@serve.zone/dcrouter 13.43.5 → 13.44.0

package/ts/classes.dcrouter.ts

@@ -31,9 +31,10 @@ import { SecurityLogger, ContentScanner, IPReputationChecker, SecurityPolicyMana
 import { type IHttp3Config, augmentRoutesWithHttp3 } from './http3/index.js';
 import { DnsManager } from './dns/manager.dns.js';
 import { AcmeConfigManager } from './acme/manager.acme-config.js';
-import { EmailDomainManager, SmartMtaStorageManager, WorkAppMailManager, buildEmailDnsRecords } from './email/index.js';
+import { EmailDomainManager, EmailSettingsManager, SmartMtaStorageManager, WorkAppMailManager, buildEmailDnsRecords } from './email/index.js';
 import type { IRoute } from '../ts_interfaces/data/route-management.js';
-import type { IDcRouterRouteConfig, IRemoteIngressHubSettings, IRemoteIngressPerformanceConfig } from '../ts_interfaces/data/remoteingress.js';
+import type { IEmailPortConfig, IEmailServerSettings, IEmailServerSettingsSeed, TEmailServerSettingsUpdate } from '../ts_interfaces/data/email-settings.js';
+import type { IDcRouterRouteConfig, IRemoteIngressHubSettings, IRemoteIngressPerformanceConfig, TRemoteIngressHubSettingsUpdate } from '../ts_interfaces/data/remoteingress.js';
 import type { ISecurityCompiledPolicy } from '../ts_interfaces/data/security-policy.js';
 
 export interface IDcRouterOptions {
@@ -57,14 +58,7 @@ export interface IDcRouterOptions {
    * Allows configuring specific ports for email handling
    * This overrides the default port mapping in the emailConfig
    */
-  emailPortConfig?: {
-    /** External to internal port mapping */
-    portMapping?: Record<number, number>;
-    /** Custom port configuration for specific ports */
-    portSettings?: Record<number, any>;
-    /** Path to store received emails */
-    receivedEmailsPath?: string;
-  };
+  emailPortConfig?: IEmailPortConfig;
   
   /** TLS/certificate configuration */
   tls?: {
@@ -282,6 +276,8 @@ export class DcRouter {
   public remoteIngressManager?: RemoteIngressManager;
   public tunnelManager?: TunnelManager;
   private remoteIngressHubLifecycleChain: Promise<void> = Promise.resolve();
+  private smartProxyLifecycleChain: Promise<void> = Promise.resolve();
+  private emailLifecycleChain: Promise<void> = Promise.resolve();
   private remoteIngressHubStopping = false;
   private remoteIngressHubGeneration = 0;
 
@@ -300,6 +296,7 @@ export class DcRouter {
 
   // ACME configuration (DB-backed singleton, replaces tls.contactEmail)
   public acmeConfigManager?: AcmeConfigManager;
+  public emailSettingsManager?: EmailSettingsManager;
   public emailDomainManager?: EmailDomainManager;
   public workAppMailManager: WorkAppMailManager;
   public securityPolicyManager?: SecurityPolicyManager;
@@ -341,7 +338,7 @@ export class DcRouter {
 
   // Seed routes assembled during setupSmartProxy, passed to RouteConfigManager for DB seeding
   private seedConfigRoutes: plugins.smartproxy.IRouteConfig[] = [];
-  private seedEmailRoutes: plugins.smartproxy.IRouteConfig[] = [];
+  private seedEmailRoutes: IDcRouterRouteConfig[] = [];
   private seedDnsRoutes: plugins.smartproxy.IRouteConfig[] = [];
   // Live DoH routes used during SmartProxy bootstrap before RouteConfigManager re-applies stored routes.
   private runtimeDnsRoutes: plugins.smartproxy.IRouteConfig[] = [];
@@ -482,7 +479,7 @@ export class DcRouter {
       this.serviceManager.addService(
         new plugins.taskbuffer.Service('EmailDomainManager')
           .optional()
-          .dependsOn('DcRouterDb')
+          .dependsOn('DcRouterDb', 'EmailSettingsManager')
           .withStart(async () => {
             this.emailDomainManager = new EmailDomainManager(this);
             await this.emailDomainManager.start();
@@ -496,6 +493,28 @@ export class DcRouter {
       );
     }
 
+    // EmailSettingsManager: optional, depends on DcRouterDb — owns the DB-backed
+    // singleton email server config and projects it into runtime options before
+    // SmartProxy and EmailDomainManager read email settings.
+    if (this.options.dbConfig?.enabled !== false) {
+      this.serviceManager.addService(
+        new plugins.taskbuffer.Service('EmailSettingsManager')
+          .optional()
+          .dependsOn('DcRouterDb')
+          .withStart(async () => {
+            this.emailSettingsManager = new EmailSettingsManager(this.options);
+            await this.emailSettingsManager.start();
+          })
+          .withStop(async () => {
+            if (this.emailSettingsManager) {
+              await this.emailSettingsManager.stop();
+              this.emailSettingsManager = undefined;
+            }
+          })
+          .withRetry({ maxRetries: 1, baseDelayMs: 500 }),
+      );
+    }
+
     // SecurityPolicyManager: optional, depends on DcRouterDb — owns IP intelligence
     // and compiles the global block policy for SmartProxy and remote ingress edges.
     if (this.options.dbConfig?.enabled !== false) {
@@ -519,13 +538,34 @@ export class DcRouter {
       );
     }
 
+    // RemoteIngressManager: optional, depends on DcRouterDb — owns DB-backed
+    // hub settings and edge registrations. It starts before SmartProxy so
+    // SmartProxy can use the DB-backed enabled flag for PROXY protocol setup.
+    if (this.options.dbConfig?.enabled !== false) {
+      this.serviceManager.addService(
+        new plugins.taskbuffer.Service('RemoteIngressManager')
+          .optional()
+          .dependsOn('DcRouterDb')
+          .withStart(async () => {
+            this.remoteIngressManager = new RemoteIngressManager();
+            await this.remoteIngressManager.initialize();
+          })
+          .withStop(async () => {
+            this.remoteIngressManager = undefined;
+          })
+          .withRetry({ maxRetries: 1, baseDelayMs: 500 }),
+      );
+    }
+
     // SmartProxy: critical, depends on DcRouterDb + DnsManager + AcmeConfigManager (if enabled)
     const smartProxyDeps: string[] = [];
     if (this.options.dbConfig?.enabled !== false) {
       smartProxyDeps.push('DcRouterDb');
       smartProxyDeps.push('DnsManager');
       smartProxyDeps.push('AcmeConfigManager');
+      smartProxyDeps.push('EmailSettingsManager');
       smartProxyDeps.push('SecurityPolicyManager');
+      smartProxyDeps.push('RemoteIngressManager');
     }
     this.serviceManager.addService(
       new plugins.taskbuffer.Service('SmartProxy')
@@ -535,11 +575,20 @@ export class DcRouter {
           await this.setupSmartProxy();
         })
         .withStop(async () => {
-          if (this.smartProxy) {
-            this.smartProxy.removeAllListeners();
-            await this.smartProxy.stop();
-            this.smartProxy = undefined;
-          }
+          await this.queueSmartProxyLifecycleTask(async () => {
+            try {
+              if (this.smartProxy) {
+                const existingSmartProxy = this.smartProxy;
+                existingSmartProxy.removeAllListeners();
+                await existingSmartProxy.stop();
+                if (this.smartProxy === existingSmartProxy) {
+                  this.smartProxy = undefined;
+                }
+              }
+            } finally {
+              await this.stopSmartAcme();
+            }
+          });
         })
         .withRetry({ maxRetries: 0 }),
     );
@@ -630,7 +679,7 @@ export class DcRouter {
     }
 
     // Email Server: optional, depends on SmartProxy
-    if (this.options.emailConfig) {
+    if (this.options.dbConfig?.enabled !== false || this.options.emailConfig) {
       const emailServiceDeps = ['SmartProxy', 'MetricsManager'];
       if (this.options.dbConfig?.enabled !== false) {
         emailServiceDeps.push('EmailDomainManager');
@@ -640,14 +689,18 @@ export class DcRouter {
           .optional()
           .dependsOn(...emailServiceDeps)
           .withStart(async () => {
-            await this.setupUnifiedEmailHandling();
+            await this.queueEmailLifecycleTask(async () => {
+              if (!this.options.emailConfig) {
+                logger.log('info', 'EmailServer: no email settings configured, skipping startup');
+                return;
+              }
+              await this.setupUnifiedEmailHandling();
+            });
           })
           .withStop(async () => {
-            if (this.emailServer) {
-              this.clearEmailEventSubscriptions();
-              await this.emailServer.stop();
-              this.emailServer = undefined;
-            }
+            await this.queueEmailLifecycleTask(async () => {
+              await this.stopUnifiedEmailComponents();
+            });
           })
           .withRetry({ maxRetries: 3, baseDelayMs: 2000, maxDelayMs: 30_000 }),
       );
@@ -658,7 +711,7 @@ export class DcRouter {
       this.serviceManager.addService(
         new plugins.taskbuffer.Service('DnsServer')
           .optional()
-          .dependsOn('SmartProxy', ...(this.options.emailConfig ? ['EmailServer'] : []))
+          .dependsOn('SmartProxy', ...((this.options.dbConfig?.enabled !== false || this.options.emailConfig) ? ['EmailServer'] : []))
           .withStart(async () => {
             await this.setupDnsWithSocketHandler();
           })
@@ -702,12 +755,14 @@ export class DcRouter {
       );
     }
 
-    // Remote Ingress: optional, depends on SmartProxy
-    if (this.options.remoteIngressConfig?.enabled) {
+    // Remote Ingress: optional, depends on SmartProxy and DB-backed settings.
+    // The service starts as a no-op when the DB setting is disabled, so the UI
+    // can still manage edge registrations and hub settings.
+    if (this.options.dbConfig?.enabled !== false) {
       this.serviceManager.addService(
         new plugins.taskbuffer.Service('RemoteIngress')
           .optional()
-          .dependsOn('SmartProxy')
+          .dependsOn('SmartProxy', 'RemoteIngressManager')
           .withStart(async () => {
             await this.setupRemoteIngress();
           })
@@ -752,6 +807,42 @@ export class DcRouter {
     });
   }
 
+  private isRemoteIngressHubEnabled(): boolean {
+    return this.remoteIngressManager?.getHubSettings().enabled
+      ?? this.options.remoteIngressConfig?.enabled
+      ?? false;
+  }
+
+  private getRemoteIngressHubSettingsLegacySeed(): TRemoteIngressHubSettingsUpdate {
+    const remoteIngressConfig = this.options.remoteIngressConfig;
+    const seed: TRemoteIngressHubSettingsUpdate = {};
+    if (remoteIngressConfig?.enabled !== undefined) {
+      seed.enabled = remoteIngressConfig.enabled;
+    }
+    if (remoteIngressConfig?.tunnelPort !== undefined) {
+      seed.tunnelPort = remoteIngressConfig.tunnelPort;
+    }
+    if (remoteIngressConfig?.hubDomain !== undefined) {
+      seed.hubDomain = remoteIngressConfig.hubDomain;
+    }
+    if (remoteIngressConfig?.performance !== undefined) {
+      seed.performance = remoteIngressConfig.performance;
+    }
+    return seed;
+  }
+
+  private getEmailSettingsLegacySeed(): IEmailServerSettingsSeed {
+    const seed: IEmailServerSettingsSeed = {};
+    if (this.options.emailConfig) {
+      seed.enabled = true;
+      seed.emailConfig = JSON.parse(JSON.stringify(this.options.emailConfig));
+    }
+    if (this.options.emailPortConfig) {
+      seed.emailPortConfig = JSON.parse(JSON.stringify(this.options.emailPortConfig));
+    }
+    return seed;
+  }
+
   private startSmartAcmeInBackground(): void {
     if (!this.smartAcme) {
       this.smartAcmeReady = false;
@@ -965,10 +1056,11 @@ export class DcRouter {
     }
 
     // Remote Ingress summary
-    if (this.tunnelManager && this.options.remoteIngressConfig?.enabled) {
+    const remoteIngressHubSettings = this.remoteIngressManager?.getHubSettings();
+    if (this.tunnelManager && remoteIngressHubSettings?.enabled) {
       const edgeCount = this.remoteIngressManager?.getAllEdges().length || 0;
       const connectedCount = this.tunnelManager.getConnectedCount();
-      logger.log('info', `Remote Ingress: tunnel port=${this.options.remoteIngressConfig.tunnelPort || 8443}, edges=${edgeCount} registered/${connectedCount} connected`);
+      logger.log('info', `Remote Ingress: tunnel port=${remoteIngressHubSettings.tunnelPort}, edges=${edgeCount} registered/${connectedCount} connected`);
     }
 
     // Database summary
@@ -1013,7 +1105,10 @@ export class DcRouter {
 
     // Run any pending data migrations before anything else reads from the DB.
     // This must complete before ConfigManagers loads profiles.
-    const migration = await createMigrationRunner(this.dcRouterDb.getDb(), commitinfo.version);
+    const migration = await createMigrationRunner(this.dcRouterDb.getDb(), commitinfo.version, {
+      remoteIngressHubSettings: this.getRemoteIngressHubSettingsLegacySeed(),
+      emailServerSettings: this.getEmailSettingsLegacySeed(),
+    });
     const migrationResult = await migration.run();
     if (migrationResult.stepsApplied.length > 0) {
       logger.log('info',
@@ -1043,8 +1138,16 @@ export class DcRouter {
 
     // Clean up any existing SmartProxy instance (e.g. from a retry)
     if (this.smartProxy) {
-      this.smartProxy.removeAllListeners();
-      this.smartProxy = undefined;
+      const existingSmartProxy = this.smartProxy;
+      try {
+        existingSmartProxy.removeAllListeners();
+        await existingSmartProxy.stop();
+        if (this.smartProxy === existingSmartProxy) {
+          this.smartProxy = undefined;
+        }
+      } finally {
+        await this.stopSmartAcme();
+      }
     }
 
     // Assemble serializable seed routes from constructor config — these will be seeded into DB
@@ -1279,7 +1382,7 @@ export class DcRouter {
       
       // When remoteIngress is enabled, the hub binary forwards tunneled connections
       // to SmartProxy with PROXY protocol v1 headers to preserve client IPs.
-      if (this.options.remoteIngressConfig?.enabled) {
+      if (this.isRemoteIngressHubEnabled()) {
         smartProxyConfig.acceptProxyProtocol = true;
         if (!smartProxyConfig.proxyIPs) {
           smartProxyConfig.proxyIPs = [];
@@ -1303,16 +1406,17 @@ export class DcRouter {
       // Create SmartProxy instance
       logger.log('info', `Creating SmartProxy instance: routes=${smartProxyConfig.routes?.length}, acme=${smartProxyConfig.acme?.enabled}, certProvisionFunction=${!!smartProxyConfig.certProvisionFunction}`);
       
-      this.smartProxy = new plugins.smartproxy.SmartProxy(smartProxyConfig);
+      const smartProxy = new plugins.smartproxy.SmartProxy(smartProxyConfig);
+      this.smartProxy = smartProxy;
       
       // Set up event listeners
-      this.smartProxy.on('error', (err) => {
+      smartProxy.on('error', (err) => {
         logger.log('error', `SmartProxy error: ${err.message}`, { stack: err.stack });
       });
       
       // Always listen for certificate events — emitted by both ACME and certProvisionFunction paths
       // Events are keyed by domain for domain-centric certificate tracking
-      this.smartProxy.on('certificate-issued', (event: plugins.smartproxy.ICertificateIssuedEvent) => {
+      smartProxy.on('certificate-issued', (event: plugins.smartproxy.ICertificateIssuedEvent) => {
         logger.log('info', `Certificate issued for ${event.domain} via ${event.source}, expires ${event.expiryDate}`);
         const routeNames = this.findRouteNamesForDomain(event.domain);
         this.certificateStatusMap.set(event.domain, {
@@ -1326,7 +1430,7 @@ export class DcRouter {
       // Renewals come through 'certificate-issued' (with optional isRenewal? in the payload).
       // The vestigial 'certificate-renewed' event from common-types.ts is never emitted.
 
-      this.smartProxy.on('certificate-failed', (event: plugins.smartproxy.ICertificateFailedEvent) => {
+      smartProxy.on('certificate-failed', (event: plugins.smartproxy.ICertificateFailedEvent) => {
         logger.log('error', `Certificate failed for ${event.domain} (${event.source}): ${event.error}`);
         const routeNames = this.findRouteNamesForDomain(event.domain);
         this.certificateStatusMap.set(event.domain, {
@@ -1337,7 +1441,23 @@ export class DcRouter {
       
       // Start SmartProxy
       logger.log('info', 'Starting SmartProxy...');
-      await this.smartProxy.start();
+      try {
+        await smartProxy.start();
+      } catch (err) {
+        smartProxy.removeAllListeners();
+        if (this.smartProxy === smartProxy) {
+          this.smartProxy = undefined;
+        }
+        await this.stopSmartAcme();
+        if (this.certProvisionScheduler) {
+          this.certProvisionScheduler.clear();
+          this.certProvisionScheduler = undefined;
+        }
+        await smartProxy.stop().catch((stopErr) => {
+          logger.log('warn', `Failed to clean up SmartProxy after startup failure: ${(stopErr as Error).message}`);
+        });
+        throw err;
+      }
       logger.log('info', 'SmartProxy started successfully');
 
       // Populate certificateStatusMap for certs loaded from store at startup
@@ -1460,8 +1580,8 @@ export class DcRouter {
   /**
    * Generate SmartProxy routes for email configuration
    */
-  private generateEmailRoutes(emailConfig: IUnifiedEmailServerOptions): plugins.smartproxy.IRouteConfig[] {
-    const emailRoutes: plugins.smartproxy.IRouteConfig[] = [];
+  private generateEmailRoutes(emailConfig: IUnifiedEmailServerOptions): IDcRouterRouteConfig[] {
+    const emailRoutes: IDcRouterRouteConfig[] = [];
     
     // Create routes for each email port
     for (const port of emailConfig.ports) {
@@ -1535,13 +1655,17 @@ export class DcRouter {
       }
       
       // Create the route configuration
-      const routeConfig: plugins.smartproxy.IRouteConfig = {
+      const routeConfig: IDcRouterRouteConfig = {
         name: routeName,
         match: {
           ports: [port]
         },
         action: action
       };
+
+      if (this.isRemoteIngressHubEnabled()) {
+        routeConfig.remoteIngress = { enabled: true };
+      }
       
       // Add the route to our list
       emailRoutes.push(routeConfig);
@@ -1768,19 +1892,33 @@ export class DcRouter {
     });
     
     // Create unified email server
-    this.emailServer = new UnifiedEmailServer(this, emailConfig);
+    const emailServer = new UnifiedEmailServer(this, emailConfig);
+    this.emailServer = emailServer;
     this.clearEmailEventSubscriptions();
     
     // Set up error handling
-    this.addEmailEventSubscription(this.emailServer, 'error', (err: Error) => {
+    this.addEmailEventSubscription(emailServer, 'error', (err: Error) => {
       logger.log('error', `UnifiedEmailServer error: ${err.message}`);
     });
     
     // Start the server
-    await this.emailServer.start();
+    try {
+      await emailServer.start();
+    } catch (error: unknown) {
+      this.clearEmailEventSubscriptions();
+      try {
+        await emailServer.stop();
+      } catch (stopError: unknown) {
+        logger.log('warn', `Error cleaning up failed UnifiedEmailServer start: ${(stopError as Error).message}`);
+      }
+      if (this.emailServer === emailServer) {
+        this.emailServer = undefined;
+      }
+      throw error;
+    }
 
     // Wire delivery events to MetricsManager and logger using smartmta's public queue APIs.
-    if (this.metricsManager && this.emailServer) {
+    if (this.metricsManager) {
       const getEnvelope = (item: { processingResult?: any; lastError?: string }) => {
         const emailLike = item?.processingResult;
         const from = emailLike?.from || emailLike?.email?.from || '';
@@ -1795,34 +1933,34 @@ export class DcRouter {
         };
       };
       const updateQueueSize = () => {
-        this.metricsManager!.updateQueueSize(this.emailServer!.getQueueStats().queueSize);
+        this.metricsManager!.updateQueueSize(emailServer.getQueueStats().queueSize);
       };
 
-      this.addEmailEventSubscription(this.emailServer.deliveryQueue, 'itemEnqueued', (item: any) => {
+      this.addEmailEventSubscription(emailServer.deliveryQueue, 'itemEnqueued', (item: any) => {
         const envelope = getEnvelope(item);
         this.metricsManager!.trackEmailReceived(envelope.from);
         updateQueueSize();
         logger.log('info', `Email queued: ${envelope.from} → ${envelope.recipients.join(', ') || 'unknown'}`, { zone: 'email' });
       });
-      this.addEmailEventSubscription(this.emailServer.deliveryQueue, 'itemDelivered', (item: any) => {
+      this.addEmailEventSubscription(emailServer.deliveryQueue, 'itemDelivered', (item: any) => {
         const envelope = getEnvelope(item);
         this.metricsManager!.trackEmailSent(envelope.recipients[0]);
         updateQueueSize();
         logger.log('info', `Email delivered to ${envelope.recipients.join(', ') || 'unknown'}`, { zone: 'email' });
       });
-      this.addEmailEventSubscription(this.emailServer.deliveryQueue, 'itemFailed', (item: any) => {
+      this.addEmailEventSubscription(emailServer.deliveryQueue, 'itemFailed', (item: any) => {
         const envelope = getEnvelope(item);
         this.metricsManager!.trackEmailFailed(envelope.recipients[0], item?.lastError);
         updateQueueSize();
         logger.log('warn', `Email delivery failed to ${envelope.recipients.join(', ') || 'unknown'}: ${item?.lastError || 'unknown error'}`, { zone: 'email' });
       });
-      this.addEmailEventSubscription(this.emailServer.deliveryQueue, 'itemDeferred', () => {
+      this.addEmailEventSubscription(emailServer.deliveryQueue, 'itemDeferred', () => {
         updateQueueSize();
       });
-      this.addEmailEventSubscription(this.emailServer.deliveryQueue, 'itemRemoved', () => {
+      this.addEmailEventSubscription(emailServer.deliveryQueue, 'itemRemoved', () => {
         updateQueueSize();
       });
-      this.addEmailEventSubscription(this.emailServer, 'bounceProcessed', () => {
+      this.addEmailEventSubscription(emailServer, 'bounceProcessed', () => {
         this.metricsManager!.trackEmailBounced();
         logger.log('warn', 'Email bounce processed', { zone: 'email' });
       });
@@ -1837,16 +1975,57 @@ export class DcRouter {
    * @param config New email configuration
    */
   public async updateEmailConfig(config: IUnifiedEmailServerOptions): Promise<void> {
-    // Stop existing email components
-    await this.stopUnifiedEmailComponents();
-    
-    // Update configuration
-    this.options.emailConfig = config;
-    
-    // Start email handling with new configuration
-    await this.setupUnifiedEmailHandling();
-    
-    logger.log('info', 'Unified email configuration updated');
+    await this.queueEmailLifecycleTask(async () => {
+      // Stop existing email components
+      await this.stopUnifiedEmailComponents();
+
+      // Update configuration
+      this.options.emailConfig = config;
+      this.emailDomainManager?.setBaseEmailDomains(config.domains as IEmailDomainConfig[] | undefined);
+      await this.emailDomainManager?.syncManagedDomainsToRuntime();
+
+      // Start email handling with new configuration
+      await this.setupUnifiedEmailHandling();
+
+      logger.log('info', 'Unified email configuration updated');
+    });
+  }
+
+  public async updateEmailServerSettings(
+    settings: TEmailServerSettingsUpdate,
+    updatedBy = 'system',
+  ): Promise<IEmailServerSettings> {
+    return await this.queueEmailLifecycleTask(async () => {
+      if (!this.emailSettingsManager) {
+        throw new Error('EmailSettingsManager is not initialized');
+      }
+
+      const updatedSettings = await this.emailSettingsManager.updateSettings(settings, updatedBy);
+      this.emailDomainManager?.setBaseEmailDomains(this.options.emailConfig?.domains as IEmailDomainConfig[] | undefined);
+      await this.emailDomainManager?.syncManagedDomainsToRuntime();
+      this.seedEmailRoutes = this.options.emailConfig
+        ? this.generateEmailRoutes(this.options.emailConfig)
+        : [];
+
+      if (this.routeConfigManager) {
+        await this.routeConfigManager.initialize(
+          this.seedConfigRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
+          this.seedEmailRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
+          this.seedDnsRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
+        );
+      }
+
+      if (this.options.emailConfig) {
+        if (this.emailServer) {
+          await this.stopUnifiedEmailComponents();
+        }
+        await this.setupUnifiedEmailHandling();
+      } else if (this.emailServer) {
+        await this.stopUnifiedEmailComponents();
+      }
+
+      return updatedSettings;
+    });
   }
   
   /**
@@ -2438,7 +2617,14 @@ export class DcRouter {
    * Set up Remote Ingress hub for edge tunnel connections
    */
   private async setupRemoteIngress(): Promise<void> {
-    if (!this.options.remoteIngressConfig?.enabled) {
+    const remoteIngressManager = this.remoteIngressManager;
+    if (!remoteIngressManager) {
+      return;
+    }
+
+    const hubSettings = remoteIngressManager.getHubSettings();
+    if (!hubSettings.enabled) {
+      logger.log('info', 'Remote Ingress hub is disabled in DB settings');
       return;
     }
 
@@ -2446,14 +2632,6 @@ export class DcRouter {
     this.remoteIngressHubStopping = false;
     const generation = ++this.remoteIngressHubGeneration;
 
-    // Initialize the edge registration manager
-    const remoteIngressManager = new RemoteIngressManager(this.options.remoteIngressConfig.performance);
-    this.remoteIngressManager = remoteIngressManager;
-    await remoteIngressManager.initialize();
-    if (!this.isRemoteIngressHubGenerationCurrent(generation, remoteIngressManager)) {
-      return;
-    }
-
     const firewallConfig = await this.securityPolicyManager?.compileRemoteIngressFirewall();
     if (!this.isRemoteIngressHubGenerationCurrent(generation, remoteIngressManager)) {
       return;
@@ -2483,7 +2661,7 @@ export class DcRouter {
     }
 
     const edgeCount = remoteIngressManager.getAllEdges().length;
-    logger.log('info', `Remote Ingress hub started on port ${this.options.remoteIngressConfig.tunnelPort || 8443} with ${edgeCount} registered edge(s)`);
+    logger.log('info', `Remote Ingress hub started on port ${hubSettings.tunnelPort} with ${edgeCount} registered edge(s)`);
   }
 
   private isRemoteIngressHubGenerationCurrent(generation: number, manager: RemoteIngressManager): boolean {
@@ -2498,17 +2676,30 @@ export class DcRouter {
     return run;
   }
 
+  private queueSmartProxyLifecycleTask<T>(task: () => Promise<T>): Promise<T> {
+    const run = this.smartProxyLifecycleChain.then(task);
+    this.smartProxyLifecycleChain = run.then(() => undefined, () => undefined);
+    return run;
+  }
+
+  private queueEmailLifecycleTask<T>(task: () => Promise<T>): Promise<T> {
+    const run = this.emailLifecycleChain.then(task);
+    this.emailLifecycleChain = run.then(() => undefined, () => undefined);
+    return run;
+  }
+
   private async stopRemoteIngress(): Promise<void> {
     this.remoteIngressHubStopping = true;
     this.remoteIngressHubGeneration++;
     await this.queueRemoteIngressHubTask(async () => {
       const currentTunnelManager = this.tunnelManager;
-      this.tunnelManager = undefined;
       if (currentTunnelManager) {
         await currentTunnelManager.stop();
+        if (this.tunnelManager === currentTunnelManager) {
+          this.tunnelManager = undefined;
+        }
       }
     });
-    this.remoteIngressManager = undefined;
   }
 
   public async mutateRemoteIngressEdges<T>(
@@ -2544,35 +2735,96 @@ export class DcRouter {
   }
 
   public async updateRemoteIngressHubSettings(
-    updates: { performance?: IRemoteIngressPerformanceConfig },
+    updates: TRemoteIngressHubSettingsUpdate,
     updatedBy: string,
   ): Promise<IRemoteIngressHubSettings> {
-    return await this.queueRemoteIngressHubTask(async () => {
-      if (this.remoteIngressHubStopping) {
-        throw new Error('RemoteIngress is stopping');
-      }
-      if (!this.remoteIngressManager) {
-        throw new Error('RemoteIngress is not configured');
-      }
+    const manager = this.remoteIngressManager;
+    if (!manager) {
+      throw new Error('RemoteIngress is not configured');
+    }
+
+    const previousSettings = manager.getHubSettings();
+    const settings = await manager.updateHubSettings(updates, updatedBy);
+    const enabledChanged = previousSettings.enabled !== settings.enabled;
+
+    if (!settings.enabled) {
+      await this.queueRemoteIngressHubTask(async () => {
+        await this.stopRemoteIngressTunnelHubLocked();
+      });
+    }
 
-      const settings = await this.remoteIngressManager.updateHubSettings(updates, updatedBy);
-      if (this.options.remoteIngressConfig?.enabled) {
+    if (enabledChanged) {
+      await this.restartSmartProxyForRemoteIngressSettings();
+    }
+
+    if (settings.enabled) {
+      await this.queueRemoteIngressHubTask(async () => {
         await this.restartRemoteIngressTunnelHubLocked();
+      });
+    }
+
+    return settings;
+  }
+
+  private async restartSmartProxyForRemoteIngressSettings(): Promise<void> {
+    await this.queueSmartProxyLifecycleTask(async () => {
+      const restartSmartProxy = async () => {
+        try {
+          if (this.smartProxy) {
+            const existingSmartProxy = this.smartProxy;
+            existingSmartProxy.removeAllListeners();
+            await existingSmartProxy.stop();
+            if (this.smartProxy === existingSmartProxy) {
+              this.smartProxy = undefined;
+            }
+          }
+        } finally {
+          await this.stopSmartAcme();
+        }
+        await this.setupSmartProxy();
+      };
+
+      if (this.routeConfigManager) {
+        await this.routeConfigManager.runExclusiveRouteUpdate(restartSmartProxy);
+      } else {
+        await restartSmartProxy();
+      }
+
+      if (!this.routeConfigManager) {
+        return;
       }
-      return settings;
+      await this.routeConfigManager.initialize(
+        this.seedConfigRoutes as IDcRouterRouteConfig[],
+        this.seedEmailRoutes as IDcRouterRouteConfig[],
+        this.seedDnsRoutes as IDcRouterRouteConfig[],
+      );
     });
   }
 
+  private async stopRemoteIngressTunnelHubLocked(): Promise<void> {
+    this.remoteIngressHubGeneration++;
+    const currentTunnelManager = this.tunnelManager;
+    if (currentTunnelManager) {
+      await currentTunnelManager.stop();
+      if (this.tunnelManager === currentTunnelManager) {
+        this.tunnelManager = undefined;
+      }
+    }
+  }
+
   private async restartRemoteIngressTunnelHubLocked(): Promise<void> {
     const generation = ++this.remoteIngressHubGeneration;
-    if (!this.remoteIngressManager || !this.options.remoteIngressConfig?.enabled || this.remoteIngressHubStopping) {
+    const hubSettings = this.remoteIngressManager?.getHubSettings();
+    if (!this.remoteIngressManager || !hubSettings?.enabled || this.remoteIngressHubStopping) {
       return;
     }
 
     const currentTunnelManager = this.tunnelManager;
-    this.tunnelManager = undefined;
     if (currentTunnelManager) {
       await currentTunnelManager.stop();
+      if (this.tunnelManager === currentTunnelManager) {
+        this.tunnelManager = undefined;
+      }
     }
 
     if (this.remoteIngressHubStopping || generation !== this.remoteIngressHubGeneration) {
@@ -2582,19 +2834,25 @@ export class DcRouter {
   }
 
   private async startRemoteIngressTunnelHubLocked(generation: number): Promise<void> {
-    const riCfg = this.options.remoteIngressConfig;
     const manager = this.remoteIngressManager;
-    if (!riCfg?.enabled || !manager || this.remoteIngressHubStopping || generation !== this.remoteIngressHubGeneration) {
+    const hubSettings = manager?.getHubSettings();
+    if (!manager || !hubSettings?.enabled || this.remoteIngressHubStopping || generation !== this.remoteIngressHubGeneration) {
       return;
     }
 
-    const tlsConfig = await this.resolveRemoteIngressTlsConfig(riCfg);
+    const firewallConfig = await this.securityPolicyManager?.compileRemoteIngressFirewall();
+    if (this.remoteIngressHubStopping || generation !== this.remoteIngressHubGeneration || this.remoteIngressManager !== manager) {
+      return;
+    }
+    manager.setFirewallConfig(firewallConfig);
+
+    const tlsConfig = await this.resolveRemoteIngressTlsConfig(hubSettings.hubDomain);
     if (this.remoteIngressHubStopping || generation !== this.remoteIngressHubGeneration || this.remoteIngressManager !== manager) {
       return;
     }
 
     const tunnelManager = new TunnelManager(manager, {
-      tunnelPort: riCfg.tunnelPort ?? 8443,
+      tunnelPort: hubSettings.tunnelPort,
       targetHost: '127.0.0.1',
       tls: tlsConfig,
       performance: manager.getHubPerformanceConfig(),
@@ -2607,23 +2865,26 @@ export class DcRouter {
     }
 
     if (this.remoteIngressHubStopping || generation !== this.remoteIngressHubGeneration || this.remoteIngressManager !== manager) {
-      await tunnelManager.stop();
+      await tunnelManager.stop().catch((err) => {
+        logger.log('warn', `Failed to stop stale RemoteIngress tunnel hub: ${(err as Error).message}`);
+      });
       return;
     }
     this.tunnelManager = tunnelManager;
   }
 
   private async resolveRemoteIngressTlsConfig(
-    riCfg: NonNullable<IDcRouterOptions['remoteIngressConfig']>,
+    hubDomain?: string,
   ): Promise<{ certPem: string; keyPem: string } | undefined> {
     // Resolve TLS certs for tunnel: explicit paths > ACME for hubDomain > self-signed (Rust default)
     let tlsConfig: { certPem: string; keyPem: string } | undefined;
 
     // Priority 1: Explicit cert/key file paths
-    if (riCfg.tls?.certPath && riCfg.tls?.keyPath) {
+    const explicitTls = this.options.remoteIngressConfig?.tls;
+    if (explicitTls?.certPath && explicitTls?.keyPath) {
       try {
-        const certPem = plugins.fs.readFileSync(riCfg.tls.certPath, 'utf8');
-        const keyPem = plugins.fs.readFileSync(riCfg.tls.keyPath, 'utf8');
+        const certPem = plugins.fs.readFileSync(explicitTls.certPath, 'utf8');
+        const keyPem = plugins.fs.readFileSync(explicitTls.keyPath, 'utf8');
         tlsConfig = { certPem, keyPem };
         logger.log('info', 'Using explicit TLS cert/key for RemoteIngress tunnel');
       } catch (err: unknown) {
@@ -2632,12 +2893,12 @@ export class DcRouter {
     }
 
     // Priority 2: Existing cert from SmartProxy cert store for hubDomain
-    if (!tlsConfig && riCfg.hubDomain) {
+    if (!tlsConfig && hubDomain) {
       try {
-        const stored = await ProxyCertDoc.findByDomain(riCfg.hubDomain);
+        const stored = await ProxyCertDoc.findByDomain(hubDomain);
         if (stored?.publicKey && stored?.privateKey) {
           tlsConfig = { certPem: stored.publicKey, keyPem: stored.privateKey };
-          logger.log('info', `Using stored ACME cert for RemoteIngress tunnel TLS: ${riCfg.hubDomain}`);
+          logger.log('info', `Using stored ACME cert for RemoteIngress tunnel TLS: ${hubDomain}`);
         }
       } catch { /* no stored cert, fall through */ }
     }