cfat_ token support, suppress expected 403 log noise, add sending status badge and docs

Author: ChrispyBacon-dev

dockflare/app/core/cloudflare_api.py

@@ -32,7 +32,7 @@
 
 dns_semaphore = threading.Semaphore(config.MAX_CONCURRENT_DNS_OPS)
 
-def cf_api_request(method, endpoint, json_data=None, params=None):
+def cf_api_request(method, endpoint, json_data=None, params=None, log_errors=True):
 
     url = f"{config.CF_API_BASE_URL}{endpoint}"
     error_msg = None
@@ -75,9 +75,10 @@ def cf_api_request(method, endpoint, json_data=None, params=None):
                         error_code = cf_errors[0].get('code')
                     else:
                         error_msg = f"API reported failure but no error details provided. Response: {response_data}"
-                    logging.error(f"CF API Request Failed ({method} {url}): {error_msg} - Full Errors: {cf_errors}")
+                    if log_errors:
+                        logging.error(f"CF API Request Failed ({method} {url}): {error_msg} - Full Errors: {cf_errors}")
                     api_exception = requests.exceptions.RequestException(error_msg, response=response)
-                    api_exception.cf_error_code = error_code 
+                    api_exception.cf_error_code = error_code
                     raise api_exception
             else:
                 logging.warning(f"CF API response for {method} {url} was valid JSON but missing 'success' field. Status: {response.status_code}. Body: {str(response_data)[:200]}")
@@ -101,10 +102,12 @@ def cf_api_request(method, endpoint, json_data=None, params=None):
                         log_error_msg += f" - API Details: {cf_errors[0].get('message', 'Unknown error')}"
                     else:
                         log_error_msg += f" - HTTP {e.response.status_code} - Response Text (first 100): {e.response.text[:100]}"
-                    logging.error(f"CF API Error Response Body: {error_data}")
+                    if log_errors:
+                        logging.error(f"CF API Error Response Body: {error_data}")
                 except (ValueError, AttributeError, json.JSONDecodeError):
                     log_error_msg += f" - HTTP {e.response.status_code} - Response Text (first 100): {e.response.text[:100]}"
-            logging.error(log_error_msg)
+            if log_errors:
+                logging.error(log_error_msg)
         raise
 
 def get_zone_id_from_name(zone_name):

dockflare/app/core/email_manager.py

@@ -50,14 +50,16 @@ def check_token_permissions():
 
 def enable_email_routing(zone_id):
     try:
-        return cf_api_request('POST', f'/zones/{zone_id}/email/routing/enable')
+        return cf_api_request('POST', f'/zones/{zone_id}/email/routing/enable', log_errors=False)
     except Exception as e:
-        # 422/conflict means already enabled — safe to continue
         err_str = str(e)
         if '2004' in err_str or 'already enabled' in err_str.lower() or 'Unprocessable' in err_str:
             logging.info(f"Email routing already enabled on zone {zone_id}, continuing")
             return {}
-        logging.error(f"Error enabling email routing: {e}")
+        if '403' in err_str or 'Forbidden' in err_str or '10000' in err_str or 'Authentication' in err_str:
+            logging.info(f"Email routing enable not permitted (zone {zone_id}); CF auto-activates via MX records")
+            return {}
+        logging.warning(f"Could not enable email routing on zone {zone_id}: {e}")
         raise
 
 def enable_email_sending(zone_id, zone_name):
@@ -134,7 +136,7 @@ def _safe_create_dns(zone_id, type, name, content, priority=None):
 
 def setup_email_dns_records(zone_id, zone_name):
     try:
-        res = cf_api_request('GET', f'/zones/{zone_id}/email/routing/dns')
+        res = cf_api_request('GET', f'/zones/{zone_id}/email/routing/dns', log_errors=False)
         required = res.get('result', [])
         for record in required:
             rtype = record.get('type')
@@ -144,13 +146,25 @@ def setup_email_dns_records(zone_id, zone_name):
             if rtype and rname and rcontent:
                 _safe_create_dns(zone_id, rtype, rname, rcontent, priority=rpriority)
     except Exception as e:
-        logging.warning(f"Could not fetch required email routing DNS records from CF API: {e}, falling back to defaults")
+        logging.info(f"Could not fetch email routing DNS from CF API (falling back to defaults): {e}")
         _safe_create_dns(zone_id, 'MX', zone_name, 'route1.mx.cloudflare.net', priority=14)
         _safe_create_dns(zone_id, 'MX', zone_name, 'route2.mx.cloudflare.net', priority=36)
         _safe_create_dns(zone_id, 'MX', zone_name, 'route3.mx.cloudflare.net', priority=88)
         _safe_create_dns(zone_id, 'TXT', zone_name, 'v=spf1 include:_spf.mx.cloudflare.net ~all')
         _safe_create_dns(zone_id, 'TXT', f'_dmarc.{zone_name}', f'v=DMARC1; p=quarantine; rua=mailto:dmarc@{zone_name}')
 
+def get_email_sending_status(zone_id, zone_name):
+    try:
+        res = cf_api_request('GET', f'/zones/{zone_id}/dns_records?type=TXT&search=_domainkey', log_errors=False)
+        records = res.get('result', [])
+        suffix = f'._domainkey.{zone_name}'
+        for r in records:
+            if r.get('name', '').endswith(suffix):
+                return 'configured'
+        return 'not_configured'
+    except Exception:
+        return 'unknown'
+
 def verify_email_dns_records(zone_id, zone_name):
     res = cf_api_request('GET', f'/zones/{zone_id}/dns_records')
     records = res.get('result', [])

dockflare/app/main.py

@@ -217,7 +217,34 @@ def start_core_services():
         if not config.USE_EXTERNAL_CLOUDFLARED and tunnel_state.get("id") and tunnel_state.get("token"):
             logging.info("Checking and reconciling managed cloudflared agent container...")
             start_cloudflared_container()
-    
+
+    if getattr(config, 'EMAIL_CONFIG', {}).get('enabled'):
+        try:
+            container = docker_client.containers.get('dockflare-mail-manager')
+            if container.status == 'running':
+                container.restart()
+                logging.info("Email active: restarted dockflare-mail-manager to sync config.")
+        except Exception as e:
+            logging.debug(f"dockflare-mail-manager not found or could not restart: {e}")
+
+        try:
+            from app.core.email_manager import get_email_sending_status
+            from app.web.email_routes import save_email_config
+            email_cfg = config.EMAIL_CONFIG
+            updated = False
+            for domain, domain_cfg in email_cfg.get('domains', {}).items():
+                if domain_cfg.get('email_sending_status') in (None, 'unknown'):
+                    zone_id = domain_cfg.get('zone_id')
+                    if zone_id:
+                        status = get_email_sending_status(zone_id, domain)
+                        domain_cfg['email_sending_status'] = status
+                        updated = True
+                        logging.info(f"Email sending status for {domain}: {status}")
+            if updated:
+                save_email_config(email_cfg)
+        except Exception as e:
+            logging.debug(f"Could not refresh email sending status on startup: {e}")
+
     run_all_background_tasks()
 
 def perform_initial_setup_and_tasks():

dockflare/app/templates/docs/de/Email-Overview.md

@@ -19,6 +19,22 @@ Das System besteht aus mehreren integrierten Komponenten:
 *   **Ausgehend:** Webmail-UI → Mail Manager API → Outbound Worker → Cloudflare `send_email` → Internet.
 *   **Datensouveränität:** Alle E-Mails werden geparst und in einer lokalen SQLite-Datenbank gespeichert; Anhänge werden im lokalen Dateisystem abgelegt.
 
+## Ausgehende Nachrichten – Tarife & Einschränkungen
+
+Cloudflare Email Sending (Beta) bietet je nach Cloudflare-Tarif zwei Stufen:
+
+| Empfänger | Free-Tarif | Workers Paid Plan (5 $/Monat) |
+| :--- | :--- | :--- |
+| Verifizierte Cloudflare-Adressen (im CF-Konto bestätigte Adressen) | ✅ Erlaubt | ✅ Erlaubt |
+| Beliebige externe Adressen | ❌ Nicht erlaubt | ✅ Erlaubt |
+
+DockFlare richtet die DKIM-Signierschlüssel und die Versandsubdomain (`mail.ihredomain.com`) automatisch während der Domain-Einrichtung ein. **Für den vollständigen externen Versand sind jedoch zwei zusätzliche manuelle Schritte erforderlich:**
+
+1. **Upgrade auf den Cloudflare Workers Paid Plan** – verfügbar für 5 $/Monat in Ihrem Cloudflare-Dashboard.
+2. **CF Email Sending (Beta) aktivieren** – navigieren Sie in Ihrem [Cloudflare-Dashboard → E-Mail → E-Mail-Versand](https://dash.cloudflare.com/) und aktivieren Sie die Funktion für Ihr Konto.
+
+Bis diese Schritte abgeschlossen sind, werden ausgehende E-Mails nur an E-Mail-Adressen zugestellt, die in Ihrem Cloudflare-Konto verifiziert sind. Das Domain-Status-Badge auf der DockFlare E-Mail-Verwaltungsseite zeigt an, ob DKIM konfiguriert ist (`Sending: Active`) oder noch nicht eingerichtet wurde (`Sending: Pending`).
+
 ## Hauptfunktionen
 
 *   **Multi-Domain-Unterstützung:** Hosten Sie E-Mails für beliebig viele Domains, die Sie in Cloudflare verwalten.

dockflare/app/templates/docs/de/Email-Prerequisites.md

@@ -5,8 +5,12 @@ Bevor Sie die E-Mail-Suite aktivieren, stellen Sie sicher, dass Ihre Umgebung un
 ## Cloudflare-Anforderungen
 
 1.  **Domain-Verwaltung:** Ihre Domain muss in Cloudflare aktiv sein.
-2.  **E-Mail-Routing:** Die Domain muss für Cloudflare E-Mail-Routing berechtigt sein (auf den meisten Tarifen verfügbar, einschließlich Free) und für Cloudflare E-Mail-Versand (Beta-Zugang für ausgehende Mails erforderlich).
-3.  **R2-Speicher:** R2 muss in Ihrem Cloudflare-Dashboard aktiviert sein. R2 beinhaltet ein kostenloses Kontingent von 10 GB; zur Aktivierung kann jedoch eine Zahlungsmethode erforderlich sein.
+2.  **E-Mail-Routing (Eingehend):** Cloudflare Email Routing ist auf allen Tarifen verfügbar, einschließlich Free. DockFlare konfiguriert die erforderlichen MX-, SPF- und DMARC-Einträge automatisch.
+3.  **E-Mail-Versand (Ausgehend):** Cloudflare Email Sending befindet sich derzeit in der Beta-Phase. DockFlare konfiguriert die DKIM-Signierschlüssel und die Versandsubdomain automatisch. Für den Versand an externe Adressen ist jedoch Folgendes erforderlich:
+    - Ein **Cloudflare Workers Paid Plan** (5 $/Monat).
+    - Manuelle Aktivierung von **CF Email Sending (Beta)** im Cloudflare-Dashboard unter **E-Mail → E-Mail-Versand**.
+    - Ohne diese Schritte ist der ausgehende Versand auf verifizierte Cloudflare-Adressen beschränkt.
+4.  **R2-Speicher:** R2 muss in Ihrem Cloudflare-Dashboard aktiviert sein. R2 beinhaltet ein kostenloses Kontingent von 10 GB; zur Aktivierung kann jedoch eine Zahlungsmethode erforderlich sein.
 
 ## API-Token-Berechtigungen
 

dockflare/app/templates/docs/en/Email-Overview.md

@@ -19,6 +19,22 @@ The system consists of several integrated components:
 *   **Outbound Flow:** Webmail UI → Mail Manager API → Outbound Worker → Cloudflare `send_email` → Internet.
 *   **Data Sovereignty:** All emails are parsed and stored in a local SQLite database with attachments saved to your local filesystem.
 
+## Outbound Sending — Plans & Limitations
+
+Cloudflare Email Sending (Beta) has two tiers depending on your Cloudflare plan:
+
+| Sending Target | Free Plan | Workers Paid Plan ($5/mo) |
+| :--- | :--- | :--- |
+| Verified Cloudflare addresses (addresses confirmed in your CF account) | ✅ Allowed | ✅ Allowed |
+| Any external address | ❌ Not allowed | ✅ Allowed |
+
+DockFlare sets up the DKIM signing records and the sending subdomain (`mail.yourdomain.com`) automatically during domain setup. However, **full external sending requires two additional manual steps**:
+
+1. **Upgrade to the Cloudflare Workers Paid Plan** — available at $5/month in your Cloudflare dashboard.
+2. **Activate CF Email Sending (Beta)** — navigate to your [Cloudflare Dashboard → Email → Email Sending](https://dash.cloudflare.com/) and enable the feature for your account.
+
+Until these steps are completed, outbound mail from your webmail client will only be delivered to email addresses that have been verified in your Cloudflare account. The domain status badge in DockFlare's Email Management page reflects whether DKIM is configured (`Sending: Active`) or not yet set up (`Sending: Pending`).
+
 ## Key Features
 
 *   **Multi-Domain Support:** Host email for as many domains as you manage in Cloudflare.

dockflare/app/templates/docs/en/Email-Prerequisites.md

@@ -5,8 +5,12 @@ Before enabling the Email Suite, ensure your environment and Cloudflare account
 ## Cloudflare Requirements
 
 1.  **Domain Management:** Your domain must be active on Cloudflare.
-2.  **Email Routing:** The domain must be eligible for Cloudflare Email Routing (available on most plans, including Free) and Cloudflare Email Sending (Beta Access required for outbound mail).
-3.  **R2 Storage:** You must have R2 enabled in your Cloudflare dashboard. R2 includes a free tier of 10 GB, but you may need to add a payment method to your account to activate it.
+2.  **Email Routing (Inbound):** Cloudflare Email Routing is available on all plans, including Free. DockFlare configures the required MX, SPF, and DMARC records automatically.
+3.  **Email Sending (Outbound):** Cloudflare Email Sending is currently in Beta. DockFlare automatically configures the DKIM signing records and sending subdomain. However, sending to external addresses requires:
+    - A **Cloudflare Workers Paid Plan** ($5/month).
+    - Manual activation of **CF Email Sending (Beta)** in the Cloudflare Dashboard under **Email → Email Sending**.
+    - Without these steps, outbound mail is restricted to verified Cloudflare addresses only.
+4.  **R2 Storage:** You must have R2 enabled in your Cloudflare dashboard. R2 includes a free tier of 10 GB, but you may need to add a payment method to your account to activate it.
 
 ## API Token Permissions
 

dockflare/app/templates/docs/es/Email-Overview.md

@@ -19,6 +19,22 @@ El sistema consta de varios componentes integrados:
 *   **Flujo saliente:** Interfaz webmail → API Mail Manager → Outbound Worker → Cloudflare `send_email` → Internet.
 *   **Soberanía de datos:** Todos los correos se analizan y almacenan en una base de datos SQLite local, con los archivos adjuntos guardados en su sistema de archivos local.
 
+## Envío saliente – Planes y limitaciones
+
+Cloudflare Email Sending (Beta) ofrece dos niveles según su plan de Cloudflare:
+
+| Destinatario | Plan gratuito | Workers Paid Plan (5 $/mes) |
+| :--- | :--- | :--- |
+| Direcciones Cloudflare verificadas (confirmadas en su cuenta CF) | ✅ Permitido | ✅ Permitido |
+| Cualquier dirección externa | ❌ No permitido | ✅ Permitido |
+
+DockFlare configura automáticamente los registros de firma DKIM y el subdominio de envío (`mail.sudominio.com`) durante la configuración del dominio. Sin embargo, **el envío externo completo requiere dos pasos manuales adicionales:**
+
+1. **Actualizar al Cloudflare Workers Paid Plan** – disponible por 5 $/mes en su panel de Cloudflare.
+2. **Activar CF Email Sending (Beta)** – navegue a su [Panel de Cloudflare → Email → Email Sending](https://dash.cloudflare.com/) y habilite la función para su cuenta.
+
+Hasta completar estos pasos, el correo saliente desde su cliente webmail solo se entregará a direcciones verificadas en su cuenta de Cloudflare. El badge de estado del dominio en la página de gestión de correo de DockFlare refleja si DKIM está configurado (`Sending: Active`) o aún no está listo (`Sending: Pending`).
+
 ## Características principales
 
 *   **Soporte multi-dominio:** Aloje correo electrónico para tantos dominios como gestione en Cloudflare.

dockflare/app/templates/docs/es/Email-Prerequisites.md

@@ -5,8 +5,12 @@ Antes de activar la Suite de correo electrónico, asegúrese de que su entorno y
 ## Requisitos de Cloudflare
 
 1.  **Gestión de dominio:** Su dominio debe estar activo en Cloudflare.
-2.  **Email Routing:** El dominio debe ser elegible para Cloudflare Email Routing (disponible en la mayoría de los planes, incluido el gratuito) y para Cloudflare Email Sending (se requiere acceso beta para el correo saliente).
-3.  **Almacenamiento R2:** R2 debe estar habilitado en su panel de Cloudflare. R2 incluye un nivel gratuito de 10 GB, pero es posible que deba agregar un método de pago para activarlo.
+2.  **Email Routing (Entrante):** Cloudflare Email Routing está disponible en todos los planes, incluido el gratuito. DockFlare configura automáticamente los registros MX, SPF y DMARC necesarios.
+3.  **Email Sending (Saliente):** Cloudflare Email Sending se encuentra actualmente en Beta. DockFlare configura automáticamente los registros de firma DKIM y el subdominio de envío. Sin embargo, el envío a direcciones externas requiere:
+    - Un **Cloudflare Workers Paid Plan** (5 $/mes).
+    - La activación manual de **CF Email Sending (Beta)** en el Panel de Cloudflare bajo **Email → Email Sending**.
+    - Sin estos pasos, el correo saliente queda restringido a direcciones Cloudflare verificadas.
+4.  **Almacenamiento R2:** R2 debe estar habilitado en su panel de Cloudflare. R2 incluye un nivel gratuito de 10 GB, pero es posible que deba agregar un método de pago para activarlo.
 
 ## Permisos del token API
 

dockflare/app/templates/docs/fr/Email-Overview.md

@@ -19,6 +19,22 @@ Le système se compose de plusieurs composants intégrés :
 *   **Flux sortant :** Interface Webmail → API Mail Manager → Outbound Worker → Cloudflare `send_email` → Internet.
 *   **Souveraineté des données :** Tous les e-mails sont analysés et stockés dans une base de données SQLite locale, avec les pièces jointes sauvegardées sur votre système de fichiers local.
 
+## Envoi sortant – Plans et limitations
+
+Cloudflare Email Sending (Beta) propose deux niveaux selon votre plan Cloudflare :
+
+| Destinataire | Plan gratuit | Workers Paid Plan (5 $/mois) |
+| :--- | :--- | :--- |
+| Adresses Cloudflare vérifiées (confirmées dans votre compte CF) | ✅ Autorisé | ✅ Autorisé |
+| Toute adresse externe | ❌ Non autorisé | ✅ Autorisé |
+
+DockFlare configure automatiquement les enregistrements de signature DKIM et le sous-domaine d'envoi (`mail.votredomaine.com`) lors de la configuration du domaine. Cependant, **l'envoi externe complet nécessite deux étapes manuelles supplémentaires :**
+
+1. **Passer au Cloudflare Workers Paid Plan** – disponible à 5 $/mois dans votre tableau de bord Cloudflare.
+2. **Activer CF Email Sending (Beta)** – accédez à votre [Tableau de bord Cloudflare → Email → Email Sending](https://dash.cloudflare.com/) et activez la fonctionnalité pour votre compte.
+
+Tant que ces étapes ne sont pas effectuées, les e-mails sortants de votre client webmail ne seront délivrés qu'aux adresses vérifiées dans votre compte Cloudflare. Le badge de statut du domaine sur la page de gestion des e-mails de DockFlare indique si DKIM est configuré (`Sending: Active`) ou pas encore mis en place (`Sending: Pending`).
+
 ## Fonctionnalités principales
 
 *   **Support multi-domaine :** Hébergez la messagerie pour autant de domaines que vous en gérez dans Cloudflare.