1// Package webapisrv implements the server-side of the webapi.
 
4// In a separate package from webapi, so webapi.Client can be used and imported
 
5// without including all mox internals. Documentation for the functions is in
 
11	cryptorand "crypto/rand"
 
16	htmltemplate "html/template"
 
29	"github.com/prometheus/client_golang/prometheus"
 
30	"github.com/prometheus/client_golang/prometheus/promauto"
 
32	"github.com/mjl-/bstore"
 
34	"github.com/mjl-/mox/dkim"
 
35	"github.com/mjl-/mox/dns"
 
36	"github.com/mjl-/mox/message"
 
37	"github.com/mjl-/mox/metrics"
 
38	"github.com/mjl-/mox/mlog"
 
39	"github.com/mjl-/mox/mox-"
 
40	"github.com/mjl-/mox/moxio"
 
41	"github.com/mjl-/mox/moxvar"
 
42	"github.com/mjl-/mox/queue"
 
43	"github.com/mjl-/mox/smtp"
 
44	"github.com/mjl-/mox/store"
 
45	"github.com/mjl-/mox/webapi"
 
46	"github.com/mjl-/mox/webauth"
 
47	"github.com/mjl-/mox/webops"
 
50var pkglog = mlog.New("webapi", nil)
 
53	// Similar between ../webmail/webmail.go:/metricSubmission and ../smtpserver/server.go:/metricSubmission and ../webapisrv/server.go:/metricSubmission
 
54	metricSubmission = promauto.NewCounterVec(
 
55		prometheus.CounterOpts{
 
56			Name: "mox_webapi_submission_total",
 
57			Help: "Webapi message submission results, known values (those ending with error are server errors): ok, badfrom, messagelimiterror, recipientlimiterror, queueerror, storesenterror.",
 
63	metricServerErrors = promauto.NewCounterVec(
 
64		prometheus.CounterOpts{
 
65			Name: "mox_webapi_errors_total",
 
66			Help: "Webapi server errors, known values: dkimsign, submit.",
 
72	metricResults = promauto.NewCounterVec(
 
73		prometheus.CounterOpts{
 
74			Name: "mox_webapi_results_total",
 
75			Help: "HTTP webapi results by method and result.",
 
77		[]string{"method", "result"}, // result: "badauth", "ok", or error code
 
79	metricDuration = promauto.NewHistogramVec(
 
80		prometheus.HistogramOpts{
 
81			Name:    "mox_webapi_duration_seconds",
 
82			Help:    "HTTP webhook call duration.",
 
83			Buckets: []float64{0.01, 0.05, 0.1, 0.5, 1, 5, 10, 20, 30},
 
89// We pass the request to the handler so the TLS info can be used for
 
90// the Received header in submitted messages. Most API calls need just the
 
94var requestInfoCtxKey ctxKey = "requestInfo"
 
96type requestInfo struct {
 
99	Account      *store.Account
 
100	Response     http.ResponseWriter // For setting headers for non-JSON responses.
 
101	Request      *http.Request       // For Proto and TLS connection state during message submit.
 
104// todo: show a curl invocation on the method pages
 
106var docsMethodTemplate = htmltemplate.Must(htmltemplate.New("method").Parse(`<!doctype html>
 
108		<meta charset="utf-8" />
 
109		<meta name="robots" content="noindex,nofollow" />
 
110		<title>Method {{ .Method }} - WebAPI - Mox</title>
 
112body, html { padding: 1em; font-size: 16px; }
 
113* { font-size: inherit; font-family: ubuntu, lato, sans-serif; margin: 0; padding: 0; box-sizing: border-box; }
 
114h1, h2, h3, h4 { margin-bottom: 1ex; }
 
115h1 { font-size: 1.2rem; }
 
116h2 { font-size: 1.1rem; }
 
117h3, h4 { font-size: 1rem; }
 
118ul { padding-left: 1rem; }
 
119p { margin-bottom: 1em; max-width: 50em; }
 
120[title] { text-decoration: underline; text-decoration-style: dotted; }
 
121fieldset { border: 0; }
 
122textarea { width: 100%; max-width: 50em; }
 
126		<h1><a href="../">WebAPI</a> - Method {{ .Method }}</h1>
 
127		<form id="webapicall" method="POST">
 
128			<fieldset id="webapifieldset">
 
129				<h2>Request JSON</h2>
 
130				<div><textarea id="webapirequest" name="request" required rows="20">{{ .Request }}</textarea></div>
 
133					<button type="reset">Reset</button>
 
134					<button type="submit">Call</button>
 
137{{ if .ReturnsBytes }}
 
138				<p>Method has a non-JSON response.</p>
 
140				<h2>Response JSON</h2>
 
141				<div><textarea id="webapiresponse" rows="20">{{ .Response }}</textarea></div>
 
146window.addEventListener('load', () => {
 
147	window.webapicall.addEventListener('submit', async (e) => {
 
155			req = JSON.parse(window.webapirequest.value)
 
157			window.alert('Error parsing request: ' + err.message)
 
162			window.alert('Empty request')
 
167		if ({{ .ReturnsBytes }}) {
 
168			// Just POST to this URL.
 
173		// Do call ourselves, get response and put it in the response textarea.
 
174		window.webapifieldset.disabled = true
 
175		let data = new window.FormData()
 
176		data.append("request", window.webapirequest.value)
 
178			const response = await fetch("{{ .Method }}", {body: data, method: "POST"})
 
179			const text = await response.text()
 
181				window.webapiresponse.value = JSON.stringify(JSON.parse(text), undefined, '\t')
 
183				window.webapiresponse.value = text
 
186			window.alert('Error: ' + err.message)
 
188			window.webapifieldset.disabled = false
 
201	mt := reflect.TypeFor[webapi.Methods]()
 
203	for i := 0; i < n; i++ {
 
204		methods = append(methods, mt.Method(i).Name)
 
206	docsIndexTmpl := htmltemplate.Must(htmltemplate.New("index").Parse(`<!doctype html>
 
209		<meta charset="utf-8" />
 
210		<meta name="robots" content="noindex,nofollow" />
 
211		<title>Webapi - Mox</title>
 
213body, html { padding: 1em; font-size: 16px; }
 
214* { font-size: inherit; font-family: ubuntu, lato, sans-serif; margin: 0; padding: 0; box-sizing: border-box; }
 
215h1, h2, h3, h4 { margin-bottom: 1ex; }
 
216h1 { font-size: 1.2rem; }
 
217h2 { font-size: 1.1rem; }
 
218h3, h4 { font-size: 1rem; }
 
219ul { padding-left: 1rem; }
 
220p { margin-bottom: 1em; max-width: 50em; }
 
221[title] { text-decoration: underline; text-decoration-style: dotted; }
 
222fieldset { border: 0; }
 
226		<h1>Webapi and webhooks</h1>
 
227		<p>The mox webapi is a simple HTTP/JSON-based API for sending messages and processing incoming messages.</p>
 
228		<p>Configure webhooks in mox to receive notifications about outgoing delivery event, and/or incoming deliveries of messages.</p>
 
229		<p>Documentation and examples:</p>
 
230		<p><a href="{{ .WebapiDocsURL }}">{{ .WebapiDocsURL }}</a></p>
 
232		<p>The methods below are available in this version of mox. Follow a link for an example request/response JSON, and a button to make an API call.</p>
 
234{{ range $i, $method := .Methods }}
 
235			<li><a href="{{ $method }}">{{ $method }}</a></li>
 
241	webapiDocsURL := "https://pkg.go.dev/github.com/mjl-/mox@" + moxvar.VersionBare + "/webapi/"
 
242	webhookDocsURL := "https://pkg.go.dev/github.com/mjl-/mox@" + moxvar.VersionBare + "/webhook/"
 
243	indexArgs := struct {
 
245		WebhookDocsURL string
 
247	}{webapiDocsURL, webhookDocsURL, methods}
 
249	err := docsIndexTmpl.Execute(&b, indexArgs)
 
251		panic("executing api docs index template: " + err.Error())
 
253	docsIndex = b.Bytes()
 
255	mox.NewWebapiHandler = func(maxMsgSize int64, basePath string, isForwarded bool) http.Handler {
 
256		return NewServer(maxMsgSize, basePath, isForwarded)
 
260// NewServer returns a new http.Handler for a webapi server.
 
261func NewServer(maxMsgSize int64, path string, isForwarded bool) http.Handler {
 
262	return server{maxMsgSize, path, isForwarded}
 
265// server implements the webapi methods.
 
267	maxMsgSize  int64  // Of outgoing messages.
 
268	path        string // Path webapi is configured under, typically /webapi/, with methods at /webapi/v0/<method>.
 
269	isForwarded bool   // Whether incoming requests are reverse-proxied. Used for getting remote IPs for rate limiting.
 
272var _ webapi.Methods = server{}
 
274// ServeHTTP implements http.Handler.
 
275func (s server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
276	log := pkglog.WithContext(r.Context()) // Take cid from webserver.
 
278	// Send requests to /webapi/ to /webapi/v0/.
 
279	if r.URL.Path == "/" {
 
280		if r.Method != "GET" {
 
281			http.Error(w, "405 - method not allow", http.StatusMethodNotAllowed)
 
284		http.Redirect(w, r, s.path+"v0/", http.StatusSeeOther)
 
287	// Serve short introduction and list to methods at /webapi/v0/.
 
288	if r.URL.Path == "/v0/" {
 
289		w.Header().Set("Content-Type", "text/html; charset=utf-8")
 
294	// Anything else must be a method endpoint.
 
295	if !strings.HasPrefix(r.URL.Path, "/v0/") {
 
299	fn := r.URL.Path[len("/v0/"):]
 
300	log = log.With(slog.String("method", fn))
 
301	rfn := reflect.ValueOf(s).MethodByName(fn)
 
302	var zero reflect.Value
 
303	if rfn == zero || rfn.Type().NumIn() != 2 || rfn.Type().NumOut() != 2 {
 
304		log.Debug("unknown webapi method")
 
309	// GET on method returns an example request JSON, a button to call the method,
 
310	// which either fills a textarea with the response (in case of JSON) or posts to
 
311	// the URL letting the browser handle the response (e.g. raw message or part).
 
312	if r.Method == "GET" {
 
313		formatJSON := func(v any) (string, error) {
 
315			enc := json.NewEncoder(&b)
 
316			enc.SetIndent("", "\t")
 
317			enc.SetEscapeHTML(false)
 
319			return string(b.String()), err
 
322		req, err := formatJSON(mox.FillExample(nil, reflect.New(rfn.Type().In(1))).Interface())
 
324			log.Errorx("formatting request as json", err)
 
325			http.Error(w, "500 - internal server error - marshal request: "+err.Error(), http.StatusInternalServerError)
 
328		// todo: could check for io.ReadCloser, but we don't return other interfaces than that one.
 
329		returnsBytes := rfn.Type().Out(0).Kind() == reflect.Interface
 
332			resp, err = formatJSON(mox.FillExample(nil, reflect.New(rfn.Type().Out(0))).Interface())
 
334				log.Errorx("formatting response as json", err)
 
335				http.Error(w, "500 - internal server error - marshal response: "+err.Error(), http.StatusInternalServerError)
 
344		}{fn, req, resp, returnsBytes}
 
345		w.Header().Set("Content-Type", "text/html; charset=utf-8")
 
346		err = docsMethodTemplate.Execute(w, args)
 
347		log.Check(err, "executing webapi method template")
 
349	} else if r.Method != "POST" {
 
350		http.Error(w, "405 - method not allowed - use get or post", http.StatusMethodNotAllowed)
 
354	// Account is available during call, but we close it before we start writing a
 
355	// response, to prevent slow readers from holding a reference for a long time.
 
356	var acc *store.Account
 
357	closeAccount := func() {
 
360			log.Check(err, "closing account")
 
366	email, password, aok := r.BasicAuth()
 
368		metricResults.WithLabelValues(fn, "badauth").Inc()
 
369		log.Debug("missing http basic authentication credentials")
 
370		w.Header().Set("WWW-Authenticate", "Basic realm=webapi")
 
371		http.Error(w, "401 - unauthorized - use http basic auth with email address as username", http.StatusUnauthorized)
 
374	log = log.With(slog.String("username", email))
 
378	// If remote IP/network resulted in too many authentication failures, refuse to serve.
 
379	remoteIP := webauth.RemoteIP(log, s.isForwarded, r)
 
381		metricResults.WithLabelValues(fn, "internal").Inc()
 
382		log.Debug("cannot find remote ip for rate limiter")
 
383		http.Error(w, "500 - internal server error - cannot find remote ip", http.StatusInternalServerError)
 
386	if !mox.LimiterFailedAuth.CanAdd(remoteIP, t0, 1) {
 
387		metrics.AuthenticationRatelimitedInc("webapi")
 
388		log.Debug("refusing connection due to many auth failures", slog.Any("remoteip", remoteIP))
 
389		http.Error(w, "429 - too many auth attempts", http.StatusTooManyRequests)
 
393	writeError := func(err webapi.Error) {
 
395		metricResults.WithLabelValues(fn, err.Code).Inc()
 
397		if err.Code == "server" {
 
398			log.Errorx("webapi call result", err, slog.String("resultcode", err.Code))
 
400			log.Infox("webapi call result", err, slog.String("resultcode", err.Code))
 
403		w.Header().Set("Content-Type", "application/json; charset=utf-8")
 
404		w.WriteHeader(http.StatusBadRequest)
 
405		enc := json.NewEncoder(w)
 
406		enc.SetEscapeHTML(false)
 
407		werr := enc.Encode(err)
 
408		if werr != nil && !moxio.IsClosed(werr) {
 
409			log.Infox("writing error response", werr)
 
413	// Called for all successful JSON responses, not non-JSON responses.
 
414	writeResponse := func(resp any) {
 
416		metricResults.WithLabelValues(fn, "ok").Inc()
 
417		log.Debug("webapi call result", slog.String("resultcode", "ok"))
 
418		w.Header().Set("Content-Type", "application/json; charset=utf-8")
 
419		enc := json.NewEncoder(w)
 
420		enc.SetEscapeHTML(false)
 
421		werr := enc.Encode(resp)
 
422		if werr != nil && !moxio.IsClosed(werr) {
 
423			log.Infox("writing error response", werr)
 
427	authResult := "error"
 
429		metricDuration.WithLabelValues(fn).Observe(float64(time.Since(t0)) / float64(time.Second))
 
430		metrics.AuthenticationInc("webapi", "httpbasic", authResult)
 
434	acc, err = store.OpenEmailAuth(log, email, password)
 
436		mox.LimiterFailedAuth.Add(remoteIP, t0, 1)
 
437		if errors.Is(err, mox.ErrDomainNotFound) || errors.Is(err, mox.ErrAddressNotFound) || errors.Is(err, store.ErrUnknownCredentials) {
 
438			log.Debug("bad http basic authentication credentials")
 
439			metricResults.WithLabelValues(fn, "badauth").Inc()
 
440			authResult = "badcreds"
 
441			w.Header().Set("WWW-Authenticate", "Basic realm=webapi")
 
442			http.Error(w, "401 - unauthorized - use http basic auth with email address as username", http.StatusUnauthorized)
 
445		writeError(webapi.Error{Code: "server", Message: "error verifying credentials"})
 
449	mox.LimiterFailedAuth.Reset(remoteIP, t0)
 
451	ct := r.Header.Get("Content-Type")
 
452	ct, _, err = mime.ParseMediaType(ct)
 
454		writeError(webapi.Error{Code: "protocol", Message: "unknown content-type " + r.Header.Get("Content-Type")})
 
457	if ct == "multipart/form-data" {
 
458		err = r.ParseMultipartForm(200 * 1024)
 
463		writeError(webapi.Error{Code: "protocol", Message: "parsing form: " + err.Error()})
 
467	reqstr := r.PostFormValue("request")
 
469		writeError(webapi.Error{Code: "protocol", Message: "missing/empty request"})
 
478		if err, eok := x.(webapi.Error); eok {
 
482		log.Error("unhandled panic in webapi call", slog.Any("x", x), slog.String("resultcode", "server"))
 
483		metrics.PanicInc(metrics.Webapi)
 
485		writeError(webapi.Error{Code: "server", Message: "unhandled error"})
 
487	req := reflect.New(rfn.Type().In(1))
 
488	dec := json.NewDecoder(strings.NewReader(reqstr))
 
489	dec.DisallowUnknownFields()
 
490	if err := dec.Decode(req.Interface()); err != nil {
 
491		writeError(webapi.Error{Code: "protocol", Message: fmt.Sprintf("parsing request: %s", err)})
 
495	reqInfo := requestInfo{log, email, acc, w, r}
 
496	nctx := context.WithValue(r.Context(), requestInfoCtxKey, reqInfo)
 
497	resp := rfn.Call([]reflect.Value{reflect.ValueOf(nctx), req.Elem()})
 
498	if !resp[1].IsZero() {
 
500		err := resp[1].Interface().(error)
 
501		if x, eok := err.(webapi.Error); eok {
 
504			e = webapi.Error{Code: "error", Message: err.Error()}
 
509	rc, ok := resp[0].Interface().(io.ReadCloser)
 
511		rv, _ := mox.FillNil(resp[0])
 
512		writeResponse(rv.Interface())
 
516	log.Debug("webapi call result", slog.String("resultcode", "ok"))
 
517	metricResults.WithLabelValues(fn, "ok").Inc()
 
519	if _, err := io.Copy(w, rc); err != nil && !moxio.IsClosed(err) {
 
520		log.Errorx("writing response to client", err)
 
524func xcheckf(err error, format string, args ...any) {
 
526		msg := fmt.Sprintf(format, args...)
 
527		panic(webapi.Error{Code: "server", Message: fmt.Sprintf("%s: %s", msg, err)})
 
531func xcheckuserf(err error, format string, args ...any) {
 
533		msg := fmt.Sprintf(format, args...)
 
534		panic(webapi.Error{Code: "user", Message: fmt.Sprintf("%s: %s", msg, err)})
 
538func xdbwrite(ctx context.Context, acc *store.Account, fn func(tx *bstore.Tx)) {
 
539	err := acc.DB.Write(ctx, func(tx *bstore.Tx) error {
 
543	xcheckf(err, "transaction")
 
546func xdbread(ctx context.Context, acc *store.Account, fn func(tx *bstore.Tx)) {
 
547	err := acc.DB.Read(ctx, func(tx *bstore.Tx) error {
 
551	xcheckf(err, "transaction")
 
554func xcheckcontrol(s string) {
 
555	for _, c := range s {
 
557			xcheckuserf(errors.New("control characters not allowed"), "checking header values")
 
562func xparseAddress(addr string) smtp.Address {
 
563	a, err := smtp.ParseAddress(addr)
 
565		panic(webapi.Error{Code: "badAddress", Message: fmt.Sprintf("parsing address %q: %s", addr, err)})
 
570func xparseAddresses(l []webapi.NameAddress) ([]message.NameAddress, []smtp.Path) {
 
571	r := make([]message.NameAddress, len(l))
 
572	paths := make([]smtp.Path, len(l))
 
573	for i, a := range l {
 
574		xcheckcontrol(a.Name)
 
575		addr := xparseAddress(a.Address)
 
576		r[i] = message.NameAddress{DisplayName: a.Name, Address: addr}
 
577		paths[i] = addr.Path()
 
582func xrandomID(n int) string {
 
583	return base64.RawURLEncoding.EncodeToString(xrandom(n))
 
586func xrandom(n int) []byte {
 
587	buf := make([]byte, n)
 
588	x, err := cryptorand.Read(buf)
 
592		panic("short random read")
 
597func (s server) Send(ctx context.Context, req webapi.SendRequest) (resp webapi.SendResult, err error) {
 
598	// Similar between ../smtpserver/server.go:/submit\( and ../webmail/api.go:/MessageSubmit\( and ../webapisrv/server.go:/Send\(
 
600	reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)
 
602	acc := reqInfo.Account
 
606	accConf, _ := acc.Conf()
 
608	if m.Text == "" && m.HTML == "" {
 
609		return resp, webapi.Error{Code: "missingBody", Message: "at least text or html body required"}
 
612	if len(m.From) == 0 {
 
613		m.From = []webapi.NameAddress{{Name: accConf.FullName, Address: reqInfo.LoginAddress}}
 
614	} else if len(m.From) > 1 {
 
615		return resp, webapi.Error{Code: "multipleFrom", Message: "multiple from-addresses not allowed"}
 
617	froms, fromPaths := xparseAddresses(m.From)
 
618	from, fromPath := froms[0], fromPaths[0]
 
619	to, toPaths := xparseAddresses(m.To)
 
620	cc, ccPaths := xparseAddresses(m.CC)
 
621	bcc, bccPaths := xparseAddresses(m.BCC)
 
623	recipients := append(append(toPaths, ccPaths...), bccPaths...)
 
624	addresses := append(append(m.To, m.CC...), m.BCC...)
 
626	// Check if from address is allowed for account.
 
627	if !mox.AllowMsgFrom(acc.Name, from.Address) {
 
628		metricSubmission.WithLabelValues("badfrom").Inc()
 
629		return resp, webapi.Error{Code: "badFrom", Message: "from-address not configured for account"}
 
632	if len(recipients) == 0 {
 
633		return resp, webapi.Error{Code: "noRecipients", Message: "no recipients"}
 
636	// Check outgoing message rate limit.
 
637	xdbread(ctx, acc, func(tx *bstore.Tx) {
 
638		msglimit, rcptlimit, err := acc.SendLimitReached(tx, recipients)
 
640			metricSubmission.WithLabelValues("messagelimiterror").Inc()
 
641			panic(webapi.Error{Code: "messageLimitReached", Message: "outgoing message rate limit reached"})
 
642		} else if rcptlimit >= 0 {
 
643			metricSubmission.WithLabelValues("recipientlimiterror").Inc()
 
644			panic(webapi.Error{Code: "recipientLimitReached", Message: "outgoing new recipient rate limit reached"})
 
646		xcheckf(err, "checking send limit")
 
649	// If we have a non-ascii localpart, we will be sending with smtputf8. We'll go
 
651	intl := func(l []smtp.Path) bool {
 
652		for _, p := range l {
 
653			if p.Localpart.IsInternational() {
 
659	smtputf8 := intl([]smtp.Path{fromPath}) || intl(toPaths) || intl(ccPaths) || intl(bccPaths)
 
661	replyTos, replyToPaths := xparseAddresses(m.ReplyTo)
 
662	for _, rt := range replyToPaths {
 
663		if rt.Localpart.IsInternational() {
 
668	// Create file to compose message into.
 
669	dataFile, err := store.CreateMessageTemp(log, "webapi-submit")
 
670	xcheckf(err, "creating temporary file for message")
 
671	defer store.CloseRemoveTempFile(log, dataFile, "message to submit")
 
673	// If writing to the message file fails, we abort immediately.
 
674	xc := message.NewComposer(dataFile, s.maxMsgSize, smtputf8)
 
680		if err, ok := x.(error); ok && errors.Is(err, message.ErrMessageSize) {
 
681			panic(webapi.Error{Code: "messageTooLarge", Message: "message too large"})
 
682		} else if ok && errors.Is(err, message.ErrCompose) {
 
683			xcheckf(err, "making message")
 
688	// Each queued message gets a Received header.
 
689	// We cannot use VIA, because there is no registered method. We would like to use
 
690	// it to add the ascii domain name in case of smtputf8 and IDNA host name.
 
691	// We don't add the IP address of the submitter. Exposing likely not desirable.
 
692	recvFrom := message.HeaderCommentDomain(mox.Conf.Static.HostnameDomain, smtputf8)
 
693	recvBy := mox.Conf.Static.HostnameDomain.XName(smtputf8)
 
694	recvID := mox.ReceivedID(mox.CidFromCtx(ctx))
 
695	recvHdrFor := func(rcptTo string) string {
 
696		recvHdr := &message.HeaderWriter{}
 
697		// For additional Received-header clauses, see:
 
698		// https://www.iana.org/assignments/mail-parameters/mail-parameters.xhtml#table-mail-parameters-8
 
699		// Note: we don't have "via" or "with", there is no registered for webmail.
 
700		recvHdr.Add(" ", "Received:", "from", recvFrom, "by", recvBy, "id", recvID) // 
../rfc/5321:3158 
701		if reqInfo.Request.TLS != nil {
 
702			recvHdr.Add(" ", mox.TLSReceivedComment(log, *reqInfo.Request.TLS)...)
 
704		recvHdr.Add(" ", "for", "<"+rcptTo+">;", time.Now().Format(message.RFC5322Z))
 
705		return recvHdr.String()
 
708	// Outer message headers.
 
709	xc.HeaderAddrs("From", []message.NameAddress{from})
 
710	if len(replyTos) > 0 {
 
711		xc.HeaderAddrs("Reply-To", replyTos)
 
713	xc.HeaderAddrs("To", to)
 
714	xc.HeaderAddrs("Cc", cc)
 
715	// We prepend Bcc headers to the message when adding to the Sent mailbox.
 
717		xcheckcontrol(m.Subject)
 
718		xc.Subject(m.Subject)
 
727	xc.Header("Date", date.Format(message.RFC5322Z))
 
729	if m.MessageID == "" {
 
730		m.MessageID = fmt.Sprintf("<%s>", mox.MessageIDGen(smtputf8))
 
731	} else if !strings.HasPrefix(m.MessageID, "<") || !strings.HasSuffix(m.MessageID, ">") {
 
732		return resp, webapi.Error{Code: "malformedMessageID", Message: "missing <> in message-id"}
 
734	xcheckcontrol(m.MessageID)
 
735	xc.Header("Message-Id", m.MessageID)
 
737	if len(m.References) > 0 {
 
738		for _, ref := range m.References {
 
740			// We don't check for <>'s. If caller just puts in what they got, we don't want to
 
741			// reject the message.
 
743		xc.Header("References", strings.Join(m.References, "\r\n\t"))
 
744		xc.Header("In-Reply-To", m.References[len(m.References)-1])
 
746	xc.Header("MIME-Version", "1.0")
 
748	var haveUserAgent bool
 
749	for _, kv := range req.Headers {
 
752		xc.Header(kv[0], kv[1])
 
753		if strings.EqualFold(kv[0], "User-Agent") || strings.EqualFold(kv[0], "X-Mailer") {
 
758		xc.Header("User-Agent", "mox/"+moxvar.Version)
 
761	// Whether we have additional separately alternative/inline/attached file(s).
 
762	mpf := reqInfo.Request.MultipartForm
 
763	formAlternative := mpf != nil && len(mpf.File["alternativefile"]) > 0
 
764	formInline := mpf != nil && len(mpf.File["inlinefile"]) > 0
 
765	formAttachment := mpf != nil && len(mpf.File["attachedfile"]) > 0
 
767	// MIME structure we'll build:
 
768	// - multipart/mixed (in case of attached files)
 
769	//   - multipart/related (in case of inline files, we assume they are relevant both text and html part if present)
 
770	//     - multipart/alternative (in case we have both text and html bodies)
 
771	//       - text/plain (optional)
 
772	//       - text/html (optional)
 
773	//       - alternative file, ...
 
774	//     - inline file, ...
 
775	//   - attached file, ...
 
777	// We keep track of cur, which is where we add new parts to, whether the text or
 
778	// html part, or the inline or attached files.
 
779	var cur, mixed, related, alternative *multipart.Writer
 
780	xcreateMultipart := func(subtype string) *multipart.Writer {
 
781		mp := multipart.NewWriter(xc)
 
783			xc.Header("Content-Type", fmt.Sprintf(`multipart/%s; boundary="%s"`, subtype, mp.Boundary()))
 
786			_, err := cur.CreatePart(textproto.MIMEHeader{"Content-Type": []string{fmt.Sprintf(`multipart/%s; boundary="%s"`, subtype, mp.Boundary())}})
 
787			xcheckf(err, "adding multipart")
 
791	xcreatePart := func(header textproto.MIMEHeader) io.Writer {
 
793			for k, vl := range header {
 
794				for _, v := range vl {
 
801		p, err := cur.CreatePart(header)
 
802		xcheckf(err, "adding part")
 
805	// We create multiparts from outer structure to inner. Then for each we add its
 
806	// inner parts and close the multipart.
 
807	if len(req.AttachedFiles) > 0 || formAttachment {
 
808		mixed = xcreateMultipart("mixed")
 
811	if len(req.InlineFiles) > 0 || formInline {
 
812		related = xcreateMultipart("related")
 
815	if m.Text != "" && m.HTML != "" || len(req.AlternativeFiles) > 0 || formAlternative {
 
816		alternative = xcreateMultipart("alternative")
 
820		textBody, ct, cte := xc.TextPart("plain", m.Text)
 
821		tp := xcreatePart(textproto.MIMEHeader{"Content-Type": []string{ct}, "Content-Transfer-Encoding": []string{cte}})
 
822		_, err := tp.Write([]byte(textBody))
 
823		xcheckf(err, "write text part")
 
826		htmlBody, ct, cte := xc.TextPart("html", m.HTML)
 
827		tp := xcreatePart(textproto.MIMEHeader{"Content-Type": []string{ct}, "Content-Transfer-Encoding": []string{cte}})
 
828		_, err := tp.Write([]byte(htmlBody))
 
829		xcheckf(err, "write html part")
 
832	xaddFileBase64 := func(ct string, inline bool, filename string, cid string, base64Data string) {
 
833		h := textproto.MIMEHeader{}
 
838		cd := mime.FormatMediaType(disp, map[string]string{"filename": filename})
 
840		h.Set("Content-Type", ct)
 
841		h.Set("Content-Disposition", cd)
 
843			h.Set("Content-ID", cid)
 
845		h.Set("Content-Transfer-Encoding", "base64")
 
848		for len(base64Data) > 0 {
 
854			line, base64Data = base64Data[:n], base64Data[n:]
 
855			_, err := p.Write([]byte(line))
 
856			xcheckf(err, "writing attachment")
 
857			_, err = p.Write([]byte("\r\n"))
 
858			xcheckf(err, "writing attachment")
 
861	xaddJSONFiles := func(l []webapi.File, inline bool) {
 
862		for _, f := range l {
 
863			if f.ContentType == "" {
 
864				buf, _ := io.ReadAll(io.LimitReader(base64.NewDecoder(base64.StdEncoding, strings.NewReader(f.Data)), 512))
 
865				f.ContentType = http.DetectContentType(buf)
 
866				if f.ContentType == "application/octet-stream" {
 
871			// Ensure base64 is valid, then we'll write the original string.
 
872			_, err := io.Copy(io.Discard, base64.NewDecoder(base64.StdEncoding, strings.NewReader(f.Data)))
 
873			xcheckuserf(err, "parsing attachment as base64")
 
875			xaddFileBase64(f.ContentType, inline, f.Name, f.ContentID, f.Data)
 
878	xaddFile := func(fh *multipart.FileHeader, inline bool) {
 
880		xcheckf(err, "open uploaded file")
 
883			log.Check(err, "closing uploaded file")
 
886		ct := fh.Header.Get("Content-Type")
 
888			buf, err := io.ReadAll(io.LimitReader(f, 512))
 
890				ct = http.DetectContentType(buf)
 
892			_, err = f.Seek(0, 0)
 
893			xcheckf(err, "rewind uploaded file after content-detection")
 
894			if ct == "application/octet-stream" {
 
899		h := textproto.MIMEHeader{}
 
904		cd := mime.FormatMediaType(disp, map[string]string{"filename": fh.Filename})
 
907			h.Set("Content-Type", ct)
 
909		h.Set("Content-Disposition", cd)
 
910		cid := fh.Header.Get("Content-ID")
 
912			h.Set("Content-ID", cid)
 
914		h.Set("Content-Transfer-Encoding", "base64")
 
916		bw := moxio.Base64Writer(p)
 
917		_, err = io.Copy(bw, f)
 
918		xcheckf(err, "adding uploaded file")
 
920		xcheckf(err, "flushing uploaded file")
 
924	xaddJSONFiles(req.AlternativeFiles, true)
 
926		for _, fh := range mpf.File["alternativefile"] {
 
930	if alternative != nil {
 
936	xaddJSONFiles(req.InlineFiles, true)
 
938		for _, fh := range mpf.File["inlinefile"] {
 
947	xaddJSONFiles(req.AttachedFiles, false)
 
949		for _, fh := range mpf.File["attachedfile"] {
 
960	// Add DKIM-Signature headers.
 
962	fd := from.Address.Domain
 
963	confDom, _ := mox.Conf.Domain(fd)
 
964	selectors := mox.DKIMSelectors(confDom.DKIM)
 
965	if len(selectors) > 0 {
 
966		dkimHeaders, err := dkim.Sign(ctx, log.Logger, from.Address.Localpart, fd, selectors, smtputf8, dataFile)
 
968			metricServerErrors.WithLabelValues("dkimsign").Inc()
 
970		xcheckf(err, "sign dkim")
 
972		msgPrefix = dkimHeaders
 
975	loginAddr, err := smtp.ParseAddress(reqInfo.LoginAddress)
 
976	xcheckf(err, "parsing login address")
 
977	useFromID := slices.Contains(accConf.ParsedFromIDLoginAddresses, loginAddr)
 
978	var localpartBase string
 
980		if confDom.LocalpartCatchallSeparator == "" {
 
981			xcheckuserf(errors.New(`localpart catchall separator must be configured for domain`), `composing unique "from" address`)
 
983		localpartBase = strings.SplitN(string(fromPath.Localpart), confDom.LocalpartCatchallSeparator, 2)[0]
 
985	fromIDs := make([]string, len(recipients))
 
986	qml := make([]queue.Msg, len(recipients))
 
988	for i, rcpt := range recipients {
 
991			fromIDs[i] = xrandomID(16)
 
992			fp.Localpart = smtp.Localpart(localpartBase + confDom.LocalpartCatchallSeparator + fromIDs[i])
 
995		// Don't use per-recipient unique message prefix when multiple recipients are
 
996		// present, we want to keep the message identical.
 
998		if len(recipients) == 1 {
 
999			recvRcpt = rcpt.XString(smtputf8)
 
1001		rcptMsgPrefix := recvHdrFor(recvRcpt) + msgPrefix
 
1002		msgSize := int64(len(rcptMsgPrefix)) + xc.Size
 
1003		qm := queue.MakeMsg(fp, rcpt, xc.Has8bit, xc.SMTPUTF8, msgSize, m.MessageID, []byte(rcptMsgPrefix), req.RequireTLS, now, m.Subject)
 
1004		qm.FromID = fromIDs[i]
 
1005		qm.Extra = req.Extra
 
1006		if req.FutureRelease != nil {
 
1007			ival := time.Until(*req.FutureRelease)
 
1008			if ival > queue.FutureReleaseIntervalMax {
 
1009				xcheckuserf(fmt.Errorf("date/time can not be further than %v in the future", queue.FutureReleaseIntervalMax), "scheduling delivery")
 
1011			qm.NextAttempt = *req.FutureRelease
 
1012			qm.FutureReleaseRequest = "until;" + req.FutureRelease.Format(time.RFC3339)
 
1013			// todo: possibly add a header to the message stored in the Sent mailbox to indicate it was scheduled for later delivery.
 
1017	err = queue.Add(ctx, log, acc.Name, dataFile, qml...)
 
1019		metricSubmission.WithLabelValues("queueerror").Inc()
 
1021	xcheckf(err, "adding messages to the delivery queue")
 
1022	metricSubmission.WithLabelValues("ok").Inc()
 
1025		// Append message to Sent mailbox and mark original messages as answered/forwarded.
 
1026		acc.WithRLock(func() {
 
1027			var changes []store.Change
 
1031				if x := recover(); x != nil {
 
1033						metricServerErrors.WithLabelValues("submit").Inc()
 
1038			xdbwrite(ctx, reqInfo.Account, func(tx *bstore.Tx) {
 
1039				sentmb, err := bstore.QueryTx[store.Mailbox](tx).FilterEqual("Sent", true).Get()
 
1040				if err == bstore.ErrAbsent {
 
1041					// There is no mailbox designated as Sent mailbox, so we're done.
 
1044				xcheckf(err, "message submitted to queue, adding to Sent mailbox")
 
1046				modseq, err := acc.NextModSeq(tx)
 
1047				xcheckf(err, "next modseq")
 
1049				// If there were bcc headers, prepend those to the stored message only, before the
 
1050				// DKIM signature. The DKIM-signature oversigns the bcc header, so this stored message
 
1051				// won't validate with DKIM anymore, which is fine.
 
1053					var sb strings.Builder
 
1054					xbcc := message.NewComposer(&sb, 100*1024, smtputf8)
 
1055					xbcc.HeaderAddrs("Bcc", bcc)
 
1057					msgPrefix = sb.String() + msgPrefix
 
1060				sentm := store.Message{
 
1063					MailboxID:     sentmb.ID,
 
1064					MailboxOrigID: sentmb.ID,
 
1065					Flags:         store.Flags{Notjunk: true, Seen: true},
 
1066					Size:          int64(len(msgPrefix)) + xc.Size,
 
1067					MsgPrefix:     []byte(msgPrefix),
 
1070				if ok, maxSize, err := acc.CanAddMessageSize(tx, sentm.Size); err != nil {
 
1071					xcheckf(err, "checking quota")
 
1073					panic(webapi.Error{Code: "sentOverQuota", Message: fmt.Sprintf("message was sent, but not stored in sent mailbox due to quota of total %d bytes reached", maxSize)})
 
1076				// Update mailbox before delivery, which changes uidnext.
 
1077				sentmb.Add(sentm.MailboxCounts())
 
1078				err = tx.Update(&sentmb)
 
1079				xcheckf(err, "updating sent mailbox for counts")
 
1081				err = acc.DeliverMessage(log, tx, &sentm, dataFile, true, false, false, true)
 
1083					metricSubmission.WithLabelValues("storesenterror").Inc()
 
1086				xcheckf(err, "message submitted to queue, appending message to Sent mailbox")
 
1088				changes = append(changes, sentm.ChangeAddUID(), sentmb.ChangeCounts())
 
1091			store.BroadcastChanges(acc, changes)
 
1095	submissions := make([]webapi.Submission, len(qml))
 
1096	for i, qm := range qml {
 
1097		submissions[i] = webapi.Submission{
 
1098			Address:    addresses[i].Address,
 
1103	resp = webapi.SendResult{
 
1104		MessageID:   m.MessageID,
 
1105		Submissions: submissions,
 
1110func (s server) SuppressionList(ctx context.Context, req webapi.SuppressionListRequest) (resp webapi.SuppressionListResult, err error) {
 
1111	reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)
 
1112	resp.Suppressions, err = queue.SuppressionList(ctx, reqInfo.Account.Name)
 
1116func (s server) SuppressionAdd(ctx context.Context, req webapi.SuppressionAddRequest) (resp webapi.SuppressionAddResult, err error) {
 
1117	reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)
 
1118	addr := xparseAddress(req.EmailAddress)
 
1119	sup := webapi.Suppression{
 
1120		Account: reqInfo.Account.Name,
 
1124	err = queue.SuppressionAdd(ctx, addr.Path(), &sup)
 
1128func (s server) SuppressionRemove(ctx context.Context, req webapi.SuppressionRemoveRequest) (resp webapi.SuppressionRemoveResult, err error) {
 
1129	reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)
 
1130	addr := xparseAddress(req.EmailAddress)
 
1131	err = queue.SuppressionRemove(ctx, reqInfo.Account.Name, addr.Path())
 
1135func (s server) SuppressionPresent(ctx context.Context, req webapi.SuppressionPresentRequest) (resp webapi.SuppressionPresentResult, err error) {
 
1136	reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)
 
1137	addr := xparseAddress(req.EmailAddress)
 
1138	xcheckuserf(err, "parsing address %q", req.EmailAddress)
 
1139	sup, err := queue.SuppressionLookup(ctx, reqInfo.Account.Name, addr.Path())
 
1146func xwebapiAddresses(l []message.Address) (r []webapi.NameAddress) {
 
1147	r = make([]webapi.NameAddress, len(l))
 
1148	for i, ma := range l {
 
1149		dom, err := dns.ParseDomain(ma.Host)
 
1150		xcheckf(err, "parsing host %q for address", ma.Host)
 
1151		lp, err := smtp.ParseLocalpart(ma.User)
 
1152		xcheckf(err, "parsing localpart %q for address", ma.User)
 
1153		path := smtp.Path{Localpart: lp, IPDomain: dns.IPDomain{Domain: dom}}
 
1154		r[i] = webapi.NameAddress{Name: ma.Name, Address: path.XString(true)}
 
1159// caller should hold account lock.
 
1160func xmessageGet(ctx context.Context, acc *store.Account, msgID int64) (store.Message, store.Mailbox) {
 
1161	m := store.Message{ID: msgID}
 
1162	var mb store.Mailbox
 
1163	err := acc.DB.Read(ctx, func(tx *bstore.Tx) error {
 
1164		if err := tx.Get(&m); err == bstore.ErrAbsent || err == nil && m.Expunged {
 
1165			panic(webapi.Error{Code: "messageNotFound", Message: "message not found"})
 
1167		mb = store.Mailbox{ID: m.MailboxID}
 
1170	xcheckf(err, "get message")
 
1174func (s server) MessageGet(ctx context.Context, req webapi.MessageGetRequest) (resp webapi.MessageGetResult, err error) {
 
1175	reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)
 
1177	acc := reqInfo.Account
 
1180	var mb store.Mailbox
 
1181	var msgr *store.MsgReader
 
1182	acc.WithRLock(func() {
 
1183		m, mb = xmessageGet(ctx, acc, req.MsgID)
 
1184		msgr = acc.MessageReader(m)
 
1192	p, err := m.LoadPart(msgr)
 
1193	xcheckf(err, "load parsed message")
 
1195	var env message.Envelope
 
1196	if p.Envelope != nil {
 
1199	text, html, _, err := webops.ReadableParts(p, 1*1024*1024)
 
1201		log.Debugx("looking for text and html content in message", err)
 
1208	// Parse References message header.
 
1209	h, err := p.Header()
 
1211		log.Debugx("parsing headers for References", err)
 
1214	for _, s := range h.Values("References") {
 
1215		s = strings.ReplaceAll(s, "\t", " ")
 
1216		for _, w := range strings.Split(s, " ") {
 
1218				refs = append(refs, w)
 
1222	if env.InReplyTo != "" && !slices.Contains(refs, env.InReplyTo) {
 
1223		// References are ordered, most recent first. In-Reply-To is less powerful/older.
 
1224		// So if both are present, give References preference, prepending the In-Reply-To
 
1226		refs = append([]string{env.InReplyTo}, refs...)
 
1229	msg := webapi.Message{
 
1230		From:       xwebapiAddresses(env.From),
 
1231		To:         xwebapiAddresses(env.To),
 
1232		CC:         xwebapiAddresses(env.CC),
 
1233		BCC:        xwebapiAddresses(env.BCC),
 
1234		ReplyTo:    xwebapiAddresses(env.ReplyTo),
 
1235		MessageID:  env.MessageID,
 
1238		Subject:    env.Subject,
 
1239		Text:       strings.ReplaceAll(text, "\r\n", "\n"),
 
1240		HTML:       strings.ReplaceAll(html, "\r\n", "\n"),
 
1244	if d, err := dns.ParseDomain(m.MsgFromDomain); err == nil {
 
1245		msgFrom = smtp.NewAddress(m.MsgFromLocalpart, d).Pack(true)
 
1248	if m.RcptToDomain != "" {
 
1249		rcptTo = m.RcptToLocalpart.String() + "@" + m.RcptToDomain
 
1251	meta := webapi.MessageMeta{
 
1254		Flags:               append(m.Flags.Strings(), m.Keywords...),
 
1255		MailFrom:            m.MailFrom,
 
1256		MailFromValidated:   m.MailFromValidated,
 
1259		MsgFromValidated:    m.MsgFromValidated,
 
1260		DKIMVerifiedDomains: m.DKIMDomains,
 
1261		RemoteIP:            m.RemoteIP,
 
1262		MailboxName:         mb.Name,
 
1265	structure, err := queue.PartStructure(log, &p)
 
1266	xcheckf(err, "parsing structure")
 
1268	result := webapi.MessageGetResult{
 
1270		Structure: structure,
 
1276func (s server) MessageRawGet(ctx context.Context, req webapi.MessageRawGetRequest) (resp io.ReadCloser, err error) {
 
1277	reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)
 
1278	acc := reqInfo.Account
 
1281	var msgr *store.MsgReader
 
1282	acc.WithRLock(func() {
 
1283		m, _ = xmessageGet(ctx, acc, req.MsgID)
 
1284		msgr = acc.MessageReader(m)
 
1287	reqInfo.Response.Header().Set("Content-Type", "text/plain")
 
1291func (s server) MessagePartGet(ctx context.Context, req webapi.MessagePartGetRequest) (resp io.ReadCloser, err error) {
 
1292	reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)
 
1293	acc := reqInfo.Account
 
1296	var msgr *store.MsgReader
 
1297	acc.WithRLock(func() {
 
1298		m, _ = xmessageGet(ctx, acc, req.MsgID)
 
1299		msgr = acc.MessageReader(m)
 
1307	p, err := m.LoadPart(msgr)
 
1308	xcheckf(err, "load parsed message")
 
1310	for i, index := range req.PartPath {
 
1311		if index < 0 || index >= len(p.Parts) {
 
1312			return nil, webapi.Error{Code: "partNotFound", Message: fmt.Sprintf("part %d at index %d not found", index, i)}
 
1319	}{Reader: p.Reader(), Closer: msgr}, nil
 
1322var xops = webops.XOps{
 
1324	Checkf: func(ctx context.Context, err error, format string, args ...any) {
 
1325		xcheckf(err, format, args...)
 
1327	Checkuserf: func(ctx context.Context, err error, format string, args ...any) {
 
1328		if err != nil && errors.Is(err, webops.ErrMessageNotFound) {
 
1329			msg := fmt.Sprintf("%s: %s", fmt.Sprintf(format, args...), err)
 
1330			panic(webapi.Error{Code: "messageNotFound", Message: msg})
 
1332		xcheckuserf(err, format, args...)
 
1336func (s server) MessageDelete(ctx context.Context, req webapi.MessageDeleteRequest) (resp webapi.MessageDeleteResult, err error) {
 
1337	reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)
 
1338	xops.MessageDelete(ctx, reqInfo.Log, reqInfo.Account, []int64{req.MsgID})
 
1342func (s server) MessageFlagsAdd(ctx context.Context, req webapi.MessageFlagsAddRequest) (resp webapi.MessageFlagsAddResult, err error) {
 
1343	reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)
 
1344	xops.MessageFlagsAdd(ctx, reqInfo.Log, reqInfo.Account, []int64{req.MsgID}, req.Flags)
 
1348func (s server) MessageFlagsRemove(ctx context.Context, req webapi.MessageFlagsRemoveRequest) (resp webapi.MessageFlagsRemoveResult, err error) {
 
1349	reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)
 
1350	xops.MessageFlagsClear(ctx, reqInfo.Log, reqInfo.Account, []int64{req.MsgID}, req.Flags)
 
1354func (s server) MessageMove(ctx context.Context, req webapi.MessageMoveRequest) (resp webapi.MessageMoveResult, err error) {
 
1355	reqInfo := ctx.Value(requestInfoCtxKey).(requestInfo)
 
1356	xops.MessageMove(ctx, reqInfo.Log, reqInfo.Account, []int64{req.MsgID}, req.DestMailboxName, 0)