2Package store implements storage for accounts, their mailboxes, IMAP
 
3subscriptions and messages, and broadcasts updates (e.g. mail delivery) to
 
4interested sessions (e.g. IMAP connections).
 
6Layout of storage for accounts:
 
8	<DataDir>/accounts/<name>/index.db
 
9	<DataDir>/accounts/<name>/msg/[a-zA-Z0-9_-]+/<id>
 
11Index.db holds tables for user information, mailboxes, and messages. Messages
 
12are stored in the msg/ subdirectory, each in their own file. The on-disk message
 
13does not contain headers generated during an incoming SMTP transaction, such as
 
14Received and Authentication-Results headers. Those are in the database to
 
15prevent having to rewrite incoming messages (e.g. Authentication-Result for DKIM
 
16signatures can only be determined after having read the message). Messages must
 
17be read through MsgReader, which transparently adds the prefix from the
 
22// todo: make up a function naming scheme that indicates whether caller should broadcast changes.
 
27	cryptorand "crypto/rand"
 
47	"golang.org/x/crypto/bcrypt"
 
48	"golang.org/x/text/secure/precis"
 
49	"golang.org/x/text/unicode/norm"
 
51	"github.com/mjl-/bstore"
 
53	"github.com/mjl-/mox/config"
 
54	"github.com/mjl-/mox/dns"
 
55	"github.com/mjl-/mox/message"
 
56	"github.com/mjl-/mox/metrics"
 
57	"github.com/mjl-/mox/mlog"
 
58	"github.com/mjl-/mox/mox-"
 
59	"github.com/mjl-/mox/moxio"
 
60	"github.com/mjl-/mox/publicsuffix"
 
61	"github.com/mjl-/mox/scram"
 
62	"github.com/mjl-/mox/smtp"
 
65// If true, each time an account is closed its database file is checked for
 
66// consistency. If an inconsistency is found, panic is called. Set by default
 
67// because of all the packages with tests, the mox main function sets it to
 
69var CheckConsistencyOnClose = true
 
72	ErrUnknownMailbox     = errors.New("no such mailbox")
 
73	ErrUnknownCredentials = errors.New("credentials not found")
 
74	ErrAccountUnknown     = errors.New("no such account")
 
75	ErrOverQuota          = errors.New("account over quota")
 
78var DefaultInitialMailboxes = config.InitialMailboxes{
 
79	SpecialUse: config.SpecialUseMailboxes{
 
94// CRAMMD5 holds HMAC ipad and opad hashes that are initialized with the first
 
95// block with (a derivation of) the key/password, so we don't store the password in plain
 
102// BinaryMarshal is used by bstore to store the ipad/opad hash states.
 
103func (c CRAMMD5) MarshalBinary() ([]byte, error) {
 
104	if c.Ipad == nil || c.Opad == nil {
 
108	ipad, err := c.Ipad.(encoding.BinaryMarshaler).MarshalBinary()
 
110		return nil, fmt.Errorf("marshal ipad: %v", err)
 
112	opad, err := c.Opad.(encoding.BinaryMarshaler).MarshalBinary()
 
114		return nil, fmt.Errorf("marshal opad: %v", err)
 
116	buf := make([]byte, 2+len(ipad)+len(opad))
 
117	ipadlen := uint16(len(ipad))
 
118	buf[0] = byte(ipadlen >> 8)
 
119	buf[1] = byte(ipadlen >> 0)
 
121	copy(buf[2+len(ipad):], opad)
 
125// BinaryUnmarshal is used by bstore to restore the ipad/opad hash states.
 
126func (c *CRAMMD5) UnmarshalBinary(buf []byte) error {
 
132		return fmt.Errorf("short buffer")
 
134	ipadlen := int(uint16(buf[0])<<8 | uint16(buf[1])<<0)
 
135	if len(buf) < 2+ipadlen {
 
136		return fmt.Errorf("buffer too short for ipadlen")
 
140	if err := ipad.(encoding.BinaryUnmarshaler).UnmarshalBinary(buf[2 : 2+ipadlen]); err != nil {
 
141		return fmt.Errorf("unmarshal ipad: %v", err)
 
143	if err := opad.(encoding.BinaryUnmarshaler).UnmarshalBinary(buf[2+ipadlen:]); err != nil {
 
144		return fmt.Errorf("unmarshal opad: %v", err)
 
146	*c = CRAMMD5{ipad, opad}
 
150// Password holds credentials in various forms, for logging in with SMTP/IMAP.
 
151type Password struct {
 
152	Hash        string  // bcrypt hash for IMAP LOGIN, SASL PLAIN and HTTP basic authentication.
 
153	CRAMMD5     CRAMMD5 // For SASL CRAM-MD5.
 
154	SCRAMSHA1   SCRAM   // For SASL SCRAM-SHA-1.
 
155	SCRAMSHA256 SCRAM   // For SASL SCRAM-SHA-256.
 
158// Subjectpass holds the secret key used to sign subjectpass tokens.
 
159type Subjectpass struct {
 
160	Email string // Our destination address (canonical, with catchall localpart stripped).
 
164// NextUIDValidity is a singleton record in the database with the next UIDValidity
 
165// to use for the next mailbox.
 
166type NextUIDValidity struct {
 
167	ID   int // Just a single record with ID 1.
 
171// SyncState track ModSeqs.
 
172type SyncState struct {
 
173	ID int // Just a single record with ID 1.
 
175	// Last used, next assigned will be one higher. The first value we hand out is 2.
 
176	// That's because 0 (the default value for old existing messages, from before the
 
177	// Message.ModSeq field) is special in IMAP, so we return it as 1.
 
178	LastModSeq ModSeq `bstore:"nonzero"`
 
180	// Highest ModSeq of expunged record that we deleted. When a clients synchronizes
 
181	// and requests changes based on a modseq before this one, we don't have the
 
182	// history to provide information about deletions. We normally keep these expunged
 
183	// records around, but we may periodically truly delete them to reclaim storage
 
184	// space. Initially set to -1 because we don't want to match with any ModSeq in the
 
185	// database, which can be zero values.
 
186	HighestDeletedModSeq ModSeq
 
189// Mailbox is collection of messages, e.g. Inbox or Sent.
 
193	// "Inbox" is the name for the special IMAP "INBOX". Slash separated
 
195	Name string `bstore:"nonzero,unique"`
 
197	// If UIDs are invalidated, e.g. when renaming a mailbox to a previously existing
 
198	// name, UIDValidity must be changed. Used by IMAP for synchronization.
 
201	// UID likely to be assigned to next message. Used by IMAP to detect messages
 
202	// delivered to a mailbox.
 
207	// Keywords as used in messages. Storing a non-system keyword for a message
 
208	// automatically adds it to this list. Used in the IMAP FLAGS response. Only
 
209	// "atoms" are allowed (IMAP syntax), keywords are case-insensitive, only stored in
 
210	// lower case (for JMAP), sorted.
 
213	HaveCounts    bool // Whether MailboxCounts have been initialized.
 
214	MailboxCounts      // Statistics about messages, kept up to date whenever a change happens.
 
217// MailboxCounts tracks statistics about messages for a mailbox.
 
218type MailboxCounts struct {
 
219	Total   int64 // Total number of messages, excluding \Deleted. For JMAP.
 
220	Deleted int64 // Number of messages with \Deleted flag. Used for IMAP message count that includes messages with \Deleted.
 
221	Unread  int64 // Messages without \Seen, excluding those with \Deleted, for JMAP.
 
222	Unseen  int64 // Messages without \Seen, including those with \Deleted, for IMAP.
 
223	Size    int64 // Number of bytes for all messages.
 
226func (mc MailboxCounts) String() string {
 
227	return fmt.Sprintf("%d total, %d deleted, %d unread, %d unseen, size %d bytes", mc.Total, mc.Deleted, mc.Unread, mc.Unseen, mc.Size)
 
230// Add increases mailbox counts mc with those of delta.
 
231func (mc *MailboxCounts) Add(delta MailboxCounts) {
 
232	mc.Total += delta.Total
 
233	mc.Deleted += delta.Deleted
 
234	mc.Unread += delta.Unread
 
235	mc.Unseen += delta.Unseen
 
236	mc.Size += delta.Size
 
239// Add decreases mailbox counts mc with those of delta.
 
240func (mc *MailboxCounts) Sub(delta MailboxCounts) {
 
241	mc.Total -= delta.Total
 
242	mc.Deleted -= delta.Deleted
 
243	mc.Unread -= delta.Unread
 
244	mc.Unseen -= delta.Unseen
 
245	mc.Size -= delta.Size
 
248// SpecialUse identifies a specific role for a mailbox, used by clients to
 
249// understand where messages should go.
 
250type SpecialUse struct {
 
258// CalculateCounts calculates the full current counts for messages in the mailbox.
 
259func (mb *Mailbox) CalculateCounts(tx *bstore.Tx) (mc MailboxCounts, err error) {
 
260	q := bstore.QueryTx[Message](tx)
 
261	q.FilterNonzero(Message{MailboxID: mb.ID})
 
262	q.FilterEqual("Expunged", false)
 
263	err = q.ForEach(func(m Message) error {
 
264		mc.Add(m.MailboxCounts())
 
270// ChangeSpecialUse returns a change for special-use flags, for broadcasting to
 
272func (mb Mailbox) ChangeSpecialUse() ChangeMailboxSpecialUse {
 
273	return ChangeMailboxSpecialUse{mb.ID, mb.Name, mb.SpecialUse}
 
276// ChangeKeywords returns a change with new keywords for a mailbox (e.g. after
 
277// setting a new keyword on a message in the mailbox), for broadcasting to other
 
279func (mb Mailbox) ChangeKeywords() ChangeMailboxKeywords {
 
280	return ChangeMailboxKeywords{mb.ID, mb.Name, mb.Keywords}
 
283// KeywordsChanged returns whether the keywords in a mailbox have changed.
 
284func (mb Mailbox) KeywordsChanged(origmb Mailbox) bool {
 
285	if len(mb.Keywords) != len(origmb.Keywords) {
 
288	// Keywords are stored sorted.
 
289	for i, kw := range mb.Keywords {
 
290		if origmb.Keywords[i] != kw {
 
297// CountsChange returns a change with mailbox counts.
 
298func (mb Mailbox) ChangeCounts() ChangeMailboxCounts {
 
299	return ChangeMailboxCounts{mb.ID, mb.Name, mb.MailboxCounts}
 
302// Subscriptions are separate from existence of mailboxes.
 
303type Subscription struct {
 
307// Flags for a mail message.
 
321// FlagsAll is all flags set, for use as mask.
 
322var FlagsAll = Flags{true, true, true, true, true, true, true, true, true, true}
 
324// Validation of "message From" domain.
 
328	ValidationUnknown   Validation = 0
 
329	ValidationStrict    Validation = 1 // Like DMARC, with strict policies.
 
330	ValidationDMARC     Validation = 2 // Actual DMARC policy.
 
331	ValidationRelaxed   Validation = 3 // Like DMARC, with relaxed policies.
 
332	ValidationPass      Validation = 4 // For SPF.
 
333	ValidationNeutral   Validation = 5 // For SPF.
 
334	ValidationTemperror Validation = 6
 
335	ValidationPermerror Validation = 7
 
336	ValidationFail      Validation = 8
 
337	ValidationSoftfail  Validation = 9  // For SPF.
 
338	ValidationNone      Validation = 10 // E.g. No records.
 
341// Message stored in database and per-message file on disk.
 
343// Contents are always the combined data from MsgPrefix and the on-disk file named
 
346// Messages always have a header section, even if empty. Incoming messages without
 
347// header section must get an empty header section added before inserting.
 
349	// ID, unchanged over lifetime, determines path to on-disk msg file.
 
350	// Set during deliver.
 
353	UID       UID   `bstore:"nonzero"` // UID, for IMAP. Set during deliver.
 
354	MailboxID int64 `bstore:"nonzero,unique MailboxID+UID,index MailboxID+Received,index MailboxID+ModSeq,ref Mailbox"`
 
356	// Modification sequence, for faster syncing with IMAP QRESYNC and JMAP.
 
357	// ModSeq is the last modification. CreateSeq is the Seq the message was inserted,
 
358	// always <= ModSeq. If Expunged is set, the message has been removed and should not
 
359	// be returned to the user. In this case, ModSeq is the Seq where the message is
 
360	// removed, and will never be changed again.
 
361	// We have an index on both ModSeq (for JMAP that synchronizes per account) and
 
362	// MailboxID+ModSeq (for IMAP that synchronizes per mailbox).
 
363	// The index on CreateSeq helps efficiently finding created messages for JMAP.
 
364	// The value of ModSeq is special for IMAP. Messages that existed before ModSeq was
 
365	// added have 0 as value. But modseq 0 in IMAP is special, so we return it as 1. If
 
366	// we get modseq 1 from a client, the IMAP server will translate it to 0. When we
 
367	// return modseq to clients, we turn 0 into 1.
 
368	ModSeq    ModSeq `bstore:"index"`
 
369	CreateSeq ModSeq `bstore:"index"`
 
372	// If set, this message was delivered to a Rejects mailbox. When it is moved to a
 
373	// different mailbox, its MailboxOrigID is set to the destination mailbox and this
 
377	// If set, this is a forwarded message (through a ruleset with IsForward). This
 
378	// causes fields used during junk analysis to be moved to their Orig variants, and
 
379	// masked IP fields cleared, so they aren't used in junk classifications for
 
380	// incoming messages. This ensures the forwarded messages don't cause negative
 
381	// reputation for the forwarding mail server, which may also be sending regular
 
385	// MailboxOrigID is the mailbox the message was originally delivered to. Typically
 
386	// Inbox or Rejects, but can also be a mailbox configured in a Ruleset, or
 
387	// Postmaster, TLS/DMARC reporting addresses. MailboxOrigID is not changed when the
 
388	// message is moved to another mailbox, e.g. Archive/Trash/Junk. Used for
 
389	// per-mailbox reputation.
 
391	// MailboxDestinedID is normally 0, but when a message is delivered to the Rejects
 
392	// mailbox, it is set to the intended mailbox according to delivery rules,
 
393	// typically that of Inbox. When such a message is moved out of Rejects, the
 
394	// MailboxOrigID is corrected by setting it to MailboxDestinedID. This ensures the
 
395	// message is used for reputation calculation for future deliveries to that
 
398	// These are not bstore references to prevent having to update all messages in a
 
399	// mailbox when the original mailbox is removed. Use of these fields requires
 
400	// checking if the mailbox still exists.
 
402	MailboxDestinedID int64
 
404	Received time.Time `bstore:"default now,index"`
 
406	// Full IP address of remote SMTP server. Empty if not delivered over SMTP. The
 
407	// masked IPs are used to classify incoming messages. They are left empty for
 
408	// messages matching a ruleset for forwarded messages.
 
410	RemoteIPMasked1 string `bstore:"index RemoteIPMasked1+Received"` // For IPv4 /32, for IPv6 /64, for reputation.
 
411	RemoteIPMasked2 string `bstore:"index RemoteIPMasked2+Received"` // For IPv4 /26, for IPv6 /48.
 
412	RemoteIPMasked3 string `bstore:"index RemoteIPMasked3+Received"` // For IPv4 /21, for IPv6 /32.
 
414	// Only set if present and not an IP address. Unicode string. Empty for forwarded
 
416	EHLODomain        string         `bstore:"index EHLODomain+Received"`
 
417	MailFrom          string         // With localpart and domain. Can be empty.
 
418	MailFromLocalpart smtp.Localpart // SMTP "MAIL FROM", can be empty.
 
419	// Only set if it is a domain, not an IP. Unicode string. Empty for forwarded
 
420	// messages, but see OrigMailFromDomain.
 
421	MailFromDomain  string         `bstore:"index MailFromDomain+Received"`
 
422	RcptToLocalpart smtp.Localpart // SMTP "RCPT TO", can be empty.
 
423	RcptToDomain    string         // Unicode string.
 
425	// Parsed "From" message header, used for reputation along with domain validation.
 
426	MsgFromLocalpart smtp.Localpart
 
427	MsgFromDomain    string `bstore:"index MsgFromDomain+Received"`    // Unicode string.
 
428	MsgFromOrgDomain string `bstore:"index MsgFromOrgDomain+Received"` // Unicode string.
 
430	// Simplified statements of the Validation fields below, used for incoming messages
 
431	// to check reputation.
 
433	MailFromValidated bool
 
434	MsgFromValidated  bool
 
436	EHLOValidation     Validation // Validation can also take reverse IP lookup into account, not only SPF.
 
437	MailFromValidation Validation // Can have SPF-specific validations like ValidationSoftfail.
 
438	MsgFromValidation  Validation // Desirable validations: Strict, DMARC, Relaxed. Will not be just Pass.
 
440	// Domains with verified DKIM signatures. Unicode string. For forwarded messages, a
 
441	// DKIM domain that matched a ruleset's verified domain is left out, but included
 
442	// in OrigDKIMDomains.
 
443	DKIMDomains []string `bstore:"index DKIMDomains+Received"`
 
445	// For forwarded messages,
 
446	OrigEHLODomain  string
 
447	OrigDKIMDomains []string
 
449	// Canonicalized Message-Id, always lower-case and normalized quoting, without
 
450	// <>'s. Empty if missing. Used for matching message threads, and to prevent
 
451	// duplicate reject delivery.
 
452	MessageID string `bstore:"index"`
 
455	// For matching threads in case there is no References/In-Reply-To header. It is
 
456	// lower-cased, white-space collapsed, mailing list tags and re/fwd tags removed.
 
457	SubjectBase string `bstore:"index"`
 
460	// Hash of message. For rejects delivery in case there is no Message-ID, only set
 
461	// when delivered as reject.
 
464	// ID of message starting this thread.
 
465	ThreadID int64 `bstore:"index"`
 
466	// IDs of parent messages, from closest parent to the root message. Parent messages
 
467	// may be in a different mailbox, or may no longer exist. ThreadParentIDs must
 
468	// never contain the message id itself (a cycle), and parent messages must
 
469	// reference the same ancestors.
 
470	ThreadParentIDs []int64
 
471	// ThreadMissingLink is true if there is no match with a direct parent. E.g. first
 
472	// ID in ThreadParentIDs is not the direct ancestor (an intermediate message may
 
473	// have been deleted), or subject-based matching was done.
 
474	ThreadMissingLink bool
 
475	// If set, newly delivered child messages are automatically marked as read. This
 
476	// field is copied to new child messages. Changes are propagated to the webmail
 
479	// If set, this (sub)thread is collapsed in the webmail client, for threading mode
 
480	// "on" (mode "unread" ignores it). This field is copied to new child message.
 
481	// Changes are propagated to the webmail client.
 
484	// If received message was known to match a mailing list rule (with modified junk
 
488	// If this message is a DSN, generated by us or received. For DSNs, we don't look
 
489	// at the subject when matching threads.
 
492	ReceivedTLSVersion     uint16 // 0 if unknown, 1 if plaintext/no TLS, otherwise TLS cipher suite.
 
493	ReceivedTLSCipherSuite uint16
 
494	ReceivedRequireTLS     bool // Whether RequireTLS was known to be used for incoming delivery.
 
497	// For keywords other than system flags or the basic well-known $-flags. Only in
 
498	// "atom" syntax (IMAP), they are case-insensitive, always stored in lower-case
 
499	// (for JMAP), sorted.
 
500	Keywords    []string `bstore:"index"`
 
502	TrainedJunk *bool  // If nil, no training done yet. Otherwise, true is trained as junk, false trained as nonjunk.
 
503	MsgPrefix   []byte // Typically holds received headers and/or header separator.
 
505	// ParsedBuf message structure. Currently saved as JSON of message.Part because bstore
 
506	// cannot yet store recursive types. Created when first needed, and saved in the
 
508	// todo: once replaced with non-json storage, remove date fixup in ../message/part.go.
 
512// MailboxCounts returns the delta to counts this message means for its
 
514func (m Message) MailboxCounts() (mc MailboxCounts) {
 
533func (m Message) ChangeAddUID() ChangeAddUID {
 
534	return ChangeAddUID{m.MailboxID, m.UID, m.ModSeq, m.Flags, m.Keywords}
 
537func (m Message) ChangeFlags(orig Flags) ChangeFlags {
 
538	mask := m.Flags.Changed(orig)
 
539	return ChangeFlags{MailboxID: m.MailboxID, UID: m.UID, ModSeq: m.ModSeq, Mask: mask, Flags: m.Flags, Keywords: m.Keywords}
 
542func (m Message) ChangeThread() ChangeThread {
 
543	return ChangeThread{[]int64{m.ID}, m.ThreadMuted, m.ThreadCollapsed}
 
546// ModSeq represents a modseq as stored in the database. ModSeq 0 in the
 
547// database is sent to the client as 1, because modseq 0 is special in IMAP.
 
548// ModSeq coming from the client are of type int64.
 
551func (ms ModSeq) Client() int64 {
 
558// ModSeqFromClient converts a modseq from a client to a modseq for internal
 
559// use, e.g. in a database query.
 
560// ModSeq 1 is turned into 0 (the Go zero value for ModSeq).
 
561func ModSeqFromClient(modseq int64) ModSeq {
 
565	return ModSeq(modseq)
 
568// PrepareExpunge clears fields that are no longer needed after an expunge, so
 
569// almost all fields. Does not change ModSeq, but does set Expunged.
 
570func (m *Message) PrepareExpunge() {
 
574		MailboxID: m.MailboxID,
 
575		CreateSeq: m.CreateSeq,
 
578		ThreadID:  m.ThreadID,
 
582// PrepareThreading sets MessageID, SubjectBase and DSN (used in threading) based
 
584func (m *Message) PrepareThreading(log mlog.Log, part *message.Part) {
 
587	if part.Envelope == nil {
 
590	messageID, raw, err := message.MessageIDCanonical(part.Envelope.MessageID)
 
592		log.Debugx("parsing message-id, ignoring", err, slog.String("messageid", part.Envelope.MessageID))
 
594		log.Debug("could not parse message-id as address, continuing with raw value", slog.String("messageid", part.Envelope.MessageID))
 
596	m.MessageID = messageID
 
597	m.SubjectBase, _ = message.ThreadSubject(part.Envelope.Subject, false)
 
600// LoadPart returns a message.Part by reading from m.ParsedBuf.
 
601func (m Message) LoadPart(r io.ReaderAt) (message.Part, error) {
 
602	if m.ParsedBuf == nil {
 
603		return message.Part{}, fmt.Errorf("message not parsed")
 
606	err := json.Unmarshal(m.ParsedBuf, &p)
 
608		return p, fmt.Errorf("unmarshal message part")
 
614// NeedsTraining returns whether message needs a training update, based on
 
615// TrainedJunk (current training status) and new Junk/Notjunk flags.
 
616func (m Message) NeedsTraining() bool {
 
617	untrain := m.TrainedJunk != nil
 
618	untrainJunk := untrain && *m.TrainedJunk
 
619	train := m.Junk || m.Notjunk && !(m.Junk && m.Notjunk)
 
621	return untrain != train || untrain && train && untrainJunk != trainJunk
 
624// JunkFlagsForMailbox sets Junk and Notjunk flags based on mailbox name if configured. Often
 
625// used when delivering/moving/copying messages to a mailbox. Mail clients are not
 
626// very helpful with setting junk/notjunk flags. But clients can move/copy messages
 
627// to other mailboxes. So we set flags when clients move a message.
 
628func (m *Message) JunkFlagsForMailbox(mb Mailbox, conf config.Account) {
 
635	if !conf.AutomaticJunkFlags.Enabled {
 
639	lmailbox := strings.ToLower(mb.Name)
 
641	if conf.JunkMailbox != nil && conf.JunkMailbox.MatchString(lmailbox) {
 
644	} else if conf.NeutralMailbox != nil && conf.NeutralMailbox.MatchString(lmailbox) {
 
647	} else if conf.NotJunkMailbox != nil && conf.NotJunkMailbox.MatchString(lmailbox) {
 
650	} else if conf.JunkMailbox == nil && conf.NeutralMailbox != nil && conf.NotJunkMailbox != nil {
 
653	} else if conf.JunkMailbox != nil && conf.NeutralMailbox == nil && conf.NotJunkMailbox != nil {
 
656	} else if conf.JunkMailbox != nil && conf.NeutralMailbox != nil && conf.NotJunkMailbox == nil {
 
662// Recipient represents the recipient of a message. It is tracked to allow
 
663// first-time incoming replies from users this account has sent messages to. When a
 
664// mailbox is added to the Sent mailbox the message is parsed and recipients are
 
665// inserted as recipient. Recipients are never removed other than for removing the
 
666// message. On move/copy of a message, recipients aren't modified either. For IMAP,
 
667// this assumes a client simply appends messages to the Sent mailbox (as opposed to
 
668// copying messages from some place).
 
669type Recipient struct {
 
671	MessageID int64     `bstore:"nonzero,ref Message"`            // Ref gives it its own index, useful for fast removal as well.
 
672	Localpart string    `bstore:"nonzero"`                        // Encoded localpart.
 
673	Domain    string    `bstore:"nonzero,index Domain+Localpart"` // Unicode string.
 
674	OrgDomain string    `bstore:"nonzero,index"`                  // Unicode string.
 
675	Sent      time.Time `bstore:"nonzero"`
 
678// Outgoing is a message submitted for delivery from the queue. Used to enforce
 
679// maximum outgoing messages.
 
680type Outgoing struct {
 
682	Recipient string    `bstore:"nonzero,index"` // Canonical international address with utf8 domain.
 
683	Submitted time.Time `bstore:"nonzero,default now"`
 
686// RecipientDomainTLS stores TLS capabilities of a recipient domain as encountered
 
687// during most recent connection (delivery attempt).
 
688type RecipientDomainTLS struct {
 
689	Domain     string    // Unicode.
 
690	Updated    time.Time `bstore:"default now"`
 
691	STARTTLS   bool      // Supports STARTTLS.
 
692	RequireTLS bool      // Supports RequireTLS SMTP extension.
 
695// DiskUsage tracks quota use.
 
696type DiskUsage struct {
 
697	ID          int64 // Always one record with ID 1.
 
698	MessageSize int64 // Sum of all messages, for quota accounting.
 
701// SessionToken and CSRFToken are types to prevent mixing them up.
 
702// Base64 raw url encoded.
 
703type SessionToken string
 
706// LoginSession represents a login session. We keep a limited number of sessions
 
707// for a user, removing the oldest session when a new one is created.
 
708type LoginSession struct {
 
710	Created            time.Time `bstore:"nonzero,default now"` // Of original login.
 
711	Expires            time.Time `bstore:"nonzero"`             // Extended each time it is used.
 
712	SessionTokenBinary [16]byte  `bstore:"nonzero"`             // Stored in cookie, like "webmailsession" or "webaccountsession".
 
713	CSRFTokenBinary    [16]byte  // For API requests, in "x-mox-csrf" header.
 
714	AccountName        string    `bstore:"nonzero"`
 
715	LoginAddress       string    `bstore:"nonzero"`
 
717	// Set when loading from database.
 
718	sessionToken SessionToken
 
722// Quoting is a setting for how to quote in replies/forwards.
 
726	Default Quoting = "" // Bottom-quote if text is selected, top-quote otherwise.
 
727	Bottom  Quoting = "bottom"
 
731// Settings are webmail client settings.
 
732type Settings struct {
 
733	ID uint8 // Singleton ID 1.
 
738	// Whether to show the bars underneath the address input fields indicating
 
739	// starttls/dnssec/dane/mtasts/requiretls support by address.
 
740	ShowAddressSecurity bool
 
742	// Show HTML version of message by default, instead of plain text.
 
746// ViewMode how a message should be viewed: its text parts, html parts, or html
 
747// with loading external resources.
 
751	ModeText    ViewMode = "text"
 
752	ModeHTML    ViewMode = "html"
 
753	ModeHTMLExt ViewMode = "htmlext" // HTML with external resources.
 
756// FromAddressSettings are webmail client settings per "From" address.
 
757type FromAddressSettings struct {
 
758	FromAddress string // Unicode.
 
762// RulesetNoListID records a user "no" response to the question of
 
763// creating/removing a ruleset after moving a message with list-id header from/to
 
765type RulesetNoListID struct {
 
767	RcptToAddress string `bstore:"nonzero"`
 
768	ListID        string `bstore:"nonzero"`
 
769	ToInbox       bool   // Otherwise from Inbox to other mailbox.
 
772// RulesetNoMsgFrom records a user "no" response to the question of
 
773// creating/moveing a ruleset after moving a mesage with message "from" address
 
775type RulesetNoMsgFrom struct {
 
777	RcptToAddress  string `bstore:"nonzero"`
 
778	MsgFromAddress string `bstore:"nonzero"` // Unicode.
 
779	ToInbox        bool   // Otherwise from Inbox to other mailbox.
 
782// RulesetNoMailbox represents a "never from/to this mailbox" response to the
 
783// question of adding/removing a ruleset after moving a message.
 
784type RulesetNoMailbox struct {
 
787	// The mailbox from/to which the move has happened.
 
788	// Not a references, if mailbox is deleted, an entry becomes ineffective.
 
789	MailboxID int64 `bstore:"nonzero"`
 
790	ToMailbox bool  // Whether MailboxID is the destination of the move (instead of source).
 
793// Types stored in DB.
 
805	RecipientDomainTLS{},
 
809	FromAddressSettings{},
 
815// Account holds the information about a user, includings mailboxes, messages, imap subscriptions.
 
817	Name   string     // Name, according to configuration.
 
818	Dir    string     // Directory where account files, including the database, bloom filter, and mail messages, are stored for this account.
 
819	DBPath string     // Path to database with mailboxes, messages, etc.
 
820	DB     *bstore.DB // Open database connection.
 
822	// Channel that is closed if/when account has/gets "threads" accounting (see
 
824	threadsCompleted chan struct{}
 
825	// If threads upgrade completed with error, this is set. Used for warning during
 
826	// delivery, or aborting when importing.
 
829	// Write lock must be held for account/mailbox modifications including message delivery.
 
830	// Read lock for reading mailboxes/messages.
 
831	// When making changes to mailboxes/messages, changes must be broadcasted before
 
832	// releasing the lock to ensure proper UID ordering.
 
835	nused int // Reference count, while >0, this account is alive and shared.
 
840	Threads byte // 0: None, 1: Adding MessageID's completed, 2: Adding ThreadID's completed.
 
843// InitialUIDValidity returns a UIDValidity used for initializing an account.
 
844// It can be replaced during tests with a predictable value.
 
845var InitialUIDValidity = func() uint32 {
 
846	return uint32(time.Now().Unix() >> 1) // A 2-second resolution will get us far enough beyond 2038.
 
849var openAccounts = struct {
 
850	names map[string]*Account
 
853	names: map[string]*Account{},
 
856func closeAccount(acc *Account) (rerr error) {
 
859	defer openAccounts.Unlock()
 
861		// threadsCompleted must be closed now because it increased nused.
 
862		rerr = acc.DB.Close()
 
864		delete(openAccounts.names, acc.Name)
 
869// OpenAccount opens an account by name.
 
871// No additional data path prefix or ".db" suffix should be added to the name.
 
872// A single shared account exists per name.
 
873func OpenAccount(log mlog.Log, name string) (*Account, error) {
 
875	defer openAccounts.Unlock()
 
876	if acc, ok := openAccounts.names[name]; ok {
 
881	if _, ok := mox.Conf.Account(name); !ok {
 
882		return nil, ErrAccountUnknown
 
885	acc, err := openAccount(log, name)
 
889	openAccounts.names[name] = acc
 
893// openAccount opens an existing account, or creates it if it is missing.
 
894func openAccount(log mlog.Log, name string) (a *Account, rerr error) {
 
895	dir := filepath.Join(mox.DataDirPath("accounts"), name)
 
896	return OpenAccountDB(log, dir, name)
 
899// OpenAccountDB opens an account database file and returns an initialized account
 
900// or error. Only exported for use by subcommands that verify the database file.
 
901// Almost all account opens must go through OpenAccount/OpenEmail/OpenEmailAuth.
 
902func OpenAccountDB(log mlog.Log, accountDir, accountName string) (a *Account, rerr error) {
 
903	dbpath := filepath.Join(accountDir, "index.db")
 
905	// Create account if it doesn't exist yet.
 
907	if _, err := os.Stat(dbpath); err != nil && os.IsNotExist(err) {
 
909		os.MkdirAll(accountDir, 0770)
 
912	opts := bstore.Options{Timeout: 5 * time.Second, Perm: 0660, RegisterLogger: log.Logger}
 
913	db, err := bstore.Open(context.TODO(), dbpath, &opts, DBTypes...)
 
933		threadsCompleted: make(chan struct{}),
 
937		if err := initAccount(db); err != nil {
 
938			return nil, fmt.Errorf("initializing account: %v", err)
 
940		close(acc.threadsCompleted)
 
944	// Ensure singletons are present. Mailbox counts and total message size, Settings.
 
946	err = db.Write(context.TODO(), func(tx *bstore.Tx) error {
 
947		if tx.Get(&Settings{ID: 1}) == bstore.ErrAbsent {
 
948			if err := tx.Insert(&Settings{ID: 1, ShowAddressSecurity: true}); err != nil {
 
953		err := bstore.QueryTx[Mailbox](tx).FilterEqual("HaveCounts", false).ForEach(func(mb Mailbox) error {
 
956				log.Info("first calculation of mailbox counts for account", slog.String("account", accountName))
 
958			mc, err := mb.CalculateCounts(tx)
 
963			mb.MailboxCounts = mc
 
964			return tx.Update(&mb)
 
970		du := DiskUsage{ID: 1}
 
972		if err == nil || !errors.Is(err, bstore.ErrAbsent) {
 
975		// No DiskUsage record yet, calculate total size and insert.
 
976		err = bstore.QueryTx[Mailbox](tx).ForEach(func(mb Mailbox) error {
 
977			du.MessageSize += mb.Size
 
983		return tx.Insert(&du)
 
986		return nil, fmt.Errorf("calculating counts for mailbox or inserting settings: %v", err)
 
989	// Start adding threading if needed.
 
991	err = db.Write(context.TODO(), func(tx *bstore.Tx) error {
 
993		if err == bstore.ErrAbsent {
 
994			if err := tx.Insert(&up); err != nil {
 
995				return fmt.Errorf("inserting initial upgrade record: %v", err)
 
1002		return nil, fmt.Errorf("checking message threading: %v", err)
 
1004	if up.Threads == 2 {
 
1005		close(acc.threadsCompleted)
 
1009	// Increase account use before holding on to account in background.
 
1010	// Caller holds the lock. The goroutine below decreases nused by calling
 
1014	// Ensure all messages have a MessageID and SubjectBase, which are needed when
 
1015	// matching threads.
 
1016	// Then assign messages to threads, in the same way we do during imports.
 
1017	log.Info("upgrading account for threading, in background", slog.String("account", acc.Name))
 
1020			err := closeAccount(acc)
 
1021			log.Check(err, "closing use of account after upgrading account storage for threads", slog.String("account", a.Name))
 
1023			// Mark that upgrade has finished, possibly error is indicated in threadsErr.
 
1024			close(acc.threadsCompleted)
 
1028			x := recover() // Should not happen, but don't take program down if it does.
 
1030				log.Error("upgradeThreads panic", slog.Any("err", x))
 
1032				metrics.PanicInc(metrics.Upgradethreads)
 
1033				acc.threadsErr = fmt.Errorf("panic during upgradeThreads: %v", x)
 
1037		err := upgradeThreads(mox.Shutdown, log, acc, &up)
 
1040			log.Errorx("upgrading account for threading, aborted", err, slog.String("account", a.Name))
 
1042			log.Info("upgrading account for threading, completed", slog.String("account", a.Name))
 
1048// ThreadingWait blocks until the one-time account threading upgrade for the
 
1049// account has completed, and returns an error if not successful.
 
1051// To be used before starting an import of messages.
 
1052func (a *Account) ThreadingWait(log mlog.Log) error {
 
1054	case <-a.threadsCompleted:
 
1058	log.Debug("waiting for account upgrade to complete")
 
1060	<-a.threadsCompleted
 
1064func initAccount(db *bstore.DB) error {
 
1065	return db.Write(context.TODO(), func(tx *bstore.Tx) error {
 
1066		uidvalidity := InitialUIDValidity()
 
1068		if err := tx.Insert(&Upgrade{ID: 1, Threads: 2}); err != nil {
 
1071		if err := tx.Insert(&DiskUsage{ID: 1}); err != nil {
 
1074		if err := tx.Insert(&Settings{ID: 1}); err != nil {
 
1078		if len(mox.Conf.Static.DefaultMailboxes) > 0 {
 
1079			// Deprecated in favor of InitialMailboxes.
 
1080			defaultMailboxes := mox.Conf.Static.DefaultMailboxes
 
1081			mailboxes := []string{"Inbox"}
 
1082			for _, name := range defaultMailboxes {
 
1083				if strings.EqualFold(name, "Inbox") {
 
1086				mailboxes = append(mailboxes, name)
 
1088			for _, name := range mailboxes {
 
1089				mb := Mailbox{Name: name, UIDValidity: uidvalidity, UIDNext: 1, HaveCounts: true}
 
1090				if strings.HasPrefix(name, "Archive") {
 
1092				} else if strings.HasPrefix(name, "Drafts") {
 
1094				} else if strings.HasPrefix(name, "Junk") {
 
1096				} else if strings.HasPrefix(name, "Sent") {
 
1098				} else if strings.HasPrefix(name, "Trash") {
 
1101				if err := tx.Insert(&mb); err != nil {
 
1102					return fmt.Errorf("creating mailbox: %w", err)
 
1104				if err := tx.Insert(&Subscription{name}); err != nil {
 
1105					return fmt.Errorf("adding subscription: %w", err)
 
1109			mailboxes := mox.Conf.Static.InitialMailboxes
 
1110			var zerouse config.SpecialUseMailboxes
 
1111			if mailboxes.SpecialUse == zerouse && len(mailboxes.Regular) == 0 {
 
1112				mailboxes = DefaultInitialMailboxes
 
1115			add := func(name string, use SpecialUse) error {
 
1116				mb := Mailbox{Name: name, UIDValidity: uidvalidity, UIDNext: 1, SpecialUse: use, HaveCounts: true}
 
1117				if err := tx.Insert(&mb); err != nil {
 
1118					return fmt.Errorf("creating mailbox: %w", err)
 
1120				if err := tx.Insert(&Subscription{name}); err != nil {
 
1121					return fmt.Errorf("adding subscription: %w", err)
 
1125			addSpecialOpt := func(nameOpt string, use SpecialUse) error {
 
1129				return add(nameOpt, use)
 
1135				{"Inbox", SpecialUse{}},
 
1136				{mailboxes.SpecialUse.Archive, SpecialUse{Archive: true}},
 
1137				{mailboxes.SpecialUse.Draft, SpecialUse{Draft: true}},
 
1138				{mailboxes.SpecialUse.Junk, SpecialUse{Junk: true}},
 
1139				{mailboxes.SpecialUse.Sent, SpecialUse{Sent: true}},
 
1140				{mailboxes.SpecialUse.Trash, SpecialUse{Trash: true}},
 
1142			for _, e := range l {
 
1143				if err := addSpecialOpt(e.nameOpt, e.use); err != nil {
 
1147			for _, name := range mailboxes.Regular {
 
1148				if err := add(name, SpecialUse{}); err != nil {
 
1155		if err := tx.Insert(&NextUIDValidity{1, uidvalidity}); err != nil {
 
1156			return fmt.Errorf("inserting nextuidvalidity: %w", err)
 
1162// CheckClosed asserts that the account has a zero reference count. For use in tests.
 
1163func (a *Account) CheckClosed() {
 
1165	defer openAccounts.Unlock()
 
1167		panic(fmt.Sprintf("account still in use, %d refs", a.nused))
 
1171// Close reduces the reference count, and closes the database connection when
 
1172// it was the last user.
 
1173func (a *Account) Close() error {
 
1174	if CheckConsistencyOnClose {
 
1175		xerr := a.CheckConsistency()
 
1176		err := closeAccount(a)
 
1182	return closeAccount(a)
 
1185// CheckConsistency checks the consistency of the database and returns a non-nil
 
1186// error for these cases:
 
1188// - Missing on-disk file for message.
 
1189// - Mismatch between message size and length of MsgPrefix and on-disk file.
 
1190// - Missing HaveCounts.
 
1191// - Incorrect mailbox counts.
 
1192// - Incorrect total message size.
 
1193// - Message with UID >= mailbox uid next.
 
1194// - Mailbox uidvalidity >= account uid validity.
 
1195// - ModSeq > 0, CreateSeq > 0, CreateSeq <= ModSeq.
 
1196// - All messages have a nonzero ThreadID, and no cycles in ThreadParentID, and parent messages the same ThreadParentIDs tail.
 
1197func (a *Account) CheckConsistency() error {
 
1198	var uidErrors []string            // With a limit, could be many.
 
1199	var modseqErrors []string         // With limit.
 
1200	var fileErrors []string           // With limit.
 
1201	var threadidErrors []string       // With limit.
 
1202	var threadParentErrors []string   // With limit.
 
1203	var threadAncestorErrors []string // With limit.
 
1206	err := a.DB.Read(context.Background(), func(tx *bstore.Tx) error {
 
1207		nuv := NextUIDValidity{ID: 1}
 
1210			return fmt.Errorf("fetching next uid validity: %v", err)
 
1213		mailboxes := map[int64]Mailbox{}
 
1214		err = bstore.QueryTx[Mailbox](tx).ForEach(func(mb Mailbox) error {
 
1215			mailboxes[mb.ID] = mb
 
1217			if mb.UIDValidity >= nuv.Next {
 
1218				errmsg := fmt.Sprintf("mailbox %q (id %d) has uidvalidity %d >= account next uidvalidity %d", mb.Name, mb.ID, mb.UIDValidity, nuv.Next)
 
1219				errors = append(errors, errmsg)
 
1224			return fmt.Errorf("listing mailboxes: %v", err)
 
1227		counts := map[int64]MailboxCounts{}
 
1228		err = bstore.QueryTx[Message](tx).ForEach(func(m Message) error {
 
1229			mc := counts[m.MailboxID]
 
1230			mc.Add(m.MailboxCounts())
 
1231			counts[m.MailboxID] = mc
 
1233			mb := mailboxes[m.MailboxID]
 
1235			if (m.ModSeq == 0 || m.CreateSeq == 0 || m.CreateSeq > m.ModSeq) && len(modseqErrors) < 20 {
 
1236				modseqerr := fmt.Sprintf("message %d in mailbox %q (id %d) has invalid modseq %d or createseq %d, both must be > 0 and createseq <= modseq", m.ID, mb.Name, mb.ID, m.ModSeq, m.CreateSeq)
 
1237				modseqErrors = append(modseqErrors, modseqerr)
 
1239			if m.UID >= mb.UIDNext && len(uidErrors) < 20 {
 
1240				uiderr := fmt.Sprintf("message %d in mailbox %q (id %d) has uid %d >= mailbox uidnext %d", m.ID, mb.Name, mb.ID, m.UID, mb.UIDNext)
 
1241				uidErrors = append(uidErrors, uiderr)
 
1246			p := a.MessagePath(m.ID)
 
1247			st, err := os.Stat(p)
 
1249				existserr := fmt.Sprintf("message %d in mailbox %q (id %d) on-disk file %s: %v", m.ID, mb.Name, mb.ID, p, err)
 
1250				fileErrors = append(fileErrors, existserr)
 
1251			} else if len(fileErrors) < 20 && m.Size != int64(len(m.MsgPrefix))+st.Size() {
 
1252				sizeerr := fmt.Sprintf("message %d in mailbox %q (id %d) has size %d != len msgprefix %d + on-disk file size %d = %d", m.ID, mb.Name, mb.ID, m.Size, len(m.MsgPrefix), st.Size(), int64(len(m.MsgPrefix))+st.Size())
 
1253				fileErrors = append(fileErrors, sizeerr)
 
1256			if m.ThreadID <= 0 && len(threadidErrors) < 20 {
 
1257				err := fmt.Sprintf("message %d in mailbox %q (id %d) has threadid 0", m.ID, mb.Name, mb.ID)
 
1258				threadidErrors = append(threadidErrors, err)
 
1260			if slices.Contains(m.ThreadParentIDs, m.ID) && len(threadParentErrors) < 20 {
 
1261				err := fmt.Sprintf("message %d in mailbox %q (id %d) references itself in threadparentids", m.ID, mb.Name, mb.ID)
 
1262				threadParentErrors = append(threadParentErrors, err)
 
1264			for i, pid := range m.ThreadParentIDs {
 
1265				am := Message{ID: pid}
 
1266				if err := tx.Get(&am); err == bstore.ErrAbsent {
 
1268				} else if err != nil {
 
1269					return fmt.Errorf("get ancestor message: %v", err)
 
1270				} else if !slices.Equal(m.ThreadParentIDs[i+1:], am.ThreadParentIDs) && len(threadAncestorErrors) < 20 {
 
1271					err := fmt.Sprintf("message %d, thread %d has ancestor ids %v, and ancestor at index %d with id %d should have the same tail but has %v\n", m.ID, m.ThreadID, m.ThreadParentIDs, i, am.ID, am.ThreadParentIDs)
 
1272					threadAncestorErrors = append(threadAncestorErrors, err)
 
1280			return fmt.Errorf("reading messages: %v", err)
 
1284		for _, mb := range mailboxes {
 
1285			totalSize += mb.Size
 
1287				errmsg := fmt.Sprintf("mailbox %q (id %d) does not have counts, should be %#v", mb.Name, mb.ID, counts[mb.ID])
 
1288				errors = append(errors, errmsg)
 
1289			} else if mb.MailboxCounts != counts[mb.ID] {
 
1290				mbcounterr := fmt.Sprintf("mailbox %q (id %d) has wrong counts %s, should be %s", mb.Name, mb.ID, mb.MailboxCounts, counts[mb.ID])
 
1291				errors = append(errors, mbcounterr)
 
1295		du := DiskUsage{ID: 1}
 
1296		if err := tx.Get(&du); err != nil {
 
1297			return fmt.Errorf("get diskusage")
 
1299		if du.MessageSize != totalSize {
 
1300			errmsg := fmt.Sprintf("total message size in database is %d, sum of mailbox message sizes is %d", du.MessageSize, totalSize)
 
1301			errors = append(errors, errmsg)
 
1309	errors = append(errors, uidErrors...)
 
1310	errors = append(errors, modseqErrors...)
 
1311	errors = append(errors, fileErrors...)
 
1312	errors = append(errors, threadidErrors...)
 
1313	errors = append(errors, threadParentErrors...)
 
1314	errors = append(errors, threadAncestorErrors...)
 
1315	if len(errors) > 0 {
 
1316		return fmt.Errorf("%s", strings.Join(errors, "; "))
 
1321// Conf returns the configuration for this account if it still exists. During
 
1322// an SMTP session, a configuration update may drop an account.
 
1323func (a *Account) Conf() (config.Account, bool) {
 
1324	return mox.Conf.Account(a.Name)
 
1327// NextUIDValidity returns the next new/unique uidvalidity to use for this account.
 
1328func (a *Account) NextUIDValidity(tx *bstore.Tx) (uint32, error) {
 
1329	nuv := NextUIDValidity{ID: 1}
 
1330	if err := tx.Get(&nuv); err != nil {
 
1335	if err := tx.Update(&nuv); err != nil {
 
1341// NextModSeq returns the next modification sequence, which is global per account,
 
1343func (a *Account) NextModSeq(tx *bstore.Tx) (ModSeq, error) {
 
1344	v := SyncState{ID: 1}
 
1345	if err := tx.Get(&v); err == bstore.ErrAbsent {
 
1346		// We start assigning from modseq 2. Modseq 0 is not usable, so returned as 1, so
 
1348		// HighestDeletedModSeq is -1 so comparison against the default ModSeq zero value
 
1350		v = SyncState{1, 2, -1}
 
1351		return v.LastModSeq, tx.Insert(&v)
 
1352	} else if err != nil {
 
1356	return v.LastModSeq, tx.Update(&v)
 
1359func (a *Account) HighestDeletedModSeq(tx *bstore.Tx) (ModSeq, error) {
 
1360	v := SyncState{ID: 1}
 
1362	if err == bstore.ErrAbsent {
 
1365	return v.HighestDeletedModSeq, err
 
1368// WithWLock runs fn with account writelock held. Necessary for account/mailbox
 
1369// modification. For message delivery, a read lock is required.
 
1370func (a *Account) WithWLock(fn func()) {
 
1376// WithRLock runs fn with account read lock held. Needed for message delivery.
 
1377func (a *Account) WithRLock(fn func()) {
 
1383// DeliverMessage delivers a mail message to the account.
 
1385// The message, with msg.MsgPrefix and msgFile combined, must have a header
 
1386// section. The caller is responsible for adding a header separator to
 
1387// msg.MsgPrefix if missing from an incoming message.
 
1389// If the destination mailbox has the Sent special-use flag, the message is parsed
 
1390// for its recipients (to/cc/bcc). Their domains are added to Recipients for use in
 
1393// If sync is true, the message file and its directory are synced. Should be true
 
1394// for regular mail delivery, but can be false when importing many messages.
 
1396// If updateDiskUsage is true, the account total message size (for quota) is
 
1397// updated. Callers must check if a message can be added within quota before
 
1398// calling DeliverMessage.
 
1400// If CreateSeq/ModSeq is not set, it is assigned automatically.
 
1402// Must be called with account rlock or wlock.
 
1404// Caller must broadcast new message.
 
1406// Caller must update mailbox counts.
 
1407func (a *Account) DeliverMessage(log mlog.Log, tx *bstore.Tx, m *Message, msgFile *os.File, sync, notrain, nothreads, updateDiskUsage bool) error {
 
1409		return fmt.Errorf("cannot deliver expunged message")
 
1412	mb := Mailbox{ID: m.MailboxID}
 
1413	if err := tx.Get(&mb); err != nil {
 
1414		return fmt.Errorf("get mailbox: %w", err)
 
1418	if err := tx.Update(&mb); err != nil {
 
1419		return fmt.Errorf("updating mailbox nextuid: %w", err)
 
1422	if updateDiskUsage {
 
1423		du := DiskUsage{ID: 1}
 
1424		if err := tx.Get(&du); err != nil {
 
1425			return fmt.Errorf("get disk usage: %v", err)
 
1427		du.MessageSize += m.Size
 
1428		if err := tx.Update(&du); err != nil {
 
1429			return fmt.Errorf("update disk usage: %v", err)
 
1434	m.JunkFlagsForMailbox(mb, conf)
 
1436	mr := FileMsgReader(m.MsgPrefix, msgFile) // We don't close, it would close the msgFile.
 
1437	var part *message.Part
 
1438	if m.ParsedBuf == nil {
 
1439		p, err := message.EnsurePart(log.Logger, false, mr, m.Size)
 
1441			log.Infox("parsing delivered message", err, slog.String("parse", ""), slog.Int64("message", m.ID))
 
1442			// We continue, p is still valid.
 
1445		buf, err := json.Marshal(part)
 
1447			return fmt.Errorf("marshal parsed message: %w", err)
 
1452		if err := json.Unmarshal(m.ParsedBuf, &p); err != nil {
 
1453			log.Errorx("unmarshal parsed message, continuing", err, slog.String("parse", ""))
 
1459	// If we are delivering to the originally intended mailbox, no need to store the mailbox ID again.
 
1460	if m.MailboxDestinedID != 0 && m.MailboxDestinedID == m.MailboxOrigID {
 
1461		m.MailboxDestinedID = 0
 
1463	if m.CreateSeq == 0 || m.ModSeq == 0 {
 
1464		modseq, err := a.NextModSeq(tx)
 
1466			return fmt.Errorf("assigning next modseq: %w", err)
 
1468		m.CreateSeq = modseq
 
1472	if part != nil && m.MessageID == "" && m.SubjectBase == "" {
 
1473		m.PrepareThreading(log, part)
 
1476	// Assign to thread (if upgrade has completed).
 
1477	noThreadID := nothreads
 
1478	if m.ThreadID == 0 && !nothreads && part != nil {
 
1480		case <-a.threadsCompleted:
 
1481			if a.threadsErr != nil {
 
1482				log.Info("not assigning threads for new delivery, upgrading to threads failed")
 
1485				if err := assignThread(log, tx, m, part); err != nil {
 
1486					return fmt.Errorf("assigning thread: %w", err)
 
1490			// note: since we have a write transaction to get here, we can't wait for the
 
1491			// thread upgrade to finish.
 
1492			// If we don't assign a threadid the upgrade process will do it.
 
1493			log.Info("not assigning threads for new delivery, upgrading to threads in progress which will assign this message")
 
1498	if err := tx.Insert(m); err != nil {
 
1499		return fmt.Errorf("inserting message: %w", err)
 
1501	if !noThreadID && m.ThreadID == 0 {
 
1503		if err := tx.Update(m); err != nil {
 
1504			return fmt.Errorf("updating message for its own thread id: %w", err)
 
1508	// todo: perhaps we should match the recipients based on smtp submission and a matching message-id? we now miss the addresses in bcc's if the mail client doesn't save a message that includes the bcc header in the sent mailbox.
 
1509	if mb.Sent && part != nil && part.Envelope != nil {
 
1518		addrs := append(append(e.To, e.CC...), e.BCC...)
 
1519		for _, addr := range addrs {
 
1520			if addr.User == "" {
 
1521				// Would trigger error because Recipient.Localpart must be nonzero. todo: we could allow empty localpart in db, and filter by not using FilterNonzero.
 
1522				log.Info("to/cc/bcc address with empty localpart, not inserting as recipient", slog.Any("address", addr))
 
1525			d, err := dns.ParseDomain(addr.Host)
 
1527				log.Debugx("parsing domain in to/cc/bcc address", err, slog.Any("address", addr))
 
1530			lp, err := smtp.ParseLocalpart(addr.User)
 
1532				log.Debugx("parsing localpart in to/cc/bcc address", err, slog.Any("address", addr))
 
1537				Localpart: lp.String(),
 
1539				OrgDomain: publicsuffix.Lookup(context.TODO(), log.Logger, d).Name(),
 
1542			if err := tx.Insert(&mr); err != nil {
 
1543				return fmt.Errorf("inserting sent message recipients: %w", err)
 
1548	msgPath := a.MessagePath(m.ID)
 
1549	msgDir := filepath.Dir(msgPath)
 
1550	os.MkdirAll(msgDir, 0770)
 
1552	// Sync file data to disk.
 
1554		if err := msgFile.Sync(); err != nil {
 
1555			return fmt.Errorf("fsync message file: %w", err)
 
1559	if err := moxio.LinkOrCopy(log, msgPath, msgFile.Name(), &moxio.AtReader{R: msgFile}, true); err != nil {
 
1560		return fmt.Errorf("linking/copying message to new file: %w", err)
 
1564		if err := moxio.SyncDir(log, msgDir); err != nil {
 
1565			xerr := os.Remove(msgPath)
 
1566			log.Check(xerr, "removing message after syncdir error", slog.String("path", msgPath))
 
1567			return fmt.Errorf("sync directory: %w", err)
 
1571	if !notrain && m.NeedsTraining() {
 
1573		if err := a.RetrainMessages(context.TODO(), log, tx, l, false); err != nil {
 
1574			xerr := os.Remove(msgPath)
 
1575			log.Check(xerr, "removing message after syncdir error", slog.String("path", msgPath))
 
1576			return fmt.Errorf("training junkfilter: %w", err)
 
1584// SetPassword saves a new password for this account. This password is used for
 
1585// IMAP, SMTP (submission) sessions and the HTTP account web page.
 
1586func (a *Account) SetPassword(log mlog.Log, password string) error {
 
1587	password, err := precis.OpaqueString.String(password)
 
1589		return fmt.Errorf(`password not allowed by "precis"`)
 
1592	if len(password) < 8 {
 
1593		// We actually check for bytes...
 
1594		return fmt.Errorf("password must be at least 8 characters long")
 
1597	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
 
1599		return fmt.Errorf("generating password hash: %w", err)
 
1602	err = a.DB.Write(context.TODO(), func(tx *bstore.Tx) error {
 
1603		if _, err := bstore.QueryTx[Password](tx).Delete(); err != nil {
 
1604			return fmt.Errorf("deleting existing password: %v", err)
 
1607		pw.Hash = string(hash)
 
1609		// CRAM-MD5 calculates an HMAC-MD5, with the password as key, over a per-attempt
 
1610		// unique text that includes a timestamp. HMAC performs two hashes. Both times, the
 
1611		// first block is based on the key/password. We hash those first blocks now, and
 
1612		// store the hash state in the database. When we actually authenticate, we'll
 
1613		// complete the HMAC by hashing only the text. We cannot store crypto/hmac's hash,
 
1614		// because it does not expose its internal state and isn't a BinaryMarshaler.
 
1616		pw.CRAMMD5.Ipad = md5.New()
 
1617		pw.CRAMMD5.Opad = md5.New()
 
1618		key := []byte(password)
 
1623		ipad := make([]byte, md5.BlockSize)
 
1624		opad := make([]byte, md5.BlockSize)
 
1627		for i := range ipad {
 
1631		pw.CRAMMD5.Ipad.Write(ipad)
 
1632		pw.CRAMMD5.Opad.Write(opad)
 
1634		pw.SCRAMSHA1.Salt = scram.MakeRandom()
 
1635		pw.SCRAMSHA1.Iterations = 2 * 4096
 
1636		pw.SCRAMSHA1.SaltedPassword = scram.SaltPassword(sha1.New, password, pw.SCRAMSHA1.Salt, pw.SCRAMSHA1.Iterations)
 
1638		pw.SCRAMSHA256.Salt = scram.MakeRandom()
 
1639		pw.SCRAMSHA256.Iterations = 4096
 
1640		pw.SCRAMSHA256.SaltedPassword = scram.SaltPassword(sha256.New, password, pw.SCRAMSHA256.Salt, pw.SCRAMSHA256.Iterations)
 
1642		if err := tx.Insert(&pw); err != nil {
 
1643			return fmt.Errorf("inserting new password: %v", err)
 
1646		return sessionRemoveAll(context.TODO(), log, tx, a.Name)
 
1649		log.Info("new password set for account", slog.String("account", a.Name))
 
1654// Subjectpass returns the signing key for use with subjectpass for the given
 
1655// email address with canonical localpart.
 
1656func (a *Account) Subjectpass(email string) (key string, err error) {
 
1657	return key, a.DB.Write(context.TODO(), func(tx *bstore.Tx) error {
 
1658		v := Subjectpass{Email: email}
 
1664		if !errors.Is(err, bstore.ErrAbsent) {
 
1665			return fmt.Errorf("get subjectpass key from accounts database: %w", err)
 
1668		const chars = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 
1669		buf := make([]byte, 16)
 
1670		if _, err := cryptorand.Read(buf); err != nil {
 
1673		for _, b := range buf {
 
1674			key += string(chars[int(b)%len(chars)])
 
1677		return tx.Insert(&v)
 
1681// Ensure mailbox is present in database, adding records for the mailbox and its
 
1682// parents if they aren't present.
 
1684// If subscribe is true, any mailboxes that were created will also be subscribed to.
 
1685// Caller must hold account wlock.
 
1686// Caller must propagate changes if any.
 
1687func (a *Account) MailboxEnsure(tx *bstore.Tx, name string, subscribe bool) (mb Mailbox, changes []Change, rerr error) {
 
1688	if norm.NFC.String(name) != name {
 
1689		return Mailbox{}, nil, fmt.Errorf("mailbox name not normalized")
 
1692	// Quick sanity check.
 
1693	if strings.EqualFold(name, "inbox") && name != "Inbox" {
 
1694		return Mailbox{}, nil, fmt.Errorf("bad casing for inbox")
 
1697	elems := strings.Split(name, "/")
 
1698	q := bstore.QueryTx[Mailbox](tx)
 
1699	q.FilterFn(func(mb Mailbox) bool {
 
1700		return mb.Name == elems[0] || strings.HasPrefix(mb.Name, elems[0]+"/")
 
1704		return Mailbox{}, nil, fmt.Errorf("list mailboxes: %v", err)
 
1707	mailboxes := map[string]Mailbox{}
 
1708	for _, xmb := range l {
 
1709		mailboxes[xmb.Name] = xmb
 
1713	for _, elem := range elems {
 
1719		mb, ok = mailboxes[p]
 
1723		uidval, err := a.NextUIDValidity(tx)
 
1725			return Mailbox{}, nil, fmt.Errorf("next uid validity: %v", err)
 
1729			UIDValidity: uidval,
 
1733		err = tx.Insert(&mb)
 
1735			return Mailbox{}, nil, fmt.Errorf("creating new mailbox: %v", err)
 
1740			if tx.Get(&Subscription{p}) != nil {
 
1741				err := tx.Insert(&Subscription{p})
 
1743					return Mailbox{}, nil, fmt.Errorf("subscribing to mailbox: %v", err)
 
1746			flags = []string{`\Subscribed`}
 
1748		changes = append(changes, ChangeAddMailbox{mb, flags})
 
1750	return mb, changes, nil
 
1753// MailboxExists checks if mailbox exists.
 
1754// Caller must hold account rlock.
 
1755func (a *Account) MailboxExists(tx *bstore.Tx, name string) (bool, error) {
 
1756	q := bstore.QueryTx[Mailbox](tx)
 
1757	q.FilterEqual("Name", name)
 
1761// MailboxFind finds a mailbox by name, returning a nil mailbox and nil error if mailbox does not exist.
 
1762func (a *Account) MailboxFind(tx *bstore.Tx, name string) (*Mailbox, error) {
 
1763	q := bstore.QueryTx[Mailbox](tx)
 
1764	q.FilterEqual("Name", name)
 
1766	if err == bstore.ErrAbsent {
 
1770		return nil, fmt.Errorf("looking up mailbox: %w", err)
 
1775// SubscriptionEnsure ensures a subscription for name exists. The mailbox does not
 
1776// have to exist. Any parents are not automatically subscribed.
 
1777// Changes are returned and must be broadcasted by the caller.
 
1778func (a *Account) SubscriptionEnsure(tx *bstore.Tx, name string) ([]Change, error) {
 
1779	if err := tx.Get(&Subscription{name}); err == nil {
 
1783	if err := tx.Insert(&Subscription{name}); err != nil {
 
1784		return nil, fmt.Errorf("inserting subscription: %w", err)
 
1787	q := bstore.QueryTx[Mailbox](tx)
 
1788	q.FilterEqual("Name", name)
 
1791		return []Change{ChangeAddSubscription{name, nil}}, nil
 
1792	} else if err != bstore.ErrAbsent {
 
1793		return nil, fmt.Errorf("looking up mailbox for subscription: %w", err)
 
1795	return []Change{ChangeAddSubscription{name, []string{`\NonExistent`}}}, nil
 
1798// MessageRuleset returns the first ruleset (if any) that matches the message
 
1799// represented by msgPrefix and msgFile, with smtp and validation fields from m.
 
1800func MessageRuleset(log mlog.Log, dest config.Destination, m *Message, msgPrefix []byte, msgFile *os.File) *config.Ruleset {
 
1801	if len(dest.Rulesets) == 0 {
 
1805	mr := FileMsgReader(msgPrefix, msgFile) // We don't close, it would close the msgFile.
 
1806	p, err := message.Parse(log.Logger, false, mr)
 
1808		log.Errorx("parsing message for evaluating rulesets, continuing with headers", err, slog.String("parse", ""))
 
1809		// note: part is still set.
 
1811	// todo optimize: only parse header if needed for rulesets. and probably reuse an earlier parsing.
 
1812	header, err := p.Header()
 
1814		log.Errorx("parsing message headers for evaluating rulesets, delivering to default mailbox", err, slog.String("parse", ""))
 
1815		// todo: reject message?
 
1820	for _, rs := range dest.Rulesets {
 
1821		if rs.SMTPMailFromRegexpCompiled != nil {
 
1822			if !rs.SMTPMailFromRegexpCompiled.MatchString(m.MailFrom) {
 
1826		if rs.MsgFromRegexpCompiled != nil {
 
1827			if m.MsgFromLocalpart == "" && m.MsgFromDomain == "" || !rs.MsgFromRegexpCompiled.MatchString(m.MsgFromLocalpart.String()+"@"+m.MsgFromDomain) {
 
1832		if !rs.VerifiedDNSDomain.IsZero() {
 
1833			d := rs.VerifiedDNSDomain.Name()
 
1835			matchDomain := func(s string) bool {
 
1836				return s == d || strings.HasSuffix(s, suffix)
 
1839			if m.EHLOValidated && matchDomain(m.EHLODomain) {
 
1842			if m.MailFromValidated && matchDomain(m.MailFromDomain) {
 
1845			for _, d := range m.DKIMDomains {
 
1857		for _, t := range rs.HeadersRegexpCompiled {
 
1858			for k, vl := range header {
 
1859				k = strings.ToLower(k)
 
1860				if !t[0].MatchString(k) {
 
1863				for _, v := range vl {
 
1864					v = strings.ToLower(strings.TrimSpace(v))
 
1865					if t[1].MatchString(v) {
 
1877// MessagePath returns the file system path of a message.
 
1878func (a *Account) MessagePath(messageID int64) string {
 
1879	return strings.Join(append([]string{a.Dir, "msg"}, messagePathElems(messageID)...), string(filepath.Separator))
 
1882// MessageReader opens a message for reading, transparently combining the
 
1883// message prefix with the original incoming message.
 
1884func (a *Account) MessageReader(m Message) *MsgReader {
 
1885	return &MsgReader{prefix: m.MsgPrefix, path: a.MessagePath(m.ID), size: m.Size}
 
1888// DeliverDestination delivers an email to dest, based on the configured rulesets.
 
1890// Returns ErrOverQuota when account would be over quota after adding message.
 
1892// Caller must hold account wlock (mailbox may be created).
 
1893// Message delivery, possible mailbox creation, and updated mailbox counts are
 
1895func (a *Account) DeliverDestination(log mlog.Log, dest config.Destination, m *Message, msgFile *os.File) error {
 
1897	rs := MessageRuleset(log, dest, m, m.MsgPrefix, msgFile)
 
1899		mailbox = rs.Mailbox
 
1900	} else if dest.Mailbox == "" {
 
1903		mailbox = dest.Mailbox
 
1905	return a.DeliverMailbox(log, mailbox, m, msgFile)
 
1908// DeliverMailbox delivers an email to the specified mailbox.
 
1910// Returns ErrOverQuota when account would be over quota after adding message.
 
1912// Caller must hold account wlock (mailbox may be created).
 
1913// Message delivery, possible mailbox creation, and updated mailbox counts are
 
1915func (a *Account) DeliverMailbox(log mlog.Log, mailbox string, m *Message, msgFile *os.File) error {
 
1916	var changes []Change
 
1917	err := a.DB.Write(context.TODO(), func(tx *bstore.Tx) error {
 
1918		if ok, _, err := a.CanAddMessageSize(tx, m.Size); err != nil {
 
1924		mb, chl, err := a.MailboxEnsure(tx, mailbox, true)
 
1926			return fmt.Errorf("ensuring mailbox: %w", err)
 
1929		m.MailboxOrigID = mb.ID
 
1931		// Update count early, DeliverMessage will update mb too and we don't want to fetch
 
1932		// it again before updating.
 
1933		mb.MailboxCounts.Add(m.MailboxCounts())
 
1934		if err := tx.Update(&mb); err != nil {
 
1935			return fmt.Errorf("updating mailbox for delivery: %w", err)
 
1938		if err := a.DeliverMessage(log, tx, m, msgFile, true, false, false, true); err != nil {
 
1942		changes = append(changes, chl...)
 
1943		changes = append(changes, m.ChangeAddUID(), mb.ChangeCounts())
 
1946	// todo: if rename succeeded but transaction failed, we should remove the file.
 
1951	BroadcastChanges(a, changes)
 
1955// TidyRejectsMailbox removes old reject emails, and returns whether there is space for a new delivery.
 
1957// Caller most hold account wlock.
 
1958// Changes are broadcasted.
 
1959func (a *Account) TidyRejectsMailbox(log mlog.Log, rejectsMailbox string) (hasSpace bool, rerr error) {
 
1960	var changes []Change
 
1962	var remove []Message
 
1964		for _, m := range remove {
 
1965			p := a.MessagePath(m.ID)
 
1967			log.Check(err, "removing rejects message file", slog.String("path", p))
 
1971	err := a.DB.Write(context.TODO(), func(tx *bstore.Tx) error {
 
1972		mb, err := a.MailboxFind(tx, rejectsMailbox)
 
1974			return fmt.Errorf("finding mailbox: %w", err)
 
1977			// No messages have been delivered yet.
 
1982		// Gather old messages to remove.
 
1983		old := time.Now().Add(-14 * 24 * time.Hour)
 
1984		qdel := bstore.QueryTx[Message](tx)
 
1985		qdel.FilterNonzero(Message{MailboxID: mb.ID})
 
1986		qdel.FilterEqual("Expunged", false)
 
1987		qdel.FilterLess("Received", old)
 
1988		remove, err = qdel.List()
 
1990			return fmt.Errorf("listing old messages: %w", err)
 
1993		changes, err = a.rejectsRemoveMessages(context.TODO(), log, tx, mb, remove)
 
1995			return fmt.Errorf("removing messages: %w", err)
 
1998		// We allow up to n messages.
 
1999		qcount := bstore.QueryTx[Message](tx)
 
2000		qcount.FilterNonzero(Message{MailboxID: mb.ID})
 
2001		qcount.FilterEqual("Expunged", false)
 
2003		n, err := qcount.Count()
 
2005			return fmt.Errorf("counting rejects: %w", err)
 
2012		remove = nil // Don't remove files on failure.
 
2016	BroadcastChanges(a, changes)
 
2018	return hasSpace, nil
 
2021func (a *Account) rejectsRemoveMessages(ctx context.Context, log mlog.Log, tx *bstore.Tx, mb *Mailbox, l []Message) ([]Change, error) {
 
2025	ids := make([]int64, len(l))
 
2026	anyids := make([]any, len(l))
 
2027	for i, m := range l {
 
2032	// Remove any message recipients. Should not happen, but a user can move messages
 
2033	// from a Sent mailbox to the rejects mailbox...
 
2034	qdmr := bstore.QueryTx[Recipient](tx)
 
2035	qdmr.FilterEqual("MessageID", anyids...)
 
2036	if _, err := qdmr.Delete(); err != nil {
 
2037		return nil, fmt.Errorf("deleting from message recipient: %w", err)
 
2040	// Assign new modseq.
 
2041	modseq, err := a.NextModSeq(tx)
 
2043		return nil, fmt.Errorf("assign next modseq: %w", err)
 
2046	// Expunge the messages.
 
2047	qx := bstore.QueryTx[Message](tx)
 
2049	var expunged []Message
 
2050	qx.Gather(&expunged)
 
2051	if _, err := qx.UpdateNonzero(Message{ModSeq: modseq, Expunged: true}); err != nil {
 
2052		return nil, fmt.Errorf("expunging messages: %w", err)
 
2056	for _, m := range expunged {
 
2057		m.Expunged = false // Was set by update, but would cause wrong count.
 
2058		mb.MailboxCounts.Sub(m.MailboxCounts())
 
2061	if err := tx.Update(mb); err != nil {
 
2062		return nil, fmt.Errorf("updating mailbox counts: %w", err)
 
2064	if err := a.AddMessageSize(log, tx, -totalSize); err != nil {
 
2065		return nil, fmt.Errorf("updating disk usage: %w", err)
 
2068	// Mark as neutral and train so junk filter gets untrained with these (junk) messages.
 
2069	for i := range expunged {
 
2070		expunged[i].Junk = false
 
2071		expunged[i].Notjunk = false
 
2073	if err := a.RetrainMessages(ctx, log, tx, expunged, true); err != nil {
 
2074		return nil, fmt.Errorf("retraining expunged messages: %w", err)
 
2077	changes := make([]Change, len(l), len(l)+1)
 
2078	for i, m := range l {
 
2079		changes[i] = ChangeRemoveUIDs{mb.ID, []UID{m.UID}, modseq}
 
2081	changes = append(changes, mb.ChangeCounts())
 
2085// RejectsRemove removes a message from the rejects mailbox if present.
 
2086// Caller most hold account wlock.
 
2087// Changes are broadcasted.
 
2088func (a *Account) RejectsRemove(log mlog.Log, rejectsMailbox, messageID string) error {
 
2089	var changes []Change
 
2091	var remove []Message
 
2093		for _, m := range remove {
 
2094			p := a.MessagePath(m.ID)
 
2096			log.Check(err, "removing rejects message file", slog.String("path", p))
 
2100	err := a.DB.Write(context.TODO(), func(tx *bstore.Tx) error {
 
2101		mb, err := a.MailboxFind(tx, rejectsMailbox)
 
2103			return fmt.Errorf("finding mailbox: %w", err)
 
2109		q := bstore.QueryTx[Message](tx)
 
2110		q.FilterNonzero(Message{MailboxID: mb.ID, MessageID: messageID})
 
2111		q.FilterEqual("Expunged", false)
 
2112		remove, err = q.List()
 
2114			return fmt.Errorf("listing messages to remove: %w", err)
 
2117		changes, err = a.rejectsRemoveMessages(context.TODO(), log, tx, mb, remove)
 
2119			return fmt.Errorf("removing messages: %w", err)
 
2125		remove = nil // Don't remove files on failure.
 
2129	BroadcastChanges(a, changes)
 
2134// AddMessageSize adjusts the DiskUsage.MessageSize by size.
 
2135func (a *Account) AddMessageSize(log mlog.Log, tx *bstore.Tx, size int64) error {
 
2136	du := DiskUsage{ID: 1}
 
2137	if err := tx.Get(&du); err != nil {
 
2138		return fmt.Errorf("get diskusage: %v", err)
 
2140	du.MessageSize += size
 
2141	if du.MessageSize < 0 {
 
2142		log.Error("negative total message size", slog.Int64("delta", size), slog.Int64("newtotalsize", du.MessageSize))
 
2144	if err := tx.Update(&du); err != nil {
 
2145		return fmt.Errorf("update total message size: %v", err)
 
2150// QuotaMessageSize returns the effective maximum total message size for an
 
2151// account. Returns 0 if there is no maximum.
 
2152func (a *Account) QuotaMessageSize() int64 {
 
2154	size := conf.QuotaMessageSize
 
2156		size = mox.Conf.Static.QuotaMessageSize
 
2164// CanAddMessageSize checks if a message of size bytes can be added, depending on
 
2165// total message size and configured quota for account.
 
2166func (a *Account) CanAddMessageSize(tx *bstore.Tx, size int64) (ok bool, maxSize int64, err error) {
 
2167	maxSize = a.QuotaMessageSize()
 
2172	du := DiskUsage{ID: 1}
 
2173	if err := tx.Get(&du); err != nil {
 
2174		return false, maxSize, fmt.Errorf("get diskusage: %v", err)
 
2176	return du.MessageSize+size <= maxSize, maxSize, nil
 
2179// We keep a cache of recent successful authentications, so we don't have to bcrypt successful calls each time.
 
2180var authCache = struct {
 
2182	success map[authKey]string
 
2184	success: map[authKey]string{},
 
2187type authKey struct {
 
2191// StartAuthCache starts a goroutine that regularly clears the auth cache.
 
2192func StartAuthCache() {
 
2193	go manageAuthCache()
 
2196func manageAuthCache() {
 
2199		authCache.success = map[authKey]string{}
 
2201		time.Sleep(15 * time.Minute)
 
2205// OpenEmailAuth opens an account given an email address and password.
 
2207// The email address may contain a catchall separator.
 
2208func OpenEmailAuth(log mlog.Log, email string, password string) (acc *Account, rerr error) {
 
2209	password, err := precis.OpaqueString.String(password)
 
2211		return nil, ErrUnknownCredentials
 
2214	acc, _, rerr = OpenEmail(log, email)
 
2220		if rerr != nil && acc != nil {
 
2222			log.Check(err, "closing account after open auth failure")
 
2227	pw, err := bstore.QueryDB[Password](context.TODO(), acc.DB).Get()
 
2229		if err == bstore.ErrAbsent {
 
2230			return acc, ErrUnknownCredentials
 
2232		return acc, fmt.Errorf("looking up password: %v", err)
 
2235	ok := len(password) >= 8 && authCache.success[authKey{email, pw.Hash}] == password
 
2240	if err := bcrypt.CompareHashAndPassword([]byte(pw.Hash), []byte(password)); err != nil {
 
2241		rerr = ErrUnknownCredentials
 
2244		authCache.success[authKey{email, pw.Hash}] = password
 
2250// OpenEmail opens an account given an email address.
 
2252// The email address may contain a catchall separator.
 
2253func OpenEmail(log mlog.Log, email string) (*Account, config.Destination, error) {
 
2254	addr, err := smtp.ParseAddress(email)
 
2256		return nil, config.Destination{}, fmt.Errorf("%w: %v", ErrUnknownCredentials, err)
 
2258	accountName, _, _, dest, err := mox.LookupAddress(addr.Localpart, addr.Domain, false, false)
 
2259	if err != nil && (errors.Is(err, mox.ErrAddressNotFound) || errors.Is(err, mox.ErrDomainNotFound)) {
 
2260		return nil, config.Destination{}, ErrUnknownCredentials
 
2261	} else if err != nil {
 
2262		return nil, config.Destination{}, fmt.Errorf("looking up address: %v", err)
 
2264	acc, err := OpenAccount(log, accountName)
 
2266		return nil, config.Destination{}, err
 
2268	return acc, dest, nil
 
2271// 64 characters, must be power of 2 for MessagePath
 
2272const msgDirChars = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-_"
 
2274// MessagePath returns the filename of the on-disk filename, relative to the
 
2275// containing directory such as <account>/msg or queue.
 
2276// Returns names like "AB/1".
 
2277func MessagePath(messageID int64) string {
 
2278	return strings.Join(messagePathElems(messageID), string(filepath.Separator))
 
2281// messagePathElems returns the elems, for a single join without intermediate
 
2282// string allocations.
 
2283func messagePathElems(messageID int64) []string {
 
2284	v := messageID >> 13 // 8k files per directory.
 
2287		dir += string(msgDirChars[int(v)&(len(msgDirChars)-1)])
 
2293	return []string{dir, strconv.FormatInt(messageID, 10)}
 
2296// Set returns a copy of f, with each flag that is true in mask set to the
 
2298func (f Flags) Set(mask, flags Flags) Flags {
 
2299	set := func(d *bool, m, v bool) {
 
2305	set(&r.Seen, mask.Seen, flags.Seen)
 
2306	set(&r.Answered, mask.Answered, flags.Answered)
 
2307	set(&r.Flagged, mask.Flagged, flags.Flagged)
 
2308	set(&r.Forwarded, mask.Forwarded, flags.Forwarded)
 
2309	set(&r.Junk, mask.Junk, flags.Junk)
 
2310	set(&r.Notjunk, mask.Notjunk, flags.Notjunk)
 
2311	set(&r.Deleted, mask.Deleted, flags.Deleted)
 
2312	set(&r.Draft, mask.Draft, flags.Draft)
 
2313	set(&r.Phishing, mask.Phishing, flags.Phishing)
 
2314	set(&r.MDNSent, mask.MDNSent, flags.MDNSent)
 
2318// Changed returns a mask of flags that have been between f and other.
 
2319func (f Flags) Changed(other Flags) (mask Flags) {
 
2320	mask.Seen = f.Seen != other.Seen
 
2321	mask.Answered = f.Answered != other.Answered
 
2322	mask.Flagged = f.Flagged != other.Flagged
 
2323	mask.Forwarded = f.Forwarded != other.Forwarded
 
2324	mask.Junk = f.Junk != other.Junk
 
2325	mask.Notjunk = f.Notjunk != other.Notjunk
 
2326	mask.Deleted = f.Deleted != other.Deleted
 
2327	mask.Draft = f.Draft != other.Draft
 
2328	mask.Phishing = f.Phishing != other.Phishing
 
2329	mask.MDNSent = f.MDNSent != other.MDNSent
 
2333// Strings returns the flags that are set in their string form.
 
2334func (f Flags) Strings() []string {
 
2335	fields := []struct {
 
2339		{`$forwarded`, f.Forwarded},
 
2341		{`$mdnsent`, f.MDNSent},
 
2342		{`$notjunk`, f.Notjunk},
 
2343		{`$phishing`, f.Phishing},
 
2344		{`\answered`, f.Answered},
 
2345		{`\deleted`, f.Deleted},
 
2346		{`\draft`, f.Draft},
 
2347		{`\flagged`, f.Flagged},
 
2351	for _, fh := range fields {
 
2353			l = append(l, fh.word)
 
2359var systemWellKnownFlags = map[string]bool{
 
2372// ParseFlagsKeywords parses a list of textual flags into system/known flags, and
 
2373// other keywords. Keywords are lower-cased and sorted and check for valid syntax.
 
2374func ParseFlagsKeywords(l []string) (flags Flags, keywords []string, rerr error) {
 
2375	fields := map[string]*bool{
 
2376		`\answered`:  &flags.Answered,
 
2377		`\flagged`:   &flags.Flagged,
 
2378		`\deleted`:   &flags.Deleted,
 
2379		`\seen`:      &flags.Seen,
 
2380		`\draft`:     &flags.Draft,
 
2381		`$junk`:      &flags.Junk,
 
2382		`$notjunk`:   &flags.Notjunk,
 
2383		`$forwarded`: &flags.Forwarded,
 
2384		`$phishing`:  &flags.Phishing,
 
2385		`$mdnsent`:   &flags.MDNSent,
 
2387	seen := map[string]bool{}
 
2388	for _, f := range l {
 
2389		f = strings.ToLower(f)
 
2390		if field, ok := fields[f]; ok {
 
2394				return Flags{}, nil, fmt.Errorf("duplicate keyword %s", f)
 
2397			if err := CheckKeyword(f); err != nil {
 
2398				return Flags{}, nil, fmt.Errorf("invalid keyword %s", f)
 
2400			keywords = append(keywords, f)
 
2404	sort.Strings(keywords)
 
2405	return flags, keywords, nil
 
2408// RemoveKeywords removes keywords from l, returning whether any modifications were
 
2409// made, and a slice, a new slice in case of modifications. Keywords must have been
 
2410// validated earlier, e.g. through ParseFlagKeywords or CheckKeyword. Should only
 
2411// be used with valid keywords, not with system flags like \Seen.
 
2412func RemoveKeywords(l, remove []string) ([]string, bool) {
 
2415	for _, k := range remove {
 
2416		if i := slices.Index(l, k); i >= 0 {
 
2418				l = append([]string{}, l...)
 
2421			copy(l[i:], l[i+1:])
 
2429// MergeKeywords adds keywords from add into l, returning whether it added any
 
2430// keyword, and the slice with keywords, a new slice if modifications were made.
 
2431// Keywords are only added if they aren't already present. Should only be used with
 
2432// keywords, not with system flags like \Seen.
 
2433func MergeKeywords(l, add []string) ([]string, bool) {
 
2436	for _, k := range add {
 
2437		if !slices.Contains(l, k) {
 
2439				l = append([]string{}, l...)
 
2452// CheckKeyword returns an error if kw is not a valid keyword. Kw should
 
2453// already be in lower-case.
 
2454func CheckKeyword(kw string) error {
 
2456		return fmt.Errorf("keyword cannot be empty")
 
2458	if systemWellKnownFlags[kw] {
 
2459		return fmt.Errorf("cannot use well-known flag as keyword")
 
2461	for _, c := range kw {
 
2463		if c <= ' ' || c > 0x7e || c >= 'A' && c <= 'Z' || strings.ContainsRune(`(){%*"\]`, c) {
 
2464			return errors.New(`not a valid keyword, must be lower-case ascii without spaces and without any of these characters: (){%*"\]`)
 
2470// SendLimitReached checks whether sending a message to recipients would reach
 
2471// the limit of outgoing messages for the account. If so, the message should
 
2472// not be sent. If the returned numbers are >= 0, the limit was reached and the
 
2473// values are the configured limits.
 
2475// To limit damage to the internet and our reputation in case of account
 
2476// compromise, we limit the max number of messages sent in a 24 hour window, both
 
2477// total number of messages and number of first-time recipients.
 
2478func (a *Account) SendLimitReached(tx *bstore.Tx, recipients []smtp.Path) (msglimit, rcptlimit int, rerr error) {
 
2480	msgmax := conf.MaxOutgoingMessagesPerDay
 
2482		// For human senders, 1000 recipients in a day is quite a lot.
 
2485	rcptmax := conf.MaxFirstTimeRecipientsPerDay
 
2487		// Human senders may address a new human-sized list of people once in a while. In
 
2488		// case of a compromise, a spammer will probably try to send to many new addresses.
 
2492	rcpts := map[string]time.Time{}
 
2494	err := bstore.QueryTx[Outgoing](tx).FilterGreater("Submitted", time.Now().Add(-24*time.Hour)).ForEach(func(o Outgoing) error {
 
2496		if rcpts[o.Recipient].IsZero() || o.Submitted.Before(rcpts[o.Recipient]) {
 
2497			rcpts[o.Recipient] = o.Submitted
 
2502		return -1, -1, fmt.Errorf("querying message recipients in past 24h: %w", err)
 
2504	if n+len(recipients) > msgmax {
 
2505		return msgmax, -1, nil
 
2508	// Only check if max first-time recipients is reached if there are enough messages
 
2509	// to trigger the limit.
 
2510	if n+len(recipients) < rcptmax {
 
2514	isFirstTime := func(rcpt string, before time.Time) (bool, error) {
 
2515		exists, err := bstore.QueryTx[Outgoing](tx).FilterNonzero(Outgoing{Recipient: rcpt}).FilterLess("Submitted", before).Exists()
 
2521	for _, r := range recipients {
 
2522		if first, err := isFirstTime(r.XString(true), now); err != nil {
 
2523			return -1, -1, fmt.Errorf("checking whether recipient is first-time: %v", err)
 
2528	for r, t := range rcpts {
 
2529		if first, err := isFirstTime(r, t); err != nil {
 
2530			return -1, -1, fmt.Errorf("checking whether recipient is first-time: %v", err)
 
2535	if firsttime > rcptmax {
 
2536		return -1, rcptmax, nil
 
2541// MailboxCreate creates a new mailbox, including any missing parent mailboxes,
 
2542// the total list of created mailboxes is returned in created. On success, if
 
2543// exists is false and rerr nil, the changes must be broadcasted by the caller.
 
2545// Name must be in normalized form.
 
2546func (a *Account) MailboxCreate(tx *bstore.Tx, name string) (changes []Change, created []string, exists bool, rerr error) {
 
2547	elems := strings.Split(name, "/")
 
2549	for i, elem := range elems {
 
2554		exists, err := a.MailboxExists(tx, p)
 
2556			return nil, nil, false, fmt.Errorf("checking if mailbox exists")
 
2559			if i == len(elems)-1 {
 
2560				return nil, nil, true, fmt.Errorf("mailbox already exists")
 
2564		_, nchanges, err := a.MailboxEnsure(tx, p, true)
 
2566			return nil, nil, false, fmt.Errorf("ensuring mailbox exists")
 
2568		changes = append(changes, nchanges...)
 
2569		created = append(created, p)
 
2571	return changes, created, false, nil
 
2574// MailboxRename renames mailbox mbsrc to dst, and any missing parents for the
 
2575// destination, and any children of mbsrc and the destination.
 
2577// Names must be normalized and cannot be Inbox.
 
2578func (a *Account) MailboxRename(tx *bstore.Tx, mbsrc Mailbox, dst string) (changes []Change, isInbox, notExists, alreadyExists bool, rerr error) {
 
2579	if mbsrc.Name == "Inbox" || dst == "Inbox" {
 
2580		return nil, true, false, false, fmt.Errorf("inbox cannot be renamed")
 
2583	// We gather existing mailboxes that we need for deciding what to create/delete/update.
 
2584	q := bstore.QueryTx[Mailbox](tx)
 
2585	srcPrefix := mbsrc.Name + "/"
 
2586	dstRoot := strings.SplitN(dst, "/", 2)[0]
 
2587	dstRootPrefix := dstRoot + "/"
 
2588	q.FilterFn(func(mb Mailbox) bool {
 
2589		return mb.Name == mbsrc.Name || strings.HasPrefix(mb.Name, srcPrefix) || mb.Name == dstRoot || strings.HasPrefix(mb.Name, dstRootPrefix)
 
2591	q.SortAsc("Name") // We'll rename the parents before children.
 
2594		return nil, false, false, false, fmt.Errorf("listing relevant mailboxes: %v", err)
 
2597	mailboxes := map[string]Mailbox{}
 
2598	for _, mb := range l {
 
2599		mailboxes[mb.Name] = mb
 
2602	if _, ok := mailboxes[mbsrc.Name]; !ok {
 
2603		return nil, false, true, false, fmt.Errorf("mailbox does not exist")
 
2606	uidval, err := a.NextUIDValidity(tx)
 
2608		return nil, false, false, false, fmt.Errorf("next uid validity: %v", err)
 
2611	// Ensure parent mailboxes for the destination paths exist.
 
2613	dstElems := strings.Split(dst, "/")
 
2614	for i, elem := range dstElems[:len(dstElems)-1] {
 
2620		mb, ok := mailboxes[parent]
 
2628			UIDValidity: uidval,
 
2632		if err := tx.Insert(&mb); err != nil {
 
2633			return nil, false, false, false, fmt.Errorf("creating parent mailbox %q: %v", mb.Name, err)
 
2635		if err := tx.Get(&Subscription{Name: parent}); err != nil {
 
2636			if err := tx.Insert(&Subscription{Name: parent}); err != nil {
 
2637				return nil, false, false, false, fmt.Errorf("creating subscription for %q: %v", parent, err)
 
2640		changes = append(changes, ChangeAddMailbox{Mailbox: mb, Flags: []string{`\Subscribed`}})
 
2643	// Process src mailboxes, renaming them to dst.
 
2644	for _, srcmb := range l {
 
2645		if srcmb.Name != mbsrc.Name && !strings.HasPrefix(srcmb.Name, srcPrefix) {
 
2648		srcName := srcmb.Name
 
2649		dstName := dst + srcmb.Name[len(mbsrc.Name):]
 
2650		if _, ok := mailboxes[dstName]; ok {
 
2651			return nil, false, false, true, fmt.Errorf("destination mailbox %q already exists", dstName)
 
2654		srcmb.Name = dstName
 
2655		srcmb.UIDValidity = uidval
 
2656		if err := tx.Update(&srcmb); err != nil {
 
2657			return nil, false, false, false, fmt.Errorf("renaming mailbox: %v", err)
 
2660		var dstFlags []string
 
2661		if tx.Get(&Subscription{Name: dstName}) == nil {
 
2662			dstFlags = []string{`\Subscribed`}
 
2664		changes = append(changes, ChangeRenameMailbox{MailboxID: srcmb.ID, OldName: srcName, NewName: dstName, Flags: dstFlags})
 
2667	// If we renamed e.g. a/b to a/b/c/d, and a/b/c to a/b/c/d/c, we'll have to recreate a/b and a/b/c.
 
2668	srcElems := strings.Split(mbsrc.Name, "/")
 
2670	for i := 0; i < len(dstElems) && strings.HasPrefix(dst, xsrc+"/"); i++ {
 
2672			UIDValidity: uidval,
 
2677		if err := tx.Insert(&mb); err != nil {
 
2678			return nil, false, false, false, fmt.Errorf("creating mailbox at old path %q: %v", mb.Name, err)
 
2680		xsrc += "/" + dstElems[len(srcElems)+i]
 
2682	return changes, false, false, false, nil
 
2685// MailboxDelete deletes a mailbox by ID. If it has children, the return value
 
2686// indicates that and an error is returned.
 
2688// Caller should broadcast the changes and remove files for the removed message IDs.
 
2689func (a *Account) MailboxDelete(ctx context.Context, log mlog.Log, tx *bstore.Tx, mailbox Mailbox) (changes []Change, removeMessageIDs []int64, hasChildren bool, rerr error) {
 
2690	// Look for existence of child mailboxes. There is a lot of text in the IMAP RFCs about
 
2691	// NoInferior and NoSelect. We just require only leaf mailboxes are deleted.
 
2692	qmb := bstore.QueryTx[Mailbox](tx)
 
2693	mbprefix := mailbox.Name + "/"
 
2694	qmb.FilterFn(func(mb Mailbox) bool {
 
2695		return strings.HasPrefix(mb.Name, mbprefix)
 
2697	if childExists, err := qmb.Exists(); err != nil {
 
2698		return nil, nil, false, fmt.Errorf("checking if mailbox has child: %v", err)
 
2699	} else if childExists {
 
2700		return nil, nil, true, fmt.Errorf("mailbox has a child, only leaf mailboxes can be deleted")
 
2703	// todo jmap: instead of completely deleting a mailbox and its messages, we need to mark them all as expunged.
 
2705	qm := bstore.QueryTx[Message](tx)
 
2706	qm.FilterNonzero(Message{MailboxID: mailbox.ID})
 
2707	remove, err := qm.List()
 
2709		return nil, nil, false, fmt.Errorf("listing messages to remove: %v", err)
 
2712	if len(remove) > 0 {
 
2713		removeIDs := make([]any, len(remove))
 
2714		for i, m := range remove {
 
2717		qmr := bstore.QueryTx[Recipient](tx)
 
2718		qmr.FilterEqual("MessageID", removeIDs...)
 
2719		if _, err = qmr.Delete(); err != nil {
 
2720			return nil, nil, false, fmt.Errorf("removing message recipients for messages: %v", err)
 
2723		qm = bstore.QueryTx[Message](tx)
 
2724		qm.FilterNonzero(Message{MailboxID: mailbox.ID})
 
2725		if _, err := qm.Delete(); err != nil {
 
2726			return nil, nil, false, fmt.Errorf("removing messages: %v", err)
 
2730		for _, m := range remove {
 
2732				removeMessageIDs = append(removeMessageIDs, m.ID)
 
2736		if err := a.AddMessageSize(log, tx, -totalSize); err != nil {
 
2737			return nil, nil, false, fmt.Errorf("updating disk usage: %v", err)
 
2740		// Mark messages as not needing training. Then retrain them, so they are untrained if they were.
 
2743		for _, m := range remove {
 
2746				remove[o].Junk = false
 
2747				remove[o].Notjunk = false
 
2752		if err := a.RetrainMessages(ctx, log, tx, remove, true); err != nil {
 
2753			return nil, nil, false, fmt.Errorf("untraining deleted messages: %v", err)
 
2757	if err := tx.Delete(&Mailbox{ID: mailbox.ID}); err != nil {
 
2758		return nil, nil, false, fmt.Errorf("removing mailbox: %v", err)
 
2760	return []Change{ChangeRemoveMailbox{MailboxID: mailbox.ID, Name: mailbox.Name}}, removeMessageIDs, false, nil
 
2763// CheckMailboxName checks if name is valid, returning an INBOX-normalized name.
 
2764// I.e. it changes various casings of INBOX and INBOX/* to Inbox and Inbox/*.
 
2765// Name is invalid if it contains leading/trailing/double slashes, or when it isn't
 
2766// unicode-normalized, or when empty or has special characters.
 
2768// If name is the inbox, and allowInbox is false, this is indicated with the isInbox return parameter.
 
2769// For that case, and for other invalid names, an error is returned.
 
2770func CheckMailboxName(name string, allowInbox bool) (normalizedName string, isInbox bool, rerr error) {
 
2771	first := strings.SplitN(name, "/", 2)[0]
 
2772	if strings.EqualFold(first, "inbox") {
 
2773		if len(name) == len("inbox") && !allowInbox {
 
2774			return "", true, fmt.Errorf("special mailbox name Inbox not allowed")
 
2776		name = "Inbox" + name[len("Inbox"):]
 
2779	if norm.NFC.String(name) != name {
 
2780		return "", false, errors.New("non-unicode-normalized mailbox names not allowed")
 
2784		return "", false, errors.New("empty mailbox name")
 
2786	if strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") || strings.Contains(name, "//") {
 
2787		return "", false, errors.New("bad slashes in mailbox name")
 
2790	// "%" and "*" are difficult to use with the IMAP LIST command, but we allow mostly
 
2792	if strings.HasPrefix(name, "#") {
 
2793		return "", false, errors.New("mailbox name cannot start with hash due to conflict with imap namespaces")
 
2796	// "#" and "&" are special in IMAP mailbox names. "#" for namespaces, "&" for
 
2799	for _, c := range name {
 
2801		if c <= 0x1f || c >= 0x7f && c <= 0x9f || c == 0x2028 || c == 0x2029 {
 
2802			return "", false, errors.New("control characters not allowed in mailbox name")
 
2805	return name, false, nil