@serve.zone/dcrouter 15.3.0 → 15.4.0

package/ts/email/classes.workapp-mail-manager.ts

@@ -1,7 +1,10 @@
 import type {
   IEmailRoute,
+  IMessageAcceptanceContext,
+  IMessageAcceptanceDecision,
   IUnifiedEmailServerOptions,
 } from '@push.rocks/smartmta';
+import type { Buffer } from 'node:buffer';
 import * as plugins from '../plugins.js';
 import type * as interfaces from '../../ts_interfaces/index.js';
 
@@ -21,10 +24,28 @@ type TMailAddressBinding = plugins.servezoneInterfaces.data.IMailAddressBinding;
 type TMailAddressBindingSync = plugins.servezoneInterfaces.requests.mail.TMailAddressBindingSync;
 type TMailAddressBindingSyncResponse = plugins.servezoneInterfaces.requests.mail.IReq_SyncMailAddressBinding['response'];
 type TMailAddressBindingDeleteResponse = plugins.servezoneInterfaces.requests.mail.IReq_DeleteMailAddressBinding['response'];
+type TMailCredentialRotateResponse = plugins.servezoneInterfaces.requests.mail.IReq_RotateMailCredential['response'];
 type TWorkAppMailBinding = plugins.servezoneInterfaces.data.IWorkAppMailBinding;
 
-interface IStoredWorkAppMailIdentity extends interfaces.data.IWorkAppMailIdentity {
+interface IStoredWorkAppMailIdentity {
+  id: string;
+  externalKey: string;
+  ownership: interfaces.data.IWorkAppMailOwnership;
+  address: string;
+  localPart: string;
+  domain: string;
+  enabled: boolean;
+  displayName?: string;
+  inbound?: interfaces.data.IWorkAppMailInboundRoute;
+  smtp: {
+    enabled: boolean;
+    username: string;
+  };
+  createdAt: number;
+  updatedAt: number;
+  createdBy: string;
   smtpPassword: string;
+  smtpLastRotatedAt?: number;
 }
 
 interface IStoredWorkAppMailState {
@@ -34,6 +55,7 @@ interface IStoredWorkAppMailState {
 
 export class WorkAppMailManager {
   private readonly storageKey = '/workhosters/mail-identities.json';
+  private identityMutationPromise: Promise<unknown> = Promise.resolve();
 
   constructor(private dcRouterRef: any) {}
 
@@ -49,6 +71,21 @@ export class WorkAppMailManager {
   public async syncMailIdentity(
     request: TSyncRequest,
     createdBy: string,
+  ): Promise<interfaces.data.IWorkAppMailIdentitySyncResult> {
+    return await this.runIdentityMutationExclusive(async () => {
+      return await this.syncMailIdentityInner(request, createdBy);
+    });
+  }
+
+  private async runIdentityMutationExclusive<T>(actionArg: () => Promise<T>): Promise<T> {
+    const actionPromise = this.identityMutationPromise.catch(() => undefined).then(actionArg);
+    this.identityMutationPromise = actionPromise.then(() => undefined, () => undefined);
+    return await actionPromise;
+  }
+
+  private async syncMailIdentityInner(
+    request: TSyncRequest,
+    createdBy: string,
   ): Promise<interfaces.data.IWorkAppMailIdentitySyncResult> {
     if (!this.dcRouterRef.options.emailConfig) {
       return { success: false, message: 'Email server is not configured' };
@@ -80,9 +117,10 @@ export class WorkAppMailManager {
 
     const existingIdentity = existingIndex >= 0 ? identities[existingIndex] : undefined;
     const now = Date.now();
-    const smtpPassword = existingIdentity && !request.resetSmtpPassword
-      ? existingIdentity.smtpPassword
-      : this.generateSmtpPassword();
+    const shouldRotateSmtpPassword = !existingIdentity || request.resetSmtpPassword;
+    const smtpPassword = shouldRotateSmtpPassword
+      ? this.generateSmtpPassword()
+      : existingIdentity.smtpPassword;
     const identity: IStoredWorkAppMailIdentity = {
       id: existingIdentity?.id || plugins.smartunique.shortId(),
       externalKey,
@@ -101,6 +139,9 @@ export class WorkAppMailManager {
       updatedAt: now,
       createdBy: existingIdentity?.createdBy || createdBy,
       smtpPassword,
+      smtpLastRotatedAt: shouldRotateSmtpPassword
+        ? now
+        : existingIdentity?.smtpLastRotatedAt || existingIdentity?.createdAt || now,
     };
 
     if (existingIndex >= 0) {
@@ -162,32 +203,135 @@ export class WorkAppMailManager {
     binding: TMailAddressBindingSync,
     createdBy: string,
   ): Promise<TMailAddressBindingSyncResponse> {
-    const ownership = this.normalizeMailResourceOwner(binding.owner);
-    const { localPart, domain } = this.normalizeMailAddressParts(binding);
-    const syncRequest: TSyncRequest = {
-      ownership,
-      localPart,
-      domain,
-      inbound: this.toLegacyInboundRoute(binding.inboundTarget),
-      enabled: binding.enabled,
-    };
+    return await this.runIdentityMutationExclusive(async () => {
+      const ownership = this.normalizeMailResourceOwner(binding.owner);
+      const { localPart, domain } = this.normalizeMailAddressParts(binding);
+      const syncRequest: TSyncRequest = {
+        ownership,
+        localPart,
+        domain,
+        inbound: this.toLegacyInboundRoute(binding.inboundTarget),
+        enabled: binding.enabled,
+      };
+
+      if (binding.outboundEnabled !== undefined) {
+        syncRequest.smtpEnabled = binding.outboundEnabled;
+      } else if (binding.outboundIdentityId !== undefined) {
+        syncRequest.smtpEnabled = Boolean(binding.outboundIdentityId);
+      }
+
+      const result = await this.syncMailIdentityInner(syncRequest, createdBy);
+      const storedIdentity = result.identity
+        ? (await this.readStoredIdentities()).find((identity) => identity.id === result.identity!.id)
+        : undefined;
+
+      return {
+        success: result.success,
+        binding: storedIdentity ? this.toMailAddressBinding(storedIdentity) : undefined,
+        message: result.message,
+      };
+    });
+  }
+
+  public async rotateMailCredential(
+    credentialId: string,
+    createdBy: string,
+    owner?: Partial<TMailResourceOwner>,
+  ): Promise<TMailCredentialRotateResponse> {
+    return await this.runIdentityMutationExclusive(async () => {
+      return await this.rotateMailCredentialInner(credentialId, createdBy, owner);
+    });
+  }
+
+  private async rotateMailCredentialInner(
+    credentialId: string,
+    createdBy: string,
+    owner?: Partial<TMailResourceOwner>,
+  ): Promise<TMailCredentialRotateResponse> {
+    if (!this.dcRouterRef.options.emailConfig) {
+      return { success: false, message: 'Email server is not configured' };
+    }
 
-    if (binding.outboundIdentityId !== undefined) {
-      syncRequest.smtpEnabled = Boolean(binding.outboundIdentityId);
+    const normalizedCredentialId = credentialId?.trim();
+    if (!normalizedCredentialId) {
+      return { success: false, message: 'credentialId is required' };
     }
 
-    const result = await this.syncMailIdentity(syncRequest, createdBy);
+    const identities = await this.readStoredIdentities();
+    const identityIndex = identities.findIndex((identityArg) => {
+      return this.matchesMailOwner(this.toMailOwner(identityArg.ownership), owner)
+        && (
+          identityArg.id === normalizedCredentialId
+          || identityArg.externalKey === normalizedCredentialId
+          || identityArg.smtp.username === normalizedCredentialId
+        );
+    });
+    if (identityIndex < 0) {
+      return { success: false, message: 'Mail credential not found' };
+    }
+
+    const identity = identities[identityIndex];
+    if (!identity.enabled || !identity.smtp.enabled) {
+      return { success: false, message: 'Mail credential is disabled' };
+    }
+
+    const now = Date.now();
+    identities[identityIndex] = {
+      ...identity,
+      smtpPassword: this.generateSmtpPassword(),
+      smtpLastRotatedAt: now,
+      updatedAt: now,
+    };
+
+    await this.writeStoredIdentities(identities);
+    await this.applyStoredIdentitiesToRuntime(identities);
 
     return {
-      success: result.success,
-      binding: result.identity ? this.toMailAddressBinding(result.identity) : undefined,
-      message: result.message,
+      success: true,
+      credential: this.toMailCredentialSecret(identities[identityIndex]),
     };
   }
 
+  public async enforceManagedSmtpSender(
+    context: IMessageAcceptanceContext,
+  ): Promise<IMessageAcceptanceDecision | undefined> {
+    const username = context.session.user?.username;
+    if (!username || !this.isManagedSmtpUsername(username)) {
+      return undefined;
+    }
+
+    const identities = await this.readStoredIdentities();
+    const identity = identities.find((identityArg) => identityArg.smtp.username === username);
+    if (!identity || !identity.enabled || !identity.smtp.enabled) {
+      return this.rejectSenderAuthorization('Managed SMTP credential is not active');
+    }
+
+    const envelopeFrom = this.normalizeMailboxAddress(
+      context.session.envelope?.mailFrom?.address || context.session.mailFrom || '',
+    );
+    const headerFrom = this.extractSingleHeaderFromAddress(context.rawMessage, context.email.from);
+    if (!envelopeFrom || !headerFrom) {
+      return this.rejectSenderAuthorization('Managed SMTP sender must use exactly one From address');
+    }
+    if (envelopeFrom !== identity.address || headerFrom !== identity.address) {
+      return this.rejectSenderAuthorization('Managed SMTP sender is not authorized for this From address');
+    }
+
+    return undefined;
+  }
+
   public async deleteMailAddressBinding(
     id: string,
     createdBy: string,
+  ): Promise<TMailAddressBindingDeleteResponse> {
+    return await this.runIdentityMutationExclusive(async () => {
+      return await this.deleteMailAddressBindingInner(id, createdBy);
+    });
+  }
+
+  private async deleteMailAddressBindingInner(
+    id: string,
+    createdBy: string,
   ): Promise<TMailAddressBindingDeleteResponse> {
     const identities = await this.readStoredIdentities();
     const identity = identities.find((storedIdentity) => storedIdentity.id === id || storedIdentity.externalKey === id);
@@ -195,7 +339,7 @@ export class WorkAppMailManager {
       return { success: true };
     }
 
-    const result = await this.syncMailIdentity({
+    const result = await this.syncMailIdentityInner({
       ownership: identity.ownership,
       localPart: identity.localPart,
       domain: identity.domain,
@@ -255,6 +399,9 @@ export class WorkAppMailManager {
     const generatedRoutes = identities
       .filter((identity) => identity.enabled && identity.inbound?.enabled)
       .map((identity) => this.buildInboundRoute(identity));
+    const generatedOutboundRoutes = identities
+      .filter((identity) => identity.enabled && identity.smtp.enabled)
+      .map((identity) => this.buildOutboundRoute(identity));
     const configuredRoutes = (emailConfig.routes || [])
       .filter((route) => !this.isManagedMailRouteName(route.name));
     const generatedUsers = identities
@@ -268,7 +415,7 @@ export class WorkAppMailManager {
 
     return {
       ...emailConfig,
-      routes: [...configuredRoutes, ...generatedRoutes],
+      routes: [...configuredRoutes, ...generatedRoutes, ...generatedOutboundRoutes],
       auth: {
         ...(emailConfig.auth || {}),
         users: [...configuredUsers, ...generatedUsers],
@@ -301,6 +448,34 @@ export class WorkAppMailManager {
     };
   }
 
+  private buildOutboundRoute(identity: IStoredWorkAppMailIdentity): IEmailRoute {
+    return {
+      name: this.buildOutboundRouteName(identity.externalKey),
+      priority: 900,
+      match: {
+        authenticated: true,
+        senders: identity.address,
+      },
+      action: {
+        type: 'process',
+        allowRelay: true,
+        process: {
+          dkim: true,
+          queue: 'normal',
+        },
+        options: {
+          mtaOptions: {
+            dkimSign: true,
+            dkimOptions: {
+              domainName: identity.domain,
+              keySelector: 'default',
+            },
+          },
+        },
+      },
+    };
+  }
+
   private async ensureEmailDomainConfigured(domain: string): Promise<void> {
     const emailConfig = this.dcRouterRef.options.emailConfig as IUnifiedEmailServerOptions | undefined;
     if (emailConfig?.domains?.some((domainConfig) => domainConfig.domain.toLowerCase() === domain)) {
@@ -359,6 +534,53 @@ export class WorkAppMailManager {
     return `${this.normalizeLocalPart(localPart)}@${this.normalizeDomain(domain)}`;
   }
 
+  private normalizeMailboxAddress(addressArg: string): string | undefined {
+    const trimmed = addressArg?.trim();
+    if (!trimmed || trimmed === '<>') return undefined;
+    const angleMatch = trimmed.match(/<([^<>]+)>/);
+    const candidate = (angleMatch ? angleMatch[1] : trimmed).replace(/^mailto:/i, '').trim();
+    try {
+      return this.normalizeAddress(candidate);
+    } catch {
+      return undefined;
+    }
+  }
+
+  private extractSingleHeaderFromAddress(rawMessageArg: Buffer, parsedFromArg: string): string | undefined {
+    const headerSlice = rawMessageArg.subarray(0, 64 * 1024);
+    const crlfHeaderEnd = headerSlice.indexOf('\r\n\r\n');
+    const lfHeaderEnd = headerSlice.indexOf('\n\n');
+    const headerEnd = crlfHeaderEnd >= 0
+      ? crlfHeaderEnd
+      : lfHeaderEnd >= 0
+        ? lfHeaderEnd
+        : headerSlice.length;
+    const headersText = headerSlice.subarray(0, headerEnd).toString('utf8');
+    const unfoldedLines: string[] = [];
+    for (const line of headersText.split(/\r?\n/)) {
+      if (/^[\t ]/.test(line) && unfoldedLines.length > 0) {
+        unfoldedLines[unfoldedLines.length - 1] += ` ${line.trim()}`;
+      } else {
+        unfoldedLines.push(line);
+      }
+    }
+    const fromHeaders = unfoldedLines.filter((line) => /^from\s*:/i.test(line));
+    if (fromHeaders.length > 1) return undefined;
+    const headerValue = fromHeaders.length === 1
+      ? fromHeaders[0].replace(/^from\s*:/i, '').trim()
+      : parsedFromArg;
+    if (!headerValue || headerValue.includes(',')) return undefined;
+    return this.normalizeMailboxAddress(headerValue);
+  }
+
+  private rejectSenderAuthorization(messageArg: string): IMessageAcceptanceDecision {
+    return {
+      accepted: false,
+      smtpCode: 553,
+      smtpMessage: messageArg,
+    };
+  }
+
   private normalizeMailResourceOwner(owner: TMailResourceOwner): interfaces.data.IWorkAppMailOwnership {
     const gatewayClientType = owner.gatewayClientType;
     const gatewayClientId = owner.gatewayClientId?.trim();
@@ -477,6 +699,10 @@ export class WorkAppMailManager {
     return `workapp-mail-${this.hashExternalKey(externalKey).slice(0, 32)}`;
   }
 
+  private buildOutboundRouteName(externalKey: string): string {
+    return `workapp-mail-outbound-${this.hashExternalKey(externalKey).slice(0, 32)}`;
+  }
+
   private hashExternalKey(externalKey: string): string {
     return plugins.crypto.createHash('sha256').update(externalKey).digest('hex');
   }
@@ -509,6 +735,31 @@ export class WorkAppMailManager {
     };
   }
 
+  private toMailCredentialPublic(
+    identity: IStoredWorkAppMailIdentity,
+  ): plugins.servezoneInterfaces.data.IMailCredentialPublic {
+    return {
+      id: identity.smtp.username,
+      type: 'smtp',
+      status: identity.enabled && identity.smtp.enabled ? 'active' : 'disabled',
+      username: identity.smtp.username,
+      scopes: [`from:${identity.address}`],
+      createdAt: identity.createdAt,
+      updatedAt: identity.updatedAt,
+      lastRotatedAt: identity.smtpLastRotatedAt || identity.createdAt,
+    };
+  }
+
+  private toMailCredentialSecret(
+    identity: IStoredWorkAppMailIdentity,
+  ): plugins.servezoneInterfaces.data.IMailCredentialOneTimeSecret {
+    return {
+      credential: this.toMailCredentialPublic(identity),
+      secret: identity.smtpPassword,
+      secretShownOnce: true,
+    };
+  }
+
   private toMailOwner(ownership: interfaces.data.IWorkAppMailOwnership): TMailResourceOwner & { appInstanceId: string } {
     return {
       gatewayClientType: ownership.workHosterType,
@@ -545,6 +796,9 @@ export class WorkAppMailManager {
       status: identity.enabled ? 'active' : 'disabled',
       inboundTarget: this.toMailInboundTarget(identity.inbound),
       outboundIdentityId: identity.smtp.enabled ? identity.smtp.username : undefined,
+      ...(identity.smtp.enabled ? {
+        outboundCredential: this.toMailCredentialPublic(identity as IStoredWorkAppMailIdentity),
+      } : {}),
       recipientPolicy: {
         mode: 'staticList',
         staticRecipients: [identity.address],
@@ -552,7 +806,7 @@ export class WorkAppMailManager {
       createdAt: identity.createdAt,
       updatedAt: identity.updatedAt,
       createdBy: identity.createdBy,
-    };
+    } as TMailAddressBinding;
   }
 
   private toWorkAppMailBinding(
@@ -581,7 +835,7 @@ export class WorkAppMailManager {
   private toPublicIdentity(
     identity: IStoredWorkAppMailIdentity,
   ): interfaces.data.IWorkAppMailIdentity {
-    const { smtpPassword, ...publicIdentity } = identity;
+    const { smtpPassword, smtpLastRotatedAt, ...publicIdentity } = identity;
     return publicIdentity;
   }
 }

package/ts/opsserver/handlers/gatewayclient.handler.ts

@@ -211,12 +211,13 @@ export class GatewayClientHandler {
           const auth = await this.requireAuth(dataArg.auth || {}, 'gateway-clients:read');
           const manager = this.opsServerRef.dcRouterRef.workAppMailManager;
           if (!manager) return { bindings: [] };
+          const bindings = await manager.listMailAddressBindings({
+            owner: this.resolveMailOwnerFilter(auth, dataArg.owner),
+            domain: dataArg.domain,
+            address: dataArg.address,
+          });
           return {
-            bindings: await manager.listMailAddressBindings({
-              owner: this.resolveMailOwnerFilter(auth, dataArg.owner),
-              domain: dataArg.domain,
-              address: dataArg.address,
-            }),
+            bindings: this.filterMailBindingsAllowed(auth, bindings),
           };
         },
       ),
@@ -237,6 +238,7 @@ export class GatewayClientHandler {
               ...dataArg.binding,
               owner: this.resolveMailOwner(auth, dataArg.binding.owner),
             };
+            this.assertMailAddressAllowed(auth, binding.address, binding.domain);
             this.assertMailForwardTargetAllowed(auth, binding.inboundTarget);
             return await manager.syncMailAddressBinding(binding, auth.userId);
           } catch (error) {
@@ -257,9 +259,9 @@ export class GatewayClientHandler {
             return { success: false, message: 'WorkApp mail manager not initialized' };
           }
           if (auth.token?.policy?.role === 'gatewayClient') {
-            const bindings = await manager.listMailAddressBindings({
+            const bindings = this.filterMailBindingsAllowed(auth, await manager.listMailAddressBindings({
               owner: this.resolveMailOwnerFilter(auth),
-            });
+            }));
             const binding = bindings.find((candidate) => candidate.id === dataArg.id);
             if (!binding) return { success: true };
             return await manager.deleteMailAddressBinding(binding.id, auth.userId);
@@ -276,7 +278,39 @@ export class GatewayClientHandler {
           const auth = await this.requireAuth(dataArg.auth || {}, 'gateway-clients:read');
           const manager = this.opsServerRef.dcRouterRef.workAppMailManager;
           if (!manager) return { bindings: [] };
-          return { bindings: await manager.listWorkAppMailBindings(this.resolveMailOwnerFilter(auth, dataArg.owner)) };
+          const owner = this.resolveMailOwnerFilter(auth, dataArg.owner);
+          const bindings = await manager.listWorkAppMailBindings(owner);
+          return { bindings: await this.filterWorkAppMailBindingsAllowed(auth, manager, owner, bindings) };
+        },
+      ),
+    );
+
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<plugins.servezoneInterfaces.requests.mail.IReq_RotateMailCredential>(
+        'rotateMailCredential',
+        async (dataArg) => {
+          const auth = await this.requireAuth(dataArg.auth || {}, 'gateway-clients:write');
+          this.assertCapability(auth, 'syncRoutes');
+          const manager = this.opsServerRef.dcRouterRef.workAppMailManager;
+          if (!manager) {
+            return { success: false, message: 'WorkApp mail manager not initialized' };
+          }
+          const owner = this.resolveMailOwnerFilter(auth);
+          if (auth.token?.policy?.role === 'gatewayClient') {
+            const credentialId = dataArg.credentialId?.trim();
+            const bindings = this.filterMailBindingsAllowed(auth, await manager.listMailAddressBindings({ owner }));
+            const binding = bindings.find((bindingArg) => bindingArg.outboundIdentityId === credentialId
+              || bindingArg.outboundCredential?.id === credentialId
+              || bindingArg.outboundCredential?.username === credentialId);
+            if (!binding) {
+              return { success: false, message: 'Mail credential not found' };
+            }
+          }
+          return await manager.rotateMailCredential(
+            dataArg.credentialId,
+            auth.userId,
+            owner,
+          );
         },
       ),
     );
@@ -456,20 +490,101 @@ export class GatewayClientHandler {
     auth: TAuthContext,
     target?: plugins.servezoneInterfaces.data.IMailInboundTarget,
   ): void {
-    const policy = auth.token?.policy;
-    if (!policy || policy.role !== 'gatewayClient' || !target?.smtpForward) return;
-    const allowedTargets = policy.allowedRouteTargets || [];
-    if (allowedTargets.length === 0) {
+    if (this.isMailForwardTargetAllowed(auth, target)) return;
+    const targetDescription = target?.smtpForward
+      ? `${target.smtpForward.host.trim().toLowerCase()}:${Number(target.smtpForward.port)}`
+      : 'unknown';
+    if ((auth.token?.policy?.allowedRouteTargets || []).length === 0) {
       throw new plugins.typedrequest.TypedResponseError('gateway client token has no allowed route targets');
     }
+    throw new plugins.typedrequest.TypedResponseError(`mail target is outside token policy: ${targetDescription}`);
+  }
+
+  private isMailForwardTargetAllowed(
+    auth: TAuthContext,
+    target?: plugins.servezoneInterfaces.data.IMailInboundTarget,
+  ): boolean {
+    const policy = auth.token?.policy;
+    if (!policy || policy.role !== 'gatewayClient' || !target?.smtpForward) return true;
+    const allowedTargets = policy.allowedRouteTargets || [];
+    if (allowedTargets.length === 0) return false;
     const host = target.smtpForward.host.trim().toLowerCase();
     const port = Number(target.smtpForward.port);
-    const allowed = allowedTargets.some((allowedTarget) => {
+    return allowedTargets.some((allowedTarget) => {
       return allowedTarget.host.trim().toLowerCase() === host && allowedTarget.ports.includes(port);
     });
-    if (!allowed) {
-      throw new plugins.typedrequest.TypedResponseError(`mail target is outside token policy: ${host}:${port}`);
+  }
+
+  private assertMailAddressAllowed(
+    auth: TAuthContext,
+    addressArg: string,
+    domainArg: string,
+  ): void {
+    if (this.isMailAddressAllowed(auth, addressArg, domainArg)) return;
+    throw new plugins.typedrequest.TypedResponseError('mail domain is outside token policy');
+  }
+
+  private filterMailBindingsAllowed(
+    auth: TAuthContext,
+    bindingsArg: plugins.servezoneInterfaces.data.IMailAddressBinding[],
+  ): plugins.servezoneInterfaces.data.IMailAddressBinding[] {
+    return bindingsArg.filter((bindingArg) => {
+      try {
+        return this.isMailAddressAllowed(auth, bindingArg.address, bindingArg.domain)
+          && this.isMailForwardTargetAllowed(auth, bindingArg.inboundTarget);
+      } catch {
+        return false;
+      }
+    });
+  }
+
+  private async filterWorkAppMailBindingsAllowed(
+    auth: TAuthContext,
+    managerArg: any,
+    ownerArg: Partial<plugins.servezoneInterfaces.data.IMailResourceOwner> | undefined,
+    bindingsArg: plugins.servezoneInterfaces.data.IWorkAppMailBinding[],
+  ): Promise<plugins.servezoneInterfaces.data.IWorkAppMailBinding[]> {
+    if (auth.token?.policy?.role !== 'gatewayClient') return bindingsArg;
+    const allowedAddressBindings = this.filterMailBindingsAllowed(
+      auth,
+      await managerArg.listMailAddressBindings({ owner: ownerArg }),
+    );
+    const allowedAddressIds = new Set(allowedAddressBindings.map((bindingArg) => bindingArg.id));
+    return bindingsArg
+      .map((bindingArg) => {
+        const addressBindingIds = (bindingArg.addressBindingIds || []).filter((idArg) => allowedAddressIds.has(idArg));
+        const allowedForBinding = allowedAddressBindings.filter((addressBindingArg) => addressBindingIds.includes(addressBindingArg.id));
+        const allowedOutboundIds = new Set(allowedForBinding
+          .map((addressBindingArg) => addressBindingArg.outboundIdentityId)
+          .filter((identityIdArg): identityIdArg is string => Boolean(identityIdArg)));
+        const defaultFrom = allowedForBinding.find((addressBindingArg) => allowedOutboundIds.has(addressBindingArg.outboundIdentityId || ''))?.address
+          || allowedForBinding[0]?.address;
+        return {
+          ...bindingArg,
+          addressBindingIds,
+          outboundIdentityIds: (bindingArg.outboundIdentityIds || []).filter((idArg) => allowedOutboundIds.has(idArg)),
+          defaultFrom,
+          inboundTarget: undefined,
+        };
+      })
+      .filter((bindingArg) => (bindingArg.addressBindingIds || []).length > 0);
+  }
+
+  private isMailAddressAllowed(
+    auth: TAuthContext,
+    addressArg: string,
+    domainArg: string,
+  ): boolean {
+    const policy = auth.token?.policy;
+    if (!policy || policy.role !== 'gatewayClient') return true;
+    const normalizedDomain = domainArg.trim().toLowerCase();
+    const normalizedAddress = addressArg.trim().toLowerCase();
+    if (!normalizedAddress.endsWith(`@${normalizedDomain}`)) {
+      throw new plugins.typedrequest.TypedResponseError('mail address does not match domain');
     }
+    const patterns = policy.hostnamePatterns || [];
+    return this.matchesHostnamePatterns(normalizedDomain, patterns)
+      || patterns.some((patternArg) => patternArg.trim().toLowerCase() === `*.${normalizedDomain}`);
   }
 
   private matchesHostnamePatterns(hostname: string, patterns: string[]): boolean {

package/ts/readme.md

@@ -56,7 +56,7 @@ await router.start();
 ## What `DcRouter` Manages
 
 - SmartProxy for HTTP/HTTPS/TCP routes
-- `UnifiedEmailServer` for SMTP ingress and delivery when `emailConfig` is present
+- `UnifiedEmailServer` for SMTP ingress, delivery, managed app address bindings, and outbound SMTP submission when `emailConfig` is present
 - DB-backed managers for routes, API tokens, target profiles, domains, records, ACME config, and email domains when the DB is enabled
 - embedded authoritative DNS and DoH route generation from `dnsNsDomains` and `dnsScopes`
 - VPN, RADIUS, and remote ingress services when their config blocks are enabled
@@ -68,6 +68,7 @@ await router.start();
 - The DB is enabled by default and uses an embedded local database when no external MongoDB URL is provided.
 - System routes from config, email, and DNS are persisted with stable ownership and are toggle-only.
 - API-created routes are the only routes intended for full CRUD from the dashboard or client SDK.
+- Gateway-client mail bindings can create inbound `smtpForward` routes and managed SMTP users. Managed users are restricted to their exact claimed address for envelope and header `From`.
 - Qualifying HTTPS forward routes on port `443` get HTTP/3 augmentation by default.
 - The published package exposes the `dcrouter` npm bin through `./cli.js`; `runCli()` is the supported code-level bootstrap entrypoint.
 

package/ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '15.3.0',
+  version: '15.4.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }