Merge pull request #6 from Lay3rLabs/dkim

DKIM verification

Author: dakom

Cargo.lock

@@ -38,11 +38,17 @@ futures = "0.3.31"
 
 # Email
 imap = {version = "2.4.1", default-features = false}
-imap-proto = "0.16.6"
-mail-parser = "0.11.1"
+mailparse = "0.16.1"
+cfdkim = { git = "https://github.com/Lay3rLabs/dkim-wasi.git", features = ["wasi-resolver"]}
 
 # Security
 zeroize = "1.8.2"
 
 # Misc
 cfg-if = "1.0.4"
+
+# Logging
+sloggers = "2.2.0"
+
+[dev-dependencies]
+tokio = {version = "1.48.0", features = ["full"]}

Cargo.toml

@@ -1,5 +1,7 @@
 # Imap component
 
+This uses DKIM verification from our fork of Cloudflare's DKIM library: https://github.com/Lay3rLabs/dkim-wasi
+
 ## Getting Started
 
 1. Set your credentials

README.md

@@ -1,5 +1,6 @@
 mod auth;
 mod parser;
+pub mod verify;
 
 use futures::StreamExt;
 use imap::Session;
@@ -59,6 +60,6 @@ pub async fn read_next_email() -> AppResult<Option<EmailMessage>> {
         .ok_or(AppError::FailedToFetchEmail(latest_uid))?;
 
     Ok(Some(
-        EmailMessage::parse(&fetch).map_err(AppError::MessageParse)?,
+        EmailMessage::parse(&fetch).map_err(AppError::AnyMessageParse)?,
     ))
 }

src/email.rs

@@ -2,38 +2,64 @@ use std::borrow::Cow;
 
 use anyhow::{Context, Result};
 use imap::{types::Fetch, Session};
-use mail_parser::{HeaderValue, Message, MessageParser};
+use mailparse::*;
+
+use crate::error::AppResult;
 
-#[derive(Debug)]
 pub struct EmailMessage {
-    // 1) “Original sender” best-effort (From / Resent-From / Sender / envelope)
-    original_sender: String,
+    // 1) "Original sender" best-effort (From / Resent-From / Sender / envelope)
+    pub original_sender: String,
     // 2) All DKIM-Signature header values (there can be multiple)
     dkim_signatures: Vec<String>,
     // 3) Subject (decoded)
     subject: Option<String>,
     // 4) Body (best-effort: prefer text/plain part; fall back to full text)
-    body_text: Option<String>,
+    pub body_text: Option<String>,
+    // 5) Raw email bytes (can be parsed on demand)
+    pub raw_bytes: Vec<u8>,
+}
+
+impl std::fmt::Debug for EmailMessage {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("EmailMessage")
+            .field("original_sender", &self.original_sender)
+            .field("dkim_signatures", &self.dkim_signatures)
+            .field("subject", &self.subject)
+            .field(
+                "body_text",
+                &self
+                    .body_text
+                    .as_ref()
+                    .map(|s| Cow::Owned(format!("{}...", &s[..s.len().min(30)])))
+                    .unwrap_or(Cow::Borrowed("None")),
+            )
+            .field("raw_bytes_len", &self.raw_bytes.len())
+            .finish()
+    }
 }
 
 impl EmailMessage {
     pub fn parse(f: &Fetch) -> anyhow::Result<Self> {
-        let msg = MessageParser::new()
-            .parse(f.body().context("Missing email body")?)
-            .ok_or_else(|| anyhow::anyhow!("Failed to parse email message"))?;
+        let body_bytes = f.body().context("Missing email body")?;
+        let msg = parse_mail(body_bytes)
+            .map_err(|e| anyhow::anyhow!("Failed to parse email message: {:?}", e))?;
 
-        let subject = msg.subject();
+        let subject = msg
+            .headers
+            .iter()
+            .find(|h| h.get_key().eq_ignore_ascii_case("Subject"))
+            .map(|h| h.get_value());
 
         // best effort original sender extraction
         let original_sender = msg
-            .header("Resent-From")
-            .or_else(|| msg.header("From"))
-            .or_else(|| msg.header("Sender"))
-            .and_then(|h| match h {
-                HeaderValue::Address(addr) => addr.first().map(|a| a.address()).flatten(),
-                _ => h.as_text(),
+            .headers
+            .iter()
+            .find(|h| {
+                h.get_key().eq_ignore_ascii_case("Resent-From")
+                    || h.get_key().eq_ignore_ascii_case("From")
+                    || h.get_key().eq_ignore_ascii_case("Sender")
             })
-            .map(|s| s.to_string())
+            .map(|h| h.get_value())
             .or_else(|| {
                 f.envelope()
                     .and_then(|env| {
@@ -51,18 +77,26 @@ impl EmailMessage {
 
         // there can be multiple signatures
         let dkim_signatures = msg
-            .header_values("DKIM-Signature")
-            .flat_map(|h| h.as_text())
+            .headers
+            .iter()
+            .filter(|h| h.get_key().eq_ignore_ascii_case("DKIM-Signature"))
+            .map(|h| h.get_value())
             .collect::<Vec<_>>();
 
         // prefer text/plain part; fall back to html text
-        let body_text = msg.body_text(0).or_else(|| msg.body_html(0));
+        let body_text = msg.get_body().ok();
 
         Ok(Self {
             subject: subject.map(|s| s.to_string()),
-            original_sender,
+            original_sender: original_sender.to_string(),
             dkim_signatures: dkim_signatures.into_iter().map(|s| s.to_string()).collect(),
             body_text: body_text.map(|s| s.to_string()),
+            raw_bytes: body_bytes.to_vec(),
         })
     }
+
+    /// Parse the raw email bytes and return a ParsedMail
+    pub fn get_parsed(&self) -> AppResult<ParsedMail> {
+        Ok(parse_mail(&self.raw_bytes)?)
+    }
 }

src/email/parser.rs

@@ -0,0 +1,28 @@
+use std::sync::Arc;
+
+use sloggers::{null::NullLoggerBuilder, Build};
+
+use crate::{
+    email::parser::EmailMessage,
+    error::{AppError, AppResult},
+};
+
+pub async fn verify_email(email: &EmailMessage) -> AppResult<()> {
+    let resolver = cfdkim::dns::wasi::WasiCloudflareLookup {};
+
+    let from_domain = email
+        .original_sender
+        .split('@')
+        .nth(1)
+        .ok_or_else(|| AppError::CannotExtractDomain(email.original_sender.clone()))?;
+
+    cfdkim::verify_email_with_resolver(
+        &NullLoggerBuilder.build()?,
+        from_domain,
+        &email.get_parsed()?,
+        Arc::new(resolver),
+    )
+    .await?;
+
+    Ok(())
+}

src/email/verify.rs

@@ -25,8 +25,23 @@ pub enum AppError {
     FailedToFetchEmail(u32),
 
     #[error("{0:?}")]
-    MessageParse(anyhow::Error),
+    AnyMessageParse(anyhow::Error),
+
+    #[error("{0:?}")]
+    MessageParse(#[from] mailparse::MailParseError),
 
     #[error("Authorization: {0:?}")]
     Auth(anyhow::Error),
+
+    #[error("DKIM: {0:?}")]
+    Dkim(#[from] cfdkim::DKIMError),
+
+    #[error("DKIM Result: {0}")]
+    DkimResult(String),
+
+    #[error("Cannot extract domain: {0}")]
+    CannotExtractDomain(String),
+
+    #[error("slog: {0:?}")]
+    Slog(#[from] sloggers::Error),
 }

src/error.rs

@@ -5,8 +5,9 @@ mod email;
 mod error;
 
 use anyhow::bail;
+use cfdkim::verify_email_with_resolver;
 
-use crate::wavs::operator::input::TriggerData;
+use crate::{email::verify::verify_email, wavs::operator::input::TriggerData};
 
 // this is needed just to make the ide/compiler happy... we're _always_ compiling to wasm32-wasi
 wit_bindgen::generate!({
@@ -41,8 +42,21 @@ async fn inner(trigger_action: TriggerAction) -> anyhow::Result<Option<WasmRespo
             let data = std::str::from_utf8(&data)?;
             match data {
                 "read-mail" => {
-                    let email = email::read_next_email().await?;
+                    let email = match email::read_next_email().await? {
+                        Some(email) => email,
+                        None => {
+                            println!("No new email found.");
+                            return Ok(None);
+                        }
+                    };
+
                     println!("{:#?}", email);
+
+                    let verification_result = verify_email(&email).await;
+                    match verification_result {
+                        Ok(_) => println!("Email verification succeeded."),
+                        Err(e) => println!("Email verification failed: {:?}", e),
+                    }
                 }
                 _ => {
                     bail!("Unknown command: {}", data);