#!/usr/bin/env python3 """Postfix implementation of the incoming email gateway's helper for forwarding emails into Zulip. https://zulip.readthedocs.io/en/latest/production/settings.html#email-gateway The email gateway supports two major modes of operation: An email server (using postfix) where the email address configured in EMAIL_GATEWAY_PATTERN delivers emails directly to Zulip (this) or a cron job that connects to an IMAP inbox (which receives the emails) periodically. Zulip's puppet configuration takes care of configuring postfix to execute this script when emails are received by postfix, piping the email content via standard input (and the destination email address in the ORIGINAL_RECIPIENT environment variable). In Postfix, you can express that via an /etc/aliases entry like this: |/home/zulip/deployments/current/scripts/lib/email-mirror-postfix -r ${original_recipient} To manage DoS issues, this script does very little work (just sending an HTTP request to queue the message for processing) to avoid importing expensive libraries. Also you can use optional keys to configure the script and change default values: -s SHARED_SECRET For adding shared secret key if it is not contained in "/etc/zulip/zulip-secrets.conf". This key is used to authenticate the HTTP requests made by this tool. -d HOST Destination Zulip host for email uploading. Address must contain type of HTTP protocol, i.e "https://example.com". Default value: "https://127.0.0.1". -u URL Destination relative for email uploading. Default value: "/email_mirror_message". -n Disable checking ssl certificate. This option is used for self-signed certificates. Default value: False. -t Disable sending request to the Zulip server. Default value: False. """ import os import ssl import sys import argparse import posix import json from urllib.parse import urljoin, urlencode from urllib.request import Request, urlopen from urllib.error import HTTPError from configparser import RawConfigParser parser = argparse.ArgumentParser() parser.add_argument('-r', '--recipient', dest="recipient", type=str, default='', help="Original recipient.") parser.add_argument('-s', '--shared-secret', dest="shared_secret", type=str, default='', help="Secret access key.") parser.add_argument('-d', '--dst-host', dest="host", type=str, default='https://127.0.0.1', help="Destination server address for uploading email from email mirror. " "Address must contain a HTTP protocol.") parser.add_argument('-u', '--dst-url', dest="url", type=str, default='/email_mirror_message', help="Destination relative url for uploading email from email mirror.") parser.add_argument('-n', '--not-verify-ssl', dest="verify_ssl", action='store_false', default=True, help="Disable ssl certificate verifying for self-signed certificates") parser.add_argument('-t', '--test', dest="test", action='store_true', default=False, help="Test mode.") options = parser.parse_args() MAX_ALLOWED_PAYLOAD = 25 * 1024 * 1024 def process_response_error(e): # type: (HTTPError) -> None if e.code == 400: response_content = e.read() response_data = json.loads(response_content.decode('utf8')) print(response_data['msg']) exit(posix.EX_NOUSER) else: print("4.4.2 Connection dropped: Internal server error.") exit(1) def send_email_mirror(rcpt_to, shared_secret, host, url, test, verify_ssl): # type: (str, str, str, str, bool, bool) -> None if not rcpt_to: print("5.1.1 Bad destination mailbox address: No missed message email address.") exit(posix.EX_NOUSER) msg_text = sys.stdin.read(MAX_ALLOWED_PAYLOAD + 1) if len(msg_text) > MAX_ALLOWED_PAYLOAD: # We're not at EOF, reject large mail. print("5.3.4 Message too big for system: Max size is 25MiB") exit(posix.EX_DATAERR) secrets_file = RawConfigParser() secrets_file.read("/etc/zulip/zulip-secrets.conf") if not shared_secret: shared_secret = secrets_file.get('secrets', 'shared_secret') request_data = { "recipient": rcpt_to, "msg_text": msg_text } if test: exit(0) if host == 'https://127.0.0.1': # Don't try to verify SSL when posting to 127.0.0.1; it won't # work, and connections to 127.0.0.1 are secure without SSL. verify_ssl = False context = None if not verify_ssl: context = ssl.create_default_context() context.check_hostname = False context.verify_mode = ssl.CERT_NONE data = {"data": json.dumps(request_data), "secret": shared_secret} req = Request(url=urljoin(host, url), data=urlencode(data).encode('utf8')) try: urlopen(req, context=context) except HTTPError as err: process_response_error(err) recipient = str(os.environ.get("ORIGINAL_RECIPIENT", options.recipient)) send_email_mirror(recipient, options.shared_secret, options.host, options.url, options.test, options.verify_ssl)