hotfixes around inbound CF worker

Author: ChrispyBacon-dev

CHANGELOG.md

@@ -38,6 +38,17 @@ All notable changes to this project will be documented in this file.
 ### Fixed
 - **Webmail - Dark Mode:** Placeholder text in the reply composer and input backgrounds in the settings panel were broken in dark mode due to a Vue scoped CSS compilation issue. Fixed throughout.
 
+### Hotfixes (post-release)
+- **Inbound - R2 Cron Delivery:** Emails buffered in R2 were not delivered when the EML `To:` header differed from the SMTP envelope recipient (e.g. GitHub mailing list addresses). Mail manager now falls back through payload `resolved_mailbox`, EML delivery headers (`X-GitHub-Recipient-Address`, `Delivered-To`), and the `Received: for <addr>` header.
+- **Inbound - Worker `list()` Metadata:** Cloudflare R2 `list()` does not return `customMetadata` unless explicitly requested. Added `include: ['customMetadata']` to the cron sweep so envelope metadata is available on retry.
+- **Inbound - R2 Delete Error Handling:** A transient R2 delete failure in the success path caused a false HTTP 500 response despite the message being delivered. Now try/except with a warning log; cron cleans up any orphaned object.
+- **Inbound - Empty Message-ID:** Emails with no `Message-ID` header produced an empty string, causing a UNIQUE constraint collision. A UUID fallback is now generated.
+- **Inbound - Attachment Filename Safety:** Filenames with path traversal components (`..`) are now stripped via `os.path.basename`. Duplicate filenames within the same message get a numeric suffix instead of overwriting each other on disk.
+- **Worker - KV Availability Guard:** Alias KV lookups in the `email()` handler now check `typeof env.QUOTA_KV !== 'undefined'` before use, matching the pattern already applied to quota checks. A missing KV binding previously caused all alias mail to be silently rejected.
+- **Worker - Subject Metadata Truncation:** Subject stored in R2 `customMetadata` is now capped at 500 characters to stay within Cloudflare's 2 KB per-object metadata limit.
+- **Worker - R2 Object TTL:** The cron sweep now expires and deletes `temp_cache/` objects older than 7 days to prevent unbounded accumulation during persistent misconfigurations.
+- **Inbound - Multi-Domain Header Requirement:** When multiple domains are configured, an inbound webhook without the `X-DockFlare-Domain` header now returns 400 instead of silently using a non-deterministic domain config.
+
 ## [v3.1.0] - 2026-04-16
 
 > **Cloudflare Context:** Cloudflare's Email Service entered public beta today — the same `send_email` Workers binding that powers DockFlare Mail's outbound relay is now generally available. Read the announcement: [Email for Agents](https://blog.cloudflare.com/email-for-agents/)

dockflare/app/core/worker_templates/inbound_worker.js

@@ -45,9 +45,11 @@ export default {
         const allowedRecipients = JSON.parse(env.ALLOWED_RECIPIENTS || '[]');
         if (!allowedRecipients.includes(message.to)) {
           let aliasRecord = null;
-          try {
-            aliasRecord = await env.QUOTA_KV.get('alias::' + message.to, 'json');
-          } catch (_) {}
+          if (typeof env.QUOTA_KV !== 'undefined') {
+            try {
+              aliasRecord = await env.QUOTA_KV.get('alias::' + message.to, 'json');
+            } catch (_) {}
+          }
 
           if (!aliasRecord) {
             message.setReject("Recipient not allowed");
@@ -81,7 +83,7 @@ export default {
           to: message.to,
           resolved_mailbox: resolvedMailbox || message.to,
           via_alias: resolvedMailbox ? "1" : "0",
-          subject: message.headers.get("subject") || "",
+          subject: (message.headers.get("subject") || "").slice(0, 500),
           receivedAt: receivedAt
         }
       });
@@ -121,6 +123,8 @@ export default {
   async scheduled(event, env, ctx) {
     console.log("Cron: scanning R2 temp_cache for buffered emails...");
 
+    const MAX_AGE_MS = 7 * 24 * 60 * 60 * 1000;
+    const now = Date.now();
     let cursor;
     let processed = 0;
     let failed = 0;
@@ -129,11 +133,19 @@ export default {
       const list = await env.EMAIL_BUCKET.list({
         prefix: "temp_cache/",
         limit: 100,
-        cursor: cursor
+        cursor: cursor,
+        include: ['customMetadata']
       });
 
       for (const object of list.objects) {
         const r2Key = object.key;
+
+        if (object.uploaded && (now - object.uploaded.getTime()) > MAX_AGE_MS) {
+          console.warn(`Cron: expiring ${r2Key} (age > 7d)`);
+          try { await env.EMAIL_BUCKET.delete(r2Key); } catch (_) {}
+          failed++;
+          continue;
+        }
         const meta = object.customMetadata || {};
         const messageId = r2Key.replace("temp_cache/", "").replace(".eml", "");
 

mail-manager/app/api/webhook.py

@@ -184,10 +184,14 @@ def inbound():
             return jsonify({"error": "unknown domain"}), 401
         secret = domain_cfg['webhook_secret']
     else:
-        cur = get_db().execute("SELECT webhook_secret FROM domain_configs LIMIT 1")
-        row = cur.fetchone()
-        secret = row['webhook_secret'] if row else config.WEBHOOK_SECRET
-        domain_cfg = None
+        db = get_db()
+        count = db.execute("SELECT COUNT(*) FROM domain_configs").fetchone()[0]
+        if count > 1:
+            log.warning("Inbound webhook: X-DockFlare-Domain header missing with %d domains configured", count)
+            return jsonify({"error": "domain header required"}), 400
+        row = db.execute("SELECT * FROM domain_configs LIMIT 1").fetchone()
+        domain_cfg = row if row else None
+        secret = domain_cfg['webhook_secret'] if domain_cfg else config.WEBHOOK_SECRET
 
     if not _verify_signature(request, secret):
         return jsonify({"error": "invalid signature"}), 401
@@ -218,6 +222,11 @@ def inbound():
                 to_address = addr
                 break
 
+        if not to_address:
+            raw_resolved = data.get('resolved_mailbox') or data.get('to', '')
+            if raw_resolved and db.execute("SELECT 1 FROM mailboxes WHERE address=?", (raw_resolved,)).fetchone():
+                to_address = raw_resolved
+
         if not to_address:
             via_alias = data.get('via_alias', False)
             raw_resolved = data.get('resolved_mailbox', '')
@@ -252,6 +261,12 @@ def inbound():
                         )
                         break
 
+        if not to_address:
+            for addr in parsed.get('delivered_to_addresses', []):
+                if db.execute("SELECT 1 FROM mailboxes WHERE address=?", (addr,)).fetchone():
+                    to_address = addr
+                    break
+
         if not to_address and domain_cfg and domain_cfg['catch_all_mailbox']:
             catch_all = domain_cfg['catch_all_mailbox']
             if db.execute("SELECT 1 FROM mailboxes WHERE address=?", (catch_all,)).fetchone():
@@ -298,10 +313,21 @@ def inbound():
         ))
         msg_id = cur.lastrowid
 
+        used_filenames = set()
         for att in parsed['attachments']:
             att_dir = os.path.join(config.ATTACHMENTS_PATH, str(msg_id))
             os.makedirs(att_dir, exist_ok=True)
-            safe_filename = att['filename'].replace('/', '_').replace('\\', '_')
+            raw_name = os.path.basename(att['filename'] or '').replace('/', '_').replace('\\', '_').strip('. ')
+            safe_filename = raw_name or 'unnamed_attachment'
+            if safe_filename in used_filenames:
+                stem, sep, ext = safe_filename.rpartition('.')
+                base = stem if sep else safe_filename
+                tail = (sep + ext) if sep else ''
+                counter = 2
+                while f"{base}_{counter}{tail}" in used_filenames:
+                    counter += 1
+                safe_filename = f"{base}_{counter}{tail}"
+            used_filenames.add(safe_filename)
             att_path = os.path.join(att_dir, safe_filename)
             with open(att_path, 'wb') as f:
                 f.write(att['data'])
@@ -432,7 +458,10 @@ def inbound():
         })
         _check_and_send_auto_reply(db, to_address, parsed, domain_cfg)
 
-        delete_from_r2(r2_key, domain_cfg)
+        try:
+            delete_from_r2(r2_key, domain_cfg)
+        except Exception:
+            log.warning("Inbound: R2 delete failed for %s — will clean on next cron", r2_key)
 
         log.info("Inbound delivered: message=%s to=%s db_id=%s",
                  msg_uuid, to_address, msg_id)

mail-manager/app/core/mime_parser.py

@@ -1,6 +1,8 @@
 import email
 import email.policy
 import email.utils
+import re
+import uuid
 from datetime import datetime, timezone
 import nh3
 
@@ -21,12 +23,13 @@
 def parse_eml(eml_bytes):
     msg = email.message_from_bytes(eml_bytes, policy=email.policy.default)
     parsed = {
-        'message_id': msg.get('Message-ID', '').strip('<>'),
+        'message_id': msg.get('Message-ID', '').strip('<>') or str(uuid.uuid4()),
         'from_address': '',
         'from_name': '',
         'to_addresses': [],
         'cc_addresses': [],
         'bcc_addresses': [],
+        'delivered_to_addresses': [],
         'subject': msg.get('Subject', ''),
         'date': msg.get('Date'),
         'in_reply_to': msg.get('In-Reply-To', '').strip('<>'),
@@ -54,6 +57,20 @@ def parse_eml(eml_bytes):
                 addr for _, addr in pairs if addr
             ]
 
+    for delivery_header in ['Delivered-To', 'X-Original-To', 'X-Forwarded-To', 'X-GitHub-Recipient-Address', 'destinations']:
+        for val in msg.get_all(delivery_header) or []:
+            _, addr = email.utils.parseaddr(str(val))
+            if addr and addr not in parsed['delivered_to_addresses']:
+                parsed['delivered_to_addresses'].append(addr)
+
+    for received in msg.get_all('Received') or []:
+        m = re.search(r'\bfor\s+<([^>]+)>', str(received))
+        if m:
+            addr = m.group(1).strip()
+            if addr and addr not in parsed['delivered_to_addresses']:
+                parsed['delivered_to_addresses'].append(addr)
+            break
+
     try:
         if parsed['date']:
             dt = email.utils.parsedate_to_datetime(parsed['date'])