@serve.zone/dcrouter 15.0.0 → 15.0.2

package/ts/classes.dcrouter.ts

@@ -27,61 +27,22 @@ import { commitinfo } from './00_commitinfo_data.js';
 import { OpsServer } from './opsserver/index.js';
 import { MetricsManager } from './monitoring/index.js';
 import { RadiusServer, type IRadiusServerConfig } from './radius/index.js';
-import { RemoteIngressManager, TunnelManager } from './remoteingress/index.js';
-import { VpnManager, type IVpnManagerConfig } from './vpn/index.js';
+import { RemoteIngressHubLifecycle, RemoteIngressManager, TunnelManager } from './remoteingress/index.js';
+import { VpnAccessResolver, VpnManager, type IVpnManagerConfig } from './vpn/index.js';
 import { RouteConfigManager, ApiTokenManager, GatewayClientManager, ReferenceResolver, DbSeeder, TargetProfileManager, buildHttpRedirectRuntimeRoutes } from './config/index.js';
 import type { TVpnClientAllowEntry } from './config/classes.route-config-manager.js';
-import { SecurityLogger, ContentScanner, IPReputationChecker, SecurityPolicyManager } from './security/index.js';
+import { SecurityLogger, ContentScanner, IPReputationChecker, SecurityPolicyManager, RoutePolicyAugmenter } from './security/index.js';
 import { type IHttp3Config, augmentRoutesWithHttp3 } from './http3/index.js';
 import { DnsManager } from './dns/manager.dns.js';
+import { DnsServerRuntime } from './dns/classes.dns-server-runtime.js';
 import { AcmeConfigManager } from './acme/manager.acme-config.js';
-import { EmailDomainManager, EmailSettingsManager, SmartMtaStorageManager, WorkAppMailManager, buildEmailDnsRecords } from './email/index.js';
+import { SmartAcmeLifecycle } from './acme/classes.smartacme-lifecycle.js';
+import { AcceptedEmailSpool, EmailDomainManager, EmailRouteBuilder, EmailSettingsManager, SmartMtaStorageManager, WorkAppMailManager, type TSmartMtaQueueItemLike } from './email/index.js';
 import type { IRoute } from '../ts_interfaces/data/route-management.js';
 import type { IEmailPortConfig, IEmailServerSettings, IEmailServerSettingsSeed, TEmailServerSettingsUpdate } from '../ts_interfaces/data/email-settings.js';
 import type { IDcRouterRouteConfig, IRemoteIngressHubSettings, IRemoteIngressPerformanceConfig, TRemoteIngressHubSettingsUpdate } from '../ts_interfaces/data/remoteingress.js';
 import type { ISecurityCompiledPolicy } from '../ts_interfaces/data/security-policy.js';
 
-type TInboundProxyProtocolPolicy = NonNullable<plugins.smartproxy.IRouteMatch['inboundProxyProtocol']>;
-const DCROUTER_CACHE_ID_HEADER = 'X-Dcrouter-Cached-Email-Id';
-const ACCEPTED_EMAIL_SPOOL_INTERVAL_MS = 60_000;
-const ACCEPTED_EMAIL_RETRY_DELAY_MS = 5 * 60_000;
-const ACCEPTED_EMAIL_QUEUE_LEASE_MS = 30 * 60_000;
-const ACCEPTED_EMAIL_SPOOL_BATCH_SIZE = 25;
-const ACCEPTED_EMAIL_STOP_DRAIN_TIMEOUT_MS = 30_000;
-
-type TSmartMtaQueueItemLike = {
-  processingResult?: {
-    headers?: Record<string, string>;
-    email?: { headers?: Record<string, string> };
-  };
-  status?: 'pending' | 'processing' | 'queued' | 'delivered' | 'failed' | 'deferred';
-  attempts?: number;
-  nextAttempt?: Date;
-  lastError?: string;
-};
-
-type TStoredCachedEmailEnvelopeAddress = {
-  address: string;
-  args?: Record<string, string>;
-};
-
-type TStoredCachedEmailSession = {
-  id?: string;
-  clientHostname?: string;
-  remoteAddress?: string;
-  secure?: boolean;
-  authenticated?: boolean;
-  user?: IExtendedSmtpSession['user'];
-  envelope?: {
-    mailFrom?: TStoredCachedEmailEnvelopeAddress;
-    rcptTo?: TStoredCachedEmailEnvelopeAddress[];
-  };
-};
-
-type TStoredCachedEmailRouteData = {
-  session?: TStoredCachedEmailSession;
-};
-
 export interface IDcRouterOptions {
   /** Base directory for all dcrouter data. Defaults to ~/.serve.zone/dcrouter */
   baseDir?: string;
@@ -320,16 +281,8 @@ export class DcRouter {
   // Remote Ingress
   public remoteIngressManager?: RemoteIngressManager;
   public tunnelManager?: TunnelManager;
-  private remoteIngressHubLifecycleChain: Promise<void> = Promise.resolve();
   private smartProxyLifecycleChain: Promise<void> = Promise.resolve();
   private emailLifecycleChain: Promise<void> = Promise.resolve();
-  private acceptedEmailSpoolTimer?: ReturnType<typeof setInterval> & { unref?: () => void };
-  private acceptedEmailSpoolRun?: Promise<void>;
-  private acceptedEmailSpoolProcessing = false;
-  private acceptedEmailSpoolStopping = false;
-  private acceptedEmailQueueUpdatePromises = new Set<Promise<void>>();
-  private remoteIngressHubStopping = false;
-  private remoteIngressHubGeneration = 0;
 
   // VPN
   public vpnManager?: VpnManager;
@@ -349,16 +302,13 @@ export class DcRouter {
   public emailSettingsManager?: EmailSettingsManager;
   public emailDomainManager?: EmailDomainManager;
   public workAppMailManager: WorkAppMailManager;
+  public acceptedEmailSpool: AcceptedEmailSpool;
   public securityPolicyManager?: SecurityPolicyManager;
 
   // Auto-discovered public IP (populated by generateAuthoritativeRecords)
   public detectedPublicIp: string | null = null;
 
   // DNS query logging rate limiter state
-  private dnsLogWindowSecond: number = 0; // epoch second of current window
-  private dnsLogWindowCount: number = 0;  // queries logged this second
-  private dnsBatchCount: number = 0;
-  private dnsBatchTimer: ReturnType<typeof setTimeout> | null = null;
 
   // Certificate status tracking from SmartProxy events (keyed by domain)
   public certificateStatusMap = new Map<string, {
@@ -376,19 +326,19 @@ export class DcRouter {
   // Service lifecycle management
   public serviceManager: plugins.taskbuffer.ServiceManager;
   private serviceSubjectSubscription?: plugins.smartrx.rxjs.Subscription;
-  public smartAcmeReady = false;
-  private smartAcmeServiceStarted = false;
-  private smartAcmeStartGeneration = 0;
-  private smartAcmeStartPromise?: Promise<void>;
-  private smartAcmeRetryTimer?: ReturnType<typeof setTimeout>;
-  private smartAcmeRetryAttempt = 0;
+  public smartAcmeLifecycle: SmartAcmeLifecycle;
+  public vpnAccessResolver: VpnAccessResolver;
+  public remoteIngressHubLifecycle: RemoteIngressHubLifecycle;
+  public dnsServerRuntime: DnsServerRuntime;
+  public emailRouteBuilder: EmailRouteBuilder;
+  public routePolicyAugmenter: RoutePolicyAugmenter;
 
   // TypedRouter for API endpoints
   public typedrouter = new plugins.typedrequest.TypedRouter();
 
   // Seed routes assembled during setupSmartProxy, passed to RouteConfigManager for DB seeding
   private seedConfigRoutes: plugins.smartproxy.IRouteConfig[] = [];
-  private seedEmailRoutes: IDcRouterRouteConfig[] = [];
+  public seedEmailRoutes: IDcRouterRouteConfig[] = [];
   private seedDnsRoutes: plugins.smartproxy.IRouteConfig[] = [];
   // Live DoH routes used during SmartProxy bootstrap before RouteConfigManager re-applies stored routes.
   private runtimeDnsRoutes: plugins.smartproxy.IRouteConfig[] = [];
@@ -409,6 +359,13 @@ export class DcRouter {
       plugins.path.join(this.resolvedPaths.dataDir, 'smartmta-storage')
     );
     this.workAppMailManager = new WorkAppMailManager(this);
+    this.acceptedEmailSpool = new AcceptedEmailSpool(this);
+    this.smartAcmeLifecycle = new SmartAcmeLifecycle(this);
+    this.vpnAccessResolver = new VpnAccessResolver(this);
+    this.remoteIngressHubLifecycle = new RemoteIngressHubLifecycle(this);
+    this.dnsServerRuntime = new DnsServerRuntime(this);
+    this.emailRouteBuilder = new EmailRouteBuilder(this);
+    this.routePolicyAugmenter = new RoutePolicyAugmenter(this);
 
     // Initialize service manager and register all services
     this.serviceManager = new plugins.taskbuffer.ServiceManager({
@@ -635,7 +592,7 @@ export class DcRouter {
                 }
               }
             } finally {
-              await this.stopSmartAcme();
+              await this.smartAcmeLifecycle.stop();
             }
           });
         })
@@ -652,12 +609,12 @@ export class DcRouter {
           .optional()
           .dependsOn('SmartProxy')
           .withStart(async () => {
-            this.smartAcmeServiceStarted = true;
-            this.startSmartAcmeInBackground();
+            this.smartAcmeLifecycle.serviceStarted = true;
+            this.smartAcmeLifecycle.startInBackground();
           })
           .withStop(async () => {
-            this.smartAcmeServiceStarted = false;
-            await this.stopSmartAcme();
+            this.smartAcmeLifecycle.serviceStarted = false;
+            await this.smartAcmeLifecycle.stop();
           })
           .withRetry({ maxRetries: 0 }),
       );
@@ -684,20 +641,20 @@ export class DcRouter {
             this.routeConfigManager = new RouteConfigManager(
               () => this.smartProxy,
               () => this.options.http3,
-              this.createVpnClientAccessResolver(),
+              this.vpnAccessResolver.createRouteAllowResolver(),
               this.referenceResolver,
               // Sync routes to RemoteIngressManager whenever routes change,
               // then push updated derived ports to the Rust hub binary
               async (routes) => {
                 try {
-                  await this.updateRemoteIngressRoutes(routes as IDcRouterRouteConfig[]);
+                  await this.remoteIngressHubLifecycle.updateRoutes(routes as IDcRouterRouteConfig[]);
                 } catch (err: unknown) {
                   logger.log('error', `Failed to sync Remote Ingress allowed edges: ${(err as Error).message}`);
                 }
               },
               (preparedRoutes) => buildHttpRedirectRuntimeRoutes(preparedRoutes || []),
-              (storedRoute: IRoute) => this.hydrateStoredRouteForRuntime(storedRoute),
-              (routes) => this.applyInboundProxyProtocolPolicies(routes),
+              (storedRoute: IRoute) => this.emailRouteBuilder.hydrateStoredRouteForRuntime(storedRoute),
+              (routes) => this.routePolicyAugmenter.applyInboundProxyProtocolPolicies(routes),
             );
             this.apiTokenManager = new ApiTokenManager();
             await this.apiTokenManager.initialize();
@@ -763,20 +720,11 @@ export class DcRouter {
           .optional()
           .dependsOn('SmartProxy', ...((this.options.dbConfig?.enabled !== false) ? ['EmailServer'] : []))
           .withStart(async () => {
-            await this.setupDnsWithSocketHandler();
+            await this.dnsServerRuntime.setup();
           })
           .withStop(async () => {
             // Flush pending DNS batch log
-            if (this.dnsBatchTimer) {
-              clearTimeout(this.dnsBatchTimer);
-              if (this.dnsBatchCount > 0) {
-                logger.log('info', `DNS: ${this.dnsBatchCount} queries processed (final flush)`, { zone: 'dns' });
-              }
-              this.dnsBatchTimer = null;
-              this.dnsBatchCount = 0;
-              this.dnsLogWindowSecond = 0;
-              this.dnsLogWindowCount = 0;
-            }
+            this.dnsServerRuntime.flushQueryLogBatch();
             if (this.dnsServer) {
               this.dnsServer.removeAllListeners();
               await this.dnsServer.stop();
@@ -814,10 +762,10 @@ export class DcRouter {
           .optional()
           .dependsOn('SmartProxy', 'RemoteIngressManager')
           .withStart(async () => {
-            await this.setupRemoteIngress();
+            await this.remoteIngressHubLifecycle.setup();
           })
           .withStop(async () => {
-            await this.stopRemoteIngress();
+            await this.remoteIngressHubLifecycle.stop();
           })
           .withRetry({ maxRetries: 3, baseDelayMs: 2000, maxDelayMs: 30_000 }),
       );
@@ -857,7 +805,7 @@ export class DcRouter {
     });
   }
 
-  private isRemoteIngressHubEnabled(): boolean {
+  public isRemoteIngressHubEnabled(): boolean {
     return this.remoteIngressManager?.getHubSettings().enabled
       ?? this.options.remoteIngressConfig?.enabled
       ?? false;
@@ -893,138 +841,6 @@ export class DcRouter {
     return seed;
   }
 
-  private startSmartAcmeInBackground(): void {
-    if (!this.smartAcme) {
-      this.smartAcmeReady = false;
-      return;
-    }
-
-    const generation = ++this.smartAcmeStartGeneration;
-    this.smartAcmeReady = false;
-    this.smartAcmeRetryAttempt = 0;
-    this.clearSmartAcmeRetryTimer();
-    this.scheduleSmartAcmeStart(generation, 0);
-  }
-
-  private scheduleSmartAcmeStart(generation: number, delayMs: number): void {
-    this.clearSmartAcmeRetryTimer();
-    const retryTimer = setTimeout(() => {
-      this.smartAcmeRetryTimer = undefined;
-      this.runSmartAcmeStartAttempt(generation).catch((err) => {
-        logger.log('error', `Unexpected SmartAcme startup error: ${(err as Error).message}`);
-      });
-    }, delayMs);
-    this.smartAcmeRetryTimer = retryTimer;
-    const unrefableTimer = retryTimer as any;
-    if (typeof unrefableTimer?.unref === 'function') {
-      unrefableTimer.unref();
-    }
-  }
-
-  private async runSmartAcmeStartAttempt(generation: number): Promise<void> {
-    const smartAcme = this.smartAcme;
-    if (!smartAcme || generation !== this.smartAcmeStartGeneration) {
-      return;
-    }
-
-    const startPromise = smartAcme.start();
-    this.smartAcmeStartPromise = startPromise;
-
-    try {
-      await startPromise;
-      if (generation !== this.smartAcmeStartGeneration || this.smartAcme !== smartAcme) {
-        await smartAcme.stop().catch((err) => {
-          logger.log('warn', `Failed to stop stale SmartAcme instance: ${(err as Error).message}`);
-        });
-        return;
-      }
-
-      this.smartAcmeReady = true;
-      this.smartAcmeRetryAttempt = 0;
-      logger.log('info', 'SmartAcme DNS-01 provider is now ready');
-      this.retriggerCertificateProvisioningAfterSmartAcmeReady();
-    } catch (err) {
-      if (generation !== this.smartAcmeStartGeneration || this.smartAcme !== smartAcme) {
-        return;
-      }
-
-      this.smartAcmeReady = false;
-      await smartAcme.stop().catch((stopErr) => {
-        logger.log('warn', `Failed to clean up SmartAcme after startup failure: ${(stopErr as Error).message}`);
-      });
-      this.smartAcmeRetryAttempt++;
-      if (this.smartAcmeRetryAttempt > 20) {
-        logger.log('error', `SmartAcme DNS-01 provider failed after 20 startup attempts: ${(err as Error).message}`);
-        return;
-      }
-
-      const baseDelayMs = 5000;
-      const maxDelayMs = 3_600_000;
-      const delayMs = Math.min(baseDelayMs * Math.pow(2, this.smartAcmeRetryAttempt - 1), maxDelayMs);
-      const jitter = 0.8 + Math.random() * 0.4;
-      const actualDelayMs = Math.floor(delayMs * jitter);
-      logger.log('warn', `SmartAcme DNS-01 provider startup failed: ${(err as Error).message}; retrying in ${actualDelayMs}ms (attempt ${this.smartAcmeRetryAttempt}/20)`);
-      this.scheduleSmartAcmeStart(generation, actualDelayMs);
-    } finally {
-      if (this.smartAcmeStartPromise === startPromise) {
-        this.smartAcmeStartPromise = undefined;
-      }
-    }
-  }
-
-  private retriggerCertificateProvisioningAfterSmartAcmeReady(): void {
-    // During startup, certProvisionFunction returns 'http01' while SmartAcme is not ready,
-    // but Rust ACME is disabled when certProvisionFunction is set. Re-applying routes
-    // retries provisioning now that DNS-01 is available.
-    if (this.routeConfigManager) {
-      logger.log('info', 'Re-triggering certificate provisioning via RouteConfigManager');
-      this.routeConfigManager.applyRoutes().catch((err: any) => {
-        logger.log('warn', `Failed to re-trigger cert provisioning: ${err?.message || err}`);
-      });
-      return;
-    }
-
-    if (this.smartProxy) {
-      if (this.certProvisionScheduler) {
-        this.certProvisionScheduler.clear();
-      }
-      const currentRoutes = this.smartProxy.routeManager.getRoutes();
-      logger.log('info', `Re-triggering certificate provisioning for ${currentRoutes.length} routes`);
-      this.smartProxy.updateRoutes(currentRoutes).catch((err: any) => {
-        logger.log('warn', `Failed to re-trigger cert provisioning: ${err?.message || err}`);
-      });
-    }
-  }
-
-  private clearSmartAcmeRetryTimer(): void {
-    if (this.smartAcmeRetryTimer) {
-      clearTimeout(this.smartAcmeRetryTimer);
-      this.smartAcmeRetryTimer = undefined;
-    }
-  }
-
-  private async stopSmartAcme(): Promise<void> {
-    this.smartAcmeStartGeneration++;
-    this.smartAcmeReady = false;
-    this.smartAcmeRetryAttempt = 0;
-    this.clearSmartAcmeRetryTimer();
-
-    const smartAcme = this.smartAcme;
-    if (!smartAcme) {
-      return;
-    }
-
-    try {
-      await smartAcme.stop();
-    } catch (err) {
-      logger.log('error', 'Error stopping SmartAcme', { error: String(err) });
-    } finally {
-      if (this.smartAcme === smartAcme) {
-        this.smartAcme = undefined;
-      }
-    }
-  }
-
   public async start() {
     await this.checkSystemLimits();
     logger.log('info', 'Starting DcRouter Services');
@@ -1196,7 +1012,7 @@ export class DcRouter {
           this.smartProxy = undefined;
         }
       } finally {
-        await this.stopSmartAcme();
+        await this.smartAcmeLifecycle.stop();
       }
     }
 
@@ -1207,7 +1023,7 @@ export class DcRouter {
 
     this.seedEmailRoutes = [];
     if (this.options.emailConfig && this.options.dbConfig?.enabled !== false) {
-      this.seedEmailRoutes = this.generateEmailRoutes(this.options.emailConfig);
+      this.seedEmailRoutes = this.emailRouteBuilder.generateEmailRoutes(this.options.emailConfig);
       logger.log('debug', 'Email routes generated', { routes: JSON.stringify(this.seedEmailRoutes) });
     } else if (this.options.emailConfig) {
       logger.log('warn', 'Email routes skipped because dbConfig.enabled=false and SMTP acceptance requires durable DB persistence');
@@ -1224,7 +1040,7 @@ export class DcRouter {
     // Combined routes for SmartProxy bootstrap (before DB routes are loaded)
     let routes: plugins.smartproxy.IRouteConfig[] = [
       ...this.seedConfigRoutes,
-      ...this.getRuntimeEmailRoutes(this.seedEmailRoutes as IDcRouterRouteConfig[]),
+      ...this.emailRouteBuilder.getRuntimeEmailRoutes(this.seedEmailRoutes as IDcRouterRouteConfig[]),
       ...this.runtimeDnsRoutes,
     ];
 
@@ -1273,10 +1089,10 @@ export class DcRouter {
       routes = augmentRoutesWithHttp3(routes, http3Config);
       logger.log('info', 'HTTP/3: Augmented qualifying HTTPS routes with QUIC/H3 configuration');
     }
-    routes = this.applyInboundProxyProtocolPolicies(routes);
+    routes = this.routePolicyAugmenter.applyInboundProxyProtocolPolicies(routes);
 
     const compiledSecurityPolicy = await this.securityPolicyManager?.compileSmartProxyPolicy();
-    const mergedSecurityPolicy = this.mergeSecurityPolicies(
+    const mergedSecurityPolicy = this.routePolicyAugmenter.mergeSecurityPolicies(
       (this.options.smartProxyConfig as any)?.securityPolicy,
       compiledSecurityPolicy,
     );
@@ -1359,7 +1175,7 @@ export class DcRouter {
       // SmartAcme starts in the background because ACME account setup can be slow or rate-limited,
       // and must not block dcrouter's global startup timeout.
       if (this.smartAcme) {
-        await this.stopSmartAcme();
+        await this.smartAcmeLifecycle.stop();
       }
       if (challengeHandlers.length > 0) {
         // Safe non-null: challengeHandlers.length > 0 implies both dnsManager
@@ -1371,15 +1187,15 @@ export class DcRouter {
           challengeHandlers: challengeHandlers,
           challengePriority: ['dns-01'],
         });
-        if (this.smartAcmeServiceStarted) {
-          this.startSmartAcmeInBackground();
+        if (this.smartAcmeLifecycle.serviceStarted) {
+          this.smartAcmeLifecycle.startInBackground();
         }
 
         const scheduler = this.certProvisionScheduler;
         smartProxyConfig.certProvisionFallbackToAcme = false;
         smartProxyConfig.certProvisionFunction = async (domain, eventComms) => {
           // If SmartAcme is not yet ready (still starting or retrying), fall back to HTTP-01
-          if (!this.smartAcmeReady) {
+          if (!this.smartAcmeLifecycle.ready) {
             eventComms.warn(`SmartAcme not yet initialized, falling back to http-01 for ${domain}`);
             return 'http01';
           }
@@ -1492,7 +1308,7 @@ export class DcRouter {
         if (this.smartProxy === smartProxy) {
           this.smartProxy = undefined;
         }
-        await this.stopSmartAcme();
+        await this.smartAcmeLifecycle.stop();
         if (this.certProvisionScheduler) {
           this.certProvisionScheduler.clear();
           this.certProvisionScheduler = undefined;
@@ -1570,7 +1386,7 @@ export class DcRouter {
     }
 
     const compiledSmartProxyPolicy = await this.securityPolicyManager.compileSmartProxyPolicy();
-    const mergedSecurityPolicy = this.mergeSecurityPolicies(
+    const mergedSecurityPolicy = this.routePolicyAugmenter.mergeSecurityPolicies(
       (this.options.smartProxyConfig as any)?.securityPolicy,
       compiledSmartProxyPolicy,
     );
@@ -1583,240 +1399,9 @@ export class DcRouter {
     }
 
     const firewallConfig = await this.securityPolicyManager.compileRemoteIngressFirewall();
-    await this.queueRemoteIngressHubTask(async () => {
-      if (this.remoteIngressHubStopping) return;
-      if (this.remoteIngressManager) {
-        this.remoteIngressManager.setFirewallConfig(firewallConfig);
-      }
-      if (this.tunnelManager) {
-        await this.tunnelManager.syncAllowedEdges();
-      }
-    });
-  }
-
-  private mergeSecurityPolicies(
-    ...policies: Array<Partial<ISecurityCompiledPolicy> | undefined>
-  ): ISecurityCompiledPolicy | undefined {
-    const blockedIps = new Set<string>();
-    const blockedCidrs = new Set<string>();
-
-    for (const policy of policies) {
-      for (const ip of policy?.blockedIps || []) {
-        if (ip) blockedIps.add(ip);
-      }
-      for (const cidr of policy?.blockedCidrs || []) {
-        if (cidr) blockedCidrs.add(cidr);
-      }
-    }
-
-    if (blockedIps.size === 0 && blockedCidrs.size === 0) {
-      return undefined;
-    }
-
-    return {
-      blockedIps: [...blockedIps].sort(),
-      blockedCidrs: [...blockedCidrs].sort(),
-    };
-  }
-   
-   
-
-  private applyInboundProxyProtocolPolicies(
-    routes: plugins.smartproxy.IRouteConfig[],
-  ): plugins.smartproxy.IRouteConfig[] {
-    const policiesByListener = new Map<string, TInboundProxyProtocolPolicy>();
-
-    for (const route of routes) {
-      const policy = route.match?.inboundProxyProtocol || this.getDesiredInboundProxyProtocolPolicy(route);
-      if (!policy) {
-        continue;
-      }
-      for (const listenerKey of this.getInboundProxyListenerKeys(route)) {
-        const mergedPolicy = this.mergeInboundProxyProtocolPolicies(
-          policiesByListener.get(listenerKey),
-          policy,
-        );
-        if (mergedPolicy) {
-          policiesByListener.set(listenerKey, mergedPolicy);
-        }
-      }
-    }
-
-    if (policiesByListener.size === 0) {
-      return routes;
-    }
-
-    return routes.map((route) => {
-      if (route.match?.inboundProxyProtocol) {
-        return route;
-      }
-      let listenerPolicy: TInboundProxyProtocolPolicy | undefined;
-      for (const listenerKey of this.getInboundProxyListenerKeys(route)) {
-        listenerPolicy = this.mergeInboundProxyProtocolPolicies(
-          listenerPolicy,
-          policiesByListener.get(listenerKey),
-        );
-      }
-      if (!listenerPolicy) {
-        return route;
-      }
-      return {
-        ...route,
-        match: {
-          ...route.match,
-          inboundProxyProtocol: listenerPolicy,
-        },
-      };
-    });
-  }
-
-  private getDesiredInboundProxyProtocolPolicy(
-    route: plugins.smartproxy.IRouteConfig,
-  ): TInboundProxyProtocolPolicy | undefined {
-    const dcRoute = route as IDcRouterRouteConfig;
-    if (this.isRemoteIngressHubEnabled() && dcRoute.remoteIngress?.enabled) {
-      const ports = plugins.smartproxy.expandPortRange(route.match.ports as any) as number[];
-      if (ports.some((port) => port === 25 || port === 587)) {
-        return { mode: 'required' };
-      }
-      return { mode: 'optional' };
-    }
-    if (this.options.vpnConfig?.enabled) {
-      return { mode: 'optional' };
-    }
-    return undefined;
-  }
-
-  private getInboundProxyListenerKeys(route: plugins.smartproxy.IRouteConfig): string[] {
-    const ports = plugins.smartproxy.expandPortRange(route.match.ports as any) as number[];
-    const transports = route.match.transport === 'udp'
-      ? ['udp']
-      : route.match.transport === 'all'
-        ? ['tcp', 'udp']
-        : ['tcp'];
-    const keys: string[] = [];
-    for (const port of ports) {
-      for (const transport of transports) {
-        keys.push(`${transport}:${port}`);
-      }
-    }
-    return keys;
-  }
-
-  private mergeInboundProxyProtocolPolicies(
-    current?: TInboundProxyProtocolPolicy,
-    next?: TInboundProxyProtocolPolicy,
-  ): TInboundProxyProtocolPolicy | undefined {
-    if (!current) return next;
-    if (!next) return current;
-    if (current.mode === 'required') return current;
-    if (next.mode === 'required') return next;
-    if (current.mode === 'optional') return current;
-    if (next.mode === 'optional') return next;
-    return current;
+    await this.remoteIngressHubLifecycle.applyFirewallConfig(firewallConfig);
   }
 
-  /**
-   * Generate SmartProxy routes for email configuration
-   */
-  private generateEmailRoutes(emailConfig: IUnifiedEmailServerOptions): IDcRouterRouteConfig[] {
-    const emailRoutes: IDcRouterRouteConfig[] = [];
-    
-    // Create routes for each email port
-    for (const port of emailConfig.ports) {
-      // Create a descriptive name for the route based on the port
-      let routeName = 'email-route';
-      let tlsMode: 'terminate' | undefined;
-      
-      // Handle different email ports differently
-      switch (port) {
-        case 25: // SMTP
-          routeName = 'smtp-route';
-          break;
-          
-        case 587: // Submission
-          routeName = 'submission-route';
-          break;
-          
-        case 465: // SMTPS
-          routeName = 'smtps-route';
-          tlsMode = 'terminate'; // SmartProxy owns public TLS; backend remains server-first SMTP
-          break;
-          
-        default:
-          routeName = `email-port-${port}-route`;
-          
-          // Check if we have specific settings for this port
-          if (this.options.emailPortConfig?.portSettings && 
-              this.options.emailPortConfig.portSettings[port]) {
-            const portSettings = this.options.emailPortConfig.portSettings[port];
-            
-            // If this port requires TLS termination, set the mode accordingly
-            if (portSettings.terminateTls) {
-              tlsMode = 'terminate';
-            }
-            
-            // Override the route name if specified
-            if (portSettings.routeName) {
-              routeName = portSettings.routeName;
-            }
-          }
-          break;
-      }
-      
-      // Create forward action to route to internal email server ports
-      const defaultPortMapping: Record<number, number> = {
-        25: 10025,   // SMTP
-        587: 10587,  // Submission
-        465: 10465   // SMTPS
-      };
-
-      const portMapping = this.options.emailPortConfig?.portMapping || defaultPortMapping;
-      const internalPort = portMapping[port] || port + 10000;
-
-      let action: any = {
-        type: 'forward',
-        sendProxyProtocol: true,
-        targets: [{
-          host: 'localhost', // Forward to internal email server
-          port: internalPort,
-          sendProxyProtocol: true,
-        }]
-      };
-      
-      // Plain SMTP/STARTTLS ports must not carry TLS metadata, or SmartProxy waits for TLS/SNI first.
-      if (tlsMode === 'terminate') {
-        action.tls = {
-          mode: tlsMode,
-          certificate: 'auto',
-        };
-      }
-      
-      // Create the route configuration
-      const routeConfig: IDcRouterRouteConfig = {
-        name: routeName,
-        match: {
-          ports: [port],
-          transport: 'tcp',
-        },
-        action: action
-      };
-
-      if (this.isRemoteIngressHubEnabled()) {
-        routeConfig.remoteIngress = { enabled: true };
-        const inboundProxyProtocol = this.getRemoteIngressEmailInboundProxyPolicy(port);
-        if (inboundProxyProtocol) {
-          routeConfig.match.inboundProxyProtocol = inboundProxyProtocol;
-        }
-      }
-      
-      // Add the route to our list
-      emailRoutes.push(routeConfig);
-    }
-    
-    return emailRoutes;
-  }
-  
   /**
    * Generate SmartProxy routes for DNS configuration
    */
@@ -1845,7 +1430,7 @@ export class DcRouter {
         action: includeSocketHandler
           ? {
               type: 'socket-handler' as any,
-              socketHandler: this.createDnsSocketHandler()
+              socketHandler: this.dnsServerRuntime.createSocketHandler()
             } as any
           : {
               type: 'socket-handler' as any,
@@ -1858,198 +1443,6 @@ export class DcRouter {
     return dnsRoutes;
   }
 
-  private getRuntimeEmailRoutes(emailRoutes: IDcRouterRouteConfig[]): plugins.smartproxy.IRouteConfig[] {
-    return emailRoutes.map((route) => this.createServerFirstEmailRuntimeRoute(route) || route);
-  }
-
-  private getCurrentGeneratedEmailRouteNames(): Set<string> {
-    if (this.options.dbConfig?.enabled === false) {
-      return new Set();
-    }
-    const sourceRoutes = this.seedEmailRoutes.length > 0
-      ? this.seedEmailRoutes
-      : this.options.emailConfig
-        ? this.generateEmailRoutes(this.options.emailConfig)
-        : [];
-    return new Set(sourceRoutes.map((route) => route.name).filter(Boolean) as string[]);
-  }
-
-  private shouldHydrateGeneratedEmailRoute(storedRoute: IRoute): boolean {
-    if (storedRoute.origin !== 'email') {
-      return false;
-    }
-    const routeName = storedRoute.route.name;
-    if (!routeName || !this.getCurrentGeneratedEmailRouteNames().has(routeName)) {
-      return false;
-    }
-    const expectedSystemKey = `email:${routeName}`;
-    return !storedRoute.systemKey || storedRoute.systemKey === expectedSystemKey;
-  }
-
-  private createServerFirstEmailRuntimeRoute(
-    route: plugins.smartproxy.IRouteConfig,
-  ): plugins.smartproxy.IRouteConfig | undefined {
-    const action = route.action as any;
-    if (action?.type !== 'forward') {
-      return undefined;
-    }
-    const tlsMode = action.tls?.mode;
-    if (tlsMode === 'terminate-and-reencrypt') {
-      return undefined;
-    }
-    const routePorts = plugins.smartproxy.expandPortRange(route.match?.ports as any) as number[];
-    if (routePorts.length !== 1) {
-      return undefined;
-    }
-
-    const target = action.targets?.[0];
-    if (!target || action.targets.length !== 1 || typeof target.port !== 'number') {
-      return undefined;
-    }
-    if (typeof target.host !== 'string') {
-      return undefined;
-    }
-
-    const targetHost = target.host === 'localhost' ? '127.0.0.1' : target.host;
-    const inboundProxyProtocol = this.getRemoteIngressEmailInboundProxyPolicy(routePorts[0]);
-    return {
-      ...route,
-      match: {
-        ...route.match,
-        ...(inboundProxyProtocol
-          ? { inboundProxyProtocol }
-          : {}),
-      },
-      action: {
-        type: 'socket-handler' as any,
-        ...(action.tls
-          ? { tls: action.tls }
-          : {}),
-        socketHandler: this.createEmailSocketProxyHandler(targetHost, target.port),
-      } as any,
-    };
-  }
-
-  private getRemoteIngressEmailInboundProxyPolicy(
-    port: number,
-  ): TInboundProxyProtocolPolicy | undefined {
-    if (!this.isRemoteIngressHubEnabled()) {
-      return undefined;
-    }
-    return { mode: port === 25 || port === 587 ? 'required' : 'optional' };
-  }
-
-  private createEmailSocketProxyHandler(
-    targetHost: string,
-    targetPort: number,
-  ): NonNullable<plugins.smartproxy.IRouteConfig['action']['socketHandler']> {
-    return (clientSocket, context) => {
-      let backendSocket: plugins.net.Socket | undefined;
-      let connectTimeout: ReturnType<typeof setTimeout> & { unref?: () => void };
-      let cleanupDone = false;
-
-      const cleanup = () => {
-        if (cleanupDone) return;
-        cleanupDone = true;
-        clearTimeout(connectTimeout);
-        clientSocket.removeListener('timeout', cleanup);
-        clientSocket.removeListener('error', cleanup);
-        clientSocket.removeListener('end', cleanup);
-        clientSocket.removeListener('close', cleanup);
-        backendSocket?.removeListener('timeout', cleanup);
-        backendSocket?.removeListener('error', cleanup);
-        backendSocket?.removeListener('end', cleanup);
-        backendSocket?.removeListener('close', cleanup);
-        clientSocket.destroy();
-        backendSocket?.destroy();
-      };
-
-      connectTimeout = setTimeout(() => {
-        cleanup();
-      }, 30_000);
-      connectTimeout.unref?.();
-
-      clientSocket.setTimeout(300_000);
-      clientSocket.on('timeout', cleanup);
-      clientSocket.on('error', cleanup);
-      clientSocket.on('end', cleanup);
-      clientSocket.on('close', cleanup);
-
-      backendSocket = plugins.net.connect(targetPort, targetHost, () => {
-        clearTimeout(connectTimeout);
-        backendSocket?.setTimeout(300_000);
-        const proxyHeader = this.createProxyProtocolV1Header(
-          context?.clientIp,
-          targetHost,
-          0,
-          targetPort,
-        );
-        if (!proxyHeader) {
-          cleanup();
-          return;
-        }
-        backendSocket!.write(proxyHeader, () => {
-          clientSocket.pipe(backendSocket!);
-          backendSocket!.pipe(clientSocket);
-        });
-      });
-      backendSocket.setTimeout(30_000);
-      backendSocket.on('timeout', cleanup);
-      backendSocket.on('error', cleanup);
-      backendSocket.on('end', cleanup);
-      backendSocket.on('close', cleanup);
-    };
-  }
-
-  private createProxyProtocolV1Header(
-    sourceIp: string | undefined,
-    destinationIp: string,
-    sourcePort: number,
-    destinationPort: number,
-  ): string | undefined {
-    if (!sourceIp || !plugins.net.isIP(sourceIp)) {
-      logger.log('warn', `Cannot create email PROXY protocol header for invalid source IP: ${sourceIp || 'unknown'}`);
-      return undefined;
-    }
-    const sourceFamily = plugins.net.isIP(sourceIp);
-    const destinationAddress = destinationIp === 'localhost' || destinationIp === '127.0.0.1' || destinationIp === '::1'
-      ? sourceFamily === 6 ? '::1' : '127.0.0.1'
-      : destinationIp;
-    const destinationFamily = plugins.net.isIP(destinationAddress);
-    if (!destinationFamily) {
-      logger.log('warn', `Cannot create email PROXY protocol header for invalid destination IP: ${destinationIp}`);
-      return undefined;
-    }
-    if (sourceFamily !== destinationFamily) {
-      return undefined;
-    }
-    const protocol = sourceFamily === 6 ? 'TCP6' : 'TCP4';
-    return `PROXY ${protocol} ${sourceIp} ${destinationAddress} ${sourcePort} ${destinationPort}\r\n`;
-  }
-
-  private hydrateStoredRouteForRuntime(storedRoute: IRoute): plugins.smartproxy.IRouteConfig | undefined {
-    const routeName = storedRoute.route.name || '';
-    const isDohRoute = storedRoute.origin === 'dns'
-      && storedRoute.route.action?.type === 'socket-handler'
-      && routeName.startsWith('dns-over-https-');
-
-    if (!isDohRoute) {
-      if (this.shouldHydrateGeneratedEmailRoute(storedRoute)) {
-        return this.createServerFirstEmailRuntimeRoute(storedRoute.route);
-      }
-      return undefined;
-    }
-
-    return {
-      ...storedRoute.route,
-      action: {
-        ...storedRoute.route.action,
-        type: 'socket-handler' as any,
-        socketHandler: this.createDnsSocketHandler(),
-      } as any,
-    };
-  }
-
   /**
    * Check if a domain matches a pattern (including wildcard support)
    * @param domain The domain to check
@@ -2217,7 +1610,7 @@ export class DcRouter {
           if (configuredDecision && !configuredDecision.accepted) {
             return configuredDecision;
           }
-          const dcrouterDecision = await this.acceptSmartMtaMessage(
+          const dcrouterDecision = await this.acceptedEmailSpool.acceptMessage(
             context,
             configuredDecision ? configuredDecision.continueProcessing === true : true,
           );
@@ -2258,16 +1651,16 @@ export class DcRouter {
 
     try {
       this.addEmailEventSubscription(emailServer.deliveryQueue, 'itemEnqueued', (item: TSmartMtaQueueItemLike) => {
-        this.trackAcceptedEmailQueueUpdate(item, 'queued', 'Unable to update accepted email after queue enqueue');
+        this.acceptedEmailSpool.trackQueueUpdate(item, 'queued', 'Unable to update accepted email after queue enqueue');
       });
       this.addEmailEventSubscription(emailServer.deliveryQueue, 'itemDelivered', (item: TSmartMtaQueueItemLike) => {
-        this.trackAcceptedEmailQueueUpdate(item, 'delivered', 'Unable to mark accepted email delivered');
+        this.acceptedEmailSpool.trackQueueUpdate(item, 'delivered', 'Unable to mark accepted email delivered');
       });
       this.addEmailEventSubscription(emailServer.deliveryQueue, 'itemDeferred', (item: TSmartMtaQueueItemLike) => {
-        this.trackAcceptedEmailQueueUpdate(item, 'queued', 'Unable to defer accepted email');
+        this.acceptedEmailSpool.trackQueueUpdate(item, 'queued', 'Unable to defer accepted email');
       });
       this.addEmailEventSubscription(emailServer.deliveryQueue, 'itemFailed', (item: TSmartMtaQueueItemLike) => {
-        this.trackAcceptedEmailQueueUpdate(item, 'failed', 'Unable to mark accepted email failed');
+        this.acceptedEmailSpool.trackQueueUpdate(item, 'failed', 'Unable to mark accepted email failed');
       });
 
       // Wire delivery events to MetricsManager and logger using smartmta's public queue APIs.
@@ -2320,18 +1713,17 @@ export class DcRouter {
         updateQueueSize();
       }
 
-      await this.recoverQueuedAcceptedEmails();
-      this.startAcceptedEmailSpoolProcessor();
+      await this.acceptedEmailSpool.recoverQueuedEmails();
+      this.acceptedEmailSpool.start();
     } catch (error: unknown) {
-      this.acceptedEmailSpoolStopping = true;
-      this.clearAcceptedEmailSpoolTimer();
+      this.acceptedEmailSpool.beginStop();
       try {
         await emailServer.stop();
       } catch (stopError: unknown) {
         logger.log('warn', `Error cleaning up failed UnifiedEmailServer setup: ${(stopError as Error).message}`);
       }
-      await this.stopAcceptedEmailSpoolProcessor();
-      await this.drainAcceptedEmailQueueUpdates();
+      await this.acceptedEmailSpool.stop();
+      await this.acceptedEmailSpool.drainQueueUpdates();
       this.clearEmailEventSubscriptions();
       if (this.emailServer === emailServer) {
         this.emailServer = undefined;
@@ -2342,421 +1734,63 @@ export class DcRouter {
     logger.log('info', `Email server started on ports: ${emailConfig.ports.join(', ')}`);
   }
 
-  private async acceptSmartMtaMessage(
-    context: IMessageAcceptanceContext,
-    processAfterAccept = true,
-  ): Promise<IMessageAcceptanceDecision> {
-    if (!this.dcRouterDb?.isReady()) {
-      throw new Error('DcRouterDb is not available for email acceptance');
-    }
-    this.throwIfMessageAcceptanceAborted(context.abortSignal);
-
-    const rawMessage = context.rawMessage;
-    const session = context.session;
-    const envelope = session.envelope;
-    const envelopeRecipients = Array.isArray(envelope.rcptTo)
-      ? envelope.rcptTo.map((recipient) => recipient.address).filter(Boolean)
-      : [];
-    const email = context.email;
-    const headers = email.headers;
-
-    const cachedEmail = CachedEmail.createNew();
-    this.removeHeader(email.headers, DCROUTER_CACHE_ID_HEADER);
-    email.headers[DCROUTER_CACHE_ID_HEADER] = cachedEmail.id;
-    cachedEmail.messageId = headers['Message-ID'] || headers['message-id'] || cachedEmail.id;
-    cachedEmail.from = envelope.mailFrom?.address || email.from || '';
-    cachedEmail.to = envelopeRecipients.length > 0
-      ? envelopeRecipients
-      : Array.isArray(email.to) ? email.to : [];
-    cachedEmail.cc = Array.isArray(email.cc) ? email.cc : [];
-    cachedEmail.bcc = Array.isArray(email.bcc) ? email.bcc : [];
-    cachedEmail.subject = email.subject || '';
-    cachedEmail.rawContent = this.setDcRouterCacheIdHeader(rawMessage.toString('utf8'), cachedEmail.id);
-    cachedEmail.status = 'pending';
-    cachedEmail.nextAttempt = new Date();
-    cachedEmail.routeData = JSON.stringify({
-      acceptedAt: new Date().toISOString(),
-      session: {
-        id: session.id,
-        remoteAddress: session.remoteAddress,
-        clientHostname: session.clientHostname,
-        secure: !!session.secure,
-        authenticated: !!session.authenticated,
-        user: session.user,
-        envelope,
-      },
-    });
-    cachedEmail.updateSenderDomain();
-    await cachedEmail.save();
-    if (context.abortSignal?.aborted) {
-      cachedEmail.markFailed('Message acceptance aborted before SMTP success');
-      await cachedEmail.save();
-      throw new Error('Message acceptance aborted before SMTP success');
-    }
+  
+  /**
+   * Update the unified email configuration
+   * @param config New email configuration
+   */
+  public async updateEmailConfig(config: IUnifiedEmailServerOptions): Promise<void> {
+    await this.queueEmailLifecycleTask(async () => {
+      // Stop existing email components
+      await this.stopUnifiedEmailComponents();
 
-    if (processAfterAccept) {
-      this.runAcceptedEmailSpoolProcessor();
-    } else {
-      cachedEmail.markDelivered();
-      await cachedEmail.save();
-    }
+      // Update configuration
+      this.options.emailConfig = config;
+      this.emailDomainManager?.setBaseEmailDomains(config.domains as IEmailDomainConfig[] | undefined);
+      await this.emailDomainManager?.syncManagedDomainsToRuntime();
 
-    return {
-      accepted: true,
-      smtpCode: 250,
-      smtpMessage: '2.0.0 Message accepted for delivery',
-      continueProcessing: false,
-    };
-  }
+      // Start email handling with new configuration
+      await this.setupUnifiedEmailHandling();
 
-  private setDcRouterCacheIdHeader(rawContent: string, cachedEmailId: string): string {
-    const headerRegex = new RegExp(`^${DCROUTER_CACHE_ID_HEADER}:.*(?:\r?\n[\t ].*)*\r?\n?`, 'gim');
-    const sanitizedContent = rawContent.replace(headerRegex, '');
-    return `${DCROUTER_CACHE_ID_HEADER}: ${cachedEmailId}\r\n${sanitizedContent}`;
+      logger.log('info', 'Unified email configuration updated');
+    });
   }
 
-  private async processAcceptedCachedEmail(
-    cachedEmail: CachedEmail,
-    emailData: Email | plugins.buffer.Buffer,
-    session: IExtendedSmtpSession,
-    emailServer: UnifiedEmailServer,
-  ): Promise<void> {
-    cachedEmail.status = 'processing';
-    cachedEmail.nextAttempt = new Date(Date.now() + ACCEPTED_EMAIL_QUEUE_LEASE_MS);
-    await cachedEmail.save();
-
-    try {
-      await emailServer.processEmailByMode(emailData, session);
-      if (session.matchedRoute?.action.type === 'forward') {
-        cachedEmail.markDelivered();
-      } else {
-        const currentCachedEmail = await CachedEmail.findById(cachedEmail.id) || cachedEmail;
-        if (this.isCachedEmailTerminal(currentCachedEmail)) {
-          return;
-        }
-        currentCachedEmail.status = 'queued';
-        currentCachedEmail.nextAttempt = new Date(Date.now() + ACCEPTED_EMAIL_QUEUE_LEASE_MS);
-        await currentCachedEmail.save();
-        return;
+  public async updateEmailServerSettings(
+    settings: TEmailServerSettingsUpdate,
+    updatedBy = 'system',
+  ): Promise<IEmailServerSettings> {
+    return await this.queueEmailLifecycleTask(async () => {
+      if (!this.emailSettingsManager) {
+        throw new Error('EmailSettingsManager is not initialized');
       }
-      await cachedEmail.save();
-    } catch (error: unknown) {
-      cachedEmail.scheduleRetry(ACCEPTED_EMAIL_RETRY_DELAY_MS);
-      cachedEmail.lastError = (error as Error).message;
-      await cachedEmail.save();
-      logger.log('warn', `Accepted email ${cachedEmail.id} deferred after SmartMTA handoff failure: ${(error as Error).message}`);
-    }
-  }
-
-  private startAcceptedEmailSpoolProcessor(): void {
-    this.clearAcceptedEmailSpoolTimer();
-    this.acceptedEmailSpoolStopping = false;
-    const runProcessor = () => {
-      this.runAcceptedEmailSpoolProcessor();
-    };
-    this.acceptedEmailSpoolTimer = setInterval(
-      runProcessor,
-      ACCEPTED_EMAIL_SPOOL_INTERVAL_MS,
-    ) as ReturnType<typeof setInterval> & { unref?: () => void };
-    this.acceptedEmailSpoolTimer.unref?.();
-    runProcessor();
-  }
-
-  private clearAcceptedEmailSpoolTimer(): void {
-    if (this.acceptedEmailSpoolTimer) {
-      clearInterval(this.acceptedEmailSpoolTimer);
-      this.acceptedEmailSpoolTimer = undefined;
-    }
-  }
 
-  private async stopAcceptedEmailSpoolProcessor(): Promise<void> {
-    this.acceptedEmailSpoolStopping = true;
-    this.clearAcceptedEmailSpoolTimer();
-    const spoolRun = this.acceptedEmailSpoolRun;
-    if (spoolRun) {
-      const settled = await this.waitForPromiseToSettleWithTimeout(
-        spoolRun,
-        ACCEPTED_EMAIL_STOP_DRAIN_TIMEOUT_MS,
-      );
-      if (!settled) {
-        logger.log('warn', 'Timed out waiting for accepted email spool processing to stop');
-      }
-    }
-  }
+      const updatedSettings = await this.emailSettingsManager.updateSettings(settings, updatedBy);
+      this.emailDomainManager?.setBaseEmailDomains(this.options.emailConfig?.domains as IEmailDomainConfig[] | undefined);
+      await this.emailDomainManager?.syncManagedDomainsToRuntime();
+      this.seedEmailRoutes = this.options.emailConfig
+        ? this.emailRouteBuilder.generateEmailRoutes(this.options.emailConfig)
+        : [];
 
-  private runAcceptedEmailSpoolProcessor(): void {
-    if (this.acceptedEmailSpoolRun) {
-      return;
-    }
-    const run = this.processAcceptedEmailSpool().catch((error) => {
-      logger.log('warn', `Accepted email spool processing failed: ${(error as Error).message}`);
-    });
-    this.acceptedEmailSpoolRun = run;
-    void run.finally(() => {
-      if (this.acceptedEmailSpoolRun === run) {
-        this.acceptedEmailSpoolRun = undefined;
+      if (this.routeConfigManager) {
+        await this.routeConfigManager.initialize(
+          this.seedConfigRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
+          this.seedEmailRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
+          this.seedDnsRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
+        );
       }
-    });
-  }
 
-  private async processAcceptedEmailSpool(): Promise<void> {
-    const emailServer = this.emailServer;
-    if (this.acceptedEmailSpoolProcessing || !emailServer || !this.dcRouterDb?.isReady()) {
-      return;
-    }
-    this.acceptedEmailSpoolProcessing = true;
-    try {
-      const cachedEmails = await CachedEmail.findPendingForDelivery(ACCEPTED_EMAIL_SPOOL_BATCH_SIZE);
-      for (const cachedEmail of cachedEmails) {
-        if (this.acceptedEmailSpoolStopping || this.emailServer !== emailServer) {
-          break;
+      if (this.options.emailConfig) {
+        if (this.emailServer) {
+          await this.stopUnifiedEmailComponents();
         }
-        const session = this.buildCachedEmailSession(cachedEmail);
-        const rawMessage = plugins.buffer.Buffer.from(cachedEmail.rawContent || '', 'utf8');
-        await this.processAcceptedCachedEmail(cachedEmail, rawMessage, session, emailServer);
+        await this.setupUnifiedEmailHandling();
+      } else if (this.emailServer) {
+        await this.stopUnifiedEmailComponents();
       }
-    } finally {
-      this.acceptedEmailSpoolProcessing = false;
-    }
-  }
 
-  private buildCachedEmailSession(cachedEmail: CachedEmail): IExtendedSmtpSession {
-    const routeData = this.parseCachedEmailRouteData(cachedEmail);
-    const storedSession = routeData.session || {};
-    const storedEnvelope = storedSession.envelope || {};
-    const storedRcptTo = Array.isArray(storedEnvelope.rcptTo) && storedEnvelope.rcptTo.length > 0
-      ? storedEnvelope.rcptTo
-      : cachedEmail.to.map((address) => ({ address, args: {} }));
-    const rcptTo = storedRcptTo
-      .filter((recipient) => !!recipient.address)
-      .map((recipient) => ({ address: recipient.address, args: recipient.args || {} }));
-    const mailFrom = storedEnvelope.mailFrom
-      ? { address: storedEnvelope.mailFrom.address, args: storedEnvelope.mailFrom.args || {} }
-      : { address: cachedEmail.from || '', args: {} };
-    const session = {
-      id: `${storedSession.id || cachedEmail.id}-replay-${Date.now()}`,
-      state: 'DATA' as unknown as IExtendedSmtpSession['state'],
-      clientHostname: storedSession.clientHostname || '',
-      mailFrom: mailFrom.address,
-      rcptTo: rcptTo.map((recipient) => recipient.address),
-      emailData: cachedEmail.rawContent || '',
-      useTLS: !!storedSession.secure,
-      connectionEnded: false,
-      remoteAddress: storedSession.remoteAddress || '127.0.0.1',
-      secure: !!storedSession.secure,
-      authenticated: !!storedSession.authenticated,
-      envelope: {
-        mailFrom,
-        rcptTo,
-      },
-    } as IExtendedSmtpSession;
-    if (storedSession.user) {
-      session.user = storedSession.user;
-    }
-    return session;
-  }
-
-  private parseCachedEmailRouteData(cachedEmail: CachedEmail): TStoredCachedEmailRouteData {
-    try {
-      return cachedEmail.routeData ? JSON.parse(cachedEmail.routeData) : {};
-    } catch {
-      return {};
-    }
-  }
-
-  private async updateAcceptedEmailFromQueueItem(
-    item: TSmartMtaQueueItemLike,
-    status: 'queued' | 'delivered' | 'failed',
-  ): Promise<void> {
-    const cachedEmailId = this.getCachedEmailIdFromQueueItem(item);
-    if (!cachedEmailId || !this.dcRouterDb?.isReady()) {
-      return;
-    }
-    const cachedEmail = await CachedEmail.findById(cachedEmailId);
-    if (!cachedEmail) {
-      return;
-    }
-    if (this.isCachedEmailTerminal(cachedEmail) && status !== 'delivered') {
-      return;
-    }
-    cachedEmail.attempts = Math.max(cachedEmail.attempts || 0, item.attempts || 0);
-    if (status === 'delivered') {
-      cachedEmail.markDelivered();
-    } else if (status === 'failed') {
-      cachedEmail.markFailed(item.lastError || 'SmartMTA delivery failed');
-    } else {
-      cachedEmail.status = 'queued';
-      cachedEmail.nextAttempt = new Date(Date.now() + ACCEPTED_EMAIL_QUEUE_LEASE_MS);
-    }
-    await cachedEmail.save();
-  }
-
-  private trackAcceptedEmailQueueUpdate(
-    item: TSmartMtaQueueItemLike,
-    status: 'queued' | 'delivered' | 'failed',
-    failureMessage: string,
-  ): void {
-    const updatePromise = this.updateAcceptedEmailFromQueueItem(item, status).catch((error) => {
-      logger.log('warn', `${failureMessage}: ${(error as Error).message}`);
-    });
-    this.acceptedEmailQueueUpdatePromises.add(updatePromise);
-    void updatePromise.finally(() => {
-      this.acceptedEmailQueueUpdatePromises.delete(updatePromise);
-    });
-  }
-
-  private async drainAcceptedEmailQueueUpdates(): Promise<void> {
-    const queueUpdates = [...this.acceptedEmailQueueUpdatePromises];
-    if (queueUpdates.length === 0) {
-      return;
-    }
-    const settled = await this.waitForPromiseToSettleWithTimeout(
-      Promise.allSettled(queueUpdates).then(() => undefined),
-      ACCEPTED_EMAIL_STOP_DRAIN_TIMEOUT_MS,
-    );
-    if (!settled) {
-      for (const queueUpdate of queueUpdates) {
-        this.acceptedEmailQueueUpdatePromises.delete(queueUpdate);
-      }
-      logger.log('warn', `Timed out waiting for ${queueUpdates.length} accepted email queue update(s) to settle`);
-    }
-  }
-
-  private async waitForPromiseToSettleWithTimeout(
-    promise: Promise<unknown>,
-    timeoutMs: number,
-  ): Promise<boolean> {
-    let timeout: (ReturnType<typeof setTimeout> & { unref?: () => void }) | undefined;
-    return await new Promise<boolean>((resolve) => {
-      let settled = false;
-      const settle = (didSettle: boolean) => {
-        if (settled) {
-          return;
-        }
-        settled = true;
-        if (timeout) {
-          clearTimeout(timeout);
-        }
-        resolve(didSettle);
-      };
-      timeout = setTimeout(() => settle(false), timeoutMs) as ReturnType<typeof setTimeout> & { unref?: () => void };
-      timeout.unref?.();
-      promise.then(
-        () => settle(true),
-        () => settle(true),
-      );
-    });
-  }
-
-  private async recoverQueuedAcceptedEmails(): Promise<void> {
-    while (true) {
-      const queuedEmails = await CachedEmail.findQueuedForRecovery(ACCEPTED_EMAIL_SPOOL_BATCH_SIZE);
-      if (queuedEmails.length === 0) {
-        return;
-      }
-      for (const queuedEmail of queuedEmails) {
-        if (this.isCachedEmailTerminal(queuedEmail)) {
-          continue;
-        }
-        queuedEmail.status = 'pending';
-        queuedEmail.nextAttempt = new Date();
-        await queuedEmail.save();
-      }
-      if (queuedEmails.length < ACCEPTED_EMAIL_SPOOL_BATCH_SIZE) {
-        return;
-      }
-    }
-  }
-
-  private isCachedEmailTerminal(cachedEmail: CachedEmail): boolean {
-    return cachedEmail.status === 'delivered' || cachedEmail.status === 'failed';
-  }
-
-  private getCachedEmailIdFromQueueItem(item: TSmartMtaQueueItemLike): string | undefined {
-    return this.getHeaderValue(item.processingResult?.headers, DCROUTER_CACHE_ID_HEADER)
-      || this.getHeaderValue(item.processingResult?.email?.headers, DCROUTER_CACHE_ID_HEADER);
-  }
-
-  private getHeaderValue(headers: Record<string, string> | undefined, headerName: string): string | undefined {
-    if (!headers) {
-      return undefined;
-    }
-    const normalizedHeaderName = headerName.toLowerCase();
-    const matchingHeaderName = Object.keys(headers).find((key) => key.toLowerCase() === normalizedHeaderName);
-    return matchingHeaderName ? headers[matchingHeaderName] : undefined;
-  }
-
-  private removeHeader(headers: Record<string, string>, headerName: string): void {
-    const normalizedHeaderName = headerName.toLowerCase();
-    for (const key of Object.keys(headers)) {
-      if (key.toLowerCase() === normalizedHeaderName) {
-        delete headers[key];
-      }
-    }
-  }
-
-  private throwIfMessageAcceptanceAborted(abortSignal: AbortSignal | undefined): void {
-    if (abortSignal?.aborted) {
-      throw new Error('Message acceptance aborted before SMTP success');
-    }
-  }
-  
-  /**
-   * Update the unified email configuration
-   * @param config New email configuration
-   */
-  public async updateEmailConfig(config: IUnifiedEmailServerOptions): Promise<void> {
-    await this.queueEmailLifecycleTask(async () => {
-      // Stop existing email components
-      await this.stopUnifiedEmailComponents();
-
-      // Update configuration
-      this.options.emailConfig = config;
-      this.emailDomainManager?.setBaseEmailDomains(config.domains as IEmailDomainConfig[] | undefined);
-      await this.emailDomainManager?.syncManagedDomainsToRuntime();
-
-      // Start email handling with new configuration
-      await this.setupUnifiedEmailHandling();
-
-      logger.log('info', 'Unified email configuration updated');
-    });
-  }
-
-  public async updateEmailServerSettings(
-    settings: TEmailServerSettingsUpdate,
-    updatedBy = 'system',
-  ): Promise<IEmailServerSettings> {
-    return await this.queueEmailLifecycleTask(async () => {
-      if (!this.emailSettingsManager) {
-        throw new Error('EmailSettingsManager is not initialized');
-      }
-
-      const updatedSettings = await this.emailSettingsManager.updateSettings(settings, updatedBy);
-      this.emailDomainManager?.setBaseEmailDomains(this.options.emailConfig?.domains as IEmailDomainConfig[] | undefined);
-      await this.emailDomainManager?.syncManagedDomainsToRuntime();
-      this.seedEmailRoutes = this.options.emailConfig
-        ? this.generateEmailRoutes(this.options.emailConfig)
-        : [];
-
-      if (this.routeConfigManager) {
-        await this.routeConfigManager.initialize(
-          this.seedConfigRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
-          this.seedEmailRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
-          this.seedDnsRoutes as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig[],
-        );
-      }
-
-      if (this.options.emailConfig) {
-        if (this.emailServer) {
-          await this.stopUnifiedEmailComponents();
-        }
-        await this.setupUnifiedEmailHandling();
-      } else if (this.emailServer) {
-        await this.stopUnifiedEmailComponents();
-      }
-
-      return updatedSettings;
-    });
+      return updatedSettings;
+    });
   }
   
   /**
@@ -2768,13 +1802,12 @@ export class DcRouter {
       if (this.emailServer) {
         const emailServer = this.emailServer;
         this.emailServer = undefined;
-        this.acceptedEmailSpoolStopping = true;
-        this.clearAcceptedEmailSpoolTimer();
+        this.acceptedEmailSpool.beginStop();
         try {
           await emailServer.stop();
         } finally {
-          await this.stopAcceptedEmailSpoolProcessor();
-          await this.drainAcceptedEmailQueueUpdates();
+          await this.acceptedEmailSpool.stop();
+          await this.acceptedEmailSpool.drainQueueUpdates();
           this.clearEmailEventSubscriptions();
         }
         logger.log('info', 'Unified email server stopped');
@@ -2823,497 +1856,6 @@ export class DcRouter {
    * Register DNS records with the DNS server
    * @param records Array of DNS records to register
    */
-  private registerDnsRecords(records: Array<{name: string; type: string; value: string; ttl?: number}>): void {
-    if (!this.dnsServer) return;
-    
-    // Register a separate handler for each record
-    // This ensures multiple records of the same type (like NS records) are all served
-    for (const record of records) {
-      // Register handler for this specific record
-      this.dnsServer.registerHandler(record.name, [record.type], (question) => {
-        // Check if this handler matches the question
-        if (question.name === record.name && question.type === record.type) {
-          return {
-            name: record.name,
-            type: record.type,
-            class: 'IN',
-            ttl: record.ttl || 300,
-            data: this.parseDnsRecordData(record.type, record.value)
-          };
-        }
-        
-        return null;
-      });
-    }
-    
-    logger.log('info', `Registered ${records.length} DNS handlers (one per record)`);
-  }
-  
-  /**
-   * Parse DNS record data based on record type
-   * @param type DNS record type
-   * @param value DNS record value
-   * @returns Parsed data for the DNS response
-   */
-  private parseDnsRecordData(type: string, value: string): any {
-    switch (type) {
-      case 'A':
-        return value; // IP address as string
-      case 'MX':
-        const [priority, exchange] = value.split(' ');
-        return { priority: parseInt(priority), exchange };
-      case 'TXT':
-        return value;
-      case 'NS':
-        return value;
-      case 'SOA':
-        // SOA format: primary-ns admin-email serial refresh retry expire minimum
-        const parts = value.split(' ');
-        return {
-          mname: parts[0],
-          rname: parts[1],
-          serial: parseInt(parts[2]),
-          refresh: parseInt(parts[3]),
-          retry: parseInt(parts[4]),
-          expire: parseInt(parts[5]),
-          minimum: parseInt(parts[6])
-        };
-      default:
-        return value;
-    }
-  }
-  
-  /**
-   * Set up DNS server with socket handler for DoH
-   */
-  private async setupDnsWithSocketHandler(): Promise<void> {
-    if (!this.options.dnsNsDomains || this.options.dnsNsDomains.length === 0) {
-      throw new Error('dnsNsDomains is required for DNS server setup');
-    }
-    
-    if (!this.options.dnsScopes || this.options.dnsScopes.length === 0) {
-      throw new Error('dnsScopes is required for DNS server setup');
-    }
-    
-    const primaryNameserver = this.options.dnsNsDomains[0];
-    logger.log('info', `Setting up DNS server with primary nameserver: ${primaryNameserver}`);
-    
-    // Get VM IP address for UDP binding
-    const networkInterfaces = plugins.os.networkInterfaces() as Record<
-      string,
-      Array<{ internal: boolean; family: string; address: string }> | undefined
-    >;
-    let vmIpAddress = this.options.dnsBindInterface || '0.0.0.0'; // Default to all interfaces
-
-    // Try to find the VM's internal IP address when no explicit bind address is configured.
-    if (!this.options.dnsBindInterface) {
-      interfaceLoop: for (const [_name, interfaces] of Object.entries(networkInterfaces)) {
-        if (interfaces) {
-          for (const iface of interfaces) {
-            if (!iface.internal && iface.family === 'IPv4') {
-              vmIpAddress = iface.address;
-              break interfaceLoop;
-            }
-          }
-        }
-      }
-    }
-    
-    // Create DNS server instance with manual HTTPS mode
-    this.dnsServer = new plugins.smartdns.dnsServerMod.DnsServer({
-      udpPort: 53,
-      udpBindInterface: vmIpAddress,
-      httpsPort: 443, // Required but won't bind due to manual mode
-      manualHttpsMode: true, // Enable manual HTTPS socket handling
-      dnssecZone: primaryNameserver,
-      primaryNameserver: primaryNameserver, // Automatically generates correct SOA records
-      // For now, use self-signed cert until we integrate with Let's Encrypt
-      httpsKey: '',
-      httpsCert: ''
-    });
-    
-    // Start the DNS server (UDP only)
-    await this.dnsServer.start();
-    logger.log('info', `DNS server started on UDP ${vmIpAddress}:53`);
-
-    // Wire DNS query events to MetricsManager and logger with adaptive rate limiting
-    if (this.metricsManager && this.dnsServer) {
-      const flushDnsBatch = () => {
-        if (this.dnsBatchCount > 0) {
-          logger.log('info', `DNS: ${this.dnsBatchCount} queries processed (rate limited)`, { zone: 'dns' });
-          this.dnsBatchCount = 0;
-        }
-        this.dnsBatchTimer = null;
-      };
-
-      this.dnsServer.on('query', (event: plugins.smartdns.dnsServerMod.IDnsQueryCompletedEvent) => {
-        // Metrics tracking
-        for (const question of event.questions) {
-          this.metricsManager?.trackDnsQuery(
-            question.type,
-            question.name,
-            false,
-            event.responseTimeMs,
-            event.answered,
-          );
-        }
-
-        // Adaptive logging: individual logs up to 2/sec, then batch
-        const nowSec = Math.floor(Date.now() / 1000);
-        if (nowSec !== this.dnsLogWindowSecond) {
-          this.dnsLogWindowSecond = nowSec;
-          this.dnsLogWindowCount = 0;
-        }
-
-        if (this.dnsLogWindowCount < 2) {
-          this.dnsLogWindowCount++;
-          const summary = event.questions.map(q => `${q.type} ${q.name}`).join(', ');
-          logger.log('info', `DNS query: ${summary} (${event.responseTimeMs}ms, ${event.answered ? 'answered' : 'unanswered'})`, { zone: 'dns' });
-        } else {
-          this.dnsBatchCount++;
-          if (!this.dnsBatchTimer) {
-            this.dnsBatchTimer = setTimeout(flushDnsBatch, 5000);
-          }
-        }
-      });
-    }
-    
-    // Validate DNS configuration
-    await this.validateDnsConfiguration();
-    
-    // Generate and register authoritative records
-    const authoritativeRecords = await this.generateAuthoritativeRecords();
-    
-     // Generate email DNS records
-     const emailDnsRecords = await this.generateEmailDnsRecords();
-     
-     // Ensure DKIM keys exist for internal-dns domains before generating records.
-     await this.initializeDkimForEmailDomains();
-     
-      // Generate DKIM records directly from smartmta.
-      const dkimRecords = await this.loadDkimRecords();
-    
-    // Combine all records: authoritative, email, DKIM, and user-defined
-    const allRecords = [...authoritativeRecords, ...emailDnsRecords, ...dkimRecords];
-    if (this.options.dnsRecords && this.options.dnsRecords.length > 0) {
-      allRecords.push(...this.options.dnsRecords);
-    }
-    
-    // Apply proxy IP replacement if configured
-    await this.applyProxyIpReplacement(allRecords);
-    
-    // Register all DNS records
-    if (allRecords.length > 0) {
-      this.registerDnsRecords(allRecords);
-      logger.log('info', `Registered ${allRecords.length} DNS records (${authoritativeRecords.length} authoritative, ${emailDnsRecords.length} email, ${dkimRecords.length} DKIM, ${this.options.dnsRecords?.length || 0} user-defined)`);
-    }
-
-    // Hand the DnsServer to DnsManager so DB-backed local records on
-    // dcrouter-hosted domains get registered too.
-    if (this.dnsManager && this.dnsServer) {
-      await this.dnsManager.attachDnsServer(this.dnsServer);
-    }
-  }
-
-  /**
-   * Create DNS socket handler for DoH
-   */
-  private createDnsSocketHandler(): (socket: plugins.net.Socket) => Promise<void> {
-    return async (socket: plugins.net.Socket) => {
-      if (!this.dnsServer) {
-        logger.log('error', 'DNS socket handler called but DNS server not initialized');
-        socket.end();
-        return;
-      }
-      
-      // Prevent uncaught exception from socket 'error' events
-      socket.on('error', (err) => {
-        logger.log('error', `DNS socket error: ${err.message}`);
-        if (!socket.destroyed) {
-          socket.destroy();
-        }
-      });
-
-      logger.log('debug', 'DNS socket handler: passing socket to DnsServer');
-
-      try {
-        // Use the built-in socket handler from smartdns
-        // This handles HTTP/2, DoH protocol, etc.
-        await (this.dnsServer as any).handleHttpsSocket(socket);
-      } catch (error: unknown) {
-        logger.log('error', `DNS socket handler error: ${(error as Error).message}`);
-        if (!socket.destroyed) {
-          socket.destroy();
-        }
-      }
-    };
-  }
-  
-  /**
-   * Validate DNS configuration
-   */
-  private async validateDnsConfiguration(): Promise<void> {
-    if (!this.options.dnsNsDomains || !this.options.dnsScopes) {
-      return;
-    }
-    
-    logger.log('info', 'Validating DNS configuration...');
-    
-    // Check if email domains with internal-dns are in dnsScopes
-    if (this.options.emailConfig?.domains) {
-      for (const domainConfig of this.options.emailConfig.domains) {
-        if (domainConfig.dnsMode === 'internal-dns' && 
-            !this.options.dnsScopes.includes(domainConfig.domain)) {
-          logger.log('warn', `Email domain '${domainConfig.domain}' with internal-dns mode is not in dnsScopes. It should be added to dnsScopes.`);
-        }
-      }
-    }
-    
-    // Validate user-provided DNS records are within scopes
-    if (this.options.dnsRecords) {
-      for (const record of this.options.dnsRecords) {
-        const recordDomain = this.extractDomain(record.name);
-        const isInScope = this.options.dnsScopes.some(scope => 
-          recordDomain === scope || recordDomain.endsWith(`.${scope}`)
-        );
-        
-        if (!isInScope) {
-          logger.log('warn', `DNS record for '${record.name}' is outside defined scopes [${this.options.dnsScopes.join(', ')}]`);
-        }
-      }
-    }
-  }
-  
-  /**
-   * Generate email DNS records for domains with internal-dns mode
-   */
-  private async generateEmailDnsRecords(): Promise<Array<{name: string; type: string; value: string; ttl?: number}>> {
-    const records: Array<{name: string; type: string; value: string; ttl?: number}> = [];
-    
-    if (!this.options.emailConfig?.domains) {
-      return records;
-    }
-    
-    // Filter domains with internal-dns mode
-    const internalDnsDomains = this.options.emailConfig.domains.filter(
-      domain => domain.dnsMode === 'internal-dns'
-    );
-    
-    for (const domainConfig of internalDnsDomains) {
-      const domain = domainConfig.domain;
-      const ttl = domainConfig.dns?.internal?.ttl || 3600;
-      const requiredRecords = buildEmailDnsRecords({
-        domain,
-        hostname: this.options.emailConfig.hostname,
-        mxPriority: domainConfig.dns?.internal?.mxPriority,
-      }).filter((record) => !record.name.includes('._domainkey.'));
-
-      for (const record of requiredRecords) {
-        records.push({
-          name: record.name,
-          type: record.type,
-          value: record.value,
-          ttl,
-        });
-      }
-    }
-    
-    logger.log('info', `Generated ${records.length} email DNS records for ${internalDnsDomains.length} internal-dns domains`);
-    return records;
-  }
-  
-  /**
-   * Generate DKIM DNS records for internal-dns domains from smartmta's selector-aware DKIM state.
-   */
-  private async loadDkimRecords(): Promise<Array<{name: string; type: string; value: string; ttl?: number}>> {
-    const records: Array<{name: string; type: string; value: string; ttl?: number}> = [];
-    if (!this.options.emailConfig?.domains || !this.emailServer?.dkimCreator) {
-      return records;
-    }
-
-    for (const domainConfig of this.options.emailConfig.domains) {
-      if (domainConfig.dnsMode !== 'internal-dns') {
-        continue;
-      }
-      const selector = domainConfig.dkim?.selector || 'default';
-      try {
-        const dkimRecord = await this.emailServer.dkimCreator.getDNSRecordForDomain(domainConfig.domain, selector);
-        records.push({
-          name: dkimRecord.name,
-          type: 'TXT',
-          value: dkimRecord.value,
-          ttl: domainConfig.dns?.internal?.ttl || 3600,
-        });
-      } catch (error: unknown) {
-        logger.log('error', `Failed to generate DKIM record for ${domainConfig.domain}: ${(error as Error).message}`);
-      }
-    }
-
-    return records;
-  }
-  
-  /**
-   * Initialize DKIM keys for all configured email domains
-   * This ensures DKIM records are available immediately at startup
-   */
-  private async initializeDkimForEmailDomains(): Promise<void> {
-    if (!this.options.emailConfig?.domains || !this.emailServer) {
-      return;
-    }
-    
-    logger.log('info', 'Initializing DKIM keys for email domains...');
-    
-    // Get DKIMCreator instance from email server (public in smartmta)
-    const dkimCreator = this.emailServer.dkimCreator;
-    if (!dkimCreator) {
-      logger.log('warn', 'DKIMCreator not available, skipping DKIM initialization');
-      return;
-    }
-    
-    // Ensure necessary directories exist
-    paths.ensureDataDirectories(this.resolvedPaths);
-    
-    // Generate DKIM keys for each internal-dns email domain using the configured selector.
-    for (const domainConfig of this.options.emailConfig.domains) {
-      if (domainConfig.dnsMode !== 'internal-dns') {
-        continue;
-      }
-      try {
-        await dkimCreator.handleDKIMKeysForSelector(
-          domainConfig.domain,
-          domainConfig.dkim?.selector || 'default',
-          domainConfig.dkim?.keySize || 2048,
-        );
-        logger.log('info', `DKIM keys initialized for ${domainConfig.domain}`);
-      } catch (error: unknown) {
-        logger.log('error', `Failed to initialize DKIM for ${domainConfig.domain}: ${(error as Error).message}`);
-      }
-    }
-
-    logger.log('info', 'DKIM initialization complete');
-  }
-  
-  /**
-   * Generate authoritative DNS records (NS only) for all domains in dnsScopes
-   * SOA records are now automatically generated by smartdns with primaryNameserver setting
-   */
-  private async generateAuthoritativeRecords(): Promise<Array<{name: string; type: string; value: string; ttl?: number}>> {
-    const records: Array<{name: string; type: string; value: string; ttl?: number}> = [];
-    
-    if (!this.options.dnsNsDomains || !this.options.dnsScopes) {
-      return records;
-    }
-    
-    // Determine the public IP for nameserver A records
-    let publicIp: string | null = null;
-    
-    // Use proxy IPs if configured (these should be public IPs)
-    if (this.options.proxyIps && this.options.proxyIps.length > 0) {
-      publicIp = this.options.proxyIps[0]; // Use first proxy IP
-      logger.log('info', `Using proxy IP for nameserver A records: ${publicIp}`);
-    } else if (this.options.publicIp) {
-      // Use explicitly configured public IP
-      publicIp = this.options.publicIp;
-      this.detectedPublicIp = publicIp;
-      logger.log('info', `Using configured public IP for nameserver A records: ${publicIp}`);
-    } else {
-      // Auto-discover public IP using smartnetwork
-      try {
-        logger.log('info', 'Auto-discovering public IP address...');
-        const smartNetwork = new plugins.smartnetwork.SmartNetwork();
-        const publicIps = await smartNetwork.getPublicIps();
-        
-        if (publicIps.v4) {
-          publicIp = publicIps.v4;
-          this.detectedPublicIp = publicIp;
-          logger.log('info', `Auto-discovered public IPv4: ${publicIp}`);
-        } else {
-          logger.log('warn', 'Could not auto-discover public IPv4 address');
-        }
-      } catch (error: unknown) {
-        logger.log('error', `Failed to auto-discover public IP: ${(error as Error).message}`);
-      }
-
-      if (!publicIp) {
-        logger.log('warn', 'No public IP available. Nameserver A records require either proxyIps, publicIp, or successful auto-discovery.');
-      }
-    }
-    
-    // Generate A records for nameservers if we have a public IP
-    if (publicIp) {
-      for (const nsDomain of this.options.dnsNsDomains) {
-        records.push({
-          name: nsDomain,
-          type: 'A',
-          value: publicIp,
-          ttl: 3600
-        });
-      }
-      logger.log('info', `Generated A records for ${this.options.dnsNsDomains.length} nameservers`);
-    }
-    
-    // Generate NS records for each domain in scopes
-    for (const domain of this.options.dnsScopes) {
-      // Add NS records for all nameservers
-      for (const nsDomain of this.options.dnsNsDomains) {
-        records.push({
-          name: domain,
-          type: 'NS',
-          value: nsDomain,
-          ttl: 3600
-        });
-      }
-      
-      // SOA records are now automatically generated by smartdns DnsServer
-      // with the primaryNameserver configuration option
-    }
-    
-    logger.log('info', `Generated ${records.length} total records (A + NS) for ${this.options.dnsScopes.length} domains`);
-    return records;
-  }
-  
-  /**
-   * Extract the base domain from a DNS record name
-   */
-  private extractDomain(recordName: string): string {
-    // Handle wildcards
-    if (recordName.startsWith('*.')) {
-      recordName = recordName.substring(2);
-    }
-    return recordName;
-  }
-  
-  /**
-   * Apply proxy IP replacement logic to DNS records
-   */
-  private async applyProxyIpReplacement(records: Array<{name: string; type: string; value: string; ttl?: number; useIngressProxy?: boolean}>): Promise<void> {
-    if (!this.options.proxyIps || this.options.proxyIps.length === 0) {
-      return; // No proxy IPs configured, skip replacement
-    }
-    
-    // Get server's public IP
-    const serverIp = await this.detectServerPublicIp();
-    if (!serverIp) {
-      logger.log('warn', 'Could not detect server public IP, skipping proxy IP replacement');
-      return;
-    }
-    
-    logger.log('info', `Applying proxy IP replacement. Server IP: ${serverIp}, Proxy IPs: ${this.options.proxyIps.join(', ')}`);
-    
-    let proxyIndex = 0;
-    for (const record of records) {
-      if (record.type === 'A' && 
-          record.value === serverIp && 
-          record.useIngressProxy !== false) {
-        // Round-robin through proxy IPs
-        const proxyIp = this.options.proxyIps[proxyIndex % this.options.proxyIps.length];
-        logger.log('info', `Replacing A record for ${record.name}: ${record.value} → ${proxyIp}`);
-        record.value = proxyIp;
-        proxyIndex++;
-      }
-    }
-  }
-
   private addEmailEventSubscription(
     emitter: {
       on(eventName: string, listener: (...args: any[]) => void): void;
@@ -3333,88 +1875,10 @@ export class DcRouter {
     this.emailEventSubscriptions = [];
   }
   
-  /**
-   * Detect the server's public IP address
-   */
-  private async detectServerPublicIp(): Promise<string | null> {
-    try {
-      const smartNetwork = new plugins.smartnetwork.SmartNetwork();
-      const publicIps = await smartNetwork.getPublicIps();
-      
-      if (publicIps.v4) {
-        return publicIps.v4;
-      }
-      
-      return null;
-    } catch (error: unknown) {
-      logger.log('warn', `Failed to detect public IP: ${(error as Error).message}`);
-      return null;
-    }
-  }
   
   /**
    * Set up Remote Ingress hub for edge tunnel connections
    */
-  private async setupRemoteIngress(): Promise<void> {
-    const remoteIngressManager = this.remoteIngressManager;
-    if (!remoteIngressManager) {
-      return;
-    }
-
-    const hubSettings = remoteIngressManager.getHubSettings();
-    if (!hubSettings.enabled) {
-      logger.log('info', 'Remote Ingress hub is disabled in DB settings');
-      return;
-    }
-
-    logger.log('info', 'Setting up Remote Ingress hub...');
-    this.remoteIngressHubStopping = false;
-    const generation = ++this.remoteIngressHubGeneration;
-
-    const firewallConfig = await this.securityPolicyManager?.compileRemoteIngressFirewall();
-    if (!this.isRemoteIngressHubGenerationCurrent(generation, remoteIngressManager)) {
-      return;
-    }
-    remoteIngressManager.setFirewallConfig(firewallConfig);
-
-    // Pass current bootstrap routes so the manager can derive edge ports initially.
-    // Once RouteConfigManager applies the full DB set, the onRoutesApplied callback
-    // will push the complete merged routes here.
-    const bootstrapRoutes = [...this.seedConfigRoutes, ...this.seedEmailRoutes, ...this.runtimeDnsRoutes];
-    remoteIngressManager.setRoutes(bootstrapRoutes as any[]);
-
-    // If ConfigManagers finished before us, re-apply routes
-    // so the callback delivers the full DB set to our newly-created remoteIngressManager.
-    if (this.routeConfigManager) {
-      await this.routeConfigManager.applyRoutes();
-    }
-    if (!this.isRemoteIngressHubGenerationCurrent(generation, remoteIngressManager)) {
-      return;
-    }
-
-    await this.queueRemoteIngressHubTask(async () => {
-      await this.startRemoteIngressTunnelHubLocked(generation);
-    });
-    if (!this.isRemoteIngressHubGenerationCurrent(generation, remoteIngressManager)) {
-      return;
-    }
-
-    const edgeCount = remoteIngressManager.getAllEdges().length;
-    logger.log('info', `Remote Ingress hub started on port ${hubSettings.tunnelPort} with ${edgeCount} registered edge(s)`);
-  }
-
-  private isRemoteIngressHubGenerationCurrent(generation: number, manager: RemoteIngressManager): boolean {
-    return !this.remoteIngressHubStopping
-      && generation === this.remoteIngressHubGeneration
-      && this.remoteIngressManager === manager;
-  }
-
-  private queueRemoteIngressHubTask<T>(task: () => Promise<T>): Promise<T> {
-    const run = this.remoteIngressHubLifecycleChain.then(task);
-    this.remoteIngressHubLifecycleChain = run.then(() => undefined, () => undefined);
-    return run;
-  }
-
   private queueSmartProxyLifecycleTask<T>(task: () => Promise<T>): Promise<T> {
     const run = this.smartProxyLifecycleChain.then(task);
     this.smartProxyLifecycleChain = run.then(() => undefined, () => undefined);
@@ -3427,85 +1891,23 @@ export class DcRouter {
     return run;
   }
 
-  private async stopRemoteIngress(): Promise<void> {
-    this.remoteIngressHubStopping = true;
-    this.remoteIngressHubGeneration++;
-    await this.queueRemoteIngressHubTask(async () => {
-      const currentTunnelManager = this.tunnelManager;
-      if (currentTunnelManager) {
-        await currentTunnelManager.stop();
-        if (this.tunnelManager === currentTunnelManager) {
-          this.tunnelManager = undefined;
-        }
-      }
-    });
-  }
-
+  /** Serialized edge mutation on the RemoteIngress hub (delegates to the hub lifecycle). */
   public async mutateRemoteIngressEdges<T>(
     mutation: (manager: RemoteIngressManager) => Promise<T>,
     syncAllowedEdges = true,
   ): Promise<T> {
-    return await this.queueRemoteIngressHubTask(async () => {
-      if (this.remoteIngressHubStopping) {
-        throw new Error('RemoteIngress is stopping');
-      }
-      const manager = this.remoteIngressManager;
-      if (!manager) {
-        throw new Error('RemoteIngress not configured');
-      }
-      const result = await mutation(manager);
-      if (syncAllowedEdges && this.tunnelManager) {
-        await this.tunnelManager.syncAllowedEdges();
-      }
-      return result;
-    });
-  }
-
-  private async updateRemoteIngressRoutes(routes: IDcRouterRouteConfig[]): Promise<void> {
-    await this.queueRemoteIngressHubTask(async () => {
-      if (this.remoteIngressHubStopping) return;
-      if (this.remoteIngressManager) {
-        this.remoteIngressManager.setRoutes(routes);
-      }
-      if (this.tunnelManager) {
-        await this.tunnelManager.syncAllowedEdges();
-      }
-    });
+    return await this.remoteIngressHubLifecycle.mutateEdges(mutation, syncAllowedEdges);
   }
 
   public async updateRemoteIngressHubSettings(
     updates: TRemoteIngressHubSettingsUpdate,
     updatedBy: string,
   ): Promise<IRemoteIngressHubSettings> {
-    const manager = this.remoteIngressManager;
-    if (!manager) {
-      throw new Error('RemoteIngress is not configured');
-    }
-
-    const previousSettings = manager.getHubSettings();
-    const settings = await manager.updateHubSettings(updates, updatedBy);
-    const enabledChanged = previousSettings.enabled !== settings.enabled;
-
-    if (!settings.enabled) {
-      await this.queueRemoteIngressHubTask(async () => {
-        await this.stopRemoteIngressTunnelHubLocked();
-      });
-    }
-
-    if (enabledChanged) {
-      await this.restartSmartProxyForRemoteIngressSettings();
-    }
-
-    if (settings.enabled) {
-      await this.queueRemoteIngressHubTask(async () => {
-        await this.restartRemoteIngressTunnelHubLocked();
-      });
-    }
-
-    return settings;
+    return await this.remoteIngressHubLifecycle.updateHubSettings(updates, updatedBy);
   }
 
-  private async restartSmartProxyForRemoteIngressSettings(): Promise<void> {
+  /** Restart SmartProxy after RemoteIngress hub settings changed listener wiring. Called by RemoteIngressHubLifecycle. */
+  public async restartSmartProxyForRemoteIngressSettings(): Promise<void> {
     await this.queueSmartProxyLifecycleTask(async () => {
       const restartSmartProxy = async () => {
         try {
@@ -3518,7 +1920,7 @@ export class DcRouter {
             }
           }
         } finally {
-          await this.stopSmartAcme();
+          await this.smartAcmeLifecycle.stop();
         }
         await this.setupSmartProxy();
       };
@@ -3540,144 +1942,14 @@ export class DcRouter {
     });
   }
 
-  private async stopRemoteIngressTunnelHubLocked(): Promise<void> {
-    this.remoteIngressHubGeneration++;
-    const currentTunnelManager = this.tunnelManager;
-    if (currentTunnelManager) {
-      await currentTunnelManager.stop();
-      if (this.tunnelManager === currentTunnelManager) {
-        this.tunnelManager = undefined;
-      }
-    }
-  }
-
-  private async restartRemoteIngressTunnelHubLocked(): Promise<void> {
-    const generation = ++this.remoteIngressHubGeneration;
-    const hubSettings = this.remoteIngressManager?.getHubSettings();
-    if (!this.remoteIngressManager || !hubSettings?.enabled || this.remoteIngressHubStopping) {
-      return;
-    }
-
-    const currentTunnelManager = this.tunnelManager;
-    if (currentTunnelManager) {
-      await currentTunnelManager.stop();
-      if (this.tunnelManager === currentTunnelManager) {
-        this.tunnelManager = undefined;
-      }
-    }
-
-    if (this.remoteIngressHubStopping || generation !== this.remoteIngressHubGeneration) {
-      return;
-    }
-    await this.startRemoteIngressTunnelHubLocked(generation);
-  }
-
-  private async startRemoteIngressTunnelHubLocked(generation: number): Promise<void> {
-    const manager = this.remoteIngressManager;
-    const hubSettings = manager?.getHubSettings();
-    if (!manager || !hubSettings?.enabled || this.remoteIngressHubStopping || generation !== this.remoteIngressHubGeneration) {
-      return;
-    }
-
-    const firewallConfig = await this.securityPolicyManager?.compileRemoteIngressFirewall();
-    if (this.remoteIngressHubStopping || generation !== this.remoteIngressHubGeneration || this.remoteIngressManager !== manager) {
-      return;
-    }
-    manager.setFirewallConfig(firewallConfig);
-
-    const tlsConfig = await this.resolveRemoteIngressTlsConfig(hubSettings.hubDomain);
-    if (this.remoteIngressHubStopping || generation !== this.remoteIngressHubGeneration || this.remoteIngressManager !== manager) {
-      return;
-    }
-
-    const tunnelManager = new TunnelManager(manager, {
-      tunnelPort: hubSettings.tunnelPort,
-      targetHost: '127.0.0.1',
-      tls: tlsConfig,
-      performance: manager.getHubPerformanceConfig(),
-    });
-    try {
-      await tunnelManager.start();
-    } catch (err) {
-      await tunnelManager.stop().catch(() => {});
-      throw err;
-    }
-
-    if (this.remoteIngressHubStopping || generation !== this.remoteIngressHubGeneration || this.remoteIngressManager !== manager) {
-      await tunnelManager.stop().catch((err) => {
-        logger.log('warn', `Failed to stop stale RemoteIngress tunnel hub: ${(err as Error).message}`);
-      });
-      return;
-    }
-    this.tunnelManager = tunnelManager;
-  }
-
-  private async resolveRemoteIngressTlsConfig(
-    hubDomain?: string,
-  ): Promise<{ certPem: string; keyPem: string } | undefined> {
-    // Resolve TLS certs for tunnel: explicit paths > ACME for hubDomain > self-signed (Rust default)
-    let tlsConfig: { certPem: string; keyPem: string } | undefined;
-
-    // Priority 1: Explicit cert/key file paths
-    const explicitTls = this.options.remoteIngressConfig?.tls;
-    if (explicitTls?.certPath && explicitTls?.keyPath) {
-      try {
-        const certPem = plugins.fs.readFileSync(explicitTls.certPath, 'utf8');
-        const keyPem = plugins.fs.readFileSync(explicitTls.keyPath, 'utf8');
-        tlsConfig = { certPem, keyPem };
-        logger.log('info', 'Using explicit TLS cert/key for RemoteIngress tunnel');
-      } catch (err: unknown) {
-        logger.log('warn', `Failed to read RemoteIngress TLS cert/key files: ${(err as Error).message}`);
-      }
-    }
-
-    // Priority 2: Existing cert from SmartProxy cert store for hubDomain
-    if (!tlsConfig && hubDomain) {
-      try {
-        const stored = await ProxyCertDoc.findByDomain(hubDomain);
-        if (stored?.publicKey && stored?.privateKey) {
-          tlsConfig = { certPem: stored.publicKey, keyPem: stored.privateKey };
-          logger.log('info', `Using stored ACME cert for RemoteIngress tunnel TLS: ${hubDomain}`);
-        }
-      } catch { /* no stored cert, fall through */ }
-    }
-
-    if (!tlsConfig) {
-      logger.log('info', 'No TLS cert configured for RemoteIngress tunnel — using auto-generated self-signed');
-    }
-
-    return tlsConfig;
+  /** Bootstrap routes the RemoteIngress hub uses to derive edge ports before the DB route set is applied. */
+  public getRemoteIngressBootstrapRoutes(): plugins.smartproxy.IRouteConfig[] {
+    return [...this.seedConfigRoutes, ...this.seedEmailRoutes, ...this.runtimeDnsRoutes];
   }
 
   /**
    * Set up VPN server for VPN-based route access control.
    */
-  private createVpnClientAccessResolver(): ((
-    route: import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig,
-    routeId?: string,
-  ) => TVpnClientAllowEntry[]) | undefined {
-    if (!this.options.vpnConfig?.enabled) {
-      return undefined;
-    }
-
-    return (
-      route: import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig,
-      routeId?: string,
-    ) => {
-      if (!this.vpnManager || !this.targetProfileManager) {
-        // VPN not ready yet — deny all until re-apply after VPN starts.
-        return [];
-      }
-
-      return this.targetProfileManager.getMatchingVpnClients(
-        route,
-        routeId,
-        this.vpnManager.listClients(),
-        this.routeConfigManager?.getRoutes() || new Map(),
-      );
-    };
-  }
-
   private async setupVpnServer(): Promise<void> {
     if (!this.options.vpnConfig?.enabled) {
       return;
@@ -3719,38 +1991,8 @@ export class DcRouter {
         if (!this.targetProfileManager) return [];
         return this.targetProfileManager.getDirectTargetIps(targetProfileIds);
       },
-      getClientAllowedIPs: async (targetProfileIds: string[], clientId?: string, _sourceIp?: string) => {
-        const subnet = this.options.vpnConfig?.subnet || '10.8.0.0/24';
-        const ips = new Set<string>([subnet]);
-
-        if (!this.targetProfileManager) return [...ips];
-
-        const allRoutes = this.routeConfigManager?.getRoutes() || new Map();
-
-        const { domains, targetIps } = this.targetProfileManager.getClientAccessSpec(
-          targetProfileIds,
-          allRoutes,
-        );
-
-        // Add target IPs directly
-        for (const ip of targetIps) {
-          ips.add(`${ip}/32`);
-        }
-
-        // Resolve DNS A records for matched domains (with caching)
-        for (const domain of domains) {
-          if (this.isWildcardVpnDomain(domain)) {
-            this.logSkippedWildcardAllowedIp(domain);
-            continue;
-          }
-          const resolvedIps = await this.resolveVpnDomainIPs(domain);
-          for (const ip of resolvedIps) {
-            ips.add(`${ip}/32`);
-          }
-        }
-
-        return [...ips];
-      },
+      getClientAllowedIPs: async (targetProfileIds: string[], _clientId?: string, _sourceIp?: string) =>
+        await this.vpnAccessResolver.getClientAllowedIPs(targetProfileIds),
     });
 
     await this.vpnManager.start();
@@ -3760,48 +2002,6 @@ export class DcRouter {
     await this.routeConfigManager?.applyRoutes();
   }
 
-  /** Cache for DNS-resolved IPs of VPN-gated domains. TTL: 5 minutes. */
-  private vpnDomainIpCache = new Map<string, { ips: string[]; expiresAt: number }>();
-  /** Deduplicate wildcard-resolution warnings for WireGuard AllowedIPs generation. */
-  private warnedWildcardVpnDomains = new Set<string>();
-
-  /**
-   * Resolve a domain's A record(s) for VPN AllowedIPs, with a 5-minute cache.
-   */
-  private async resolveVpnDomainIPs(domain: string): Promise<string[]> {
-    const cached = this.vpnDomainIpCache.get(domain);
-    if (cached && cached.expiresAt > Date.now()) {
-      return cached.ips;
-    }
-    try {
-      const { promises: dnsPromises } = await import('dns');
-      const ips = await dnsPromises.resolve4(domain);
-      this.vpnDomainIpCache.set(domain, { ips, expiresAt: Date.now() + 5 * 60 * 1000 });
-      // Evict oldest entries if cache exceeds 1000 entries
-      if (this.vpnDomainIpCache.size > 1000) {
-        const firstKey = this.vpnDomainIpCache.keys().next().value;
-        if (firstKey) this.vpnDomainIpCache.delete(firstKey);
-      }
-      return ips;
-    } catch (err) {
-      logger.log('warn', `VPN: Failed to resolve ${domain} for AllowedIPs: ${(err as Error).message}`);
-      return cached?.ips || []; // Return stale cache on failure, or empty
-    }
-  }
-
-  private isWildcardVpnDomain(domain: string): boolean {
-    return domain.includes('*');
-  }
-
-  private logSkippedWildcardAllowedIp(domain: string): void {
-    if (this.warnedWildcardVpnDomains.has(domain)) return;
-    this.warnedWildcardVpnDomains.add(domain);
-    logger.log(
-      'warn',
-      `VPN: Skipping wildcard domain '${domain}' for WireGuard AllowedIPs; wildcard patterns must be resolved to concrete hostnames by matching routes.`,
-    );
-  }
-
   // VPN security injection is now handled dynamically by RouteConfigManager.applyRoutes()
   // via the getVpnAllowList callback — no longer a separate method here.
 
@@ -3850,9 +2050,8 @@ export class DcRouter {
     }
 
     this.options.vpnConfig = config;
-    this.vpnDomainIpCache.clear();
-    this.warnedWildcardVpnDomains.clear();
-    this.routeConfigManager?.setVpnClientAccessResolver(this.createVpnClientAccessResolver());
+    this.vpnAccessResolver.reset();
+    this.routeConfigManager?.setVpnClientAccessResolver(this.vpnAccessResolver.createRouteAllowResolver());
 
     if (this.options.vpnConfig?.enabled) {
       await this.setupVpnServer();