { return {
isClean: true, // Let it pass if scanner fails (configure as desired) isClean: true,
threatScore: 0, threatScore: 0,
scannedElements: ['error'], scannedElements: ['error'],
timestamp: Date.now(), timestamp: Date.now(),
@@ -269,7 +196,7 @@ export class ContentScanner {
}; };
} }
} }
/** /**
* Generate a cache key from an email * Generate a cache key from an email
* @param email The email to generate a key for * @param email The email to generate a key for
@@ -280,7 +207,7 @@ export class ContentScanner {
if (email.getMessageId()) { if (email.getMessageId()) {
return `email:${email.getMessageId()}`; return `email:${email.getMessageId()}`;
} }
// Fallback to a hash of key content // Fallback to a hash of key content
const contentToHash = [ const contentToHash = [
email.from, email.from,
@@ -289,321 +216,75 @@ export class ContentScanner {
email.html?.substring(0, 1000) || '', email.html?.substring(0, 1000) || '',
email.attachments?.length || 0 email.attachments?.length || 0
].join(':'); ].join(':');
return `email:${plugins.crypto.createHash('sha256').update(contentToHash).digest('hex')}`; return `email:${plugins.crypto.createHash('sha256').update(contentToHash).digest('hex')}`;
} }
/** /**
* Scan email subject for threats * Scan attachment binary content for PE headers and VBA macros.
* @param subject The subject to scan * This stays in TS because it accesses raw Buffer data (too large for IPC).
* @param result The scan result to update
*/
private async scanSubject(subject: string, result: IScanResult): Promise<void> {
result.scannedElements.push('subject');
// Check against phishing patterns
for (const pattern of ContentScanner.MALICIOUS_PATTERNS.phishing) {
if (pattern.test(subject)) {
result.threatScore += 25;
result.threatType = ThreatCategory.PHISHING;
result.threatDetails = `Subject contains potential phishing indicators: ${subject}`;
return;
}
}
// Check against spam patterns
for (const pattern of ContentScanner.MALICIOUS_PATTERNS.spam) {
if (pattern.test(subject)) {
result.threatScore += 15;
result.threatType = ThreatCategory.SPAM;
result.threatDetails = `Subject contains potential spam indicators: ${subject}`;
return;
}
}
// Check custom rules
for (const rule of this.options.customRules) {
const pattern = rule.pattern instanceof RegExp ? rule.pattern : new RegExp(rule.pattern, 'i');
if (pattern.test(subject)) {
result.threatScore += rule.score;
result.threatType = rule.type;
result.threatDetails = rule.description;
return;
}
}
}
/**
* Scan plain text content for threats
* @param text The text content to scan
* @param result The scan result to update
*/
private async scanTextContent(text: string, result: IScanResult): Promise<void> {
result.scannedElements.push('text');
// Check suspicious links
for (const pattern of ContentScanner.MALICIOUS_PATTERNS.suspiciousLinks) {
if (pattern.test(text)) {
result.threatScore += 20;
if (!result.threatType || result.threatScore > (result.threatType === ThreatCategory.SUSPICIOUS_LINK ? 0 : 20)) {
result.threatType = ThreatCategory.SUSPICIOUS_LINK;
result.threatDetails = `Text contains suspicious links`;
}
}
}
// Check phishing
for (const pattern of ContentScanner.MALICIOUS_PATTERNS.phishing) {
if (pattern.test(text)) {
result.threatScore += 25;
if (!result.threatType || result.threatScore > (result.threatType === ThreatCategory.PHISHING ? 0 : 25)) {
result.threatType = ThreatCategory.PHISHING;
result.threatDetails = `Text contains potential phishing indicators`;
}
}
}
// Check spam
for (const pattern of ContentScanner.MALICIOUS_PATTERNS.spam) {
if (pattern.test(text)) {
result.threatScore += 15;
if (!result.threatType || result.threatScore > (result.threatType === ThreatCategory.SPAM ? 0 : 15)) {
result.threatType = ThreatCategory.SPAM;
result.threatDetails = `Text contains potential spam indicators`;
}
}
}
// Check malware indicators
for (const pattern of ContentScanner.MALICIOUS_PATTERNS.malware) {
if (pattern.test(text)) {
result.threatScore += 30;
if (!result.threatType || result.threatScore > (result.threatType === ThreatCategory.MALWARE ? 0 : 30)) {
result.threatType = ThreatCategory.MALWARE;
result.threatDetails = `Text contains potential malware indicators`;
}
}
}
// Check sensitive data
for (const pattern of ContentScanner.MALICIOUS_PATTERNS.sensitiveData) {
if (pattern.test(text)) {
result.threatScore += 25;
if (!result.threatType || result.threatScore > (result.threatType === ThreatCategory.SENSITIVE_DATA ? 0 : 25)) {
result.threatType = ThreatCategory.SENSITIVE_DATA;
result.threatDetails = `Text contains potentially sensitive data patterns`;
}
}
}
// Check custom rules
for (const rule of this.options.customRules) {
const pattern = rule.pattern instanceof RegExp ? rule.pattern : new RegExp(rule.pattern, 'i');
if (pattern.test(text)) {
result.threatScore += rule.score;
if (!result.threatType || result.threatScore > 20) {
result.threatType = rule.type;
result.threatDetails = rule.description;
}
}
}
}
/**
* Scan HTML content for threats
* @param html The HTML content to scan
* @param result The scan result to update
*/
private async scanHtmlContent(html: string, result: IScanResult): Promise<void> {
result.scannedElements.push('html');
// Check for script injection
for (const pattern of ContentScanner.MALICIOUS_PATTERNS.scriptInjection) {
if (pattern.test(html)) {
result.threatScore += 40;
if (!result.threatType || result.threatType !== ThreatCategory.XSS) {
result.threatType = ThreatCategory.XSS;
result.threatDetails = `HTML contains potentially malicious script content`;
}
}
}
// Extract text content from HTML for further scanning
const textContent = this.extractTextFromHtml(html);
if (textContent) {
// We'll leverage the text scanning but not double-count threat score
const tempResult: IScanResult = {
isClean: true,
threatScore: 0,
scannedElements: [],
timestamp: Date.now()
};
await this.scanTextContent(textContent, tempResult);
// Only add additional threat types if they're more severe
if (tempResult.threatType && tempResult.threatScore > 0) {
// Add half of the text content score to avoid double counting
result.threatScore += Math.floor(tempResult.threatScore / 2);
// Adopt the threat type if more severe or no existing type
if (!result.threatType || tempResult.threatScore > result.threatScore) {
result.threatType = tempResult.threatType;
result.threatDetails = tempResult.threatDetails;
}
}
}
// Extract and check links from HTML
const links = this.extractLinksFromHtml(html);
if (links.length > 0) {
// Check for suspicious links
let suspiciousLinks = 0;
for (const link of links) {
for (const pattern of ContentScanner.MALICIOUS_PATTERNS.suspiciousLinks) {
if (pattern.test(link)) {
suspiciousLinks++;
break;
}
}
}
if (suspiciousLinks > 0) {
// Add score based on percentage of suspicious links
const suspiciousPercentage = (suspiciousLinks / links.length) * 100;
const additionalScore = Math.min(40, Math.floor(suspiciousPercentage / 2.5));
result.threatScore += additionalScore;
if (!result.threatType || additionalScore > 20) {
result.threatType = ThreatCategory.SUSPICIOUS_LINK;
result.threatDetails = `HTML contains ${suspiciousLinks} suspicious links out of ${links.length} total links`;
}
}
}
}
/**
* Scan an attachment for threats
* @param attachment The attachment to scan * @param attachment The attachment to scan
* @param result The scan result to update * @param result The scan result to update
*/ */
private async scanAttachment(attachment: IAttachment, result: IScanResult): Promise<void> { private scanAttachmentBinary(attachment: IAttachment, result: IScanResult): void {
const filename = attachment.filename.toLowerCase(); if (!attachment.content) {
result.scannedElements.push(`attachment:${filename}`);
// Skip large attachments if configured
if (attachment.content && attachment.content.length > this.options.maxAttachmentSizeToScan) {
logger.log('info', `Skipping scan of large attachment: ${filename} (${attachment.content.length} bytes)`);
return; return;
} }
// Check filename for executable extensions // Skip large attachments
if (this.options.blockExecutables) { if (attachment.content.length > this.options.maxAttachmentSizeToScan) {
for (const ext of ContentScanner.EXECUTABLE_EXTENSIONS) { return;
if (filename.endsWith(ext)) {
result.threatScore += 70; // High score for executable attachments
result.threatType = ThreatCategory.EXECUTABLE;
result.threatDetails = `Attachment has a potentially dangerous extension: ${filename}`;
return; // No need to scan contents if filename already flagged
}
}
} }
// Check for Office documents with macros const filename = attachment.filename.toLowerCase();
if (this.options.blockMacros) {
for (const ext of ContentScanner.MACRO_DOCUMENT_EXTENSIONS) { // Check for PE headers (Windows executables disguised with non-.exe extensions)
if (filename.endsWith(ext)) { if (attachment.content.length > 64 &&
// For Office documents, check if they contain macros attachment.content[0] === 0x4D &&
// This is a simplified check - a real implementation would use specialized libraries attachment.content[1] === 0x5A) { // 'MZ' header
// to detect macros in Office documents result.threatScore += 80;
if (attachment.content && this.likelyContainsMacros(attachment)) { result.threatType = ThreatCategory.EXECUTABLE;
result.threatScore += 60; result.threatDetails = `Attachment contains executable code: ${filename}`;
result.threatType = ThreatCategory.MALICIOUS_MACRO; return;
result.threatDetails = `Attachment appears to contain macros: ${filename}`;
return;
}
}
}
} }
// Perform basic content analysis if we have content buffer // Check for VBA macro indicators in Office documents
if (attachment.content) { if (this.options.blockMacros && this.likelyContainsMacros(attachment)) {
// Convert to string for scanning, with a limit to prevent memory issues result.threatScore += 60;
const textContent = this.extractTextFromBuffer(attachment.content); result.threatType = ThreatCategory.MALICIOUS_MACRO;
result.threatDetails = `Attachment appears to contain macros: ${filename}`;
if (textContent) {
// Scan for malicious patterns in attachment content
for (const category in ContentScanner.MALICIOUS_PATTERNS) {
const patterns = ContentScanner.MALICIOUS_PATTERNS[category];
for (const pattern of patterns) {
if (pattern.test(textContent)) {
result.threatScore += 30;
if (!result.threatType) {
result.threatType = this.mapCategoryToThreatType(category);
result.threatDetails = `Attachment content contains suspicious patterns: ${filename}`;
}
break;
}
}
}
}
// Check for PE headers (Windows executables)
if (attachment.content.length > 64 &&
attachment.content[0] === 0x4D &&
attachment.content[1] === 0x5A) { // 'MZ' header
result.threatScore += 80;
result.threatType = ThreatCategory.EXECUTABLE;
result.threatDetails = `Attachment contains executable code: ${filename}`;
}
} }
} }
/** /**
* Extract links from HTML content * Apply custom rules (runtime-configured patterns) to the email.
* @param html HTML content * These stay in TS because they are configured at runtime.
* @returns Array of extracted links * @param email The email to check
* @param result The scan result to update
*/ */
private extractLinksFromHtml(html: string): string[] { private applyCustomRules(email: Email, result: IScanResult): void {
const links: string[] = []; if (!this.options.customRules.length) {
return;
// Simple regex-based extraction - a real implementation might use a proper HTML parser }
const matches = html.match(/href=["'](https?:\/\/[^"']+)["']/gi);
if (matches) { const textsToCheck: string[] = [];
for (const match of matches) { if (email.subject) textsToCheck.push(email.subject);
const linkMatch = match.match(/href=["'](https?:\/\/[^"']+)["']/i); if (email.text) textsToCheck.push(email.text);
if (linkMatch && linkMatch[1]) { if (email.html) textsToCheck.push(email.html);
links.push(linkMatch[1]);
for (const rule of this.options.customRules) {
const pattern = rule.pattern instanceof RegExp ? rule.pattern : new RegExp(rule.pattern, 'i');
for (const text of textsToCheck) {
if (pattern.test(text)) {
result.threatScore += rule.score;
result.threatType = rule.type;
result.threatDetails = rule.description;
return;
} }
} }
} }
return links;
} }
/**
* Extract plain text from HTML
* @param html HTML content
* @returns Extracted text
*/
private extractTextFromHtml(html: string): string {
// Remove HTML tags and decode entities - simplified version
return html
.replace(/<style[^>]*>.*?<\/style>/gs, '')
.replace(/<script[^>]*>.*?<\/script>/gs, '')
.replace(/<[^>]+>/g, ' ')
.replace(/&nbsp;/g, ' ')
.replace(/&lt;/g, '<')
.replace(/&gt;/g, '>')
.replace(/&amp;/g, '&')
.replace(/&quot;/g, '"')
.replace(/&apos;/g, "'")
.replace(/\s+/g, ' ')
.trim();
}
/** /**
* Extract text from a binary buffer for scanning * Extract text from a binary buffer for scanning
* @param buffer Binary content * @param buffer Binary content
@@ -614,7 +295,7 @@ export class ContentScanner {
// Limit the amount we convert to avoid memory issues // Limit the amount we convert to avoid memory issues
const sampleSize = Math.min(buffer.length, 100 * 1024); // 100KB max sample const sampleSize = Math.min(buffer.length, 100 * 1024); // 100KB max sample
const sample = buffer.slice(0, sampleSize); const sample = buffer.slice(0, sampleSize);
// Try to convert to string, filtering out non-printable chars // Try to convert to string, filtering out non-printable chars
return sample.toString('utf8') return sample.toString('utf8')
.replace(/[\x00-\x09\x0B-\x1F\x7F-\x9F]/g, '') // Remove control chars .replace(/[\x00-\x09\x0B-\x1F\x7F-\x9F]/g, '') // Remove control chars
@@ -624,16 +305,13 @@ export class ContentScanner {
return ''; return '';
} }
} }
/** /**
* Check if an Office document likely contains macros * Check if an Office document likely contains macros
* This is a simplified check - real implementation would use specialized libraries
* @param attachment The attachment to check * @param attachment The attachment to check
* @returns Whether the file likely contains macros * @returns Whether the file likely contains macros
*/ */
private likelyContainsMacros(attachment: IAttachment): boolean { private likelyContainsMacros(attachment: IAttachment): boolean {
// Simple heuristic: look for VBA/macro related strings
// This is a simplified approach and not comprehensive
const content = this.extractTextFromBuffer(attachment.content); const content = this.extractTextFromBuffer(attachment.content);
const macroIndicators = [ const macroIndicators = [
/vbaProject\.bin/i, /vbaProject\.bin/i,
@@ -647,33 +325,16 @@ export class ContentScanner {
/\bShell\(/i, /\bShell\(/i,
/\bCreateObject\(/i /\bCreateObject\(/i
]; ];
for (const indicator of macroIndicators) { for (const indicator of macroIndicators) {
if (indicator.test(content)) { if (indicator.test(content)) {
return true; return true;
} }
} }
return false; return false;
} }
/**
* Map a pattern category to a threat type
* @param category The pattern category
* @returns The corresponding threat type
*/
private mapCategoryToThreatType(category: string): string {
switch (category) {
case 'phishing': return ThreatCategory.PHISHING;
case 'spam': return ThreatCategory.SPAM;
case 'malware': return ThreatCategory.MALWARE;
case 'suspiciousLinks': return ThreatCategory.SUSPICIOUS_LINK;
case 'scriptInjection': return ThreatCategory.XSS;
case 'sensitiveData': return ThreatCategory.SENSITIVE_DATA;
default: return ThreatCategory.BLACKLISTED_CONTENT;
}
}
/** /**
* Log a high threat finding to the security logger * Log a high threat finding to the security logger
* @param email The email containing the threat * @param email The email containing the threat

407
ts/security/classes.ipreputationchecker.ts
View File

@@ -59,33 +59,19 @@ export interface IIPReputationOptions {
} }
/** /**
* Class for checking IP reputation of inbound email senders * IP reputation checker — delegates DNSBL lookups to the Rust security bridge.
* Retains LRU caching and disk persistence in TypeScript.
*/ */
export class IPReputationChecker { export class IPReputationChecker {
private static instance: IPReputationChecker; private static instance: IPReputationChecker;
private reputationCache: LRUCache<string, IReputationResult>; private reputationCache: LRUCache<string, IReputationResult>;
private options: Required<IIPReputationOptions>; private options: Required<IIPReputationOptions>;
private storageManager?: any; // StorageManager instance private storageManager?: any;
// Default DNSBL servers
private static readonly DEFAULT_DNSBL_SERVERS = [
'zen.spamhaus.org', // Spamhaus
'bl.spamcop.net', // SpamCop
'b.barracudacentral.org', // Barracuda
'spam.dnsbl.sorbs.net', // SORBS
'dnsbl.sorbs.net', // SORBS (expanded)
'cbl.abuseat.org', // Composite Blocking List
'xbl.spamhaus.org', // Spamhaus XBL
'pbl.spamhaus.org', // Spamhaus PBL
'dnsbl-1.uceprotect.net', // UCEPROTECT
'psbl.surriel.com' // PSBL
];
// Default options
private static readonly DEFAULT_OPTIONS: Required<IIPReputationOptions> = { private static readonly DEFAULT_OPTIONS: Required<IIPReputationOptions> = {
maxCacheSize: 10000, maxCacheSize: 10000,
cacheTTL: 24 * 60 * 60 * 1000, // 24 hours cacheTTL: 24 * 60 * 60 * 1000,
dnsblServers: IPReputationChecker.DEFAULT_DNSBL_SERVERS, dnsblServers: [],
highRiskThreshold: ReputationThreshold.HIGH_RISK, highRiskThreshold: ReputationThreshold.HIGH_RISK,
mediumRiskThreshold: ReputationThreshold.MEDIUM_RISK, mediumRiskThreshold: ReputationThreshold.MEDIUM_RISK,
lowRiskThreshold: ReputationThreshold.LOW_RISK, lowRiskThreshold: ReputationThreshold.LOW_RISK,
@@ -93,66 +79,39 @@ export class IPReputationChecker {
enableDNSBL: true, enableDNSBL: true,
enableIPInfo: true enableIPInfo: true
}; };
/**
* Constructor for IPReputationChecker
* @param options Configuration options
* @param storageManager Optional StorageManager instance for persistence
*/
constructor(options: IIPReputationOptions = {}, storageManager?: any) { constructor(options: IIPReputationOptions = {}, storageManager?: any) {
// Merge with default options
this.options = { this.options = {
...IPReputationChecker.DEFAULT_OPTIONS, ...IPReputationChecker.DEFAULT_OPTIONS,
...options ...options
}; };
this.storageManager = storageManager; this.storageManager = storageManager;
// If no storage manager provided, log warning
if (!storageManager && this.options.enableLocalCache) {
logger.log('warn',
'⚠️ WARNING: IPReputationChecker initialized without StorageManager.\n' +
' IP reputation cache will only be stored to filesystem.\n' +
' Consider passing a StorageManager instance for better storage flexibility.'
);
}
// Initialize reputation cache
this.reputationCache = new LRUCache<string, IReputationResult>({ this.reputationCache = new LRUCache<string, IReputationResult>({
max: this.options.maxCacheSize, max: this.options.maxCacheSize,
ttl: this.options.cacheTTL, // Cache TTL ttl: this.options.cacheTTL,
}); });
// Load cache from disk if enabled
if (this.options.enableLocalCache) { if (this.options.enableLocalCache) {
// Fire and forget the load operation
this.loadCache().catch(error => { this.loadCache().catch(error => {
logger.log('error', `Failed to load IP reputation cache during initialization: ${error.message}`); logger.log('error', `Failed to load IP reputation cache during initialization: ${error.message}`);
}); });
} }
} }
/**
* Get the singleton instance of the checker
* @param options Configuration options
* @param storageManager Optional StorageManager instance for persistence
* @returns Singleton instance
*/
public static getInstance(options: IIPReputationOptions = {}, storageManager?: any): IPReputationChecker { public static getInstance(options: IIPReputationOptions = {}, storageManager?: any): IPReputationChecker {
if (!IPReputationChecker.instance) { if (!IPReputationChecker.instance) {
IPReputationChecker.instance = new IPReputationChecker(options, storageManager); IPReputationChecker.instance = new IPReputationChecker(options, storageManager);
} }
return IPReputationChecker.instance; return IPReputationChecker.instance;
} }
/** /**
* Check an IP address's reputation * Check an IP address's reputation via the Rust bridge
* @param ip IP address to check
* @returns Reputation check result
*/ */
public async checkReputation(ip: string): Promise<IReputationResult> { public async checkReputation(ip: string): Promise<IReputationResult> {
try { try {
// Validate IP address format
if (!this.isValidIPAddress(ip)) { if (!this.isValidIPAddress(ip)) {
logger.log('warn', `Invalid IP address format: ${ip}`); logger.log('warn', `Invalid IP address format: ${ip}`);
return this.createErrorResult(ip, 'Invalid IP address format'); return this.createErrorResult(ip, 'Invalid IP address format');
@@ -168,262 +127,47 @@ export class IPReputationChecker {
return cachedResult; return cachedResult;
} }
// Try Rust bridge first (parallel DNSBL via tokio — faster than Node sequential DNS) // Delegate to Rust bridge
const bridge = RustSecurityBridge.getInstance(); const bridge = RustSecurityBridge.getInstance();
if (bridge.running) { const rustResult = await bridge.checkIpReputation(ip);
try {
const rustResult = await bridge.checkIpReputation(ip);
const result: IReputationResult = {
score: rustResult.score,
isSpam: rustResult.listed_count > 0,
isProxy: rustResult.ip_type === 'proxy',
isTor: rustResult.ip_type === 'tor',
isVPN: rustResult.ip_type === 'vpn',
blacklists: rustResult.dnsbl_results
.filter(d => d.listed)
.map(d => d.server),
timestamp: Date.now(),
};
this.reputationCache.set(ip, result);
if (this.options.enableLocalCache) {
this.saveCache().catch(error => {
logger.log('error', `Failed to save IP reputation cache: ${error.message}`);
});
}
this.logReputationCheck(ip, result);
return result;
} catch (err) {
logger.log('warn', `Rust IP reputation check failed, falling back to TS: ${(err as Error).message}`);
}
}
// Fallback: TypeScript DNSBL implementation
const result: IReputationResult = { const result: IReputationResult = {
score: 100, // Start with perfect score score: rustResult.score,
isSpam: false, isSpam: rustResult.listed_count > 0,
isProxy: false, isProxy: rustResult.ip_type === 'proxy',
isTor: false, isTor: rustResult.ip_type === 'tor',
isVPN: false, isVPN: rustResult.ip_type === 'vpn',
timestamp: Date.now() blacklists: rustResult.dnsbl_results
.filter(d => d.listed)
.map(d => d.server),
timestamp: Date.now(),
}; };
// Check IP against DNS blacklists if enabled
if (this.options.enableDNSBL) {
const dnsblResult = await this.checkDNSBL(ip);
// Update result with DNSBL information
result.score -= dnsblResult.listCount * 10; // Subtract 10 points per blacklist
result.isSpam = dnsblResult.listCount > 0;
result.blacklists = dnsblResult.lists;
}
// Get additional IP information if enabled
if (this.options.enableIPInfo) {
const ipInfo = await this.getIPInfo(ip);
// Update result with IP info
result.country = ipInfo.country;
result.asn = ipInfo.asn;
result.org = ipInfo.org;
// Adjust score based on IP type
if (ipInfo.type === IPType.PROXY || ipInfo.type === IPType.TOR || ipInfo.type === IPType.VPN) {
result.score -= 30; // Subtract 30 points for proxies, Tor, VPNs
// Set proxy flags
result.isProxy = ipInfo.type === IPType.PROXY;
result.isTor = ipInfo.type === IPType.TOR;
result.isVPN = ipInfo.type === IPType.VPN;
}
}
// Ensure score is between 0 and 100
result.score = Math.max(0, Math.min(100, result.score));
// Update cache with result
this.reputationCache.set(ip, result); this.reputationCache.set(ip, result);
// Save cache if enabled
if (this.options.enableLocalCache) { if (this.options.enableLocalCache) {
// Fire and forget the save operation
this.saveCache().catch(error => { this.saveCache().catch(error => {
logger.log('error', `Failed to save IP reputation cache: ${error.message}`); logger.log('error', `Failed to save IP reputation cache: ${error.message}`);
}); });
} }
// Log the reputation check
this.logReputationCheck(ip, result); this.logReputationCheck(ip, result);
return result; return result;
} catch (error) { } catch (error) {
logger.log('error', `Error checking IP reputation for ${ip}: ${error.message}`, { logger.log('error', `Error checking IP reputation for ${ip}: ${error.message}`, {
ip, ip,
stack: error.stack stack: error.stack
}); });
const errorResult = this.createErrorResult(ip, error.message);
// Cache error results to avoid repeated failing lookups
this.reputationCache.set(ip, errorResult);
return errorResult;
}
}
return this.createErrorResult(ip, error.message);
}
}
/**
* Check an IP against DNS blacklists
* @param ip IP address to check
* @returns DNSBL check results
*/
private async checkDNSBL(ip: string): Promise<{
listCount: number;
lists: string[];
}> {
try {
// Reverse the IP for DNSBL queries
const reversedIP = this.reverseIP(ip);
const results = await Promise.allSettled(
this.options.dnsblServers.map(async (server) => {
try {
const lookupDomain = `${reversedIP}.${server}`;
await plugins.dns.promises.resolve(lookupDomain);
return server; // IP is listed in this DNSBL
} catch (error) {
if (error.code === 'ENOTFOUND') {
return null; // IP is not listed in this DNSBL
}
throw error; // Other error
}
})
);
// Extract successful lookups (listed in DNSBL)
const lists = results
.filter((result): result is PromiseFulfilledResult<string> =>
result.status === 'fulfilled' && result.value !== null
)
.map(result => result.value);
return {
listCount: lists.length,
lists
};
} catch (error) {
logger.log('error', `Error checking DNSBL for ${ip}: ${error.message}`);
return {
listCount: 0,
lists: []
};
}
}
/**
* Get information about an IP address
* @param ip IP address to check
* @returns IP information
*/
private async getIPInfo(ip: string): Promise<{
country?: string;
asn?: string;
org?: string;
type: IPType;
}> {
try {
// In a real implementation, this would use an IP data service API
// For this implementation, we'll use a simplified approach
// Check if it's a known Tor exit node (simplified)
const isTor = ip.startsWith('171.25.') || ip.startsWith('185.220.') || ip.startsWith('95.216.');
// Check if it's a known VPN (simplified)
const isVPN = ip.startsWith('185.156.') || ip.startsWith('37.120.');
// Check if it's a known proxy (simplified)
const isProxy = ip.startsWith('34.92.') || ip.startsWith('34.206.');
// Determine IP type
let type = IPType.UNKNOWN;
if (isTor) {
type = IPType.TOR;
} else if (isVPN) {
type = IPType.VPN;
} else if (isProxy) {
type = IPType.PROXY;
} else {
// Simple datacenters detection (major cloud providers)
if (
ip.startsWith('13.') || // AWS
ip.startsWith('35.') || // Google Cloud
ip.startsWith('52.') || // AWS
ip.startsWith('34.') || // Google Cloud
ip.startsWith('104.') // Various providers
) {
type = IPType.DATACENTER;
} else {
type = IPType.RESIDENTIAL;
}
}
// Return the information
return {
country: this.determineCountry(ip), // Simplified, would use geolocation service
asn: 'AS12345', // Simplified, would look up real ASN
org: this.determineOrg(ip), // Simplified, would use real org data
type
};
} catch (error) {
logger.log('error', `Error getting IP info for ${ip}: ${error.message}`);
return {
type: IPType.UNKNOWN
};
}
}
/**
* Simplified method to determine country from IP
* In a real implementation, this would use a geolocation database or service
* @param ip IP address
* @returns Country code
*/
private determineCountry(ip: string): string {
// Simplified mapping for demo purposes
if (ip.startsWith('13.') || ip.startsWith('52.')) return 'US';
if (ip.startsWith('35.') || ip.startsWith('34.')) return 'US';
if (ip.startsWith('185.')) return 'NL';
if (ip.startsWith('171.')) return 'DE';
return 'XX'; // Unknown
}
/**
* Simplified method to determine organization from IP
* In a real implementation, this would use an IP-to-org database or service
* @param ip IP address
* @returns Organization name
*/
private determineOrg(ip: string): string {
// Simplified mapping for demo purposes
if (ip.startsWith('13.') || ip.startsWith('52.')) return 'Amazon AWS';
if (ip.startsWith('35.') || ip.startsWith('34.')) return 'Google Cloud';
if (ip.startsWith('185.156.')) return 'NordVPN';
if (ip.startsWith('37.120.')) return 'ExpressVPN';
if (ip.startsWith('185.220.')) return 'Tor Exit Node';
return 'Unknown';
}
/**
* Reverse an IP address for DNSBL lookups (e.g., 1.2.3.4 -> 4.3.2.1)
* @param ip IP address to reverse
* @returns Reversed IP for DNSBL queries
*/
private reverseIP(ip: string): string {
return ip.split('.').reverse().join('.');
}
/**
* Create an error result for when reputation check fails
* @param ip IP address
* @param errorMessage Error message
* @returns Error result
*/
private createErrorResult(ip: string, errorMessage: string): IReputationResult { private createErrorResult(ip: string, errorMessage: string): IReputationResult {
return { return {
score: 50, // Neutral score for errors score: 50,
isSpam: false, isSpam: false,
isProxy: false, isProxy: false,
isTor: false, isTor: false,
@@ -432,33 +176,18 @@ export class IPReputationChecker {
error: errorMessage error: errorMessage
}; };
} }
/**
* Validate IP address format
* @param ip IP address to validate
* @returns Whether the IP is valid
*/
private isValidIPAddress(ip: string): boolean { private isValidIPAddress(ip: string): boolean {
// IPv4 regex pattern
const ipv4Pattern = /^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/; const ipv4Pattern = /^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/;
return ipv4Pattern.test(ip); return ipv4Pattern.test(ip);
} }
/**
* Log reputation check to security logger
* @param ip IP address
* @param result Reputation result
*/
private logReputationCheck(ip: string, result: IReputationResult): void { private logReputationCheck(ip: string, result: IReputationResult): void {
// Determine log level based on reputation score
let logLevel = SecurityLogLevel.INFO; let logLevel = SecurityLogLevel.INFO;
if (result.score < this.options.highRiskThreshold) { if (result.score < this.options.highRiskThreshold) {
logLevel = SecurityLogLevel.WARN; logLevel = SecurityLogLevel.WARN;
} else if (result.score < this.options.mediumRiskThreshold) {
logLevel = SecurityLogLevel.INFO;
} }
// Log the check
SecurityLogger.getInstance().logEvent({ SecurityLogger.getInstance().logEvent({
level: logLevel, level: logLevel,
type: SecurityEventType.IP_REPUTATION, type: SecurityEventType.IP_REPUTATION,
@@ -476,71 +205,52 @@ export class IPReputationChecker {
success: !result.isSpam success: !result.isSpam
}); });
} }
/**
* Save cache to disk or storage manager
*/
private async saveCache(): Promise<void> { private async saveCache(): Promise<void> {
try { try {
// Convert cache entries to serializable array
const entries = Array.from(this.reputationCache.entries()).map(([ip, data]) => ({ const entries = Array.from(this.reputationCache.entries()).map(([ip, data]) => ({
ip, ip,
data data
})); }));
// Only save if we have entries
if (entries.length === 0) { if (entries.length === 0) {
return; return;
} }
const cacheData = JSON.stringify(entries); const cacheData = JSON.stringify(entries);
// Save to storage manager if available
if (this.storageManager) { if (this.storageManager) {
await this.storageManager.set('/security/ip-reputation-cache.json', cacheData); await this.storageManager.set('/security/ip-reputation-cache.json', cacheData);
logger.log('info', `Saved ${entries.length} IP reputation cache entries to StorageManager`); logger.log('info', `Saved ${entries.length} IP reputation cache entries to StorageManager`);
} else { } else {
// Fall back to filesystem
const cacheDir = plugins.path.join(paths.dataDir, 'security'); const cacheDir = plugins.path.join(paths.dataDir, 'security');
await plugins.smartfs.directory(cacheDir).recursive().create(); await plugins.smartfs.directory(cacheDir).recursive().create();
const cacheFile = plugins.path.join(cacheDir, 'ip_reputation_cache.json'); const cacheFile = plugins.path.join(cacheDir, 'ip_reputation_cache.json');
await plugins.smartfs.file(cacheFile).write(cacheData); await plugins.smartfs.file(cacheFile).write(cacheData);
logger.log('info', `Saved ${entries.length} IP reputation cache entries to disk`); logger.log('info', `Saved ${entries.length} IP reputation cache entries to disk`);
} }
} catch (error) { } catch (error) {
logger.log('error', `Failed to save IP reputation cache: ${error.message}`); logger.log('error', `Failed to save IP reputation cache: ${error.message}`);
} }
} }
/**
* Load cache from disk or storage manager
*/
private async loadCache(): Promise<void> { private async loadCache(): Promise<void> {
try { try {
let cacheData: string | null = null; let cacheData: string | null = null;
let fromFilesystem = false; let fromFilesystem = false;
// Try to load from storage manager first
if (this.storageManager) { if (this.storageManager) {
try { try {
cacheData = await this.storageManager.get('/security/ip-reputation-cache.json'); cacheData = await this.storageManager.get('/security/ip-reputation-cache.json');
if (!cacheData) { if (!cacheData) {
// Check if data exists in filesystem and migrate it
const cacheFile = plugins.path.join(paths.dataDir, 'security', 'ip_reputation_cache.json'); const cacheFile = plugins.path.join(paths.dataDir, 'security', 'ip_reputation_cache.json');
if (plugins.fs.existsSync(cacheFile)) { if (plugins.fs.existsSync(cacheFile)) {
logger.log('info', 'Migrating IP reputation cache from filesystem to StorageManager'); logger.log('info', 'Migrating IP reputation cache from filesystem to StorageManager');
cacheData = plugins.fs.readFileSync(cacheFile, 'utf8'); cacheData = plugins.fs.readFileSync(cacheFile, 'utf8');
fromFilesystem = true; fromFilesystem = true;
// Migrate to storage manager
await this.storageManager.set('/security/ip-reputation-cache.json', cacheData); await this.storageManager.set('/security/ip-reputation-cache.json', cacheData);
logger.log('info', 'IP reputation cache migrated to StorageManager successfully'); logger.log('info', 'IP reputation cache migrated to StorageManager successfully');
// Optionally delete the old file after successful migration
try { try {
plugins.fs.unlinkSync(cacheFile); plugins.fs.unlinkSync(cacheFile);
logger.log('info', 'Old cache file removed after migration'); logger.log('info', 'Old cache file removed after migration');
@@ -553,31 +263,25 @@ export class IPReputationChecker {
logger.log('error', `Error loading from StorageManager: ${error.message}`); logger.log('error', `Error loading from StorageManager: ${error.message}`);
} }
} else { } else {
// No storage manager, load from filesystem
const cacheFile = plugins.path.join(paths.dataDir, 'security', 'ip_reputation_cache.json'); const cacheFile = plugins.path.join(paths.dataDir, 'security', 'ip_reputation_cache.json');
if (plugins.fs.existsSync(cacheFile)) { if (plugins.fs.existsSync(cacheFile)) {
cacheData = plugins.fs.readFileSync(cacheFile, 'utf8'); cacheData = plugins.fs.readFileSync(cacheFile, 'utf8');
fromFilesystem = true; fromFilesystem = true;
} }
} }
// Parse and restore cache if data was found
if (cacheData) { if (cacheData) {
const entries = JSON.parse(cacheData); const entries = JSON.parse(cacheData);
// Validate and filter entries
const now = Date.now(); const now = Date.now();
const validEntries = entries.filter(entry => { const validEntries = entries.filter(entry => {
const age = now - entry.data.timestamp; const age = now - entry.data.timestamp;
return age < this.options.cacheTTL; // Only load entries that haven't expired return age < this.options.cacheTTL;
}); });
// Restore cache
for (const entry of validEntries) { for (const entry of validEntries) {
this.reputationCache.set(entry.ip, entry.data); this.reputationCache.set(entry.ip, entry.data);
} }
const source = fromFilesystem ? 'disk' : 'StorageManager'; const source = fromFilesystem ? 'disk' : 'StorageManager';
logger.log('info', `Loaded ${validEntries.length} IP reputation cache entries from ${source}`); logger.log('info', `Loaded ${validEntries.length} IP reputation cache entries from ${source}`);
} }
@@ -585,12 +289,7 @@ export class IPReputationChecker {
logger.log('error', `Failed to load IP reputation cache: ${error.message}`); logger.log('error', `Failed to load IP reputation cache: ${error.message}`);
} }
} }
/**
* Get the risk level for a reputation score
* @param score Reputation score (0-100)
* @returns Risk level description
*/
public static getRiskLevel(score: number): 'high' | 'medium' | 'low' | 'trusted' { public static getRiskLevel(score: number): 'high' | 'medium' | 'low' | 'trusted' {
if (score < ReputationThreshold.HIGH_RISK) { if (score < ReputationThreshold.HIGH_RISK) {
return 'high'; return 'high';
@@ -602,21 +301,15 @@ export class IPReputationChecker {
return 'trusted'; return 'trusted';
} }
} }
/**
* Update the storage manager after instantiation
* This is useful when the storage manager is not available at construction time
* @param storageManager The StorageManager instance to use
*/
public updateStorageManager(storageManager: any): void { public updateStorageManager(storageManager: any): void {
this.storageManager = storageManager; this.storageManager = storageManager;
logger.log('info', 'IPReputationChecker storage manager updated'); logger.log('info', 'IPReputationChecker storage manager updated');
// If cache is enabled and we have entries, save them to the new storage manager
if (this.options.enableLocalCache && this.reputationCache.size > 0) { if (this.options.enableLocalCache && this.reputationCache.size > 0) {
this.saveCache().catch(error => { this.saveCache().catch(error => {
logger.log('error', `Failed to save cache to new storage manager: ${error.message}`); logger.log('error', `Failed to save cache to new storage manager: ${error.message}`);
}); });
} }
} }
} }

27
ts/security/classes.rustsecuritybridge.ts
View File

@@ -59,6 +59,13 @@ interface IReputationResult {
total_checked: number; total_checked: number;
} }
interface IContentScanResult {
threatScore: number;
threatType: string | null;
threatDetails: string | null;
scannedElements: string[];
}
interface IVersionInfo { interface IVersionInfo {
bin: string; bin: string;
core: string; core: string;
@@ -102,6 +109,15 @@ type TMailerCommands = {
params: { ip: string; heloDomain: string; hostname?: string; mailFrom: string }; params: { ip: string; heloDomain: string; hostname?: string; mailFrom: string };
result: ISpfResult; result: ISpfResult;
}; };
scanContent: {
params: {
subject?: string;
textBody?: string;
htmlBody?: string;
attachmentNames?: string[];
};
result: IContentScanResult;
};
verifyEmail: { verifyEmail: {
params: { params: {
rawMessage: string; rawMessage: string;
@@ -243,6 +259,16 @@ export class RustSecurityBridge {
return this.bridge.sendCommand('detectBounce', opts); return this.bridge.sendCommand('detectBounce', opts);
} }
/** Scan email content for threats (phishing, spam, malware, etc.). */
public async scanContent(opts: {
subject?: string;
textBody?: string;
htmlBody?: string;
attachmentNames?: string[];
}): Promise<IContentScanResult> {
return this.bridge.sendCommand('scanContent', opts);
}
/** Check IP reputation via DNSBL. */ /** Check IP reputation via DNSBL. */
public async checkIpReputation(ip: string): Promise<IReputationResult> { public async checkIpReputation(ip: string): Promise<IReputationResult> {
return this.bridge.sendCommand('checkIpReputation', { ip }); return this.bridge.sendCommand('checkIpReputation', { ip });
@@ -298,6 +324,7 @@ export type {
IEmailSecurityResult, IEmailSecurityResult,
IValidationResult, IValidationResult,
IBounceDetection, IBounceDetection,
IContentScanResult,
IReputationResult as IRustReputationResult, IReputationResult as IRustReputationResult,
IVersionInfo, IVersionInfo,
}; };