@blamejs/core 0.8.52 → 0.8.57

package/lib/mail.js

@@ -69,7 +69,9 @@ var mailAuth = require("./mail-auth");
 var mailBimi = require("./mail-bimi");
 var mailUnsubscribe = require("./mail-unsubscribe");
 var net = lazyRequire(function () { return require("net"); });
+var networkDns = lazyRequire(function () { return require("./network-dns"); });
 var nodeUrl = require("url");
+var numericBounds = require("./numeric-bounds");
 var tls = lazyRequire(function () { return require("tls"); });
 var safeJson = require("./safe-json");
 var safeSchema = require("./safe-schema");
@@ -165,6 +167,85 @@ function toUnicode(domain) {
   catch (_e) { return null; }
 }
 
+/**
+ * @primitive b.mail.reverseDns
+ * @signature b.mail.reverseDns(ip)
+ * @since     0.8.53
+ * @status    stable
+ * @related   b.mail.create
+ *
+ * Forward-confirmed reverse DNS lookup (FCrDNS, RFC 8601 §3 lite) for
+ * an IPv4 or IPv6 address. Returns
+ * `{ ok, ptr, forward, fcrdns }`:
+ *
+ *   - `ok`      — whether the PTR resolved at all.
+ *   - `ptr`     — the first PTR record name (or `null`).
+ *   - `forward` — array of A / AAAA addresses for that name (or `[]`).
+ *   - `fcrdns`  — `true` when the original `ip` appears in `forward`.
+ *
+ * Used as the building block for the iprev mail-authentication check
+ * (RFC 8601 §2.7.3): a sender's connect-IP must reverse-resolve to a
+ * PTR name whose forward A/AAAA includes that IP. Operators wiring
+ * inbound mail-receive paths call this on the connect address before
+ * accepting the SMTP transaction; bulk-sender reputation systems use
+ * the same check for outbound submission.
+ *
+ * Errors thrown by the underlying DNS path (bad-IP shape / lookup
+ * timeout) are caught and surfaced as `{ ok: false, error: code }`
+ * so the call doesn't reject the inbound path on a transient DNS
+ * blip; `fcrdns` remains `false`.
+ *
+ * @example
+ *   var b = require("@blamejs/core");
+ *   var r = await b.mail.reverseDns("8.8.8.8");
+ *   // → { ok: true, ptr: "dns.google", forward: ["8.8.8.8"], fcrdns: true }
+ */
+async function reverseDns(ip) {
+  var dns = networkDns();
+  var result = { ok: false, ptr: null, forward: [], fcrdns: false };
+  var ptrs;
+  try {
+    ptrs = await dns.reverse(ip);
+  } catch (e) {
+    result.error = (e && e.code) || "dns/reverse-failed";
+    return result;
+  }
+  if (!Array.isArray(ptrs) || ptrs.length === 0) {
+    result.error = "dns/no-ptr";
+    return result;
+  }
+  var ptrName = String(ptrs[0]);
+  result.ok = true;
+  result.ptr = ptrName;
+  // Forward-confirm — query A or AAAA depending on the IP family of
+  // the original input. RFC 8601 §3 says the forward query must use
+  // the same family as the source; mismatched families don't count
+  // as confirmation.
+  var net = require("net");
+  var forwardAddrs = [];
+  try {
+    if (net.isIPv6(ip)) {
+      forwardAddrs = await dns.resolveAaaa(ptrName);
+    } else {
+      forwardAddrs = await dns.resolve4(ptrName);
+    }
+  } catch (e) {
+    result.error = (e && e.code) || "dns/forward-failed";
+    return result;
+  }
+  result.forward = Array.isArray(forwardAddrs) ? forwardAddrs.slice() : [];
+  // Case-insensitive equality on IPv6 (canonical form differs for
+  // ::ffff:8.8.8.8 vs 8.8.8.8); compare lower-cased strings.
+  var ipLc = String(ip).toLowerCase();
+  for (var i = 0; i < result.forward.length; i += 1) {
+    if (String(result.forward[i]).toLowerCase() === ipLc) {
+      result.fcrdns = true;
+      break;
+    }
+  }
+  return result;
+}
+
 function _isValidEmail(addr) {
   if (typeof addr !== "string" || addr.length === 0 || addr.length > EMAIL_MAX_LEN) {
     return false;
@@ -707,17 +788,44 @@ function smtpTransport(opts) {
                    ? undefined : host;
   }
 
+  // RFC 3030 BDAT chunking — default chunk size 256 KiB. Operator opt
+  // `chunking: false` disables BDAT even when offered (some legacy
+  // receivers advertise CHUNKING but mishandle bare BDAT framing).
+  var chunkingEnabled = opts.chunking !== false;
+  numericBounds.requirePositiveFiniteIntIfPresent(opts.chunkSize,
+    "smtp transport: opts.chunkSize", MailError, "mail/smtp-misconfigured");
+  var chunkSize = (opts.chunkSize !== undefined) ? opts.chunkSize : C.BYTES.kib(256);
+
+  // RFC 1870 SIZE — by default we honor the peer's advertised cap and
+  // refuse before opening DATA / BDAT. `respectPeerSize: false`
+  // disables the precheck (operator-asserted "I trust the peer to
+  // accept whatever I send").
+  var respectPeerSize = opts.respectPeerSize !== false;
+
+  // IPv4 / IPv6 family preference for the underlying connect. "any"
+  // lets Node pick (default — Happy Eyeballs / system policy); "4" or
+  // "6" forces a single family. The framework auto-detects when the
+  // local network has no IPv6 interfaces and prefers v4 in that case
+  // so a v6-only peer doesn't hang the connect timeout.
+  var preferFamily = (opts.preferFamily === 4 || opts.preferFamily === 6 ||
+                      opts.preferFamily === "4" || opts.preferFamily === "6")
+    ? Number(opts.preferFamily) : "any";
+
   var cfg = {
-    host:           host,
-    port:           port,
-    user:           opts.user,
-    pass:           opts.pass,
-    useImplicitTLS: useImplicitTLS,
-    ehloName:       ehloName,
-    timeoutMs:      timeoutMs,
-    tlsOpts:        tlsOpts,
-    servername:     servername,
-    dkimSigner:     opts.dkimSigner || null,
+    host:            host,
+    port:            port,
+    user:            opts.user,
+    pass:            opts.pass,
+    useImplicitTLS:  useImplicitTLS,
+    ehloName:        ehloName,
+    timeoutMs:       timeoutMs,
+    tlsOpts:         tlsOpts,
+    servername:      servername,
+    dkimSigner:      opts.dkimSigner || null,
+    chunkingEnabled: chunkingEnabled,
+    chunkSize:       chunkSize,
+    respectPeerSize: respectPeerSize,
+    preferFamily:    preferFamily,
   };
 
   return {
@@ -739,6 +847,10 @@ var SMTP_STEP_RCPT_TO    = 0x6;
 var SMTP_STEP_DATA       = 0x7;
 var SMTP_STEP_BODY       = 0x8;
 var SMTP_STEP_STARTTLS   = 0xA;
+// RFC 3030 BDAT chunked-body framing. The transport sends `BDAT N`
+// (or `BDAT N LAST`) followed by exactly N bytes of body; each chunk
+// expects a 250 response before the next chunk is written.
+var SMTP_STEP_BDAT       = 0xB;
 
 function _smtpUtf8Suffix(requiresSmtpUtf8, peerSupportsSmtpUtf8) {
   // RFC 6531 §3.4 — when SMTPUTF8 is advertised by the peer AND the
@@ -748,16 +860,133 @@ function _smtpUtf8Suffix(requiresSmtpUtf8, peerSupportsSmtpUtf8) {
   return (requiresSmtpUtf8 && peerSupportsSmtpUtf8) ? " SMTPUTF8" : "";
 }
 
+// Detect whether the message has an 8-bit / binary attachment that
+// requires BINARYMIME (RFC 3030 §3) on the wire. Pure-text messages —
+// even when text/html bodies contain UTF-8 — go through 8BITMIME
+// (RFC 6152) which is universally supported. The "binary" trigger is
+// a Buffer attachment whose octet stream includes NUL bytes (or any
+// byte > 0x7F when the operator marks `binary: true`). Buffers with
+// the "application/octet-stream" claimed content-type also count.
+function _messageRequiresBinaryMime(message) {
+  if (!message) return false;
+  if (!Array.isArray(message.attachments)) return false;
+  for (var i = 0; i < message.attachments.length; i += 1) {
+    var att = message.attachments[i];
+    if (!att) continue;
+    // Operator can mark explicit binary intent.
+    if (att.binary === true) return true;
+    // Buffer attachments whose content includes NUL are binary —
+    // base64 wraps them safely but the source octets are 8-bit-binary
+    // so the BODY=BINARYMIME hint is what tells the peer to expect
+    // RFC 3030 framing instead of bare 8BITMIME.
+    if (Buffer.isBuffer(att.content)) {
+      // Quick scan — first 4 KiB is enough to detect the common case
+      // (any executable / image / archive / pdf).
+      var max = Math.min(att.content.length, C.BYTES.kib(4));
+      for (var j = 0; j < max; j += 1) {
+        if (att.content[j] === 0) return true;
+      }
+    }
+  }
+  return false;
+}
+
+// Detect whether the message body has any non-ASCII (8-bit) octets
+// requiring at minimum 8BITMIME (RFC 6152) on the wire. Triggers on
+// non-ASCII text bytes in subject / text / html / calendar parts.
+// Distinct from BINARYMIME — the latter is for true binary streams
+// (NUL-bearing).
+function _messageRequires8BitMime(message) {
+  if (!message) return false;
+  var fields = ["text", "html", "subject"];
+  for (var i = 0; i < fields.length; i += 1) {
+    var v = message[fields[i]];
+    if (typeof v === "string" && NON_ASCII_RE.test(v)) return true;   // allow:regex-no-length-cap — header-value detector; bounded by SMTP line cap upstream
+  }
+  if (message.calendar && typeof message.calendar.icalText === "string" &&
+      NON_ASCII_RE.test(message.calendar.icalText)) return true;   // allow:regex-no-length-cap — caller bounds calendar.icalText size
+  return false;
+}
+
+// Auto-detect IPv4 / IPv6 family for outbound connect when the
+// operator didn't pin one. Walks `os.networkInterfaces()`; if the
+// host has no non-internal IPv6 interfaces, prefer family=4 so a
+// v6-only AAAA record doesn't hang the connect timeout. When the
+// host has both, return 0 (let Node pick — Happy Eyeballs / system
+// resultOrder applies).
+function _autoDetectFamily() {
+  try {
+    var os = require("os");
+    var ifaces = os.networkInterfaces();
+    var hasV6 = false;
+    var hasV4 = false;
+    var keys = Object.keys(ifaces);
+    for (var k = 0; k < keys.length; k += 1) {
+      var arr = ifaces[keys[k]] || [];
+      for (var i = 0; i < arr.length; i += 1) {
+        var entry = arr[i];
+        if (entry.internal) continue;
+        if (entry.family === "IPv6" || entry.family === 6) hasV6 = true;
+        if (entry.family === "IPv4" || entry.family === 4) hasV4 = true;
+      }
+    }
+    if (hasV4 && !hasV6) return 4;
+    if (!hasV4 && hasV6) return 6;
+    return 0;
+  } catch (_e) {
+    return 0;
+  }
+}
+
+// Compute the wire size of the produced RFC 822 message. Used by RFC
+// 1870 SIZE pre-check before MAIL FROM. Caller passes the already-
+// CRLF-normalized + dot-stuffed wire string (the same one that goes
+// into DATA / BDAT). Returns the byte count Node will write.
+function _messageWireSize(wire) {
+  if (typeof wire !== "string") return 0;
+  return Buffer.byteLength(wire, "utf8");
+}
+
+// Parse the SIZE keyword's argument from a `SIZE 12345` EHLO line.
+// Returns 0 when SIZE is advertised without a value (RFC 1870 §3 —
+// some peers omit the limit, indicating "no enforced cap"); returns
+// -1 when SIZE isn't advertised; otherwise returns the operator-side
+// peer cap.
+function _parsePeerSize(ehloLines) {
+  if (!Array.isArray(ehloLines)) return -1;
+  for (var i = 0; i < ehloLines.length; i += 1) {
+    var line = ehloLines[i];
+    // Lines come in already uppercased keyword form; the SIZE entry
+    // may be `SIZE` alone OR `SIZE 12345` — split on whitespace.
+    var parts = String(line).split(/\s+/);
+    if (parts[0] === "SIZE") {
+      if (parts.length < 2) return 0;
+      var n = parseInt(parts[1], 10);
+      return isFinite(n) && n >= 0 ? n : -1;
+    }
+  }
+  return -1;
+}
+
 function _smtpSend(message, cfg) {
   return new Promise(function (resolve, reject) {
     var socket;
     var step = SMTP_STEP_GREETING;
     var buffer = "";
-    var ehloLines = [];                  // RFC 5321 §4.1.1.1 — EHLO extension lines
-    var peerSupportsSmtpUtf8 = false;    // RFC 6531 — set from EHLO response
+    var ehloLines = [];                   // RFC 5321 §4.1.1.1 — EHLO extension lines (uppercase keyword)
+    var ehloFullLines = [];               // Full extension text (incl. args, e.g. "SIZE 12345")
+    var peerSupportsSmtpUtf8 = false;     // RFC 6531 — set from EHLO response
+    var peerSupportsChunking = false;     // RFC 3030 §2 CHUNKING
+    var peerSupportsBinaryMime = false;   // RFC 3030 §3 BINARYMIME
+    var peerSupports8BitMime = false;     // RFC 6152 (eight-bit MIME)                                            // allow:raw-byte-literal — RFC number, not a byte literal
+    var peerSizeCap = -1;                 // RFC 1870 SIZE — -1 unset, 0 = no cap, >0 = byte limit
     var upgradedToTLS = false;
     var settled = false;
     var rcptIndex = 0;
+    var bdatOffset = 0;                   // Bytes of dataMessage written so far via BDAT
+    var dataWireBytes = null;             // Buffer view of dataMessage for BDAT slicing
+    var useBdat = false;                  // Decided post-EHLO based on peerSupportsChunking + cfg.chunkingEnabled
+    var bodyMode = "7BIT";                // "7BIT" / "8BITMIME" / "BINARYMIME"
 
     var fromAddr = _extractAddr(message.from);
     var toList   = _toArray(message.to).map(_extractAddr);
@@ -765,6 +994,8 @@ function _smtpSend(message, cfg) {
     var bccList  = _toArray(message.bcc).map(_extractAddr);
     var rcpts    = toList.concat(ccList, bccList);
     var requiresSmtpUtf8 = _messageRequiresSmtpUtf8(message);
+    var requiresBinaryMime = _messageRequiresBinaryMime(message);
+    var requires8BitMime = _messageRequires8BitMime(message);
     var dataMessage = _buildRfc822(message);
     if (cfg.dkimSigner) {
       try { dataMessage = cfg.dkimSigner.sign(dataMessage); }
@@ -774,6 +1005,7 @@ function _smtpSend(message, cfg) {
         return;
       }
     }
+    var messageWireSize = _messageWireSize(dataMessage);
 
     // Outbound SMTP-smuggling defense — refuse before opening the
     // socket if the produced RFC 822 wire contains the bare-CR / bare-
@@ -814,6 +1046,51 @@ function _smtpSend(message, cfg) {
       catch (e) { fail(e.message || String(e)); }
     }
 
+    // RFC 5321 + 6531 + 6152 + 3030 + 1870 — MAIL FROM keyword bundle.
+    // Order: SMTPUTF8 (6531) → BODY=<7BIT|8BITMIME|BINARYMIME> →
+    // SIZE=<bytes>. Peers tolerate any order but consistent ordering
+    // simplifies the wire-trace gold files.
+    function _mailFromSuffix() {
+      var s = "";
+      s += _smtpUtf8Suffix(requiresSmtpUtf8, peerSupportsSmtpUtf8);
+      if (bodyMode === "BINARYMIME" && peerSupportsBinaryMime) {
+        s += " BODY=BINARYMIME";
+      } else if (bodyMode === "8BITMIME" && peerSupports8BitMime) {
+        s += " BODY=8BITMIME";
+      }
+      // Append SIZE= when peer advertised SIZE (cap or no-cap form).
+      // Peers without SIZE support get no SIZE= keyword (some legacy
+      // peers reject unknown MAIL FROM keywords).
+      if (peerSizeCap !== -1) {
+        s += " SIZE=" + messageWireSize;
+      }
+      return s;
+    }
+
+    // Send the next BDAT chunk. Each `BDAT N [LAST]` line is followed
+    // immediately by exactly N bytes of body (no CRLF terminator on
+    // the chunk; SMTP framing is purely length-based per RFC 3030 §2).
+    function sendBdatChunk() {
+      if (!dataWireBytes) dataWireBytes = Buffer.from(dataMessage, "utf8");
+      var remaining = dataWireBytes.length - bdatOffset;
+      if (remaining <= 0) {
+        // Empty body — send `BDAT 0 LAST` to terminate gracefully.
+        socket.write("BDAT 0 LAST\r\n");
+        return;
+      }
+      var thisChunk = Math.min(remaining, cfg.chunkSize);
+      var isLast = (bdatOffset + thisChunk) >= dataWireBytes.length;
+      var header = "BDAT " + thisChunk + (isLast ? " LAST" : "") + "\r\n";
+      try {
+        socket.write(header);
+        socket.write(dataWireBytes.slice(bdatOffset, bdatOffset + thisChunk));
+      } catch (e) {
+        fail(e.message || String(e));
+        return;
+      }
+      bdatOffset += thisChunk;
+    }
+
     function onData(data) {
       buffer += data;
       var lines = buffer.split("\r\n");
@@ -823,11 +1100,17 @@ function _smtpSend(message, cfg) {
         if (!line) continue;
         var code = parseInt(line.slice(0, 3), 10);
         // EHLO continuation lines (250-X) carry extension names. We
-        // capture them so the dispatcher can branch on SMTPUTF8 / 8BITMIME
-        // / STARTTLS support before MAIL FROM is sent.
+        // capture them so the dispatcher can branch on SMTPUTF8 /
+        // 8BITMIME / BINARYMIME / CHUNKING / SIZE / STARTTLS before
+        // MAIL FROM is sent. Both forms recorded: keyword-only (used
+        // for set-membership tests) and full-line (used for SIZE arg).
         if (step === SMTP_STEP_EHLO_RESP) {
-          var keyword = line.slice(4).split(" ")[0].toUpperCase();
-          if (keyword) ehloLines.push(keyword);
+          var rest = line.slice(4);
+          var keyword = rest.split(" ")[0].toUpperCase();
+          if (keyword) {
+            ehloLines.push(keyword);
+            ehloFullLines.push(rest.toUpperCase());
+          }
         }
         if (line[3] === "-") continue; // continuation line
         try { handleResponse(code); }
@@ -846,12 +1129,24 @@ function _smtpSend(message, cfg) {
     }
 
     function connect() {
+      // Family preference for the underlying lookup. Node's net /
+      // tls.connect both honor `family: 4|6` to bias the dns lookup;
+      // the framework auto-detects an IPv4-only host when the operator
+      // didn't pin one explicitly so a v6-only AAAA result doesn't
+      // hang the connect.
+      var family = cfg.preferFamily;
+      if (family === "any") family = _autoDetectFamily();
       if (cfg.useImplicitTLS) {
         var tlsConnectOpts = Object.assign({}, cfg.tlsOpts);
         if (cfg.servername) tlsConnectOpts.servername = cfg.servername;
-        attachSocket(tls().connect(cfg.port, cfg.host, tlsConnectOpts));
+        tlsConnectOpts.host = cfg.host;
+        tlsConnectOpts.port = cfg.port;
+        if (family === 4 || family === 6) tlsConnectOpts.family = family;
+        attachSocket(tls().connect(tlsConnectOpts));
       } else {
-        attachSocket(net().createConnection(cfg.port, cfg.host));
+        var netOpts = { host: cfg.host, port: cfg.port };
+        if (family === 4 || family === 6) netOpts.family = family;
+        attachSocket(net().createConnection(netOpts));
       }
     }
 
@@ -863,7 +1158,11 @@ function _smtpSend(message, cfg) {
       else if (step === SMTP_STEP_EHLO_RESP) {
         if (code < 200 || code >= 300) { fail("ehlo-rejected (code " + code + ")"); return; }
         // Snapshot extensions advertised on the wire for downstream use.
-        peerSupportsSmtpUtf8 = ehloLines.indexOf("SMTPUTF8") !== -1;
+        peerSupportsSmtpUtf8    = ehloLines.indexOf("SMTPUTF8")    !== -1;
+        peerSupports8BitMime    = ehloLines.indexOf("8BITMIME")    !== -1;
+        peerSupportsBinaryMime  = ehloLines.indexOf("BINARYMIME")  !== -1;
+        peerSupportsChunking    = ehloLines.indexOf("CHUNKING")    !== -1;
+        peerSizeCap             = _parsePeerSize(ehloFullLines);
         // RFC 6531 §3.2 — if the message requires SMTPUTF8 and the
         // peer does not advertise it, refuse hard rather than emit a
         // mangled wire (server might still accept but headers/local
@@ -872,9 +1171,41 @@ function _smtpSend(message, cfg) {
           fail("eai-required-not-supported: message has non-ASCII content but peer does not advertise SMTPUTF8");
           return;
         }
+        // RFC 3030 §3 — BINARYMIME is only legal when the peer
+        // advertises it. If the message requires it but the peer
+        // doesn't offer it, refuse: silently downgrading to 8BITMIME
+        // would corrupt NUL-bearing octets in transit.
+        if (requiresBinaryMime && !peerSupportsBinaryMime) {
+          settled = true;
+          try { socket.destroy(); } catch (_e) { /* socket may already be torn down */ }
+          reject(new MailError("mail/binarymime-not-advertised",
+            "message has 8-bit binary content but peer does not advertise BINARYMIME (RFC 3030 §3)",
+            true));
+          return;
+        }
+        // RFC 1870 §3 — SIZE pre-check. Refuse before opening DATA /
+        // BDAT so the caller gets a clean error instead of a 552
+        // mid-stream rejection. peerSizeCap = 0 means "no enforced
+        // cap"; -1 means "SIZE not advertised" (no precheck).
+        if (cfg.respectPeerSize && peerSizeCap > 0 && messageWireSize > peerSizeCap) {
+          settled = true;
+          try { socket.destroy(); } catch (_e) { /* socket may already be torn down */ }
+          reject(new MailError("mail/peer-size-exceeded",
+            "message wire size " + messageWireSize + " bytes exceeds peer SIZE cap " +
+            peerSizeCap + " bytes (RFC 1870)", true));
+          return;
+        }
+        // Decide BDAT vs DATA + BODY=8BITMIME / BINARYMIME for this
+        // transaction. CHUNKING + BDAT is preferred when both peer
+        // advertises it AND operator didn't disable it.
+        useBdat = peerSupportsChunking && cfg.chunkingEnabled;
+        if (requiresBinaryMime)              bodyMode = "BINARYMIME";
+        else if (requires8BitMime && peerSupports8BitMime) bodyMode = "8BITMIME";
+        else                                 bodyMode = "7BIT";
+
         if (!cfg.useImplicitTLS && !upgradedToTLS) { send("STARTTLS"); step = SMTP_STEP_STARTTLS; }
         else if (cfg.user) { send("AUTH LOGIN"); step = SMTP_STEP_AUTH_USER; }
-        else { send("MAIL FROM:<" + fromAddr + ">" + _smtpUtf8Suffix(requiresSmtpUtf8, peerSupportsSmtpUtf8)); step = SMTP_STEP_MAIL_FROM; }
+        else { send("MAIL FROM:<" + fromAddr + ">" + _mailFromSuffix()); step = SMTP_STEP_MAIL_FROM; }
       }
       else if (step === SMTP_STEP_STARTTLS) {
         if (code !== 220) { fail("starttls-rejected (code " + code + ")"); return; }
@@ -901,7 +1232,7 @@ function _smtpSend(message, cfg) {
       }
       else if (step === SMTP_STEP_AUTH_FINAL) {
         if (code !== 235) { fail("auth-failed (code " + code + ")"); return; }
-        send("MAIL FROM:<" + fromAddr + ">" + _smtpUtf8Suffix(requiresSmtpUtf8, peerSupportsSmtpUtf8)); step = SMTP_STEP_MAIL_FROM;
+        send("MAIL FROM:<" + fromAddr + ">" + _mailFromSuffix()); step = SMTP_STEP_MAIL_FROM;
       }
       else if (step === SMTP_STEP_MAIL_FROM) {
         if (code < 200 || code >= 300) { fail("mail-from-rejected (code " + code + ")"); return; }
@@ -911,6 +1242,33 @@ function _smtpSend(message, cfg) {
         if (code < 200 || code >= 300) { fail("rcpt-rejected (code " + code + ")"); return; }
         if (rcptIndex < rcpts.length) {
           send("RCPT TO:<" + rcpts[rcptIndex++] + ">");
+        } else if (useBdat) {
+          // RFC 3030 §2 — BDAT framing replaces DATA + CRLF.CRLF.
+          // Each chunk is `BDAT <octet-count> [LAST]\r\n` followed by
+          // exactly <octet-count> bytes of body. We emit the audit
+          // signal once per send (not per chunk) so the audit chain
+          // doesn't get flooded for large messages.
+          try {
+            audit().safeEmit({
+              action:   "mail.transport.bdat",
+              outcome:  "success",
+              metadata: {
+                wireBytes:    messageWireSize,
+                chunkSize:    cfg.chunkSize,
+                expectedChunks: Math.max(1, Math.ceil(messageWireSize / cfg.chunkSize)),
+                bodyMode:     bodyMode,
+              },
+            });
+            if (bodyMode === "BINARYMIME") {
+              audit().safeEmit({
+                action:   "mail.transport.binarymime",
+                outcome:  "success",
+                metadata: { wireBytes: messageWireSize },
+              });
+            }
+          } catch (_e) { /* audit best-effort */ }
+          step = SMTP_STEP_BDAT;
+          sendBdatChunk();
         } else {
           send("DATA"); step = SMTP_STEP_DATA;
         }
@@ -920,6 +1278,26 @@ function _smtpSend(message, cfg) {
         send(dataMessage + "\r\n.");
         step = SMTP_STEP_BODY;
       }
+      else if (step === SMTP_STEP_BDAT) {
+        // Each BDAT chunk gets a 250 response per RFC 3030 §2. Anything
+        // else (4xx / 5xx) is a hard rejection of the chunk; surface
+        // a stable error code so downstream retry policy can identify
+        // the chunked-body failure mode.
+        if (code !== 250) {
+          settled = true;
+          try { socket.destroy(); } catch (_e) { /* socket may already be torn down */ }
+          reject(new MailError("mail/bdat-chunk-rejected",
+            "BDAT chunk rejected (code " + code + ", offset " + bdatOffset + "/" +
+            messageWireSize + ")", false));
+          return;
+        }
+        if (bdatOffset >= messageWireSize) {
+          // Final chunk acknowledged — message accepted.
+          done(true, code);
+          return;
+        }
+        sendBdatChunk();
+      }
       else if (step === SMTP_STEP_BODY) {
         var ok = code === 250;
         done(ok, code);
@@ -1368,6 +1746,9 @@ module.exports = {
   // pre-SMTPUTF8 ASCII regex check.
   toAscii:    toAscii,
   toUnicode:  toUnicode,
+  // Forward-confirmed reverse DNS lookup (RFC 8601 §3 lite). Building
+  // block for inbound iprev / outbound submission reputation checks.
+  reverseDns: reverseDns,
   // DKIM-Signature header generation for outbound mail (rsa-sha256
   // default, ed25519-sha256 opt-in). Wire it into the smtp transport
   // via opts.dkimSigner. See lib/mail-dkim.js for the full surface.
@@ -1379,6 +1760,7 @@ module.exports = {
   spf:         mailAuth.spf,
   dmarc:       mailAuth.dmarc,
   arc:         mailAuth.arc,
+  iprev:       mailAuth.iprev,
   authResults: mailAuth.authResults,
   bimi:        mailBimi,
   // Test-only export: lets unit tests inspect the wire format without

package/lib/middleware/bearer-auth.js

@@ -82,7 +82,7 @@ function _extractToken(req, scheme) {
  * @primitive b.middleware.bearerAuth
  * @signature b.middleware.bearerAuth(req, res, next)
  * @since     0.1.0
- * @related   b.middleware.attachUser, b.middleware.requireAuth, b.auth.jwt
+ * @related   b.middleware.attachUser, b.middleware.requireAuth
  *
  * Extracts `Authorization: Bearer <token>`, calls an operator-supplied
  * verifier, attaches the result to `req.user`. Constructed via