@push.rocks/smartmta 5.1.3 → 5.2.1

package/ts/mail/routing/index.ts

@@ -0,0 +1,9 @@
+// Email routing components
+export * from './classes.email.router.js';
+export * from './classes.unified.email.server.js';
+export * from './classes.dns.manager.js';
+export * from './interfaces.js';
+export * from './classes.domain.registry.js';
+export * from './classes.email.action.executor.js';
+export * from './classes.dkim.manager.js';
+

package/ts/mail/routing/interfaces.ts

@@ -0,0 +1,202 @@
+import type { Email } from '../core/classes.email.js';
+import type { IExtendedSmtpSession } from './classes.unified.email.server.js';
+
+/**
+ * Route configuration for email routing
+ */
+export interface IEmailRoute {
+  /** Route identifier */
+  name: string;
+  /** Order of evaluation (higher priority evaluated first, default: 0) */
+  priority?: number;
+  /** Conditions to match */
+  match: IEmailMatch;
+  /** Action to take when matched */
+  action: IEmailAction;
+}
+
+/**
+ * Match criteria for email routing
+ */
+export interface IEmailMatch {
+  /** Email patterns to match recipients: "*@example.com", "admin@*" */
+  recipients?: string | string[];
+  /** Email patterns to match senders */
+  senders?: string | string[];
+  /** IP addresses or CIDR ranges to match */
+  clientIp?: string | string[];
+  /** Require authentication status */
+  authenticated?: boolean;
+  
+  // Optional advanced matching
+  /** Headers to match */
+  headers?: Record<string, string | RegExp>;
+  /** Message size range */
+  sizeRange?: { min?: number; max?: number };
+  /** Subject line patterns */
+  subject?: string | RegExp;
+  /** Has attachments */
+  hasAttachments?: boolean;
+}
+
+/**
+ * Action to take when route matches
+ */
+export interface IEmailAction {
+  /** Type of action to perform */
+  type: 'forward' | 'deliver' | 'reject' | 'process';
+  
+  /** Forward action configuration */
+  forward?: {
+    /** Target host to forward to */
+    host: string;
+    /** Target port (default: 25) */
+    port?: number;
+    /** Authentication credentials */
+    auth?: {
+      user: string;
+      pass: string;
+    };
+    /** Preserve original headers */
+    preserveHeaders?: boolean;
+    /** Additional headers to add */
+    addHeaders?: Record<string, string>;
+  };
+  
+  /** Reject action configuration */
+  reject?: {
+    /** SMTP response code */
+    code: number;
+    /** SMTP response message */
+    message: string;
+  };
+  
+  /** Process action configuration */
+  process?: {
+    /** Enable content scanning */
+    scan?: boolean;
+    /** Enable DKIM signing */
+    dkim?: boolean;
+    /** Delivery queue priority */
+    queue?: 'normal' | 'priority' | 'bulk';
+  };
+  
+  /** Options for various action types */
+  options?: {
+    /** MTA specific options */
+    mtaOptions?: {
+      domain?: string;
+      allowLocalDelivery?: boolean;
+      localDeliveryPath?: string;
+      dkimSign?: boolean;
+      dkimOptions?: {
+        domainName: string;
+        keySelector: string;
+        privateKey?: string;
+      };
+      smtpBanner?: string;
+      maxConnections?: number;
+      connTimeout?: number;
+      spoolDir?: string;
+    };
+    /** Content scanning configuration */
+    contentScanning?: boolean;
+    scanners?: Array<{
+      type: 'spam' | 'virus' | 'attachment';
+      threshold?: number;
+      action: 'tag' | 'reject';
+      blockedExtensions?: string[];
+    }>;
+    /** Email transformations */
+    transformations?: Array<{
+      type: string;
+      header?: string;
+      value?: string;
+      domains?: string[];
+      append?: boolean;
+      [key: string]: any;
+    }>;
+  };
+  
+  /** Delivery options (applies to forward/process/deliver) */
+  delivery?: {
+    /** Rate limit (messages per minute) */
+    rateLimit?: number;
+    /** Number of retry attempts */
+    retries?: number;
+  };
+}
+
+/**
+ * Context for route evaluation
+ */
+export interface IEmailContext {
+  /** The email being routed */
+  email: Email;
+  /** The SMTP session */
+  session: IExtendedSmtpSession;
+}
+
+/**
+ * Email domain configuration
+ */
+export interface IEmailDomainConfig {
+  /** Domain name */
+  domain: string;
+  
+  /** DNS handling mode */
+  dnsMode: 'forward' | 'internal-dns' | 'external-dns';
+  
+  /** DNS configuration based on mode */
+  dns?: {
+    /** For 'forward' mode */
+    forward?: {
+      /** Skip DNS validation (default: false) */
+      skipDnsValidation?: boolean;
+      /** Target server's expected domain */
+      targetDomain?: string;
+    };
+    
+    /** For 'internal-dns' mode */
+    internal?: {
+      /** TTL for DNS records in seconds (default: 3600) */
+      ttl?: number;
+      /** MX record priority (default: 10) */
+      mxPriority?: number;
+    };
+    
+    /** For 'external-dns' mode */
+    external?: {
+      /** Custom DNS servers (default: system DNS) */
+      servers?: string[];
+      /** Which records to validate (default: ['MX', 'SPF', 'DKIM', 'DMARC']) */
+      requiredRecords?: ('MX' | 'SPF' | 'DKIM' | 'DMARC')[];
+    };
+  };
+  
+  /** Per-domain DKIM settings (DKIM always enabled) */
+  dkim?: {
+    /** DKIM selector (default: 'default') */
+    selector?: string;
+    /** Key size in bits (default: 2048) */
+    keySize?: number;
+    /** Automatically rotate keys (default: false) */
+    rotateKeys?: boolean;
+    /** Days between key rotations (default: 90) */
+    rotationInterval?: number;
+  };
+  
+  /** Per-domain rate limits */
+  rateLimits?: {
+    outbound?: {
+      messagesPerMinute?: number;
+      messagesPerHour?: number;
+      messagesPerDay?: number;
+    };
+    inbound?: {
+      messagesPerMinute?: number;
+      connectionsPerIp?: number;
+      recipientsPerMessage?: number;
+    };
+  };
+}

package/ts/mail/security/classes.dkimcreator.ts

@@ -0,0 +1,447 @@
+import * as plugins from '../../plugins.js';
+import * as paths from '../../paths.js';
+
+import { Email } from '../core/classes.email.js';
+// MtaService reference removed
+
+const readFile = plugins.util.promisify(plugins.fs.readFile);
+const writeFile = plugins.util.promisify(plugins.fs.writeFile);
+const generateKeyPair = plugins.util.promisify(plugins.crypto.generateKeyPair);
+
+export interface IKeyPaths {
+  privateKeyPath: string;
+  publicKeyPath: string;
+}
+
+export interface IDkimKeyMetadata {
+  domain: string;
+  selector: string;
+  createdAt: number;
+  rotatedAt?: number;
+  previousSelector?: string;
+  keySize: number;
+}
+
+export class DKIMCreator {
+  private keysDir: string;
+  private storageManager?: any; // StorageManager instance
+
+  constructor(keysDir = paths.keysDir, storageManager?: any) {
+    this.keysDir = keysDir;
+    this.storageManager = storageManager;
+  }
+
+  public async getKeyPathsForDomain(domainArg: string): Promise<IKeyPaths> {
+    return {
+      privateKeyPath: plugins.path.join(this.keysDir, `${domainArg}-private.pem`),
+      publicKeyPath: plugins.path.join(this.keysDir, `${domainArg}-public.pem`),
+    };
+  }
+
+  // Check if a DKIM key is present and creates one and stores it to disk otherwise
+  public async handleDKIMKeysForDomain(domainArg: string): Promise<void> {
+    try {
+      await this.readDKIMKeys(domainArg);
+    } catch (error) {
+      console.log(`No DKIM keys found for ${domainArg}. Generating...`);
+      await this.createAndStoreDKIMKeys(domainArg);
+      const dnsValue = await this.getDNSRecordForDomain(domainArg);
+      await plugins.smartfs.directory(paths.dnsRecordsDir).recursive().create();
+      await plugins.smartfs.file(plugins.path.join(paths.dnsRecordsDir, `${domainArg}.dkimrecord.json`)).write(JSON.stringify(dnsValue, null, 2));
+    }
+  }
+
+  public async handleDKIMKeysForEmail(email: Email): Promise<void> {
+    const domain = email.from.split('@')[1];
+    await this.handleDKIMKeysForDomain(domain);
+  }
+
+  // Read DKIM keys - always use storage manager, migrate from filesystem if needed
+  public async readDKIMKeys(domainArg: string): Promise<{ privateKey: string; publicKey: string }> {
+    // Try to read from storage manager first
+    if (this.storageManager) {
+      try {
+        const [privateKey, publicKey] = await Promise.all([
+          this.storageManager.get(`/email/dkim/${domainArg}/private.key`),
+          this.storageManager.get(`/email/dkim/${domainArg}/public.key`)
+        ]);
+        
+        if (privateKey && publicKey) {
+          return { privateKey, publicKey };
+        }
+      } catch (error) {
+        // Fall through to migration check
+      }
+      
+      // Check if keys exist in filesystem and migrate them to storage manager
+      const keyPaths = await this.getKeyPathsForDomain(domainArg);
+      try {
+        const [privateKeyBuffer, publicKeyBuffer] = await Promise.all([
+          readFile(keyPaths.privateKeyPath),
+          readFile(keyPaths.publicKeyPath),
+        ]);
+
+        // Convert the buffers to strings
+        const privateKey = privateKeyBuffer.toString();
+        const publicKey = publicKeyBuffer.toString();
+        
+        // Migrate to storage manager
+        console.log(`Migrating DKIM keys for ${domainArg} from filesystem to StorageManager`);
+        await Promise.all([
+          this.storageManager.set(`/email/dkim/${domainArg}/private.key`, privateKey),
+          this.storageManager.set(`/email/dkim/${domainArg}/public.key`, publicKey)
+        ]);
+        
+        return { privateKey, publicKey };
+      } catch (error) {
+        if (error.code === 'ENOENT') {
+          // Keys don't exist anywhere
+          throw new Error(`DKIM keys not found for domain ${domainArg}`);
+        }
+        throw error;
+      }
+    } else {
+      // No storage manager, use filesystem directly
+      const keyPaths = await this.getKeyPathsForDomain(domainArg);
+      const [privateKeyBuffer, publicKeyBuffer] = await Promise.all([
+        readFile(keyPaths.privateKeyPath),
+        readFile(keyPaths.publicKeyPath),
+      ]);
+
+      const privateKey = privateKeyBuffer.toString();
+      const publicKey = publicKeyBuffer.toString();
+      
+      return { privateKey, publicKey };
+    }
+  }
+
+  // Create an RSA DKIM key pair - changed to public for API access
+  public async createDKIMKeys(): Promise<{ privateKey: string; publicKey: string }> {
+    const { privateKey, publicKey } = await generateKeyPair('rsa', {
+      modulusLength: 2048,
+      publicKeyEncoding: { type: 'spki', format: 'pem' },
+      privateKeyEncoding: { type: 'pkcs1', format: 'pem' },
+    });
+
+    return { privateKey, publicKey };
+  }
+
+  // Create an Ed25519 DKIM key pair (RFC 8463)
+  public async createEd25519Keys(): Promise<{ privateKey: string; publicKey: string }> {
+    const { privateKey, publicKey } = await generateKeyPair('ed25519', {
+      publicKeyEncoding: { type: 'spki', format: 'pem' },
+      privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
+    });
+
+    return { privateKey, publicKey };
+  }
+
+  // Store a DKIM key pair - uses storage manager if available, else disk
+  public async storeDKIMKeys(
+    privateKey: string,
+    publicKey: string,
+    privateKeyPath: string,
+    publicKeyPath: string
+  ): Promise<void> {
+    // Store in storage manager if available
+    if (this.storageManager) {
+      // Extract domain from path (e.g., /path/to/keys/example.com-private.pem -> example.com)
+      const match = privateKeyPath.match(/\/([^\/]+)-private\.pem$/);
+      if (match) {
+        const domain = match[1];
+        await Promise.all([
+          this.storageManager.set(`/email/dkim/${domain}/private.key`, privateKey),
+          this.storageManager.set(`/email/dkim/${domain}/public.key`, publicKey)
+        ]);
+      }
+    }
+    
+    // Also store to filesystem for backward compatibility
+    await Promise.all([writeFile(privateKeyPath, privateKey), writeFile(publicKeyPath, publicKey)]);
+  }
+
+  // Create a DKIM key pair and store it to disk - changed to public for API access
+  public async createAndStoreDKIMKeys(domain: string): Promise<void> {
+    const { privateKey, publicKey } = await this.createDKIMKeys();
+    const keyPaths = await this.getKeyPathsForDomain(domain);
+    await this.storeDKIMKeys(
+      privateKey,
+      publicKey,
+      keyPaths.privateKeyPath,
+      keyPaths.publicKeyPath
+    );
+    console.log(`DKIM keys for ${domain} created and stored.`);
+  }
+
+  // Changed to public for API access
+  public async getDNSRecordForDomain(domainArg: string): Promise<plugins.tsclass.network.IDnsRecord> {
+    await this.handleDKIMKeysForDomain(domainArg);
+    const keys = await this.readDKIMKeys(domainArg);
+
+    // Remove the PEM header and footer and newlines
+    const pemHeader = '-----BEGIN PUBLIC KEY-----';
+    const pemFooter = '-----END PUBLIC KEY-----';
+    const keyContents = keys.publicKey
+      .replace(pemHeader, '')
+      .replace(pemFooter, '')
+      .replace(/\n/g, '');
+
+    // Detect key type from PEM header
+    const keyAlgo = keys.privateKey.includes('ED25519') || keys.publicKey.length < 200 ? 'ed25519' : 'rsa';
+
+    // Now generate the DKIM DNS TXT record
+    const dnsRecordValue = `v=DKIM1; h=sha256; k=${keyAlgo}; p=${keyContents}`;
+
+    return {
+      name: `mta._domainkey.${domainArg}`,
+      type: 'TXT',
+      dnsSecEnabled: null,
+      value: dnsRecordValue,
+    };
+  }
+
+  /**
+   * Get DKIM key metadata for a domain
+   */
+  private async getKeyMetadata(domain: string, selector: string = 'default'): Promise<IDkimKeyMetadata | null> {
+    if (!this.storageManager) {
+      return null;
+    }
+    
+    const metadataKey = `/email/dkim/${domain}/${selector}/metadata`;
+    const metadataStr = await this.storageManager.get(metadataKey);
+    
+    if (!metadataStr) {
+      return null;
+    }
+    
+    return JSON.parse(metadataStr) as IDkimKeyMetadata;
+  }
+
+  /**
+   * Save DKIM key metadata
+   */
+  private async saveKeyMetadata(metadata: IDkimKeyMetadata): Promise<void> {
+    if (!this.storageManager) {
+      return;
+    }
+    
+    const metadataKey = `/email/dkim/${metadata.domain}/${metadata.selector}/metadata`;
+    await this.storageManager.set(metadataKey, JSON.stringify(metadata));
+  }
+
+  /**
+   * Check if DKIM keys need rotation
+   */
+  public async needsRotation(domain: string, selector: string = 'default', rotationIntervalDays: number = 90): Promise<boolean> {
+    const metadata = await this.getKeyMetadata(domain, selector);
+    
+    if (!metadata) {
+      // No metadata means old keys, should rotate
+      return true;
+    }
+    
+    const now = Date.now();
+    const keyAgeMs = now - metadata.createdAt;
+    const keyAgeDays = keyAgeMs / (1000 * 60 * 60 * 24);
+    
+    return keyAgeDays >= rotationIntervalDays;
+  }
+
+  /**
+   * Rotate DKIM keys for a domain
+   */
+  public async rotateDkimKeys(domain: string, currentSelector: string = 'default', keySize: number = 2048): Promise<string> {
+    console.log(`Rotating DKIM keys for ${domain}...`);
+    
+    // Generate new selector based on date
+    const now = new Date();
+    const newSelector = `key${now.getFullYear()}${String(now.getMonth() + 1).padStart(2, '0')}`;
+    
+    // Create new keys with custom key size
+    const { privateKey, publicKey } = await generateKeyPair('rsa', {
+      modulusLength: keySize,
+      publicKeyEncoding: { type: 'spki', format: 'pem' },
+      privateKeyEncoding: { type: 'pkcs1', format: 'pem' },
+    });
+    
+    // Store new keys with new selector
+    const newKeyPaths = await this.getKeyPathsForSelector(domain, newSelector);
+    
+    // Store in storage manager if available
+    if (this.storageManager) {
+      await Promise.all([
+        this.storageManager.set(`/email/dkim/${domain}/${newSelector}/private.key`, privateKey),
+        this.storageManager.set(`/email/dkim/${domain}/${newSelector}/public.key`, publicKey)
+      ]);
+    }
+    
+    // Also store to filesystem
+    await this.storeDKIMKeys(
+      privateKey,
+      publicKey,
+      newKeyPaths.privateKeyPath,
+      newKeyPaths.publicKeyPath
+    );
+    
+    // Save metadata for new keys
+    const metadata: IDkimKeyMetadata = {
+      domain,
+      selector: newSelector,
+      createdAt: Date.now(),
+      previousSelector: currentSelector,
+      keySize
+    };
+    await this.saveKeyMetadata(metadata);
+    
+    // Update metadata for old keys
+    const oldMetadata = await this.getKeyMetadata(domain, currentSelector);
+    if (oldMetadata) {
+      oldMetadata.rotatedAt = Date.now();
+      await this.saveKeyMetadata(oldMetadata);
+    }
+    
+    console.log(`DKIM keys rotated for ${domain}. New selector: ${newSelector}`);
+    return newSelector;
+  }
+
+  /**
+   * Get key paths for a specific selector
+   */
+  public async getKeyPathsForSelector(domain: string, selector: string): Promise<IKeyPaths> {
+    return {
+      privateKeyPath: plugins.path.join(this.keysDir, `${domain}-${selector}-private.pem`),
+      publicKeyPath: plugins.path.join(this.keysDir, `${domain}-${selector}-public.pem`),
+    };
+  }
+
+  /**
+   * Read DKIM keys for a specific selector
+   */
+  public async readDKIMKeysForSelector(domain: string, selector: string): Promise<{ privateKey: string; publicKey: string }> {
+    // Try to read from storage manager first
+    if (this.storageManager) {
+      try {
+        const [privateKey, publicKey] = await Promise.all([
+          this.storageManager.get(`/email/dkim/${domain}/${selector}/private.key`),
+          this.storageManager.get(`/email/dkim/${domain}/${selector}/public.key`)
+        ]);
+        
+        if (privateKey && publicKey) {
+          return { privateKey, publicKey };
+        }
+      } catch (error) {
+        // Fall through to migration check
+      }
+      
+      // Check if keys exist in filesystem and migrate them to storage manager
+      const keyPaths = await this.getKeyPathsForSelector(domain, selector);
+      try {
+        const [privateKeyBuffer, publicKeyBuffer] = await Promise.all([
+          readFile(keyPaths.privateKeyPath),
+          readFile(keyPaths.publicKeyPath),
+        ]);
+
+        const privateKey = privateKeyBuffer.toString();
+        const publicKey = publicKeyBuffer.toString();
+        
+        // Migrate to storage manager
+        console.log(`Migrating DKIM keys for ${domain}/${selector} from filesystem to StorageManager`);
+        await Promise.all([
+          this.storageManager.set(`/email/dkim/${domain}/${selector}/private.key`, privateKey),
+          this.storageManager.set(`/email/dkim/${domain}/${selector}/public.key`, publicKey)
+        ]);
+        
+        return { privateKey, publicKey };
+      } catch (error) {
+        if (error.code === 'ENOENT') {
+          throw new Error(`DKIM keys not found for domain ${domain} with selector ${selector}`);
+        }
+        throw error;
+      }
+    } else {
+      // No storage manager, use filesystem directly
+      const keyPaths = await this.getKeyPathsForSelector(domain, selector);
+      const [privateKeyBuffer, publicKeyBuffer] = await Promise.all([
+        readFile(keyPaths.privateKeyPath),
+        readFile(keyPaths.publicKeyPath),
+      ]);
+
+      const privateKey = privateKeyBuffer.toString();
+      const publicKey = publicKeyBuffer.toString();
+
+      return { privateKey, publicKey };
+    }
+  }
+
+  /**
+   * Get DNS record for a specific selector
+   */
+  public async getDNSRecordForSelector(domain: string, selector: string): Promise<plugins.tsclass.network.IDnsRecord> {
+    const keys = await this.readDKIMKeysForSelector(domain, selector);
+
+    // Remove the PEM header and footer and newlines
+    const pemHeader = '-----BEGIN PUBLIC KEY-----';
+    const pemFooter = '-----END PUBLIC KEY-----';
+    const keyContents = keys.publicKey
+      .replace(pemHeader, '')
+      .replace(pemFooter, '')
+      .replace(/\n/g, '');
+
+    // Detect key type from PEM header
+    const keyAlgo = keys.privateKey.includes('ED25519') || keys.publicKey.length < 200 ? 'ed25519' : 'rsa';
+
+    // Generate the DKIM DNS TXT record
+    const dnsRecordValue = `v=DKIM1; h=sha256; k=${keyAlgo}; p=${keyContents}`;
+
+    return {
+      name: `${selector}._domainkey.${domain}`,
+      type: 'TXT',
+      dnsSecEnabled: null,
+      value: dnsRecordValue,
+    };
+  }
+
+  /**
+   * Clean up old DKIM keys after grace period
+   */
+  public async cleanupOldKeys(domain: string, gracePeriodDays: number = 30): Promise<void> {
+    if (!this.storageManager) {
+      return;
+    }
+    
+    // List all selectors for the domain
+    const metadataKeys = await this.storageManager.list(`/email/dkim/${domain}/`);
+    
+    for (const key of metadataKeys) {
+      if (key.endsWith('/metadata')) {
+        const metadataStr = await this.storageManager.get(key);
+        if (metadataStr) {
+          const metadata = JSON.parse(metadataStr) as IDkimKeyMetadata;
+          
+          // Check if key is rotated and past grace period
+          if (metadata.rotatedAt) {
+            const gracePeriodMs = gracePeriodDays * 24 * 60 * 60 * 1000;
+            const now = Date.now();
+            
+            if (now - metadata.rotatedAt > gracePeriodMs) {
+              console.log(`Cleaning up old DKIM keys for ${domain} selector ${metadata.selector}`);
+              
+              // Delete key files
+              const keyPaths = await this.getKeyPathsForSelector(domain, metadata.selector);
+              try {
+                await plugins.fs.promises.unlink(keyPaths.privateKeyPath);
+                await plugins.fs.promises.unlink(keyPaths.publicKeyPath);
+              } catch (error) {
+                console.warn(`Failed to delete old key files: ${error.message}`);
+              }
+              
+              // Delete metadata
+              await this.storageManager.delete(key);
+            }
+          }
+        }
+      }
+    }
+  }
+}