deltachat/
mimefactory.rs

1//! # MIME message production.
2
3use std::collections::{BTreeSet, HashSet};
4use std::io::Cursor;
5
6use anyhow::{Context as _, Result, bail, ensure};
7use base64::Engine as _;
8use data_encoding::BASE32_NOPAD;
9use deltachat_contact_tools::sanitize_bidi_characters;
10use iroh_gossip::proto::TopicId;
11use mail_builder::headers::HeaderType;
12use mail_builder::headers::address::{Address, EmailAddress};
13use mail_builder::mime::MimePart;
14use tokio::fs;
15
16use crate::aheader::{Aheader, EncryptPreference};
17use crate::blob::BlobObject;
18use crate::chat::{self, Chat};
19use crate::config::Config;
20use crate::constants::ASM_SUBJECT;
21use crate::constants::{Chattype, DC_FROM_HANDSHAKE};
22use crate::contact::{Contact, ContactId, Origin};
23use crate::context::Context;
24use crate::e2ee::EncryptHelper;
25use crate::ensure_and_debug_assert;
26use crate::ephemeral::Timer as EphemeralTimer;
27use crate::headerdef::HeaderDef;
28use crate::key::{DcKey, SignedPublicKey, self_fingerprint};
29use crate::location;
30use crate::log::{info, warn};
31use crate::message::{Message, MsgId, Viewtype};
32use crate::mimeparser::{SystemMessage, is_hidden};
33use crate::param::Param;
34use crate::peer_channels::{create_iroh_header, get_iroh_topic_for_msg};
35use crate::simplify::escape_message_footer_marks;
36use crate::stock_str;
37use crate::tools::{
38    IsNoneOrEmpty, create_outgoing_rfc724_mid, create_smeared_timestamp, remove_subject_prefix,
39    time,
40};
41use crate::webxdc::StatusUpdateSerial;
42
43// attachments of 25 mb brutto should work on the majority of providers
44// (brutto examples: web.de=50, 1&1=40, t-online.de=32, gmail=25, posteo=50, yahoo=25, all-inkl=100).
45// to get the netto sizes, we subtract 1 mb header-overhead and the base64-overhead.
46pub const RECOMMENDED_FILE_SIZE: u64 = 24 * 1024 * 1024 / 4 * 3;
47
48#[derive(Debug, Clone)]
49#[expect(clippy::large_enum_variant)]
50pub enum Loaded {
51    Message {
52        chat: Chat,
53        msg: Message,
54    },
55    Mdn {
56        rfc724_mid: String,
57        additional_msg_ids: Vec<String>,
58    },
59}
60
61/// Helper to construct mime messages.
62#[derive(Debug, Clone)]
63pub struct MimeFactory {
64    from_addr: String,
65    from_displayname: String,
66
67    /// Goes to the `Sender:`-header, if set.
68    /// For overridden names, `sender_displayname` is set to the
69    /// config-name while `from_displayname` is set to the overridden name.
70    /// From the perspective of the receiver,
71    /// a set `Sender:`-header is used as an indicator that the name is overridden;
72    /// names are alsways read from the `From:`-header.
73    sender_displayname: Option<String>,
74
75    selfstatus: String,
76
77    /// Vector of actual recipient addresses.
78    ///
79    /// This is the list of addresses the message should be sent to.
80    /// It is not the same as the `To` header,
81    /// because in case of "member removed" message
82    /// removed member is in the recipient list,
83    /// but not in the `To` header.
84    /// In case of broadcast channels there are multiple recipients,
85    /// but the `To` header has no members.
86    ///
87    /// If `bcc_self` configuration is enabled,
88    /// this list will be extended with own address later,
89    /// but `MimeFactory` is not responsible for this.
90    recipients: Vec<String>,
91
92    /// Vector of pairs of recipient
93    /// addresses and OpenPGP keys
94    /// to use for encryption.
95    ///
96    /// `None` if the message is not encrypted.
97    encryption_keys: Option<Vec<(String, SignedPublicKey)>>,
98
99    /// Vector of pairs of recipient name and address that goes into the `To` field.
100    ///
101    /// The list of actual message recipient addresses may be different,
102    /// e.g. if members are hidden for broadcast channels
103    /// or if the keys for some recipients are missing
104    /// and encrypted message cannot be sent to them.
105    to: Vec<(String, String)>,
106
107    /// Vector of pairs of past group member names and addresses.
108    past_members: Vec<(String, String)>,
109
110    /// Fingerprints of the members in the same order as in the `to`
111    /// followed by `past_members`.
112    ///
113    /// If this is not empty, its length
114    /// should be the sum of `to` and `past_members` length.
115    member_fingerprints: Vec<String>,
116
117    /// Timestamps of the members in the same order as in the `to`
118    /// followed by `past_members`.
119    ///
120    /// If this is not empty, its length
121    /// should be the sum of `to` and `past_members` length.
122    member_timestamps: Vec<i64>,
123
124    timestamp: i64,
125    loaded: Loaded,
126    in_reply_to: String,
127
128    /// List of Message-IDs for `References` header.
129    references: Vec<String>,
130
131    /// True if the message requests Message Disposition Notification
132    /// using `Chat-Disposition-Notification-To` header.
133    req_mdn: bool,
134
135    last_added_location_id: Option<u32>,
136
137    /// If the created mime-structure contains sync-items,
138    /// the IDs of these items are listed here.
139    /// The IDs are returned via `RenderedEmail`
140    /// and must be deleted if the message is actually queued for sending.
141    sync_ids_to_delete: Option<String>,
142
143    /// True if the avatar should be attached.
144    pub attach_selfavatar: bool,
145
146    /// This field is used to sustain the topic id of webxdcs needed for peer channels.
147    webxdc_topic: Option<TopicId>,
148}
149
150/// Result of rendering a message, ready to be submitted to a send job.
151#[derive(Debug, Clone)]
152pub struct RenderedEmail {
153    pub message: String,
154    // pub envelope: Envelope,
155    pub is_encrypted: bool,
156    pub last_added_location_id: Option<u32>,
157
158    /// A comma-separated string of sync-IDs that are used by the rendered email and must be deleted
159    /// from `multi_device_sync` once the message is actually queued for sending.
160    pub sync_ids_to_delete: Option<String>,
161
162    /// Message ID (Message in the sense of Email)
163    pub rfc724_mid: String,
164
165    /// Message subject.
166    pub subject: String,
167}
168
169fn new_address_with_name(name: &str, address: String) -> Address<'static> {
170    Address::new_address(
171        if name == address || name.is_empty() {
172            None
173        } else {
174            Some(name.to_string())
175        },
176        address,
177    )
178}
179
180impl MimeFactory {
181    pub async fn from_msg(context: &Context, msg: Message) -> Result<MimeFactory> {
182        let now = time();
183        let chat = Chat::load_from_db(context, msg.chat_id).await?;
184        let attach_profile_data = Self::should_attach_profile_data(&msg);
185        let undisclosed_recipients = chat.typ == Chattype::OutBroadcast;
186
187        let from_addr = context.get_primary_self_addr().await?;
188        let config_displayname = context
189            .get_config(Config::Displayname)
190            .await?
191            .unwrap_or_default();
192        let (from_displayname, sender_displayname) =
193            if let Some(override_name) = msg.param.get(Param::OverrideSenderDisplayname) {
194                (override_name.to_string(), Some(config_displayname))
195            } else {
196                let name = match attach_profile_data {
197                    true => config_displayname,
198                    false => "".to_string(),
199                };
200                (name, None)
201            };
202
203        let mut recipients = Vec::new();
204        let mut to = Vec::new();
205        let mut past_members = Vec::new();
206        let mut member_fingerprints = Vec::new();
207        let mut member_timestamps = Vec::new();
208        let mut recipient_ids = HashSet::new();
209        let mut req_mdn = false;
210
211        let encryption_keys;
212
213        let self_fingerprint = self_fingerprint(context).await?;
214
215        if chat.is_self_talk() {
216            to.push((from_displayname.to_string(), from_addr.to_string()));
217
218            encryption_keys = if msg.param.get_bool(Param::ForcePlaintext).unwrap_or(false) {
219                None
220            } else {
221                // Encrypt, but only to self.
222                Some(Vec::new())
223            };
224        } else if chat.is_mailing_list() {
225            let list_post = chat
226                .param
227                .get(Param::ListPost)
228                .context("Can't write to mailinglist without ListPost param")?;
229            to.push(("".to_string(), list_post.to_string()));
230            recipients.push(list_post.to_string());
231
232            // Do not encrypt messages to mailing lists.
233            encryption_keys = None;
234        } else {
235            let email_to_remove = if msg.param.get_cmd() == SystemMessage::MemberRemovedFromGroup {
236                msg.param.get(Param::Arg)
237            } else {
238                None
239            };
240
241            let is_encrypted = if msg
242                .param
243                .get_bool(Param::ForcePlaintext)
244                .unwrap_or_default()
245            {
246                false
247            } else {
248                msg.param.get_bool(Param::GuaranteeE2ee).unwrap_or_default()
249                    || chat.is_encrypted(context).await?
250            };
251
252            let mut keys = Vec::new();
253            let mut missing_key_addresses = BTreeSet::new();
254            context
255                .sql
256                // Sort recipients by `add_timestamp DESC` so that if the group is large and there
257                // are multiple SMTP messages, a newly added member receives the member addition
258                // message earlier and has gossiped keys of other members (otherwise the new member
259                // may receive messages from other members earlier and fail to verify them).
260                .query_map(
261                    "SELECT
262                     c.authname,
263                     c.addr,
264                     c.fingerprint,
265                     c.id,
266                     cc.add_timestamp,
267                     cc.remove_timestamp,
268                     k.public_key
269                     FROM chats_contacts cc
270                     LEFT JOIN contacts c ON cc.contact_id=c.id
271                     LEFT JOIN public_keys k ON k.fingerprint=c.fingerprint
272                     WHERE cc.chat_id=?
273                     AND (cc.contact_id>9 OR (cc.contact_id=1 AND ?))
274                     ORDER BY cc.add_timestamp DESC",
275                    (msg.chat_id, chat.typ == Chattype::Group),
276                    |row| {
277                        let authname: String = row.get(0)?;
278                        let addr: String = row.get(1)?;
279                        let fingerprint: String = row.get(2)?;
280                        let id: ContactId = row.get(3)?;
281                        let add_timestamp: i64 = row.get(4)?;
282                        let remove_timestamp: i64 = row.get(5)?;
283                        let public_key_bytes_opt: Option<Vec<u8>> = row.get(6)?;
284                        Ok((authname, addr, fingerprint, id, add_timestamp, remove_timestamp, public_key_bytes_opt))
285                    },
286                    |rows| {
287                        let mut past_member_timestamps = Vec::new();
288                        let mut past_member_fingerprints = Vec::new();
289
290                        for row in rows {
291                            let (authname, addr, fingerprint, id, add_timestamp, remove_timestamp, public_key_bytes_opt) = row?;
292
293                            let public_key_opt = if let Some(public_key_bytes) = &public_key_bytes_opt {
294                                Some(SignedPublicKey::from_slice(public_key_bytes)?)
295                            } else {
296                                None
297                            };
298
299                            let addr = if id == ContactId::SELF {
300                                from_addr.to_string()
301                            } else {
302                                addr
303                            };
304                            let name = match attach_profile_data {
305                                true => authname,
306                                false => "".to_string(),
307                            };
308                            if add_timestamp >= remove_timestamp {
309                                if !recipients_contain_addr(&to, &addr) {
310                                    if id != ContactId::SELF {
311                                        recipients.push(addr.clone());
312                                    }
313                                    if !undisclosed_recipients {
314                                        to.push((name, addr.clone()));
315
316                                        if is_encrypted {
317                                            if !fingerprint.is_empty() {
318                                                member_fingerprints.push(fingerprint);
319                                            } else if id == ContactId::SELF {
320                                                member_fingerprints.push(self_fingerprint.to_string());
321                                            } else {
322                                                ensure_and_debug_assert!(member_fingerprints.is_empty(), "If some past member is a key-contact, all other past members should be key-contacts too");
323                                            }
324                                        }
325                                        member_timestamps.push(add_timestamp);
326                                    }
327                                }
328                                recipient_ids.insert(id);
329
330                                if let Some(public_key) = public_key_opt {
331                                    keys.push((addr.clone(), public_key))
332                                } else if id != ContactId::SELF {
333                                    missing_key_addresses.insert(addr.clone());
334                                    if is_encrypted {
335                                        warn!(context, "Missing key for {addr}");
336                                    }
337                                }
338                            } else if remove_timestamp.saturating_add(60 * 24 * 3600) > now {
339                                // Row is a tombstone,
340                                // member is not actually part of the group.
341                                if !recipients_contain_addr(&past_members, &addr) {
342                                    if let Some(email_to_remove) = email_to_remove {
343                                        if email_to_remove == addr {
344                                            // This is a "member removed" message,
345                                            // we need to notify removed member
346                                            // that it was removed.
347                                            if id != ContactId::SELF {
348                                                recipients.push(addr.clone());
349                                            }
350
351                                            if let Some(public_key) = public_key_opt {
352                                                keys.push((addr.clone(), public_key))
353                                            } else if id != ContactId::SELF {
354                                                missing_key_addresses.insert(addr.clone());
355                                                if is_encrypted {
356                                                    warn!(context, "Missing key for {addr}");
357                                                }
358                                            }
359                                        }
360                                    }
361                                    if !undisclosed_recipients {
362                                        past_members.push((name, addr.clone()));
363                                        past_member_timestamps.push(remove_timestamp);
364
365                                        if is_encrypted {
366                                            if !fingerprint.is_empty() {
367                                                past_member_fingerprints.push(fingerprint);
368                                            } else if id == ContactId::SELF {
369                                                // It's fine to have self in past members
370                                                // if we are leaving the group.
371                                                past_member_fingerprints.push(self_fingerprint.to_string());
372                                            } else {
373                                                ensure_and_debug_assert!(past_member_fingerprints.is_empty(), "If some past member is a key-contact, all other past members should be key-contacts too");
374                                            }
375                                        }
376                                    }
377                                }
378                            }
379                        }
380
381                        ensure_and_debug_assert!(
382                            member_timestamps.len() >= to.len(),
383                            "member_timestamps.len() ({}) < to.len() ({})",
384                            member_timestamps.len(), to.len());
385                        ensure_and_debug_assert!(
386                            member_fingerprints.is_empty() || member_fingerprints.len() >= to.len(),
387                            "member_fingerprints.len() ({}) < to.len() ({})",
388                            member_fingerprints.len(), to.len());
389
390                        if to.len() > 1 {
391                            if let Some(position) = to.iter().position(|(_, x)| x == &from_addr) {
392                                to.remove(position);
393                                member_timestamps.remove(position);
394                                if is_encrypted {
395                                    member_fingerprints.remove(position);
396                                }
397                            }
398                        }
399
400                        member_timestamps.extend(past_member_timestamps);
401                        if is_encrypted {
402                            member_fingerprints.extend(past_member_fingerprints);
403                        }
404                        Ok(())
405                    },
406                )
407                .await?;
408            let recipient_ids: Vec<_> = recipient_ids.into_iter().collect();
409            ContactId::scaleup_origin(context, &recipient_ids, Origin::OutgoingTo).await?;
410
411            if !msg.is_system_message()
412                && msg.param.get_int(Param::Reaction).unwrap_or_default() == 0
413                && context.should_request_mdns().await?
414            {
415                req_mdn = true;
416            }
417
418            encryption_keys = if !is_encrypted {
419                None
420            } else {
421                if keys.is_empty() && !recipients.is_empty() {
422                    bail!("No recipient keys are available, cannot encrypt to {recipients:?}.");
423                }
424
425                // Remove recipients for which the key is missing.
426                if !missing_key_addresses.is_empty() {
427                    recipients.retain(|addr| !missing_key_addresses.contains(addr));
428                }
429
430                Some(keys)
431            };
432        }
433
434        let (in_reply_to, references) = context
435            .sql
436            .query_row(
437                "SELECT mime_in_reply_to, IFNULL(mime_references, '')
438                 FROM msgs WHERE id=?",
439                (msg.id,),
440                |row| {
441                    let in_reply_to: String = row.get(0)?;
442                    let references: String = row.get(1)?;
443
444                    Ok((in_reply_to, references))
445                },
446            )
447            .await?;
448        let references: Vec<String> = references
449            .trim()
450            .split_ascii_whitespace()
451            .map(|s| s.trim_start_matches('<').trim_end_matches('>').to_string())
452            .collect();
453        let selfstatus = match attach_profile_data {
454            true => context
455                .get_config(Config::Selfstatus)
456                .await?
457                .unwrap_or_default(),
458            false => "".to_string(),
459        };
460        let attach_selfavatar = Self::should_attach_selfavatar(context, &msg).await;
461
462        ensure_and_debug_assert!(
463            member_timestamps.is_empty()
464                || to.len() + past_members.len() == member_timestamps.len(),
465            "to.len() ({}) + past_members.len() ({}) != member_timestamps.len() ({})",
466            to.len(),
467            past_members.len(),
468            member_timestamps.len(),
469        );
470        let webxdc_topic = get_iroh_topic_for_msg(context, msg.id).await?;
471        let factory = MimeFactory {
472            from_addr,
473            from_displayname,
474            sender_displayname,
475            selfstatus,
476            recipients,
477            encryption_keys,
478            to,
479            past_members,
480            member_fingerprints,
481            member_timestamps,
482            timestamp: msg.timestamp_sort,
483            loaded: Loaded::Message { msg, chat },
484            in_reply_to,
485            references,
486            req_mdn,
487            last_added_location_id: None,
488            sync_ids_to_delete: None,
489            attach_selfavatar,
490            webxdc_topic,
491        };
492        Ok(factory)
493    }
494
495    pub async fn from_mdn(
496        context: &Context,
497        from_id: ContactId,
498        rfc724_mid: String,
499        additional_msg_ids: Vec<String>,
500    ) -> Result<MimeFactory> {
501        let contact = Contact::get_by_id(context, from_id).await?;
502        let from_addr = context.get_primary_self_addr().await?;
503        let timestamp = create_smeared_timestamp(context);
504
505        let addr = contact.get_addr().to_string();
506        let encryption_keys = if contact.is_key_contact() {
507            if let Some(key) = contact.public_key(context).await? {
508                Some(vec![(addr.clone(), key)])
509            } else {
510                Some(Vec::new())
511            }
512        } else {
513            None
514        };
515
516        let res = MimeFactory {
517            from_addr,
518            from_displayname: "".to_string(),
519            sender_displayname: None,
520            selfstatus: "".to_string(),
521            recipients: vec![addr],
522            encryption_keys,
523            to: vec![("".to_string(), contact.get_addr().to_string())],
524            past_members: vec![],
525            member_fingerprints: vec![],
526            member_timestamps: vec![],
527            timestamp,
528            loaded: Loaded::Mdn {
529                rfc724_mid,
530                additional_msg_ids,
531            },
532            in_reply_to: String::default(),
533            references: Vec::new(),
534            req_mdn: false,
535            last_added_location_id: None,
536            sync_ids_to_delete: None,
537            attach_selfavatar: false,
538            webxdc_topic: None,
539        };
540
541        Ok(res)
542    }
543
544    fn should_skip_autocrypt(&self) -> bool {
545        match &self.loaded {
546            Loaded::Message { msg, .. } => {
547                msg.param.get_bool(Param::SkipAutocrypt).unwrap_or_default()
548            }
549            Loaded::Mdn { .. } => true,
550        }
551    }
552
553    fn should_attach_profile_data(msg: &Message) -> bool {
554        msg.param.get_cmd() != SystemMessage::SecurejoinMessage || {
555            let step = msg.param.get(Param::Arg).unwrap_or_default();
556            // Don't attach profile data at the earlier SecureJoin steps:
557            // - The corresponding messages, i.e. "v{c,g}-request" and "v{c,g}-auth-required" are
558            //   deleted right after processing, so other devices won't see the avatar etc.
559            // - It's also good for privacy because the contact isn't yet verified and these
560            //   messages are auto-sent unlike usual unencrypted messages.
561            step == "vg-request-with-auth"
562                || step == "vc-request-with-auth"
563                || step == "vg-member-added"
564                || step == "vc-contact-confirm"
565        }
566    }
567
568    async fn should_attach_selfavatar(context: &Context, msg: &Message) -> bool {
569        Self::should_attach_profile_data(msg)
570            && match chat::shall_attach_selfavatar(context, msg.chat_id).await {
571                Ok(should) => should,
572                Err(err) => {
573                    warn!(
574                        context,
575                        "should_attach_selfavatar: cannot get selfavatar state: {err:#}."
576                    );
577                    false
578                }
579            }
580    }
581
582    fn grpimage(&self) -> Option<String> {
583        match &self.loaded {
584            Loaded::Message { chat, msg } => {
585                let cmd = msg.param.get_cmd();
586
587                match cmd {
588                    SystemMessage::MemberAddedToGroup => {
589                        return chat.param.get(Param::ProfileImage).map(Into::into);
590                    }
591                    SystemMessage::GroupImageChanged => {
592                        return msg.param.get(Param::Arg).map(Into::into);
593                    }
594                    _ => {}
595                }
596
597                if msg
598                    .param
599                    .get_bool(Param::AttachGroupImage)
600                    .unwrap_or_default()
601                {
602                    return chat.param.get(Param::ProfileImage).map(Into::into);
603                }
604
605                None
606            }
607            Loaded::Mdn { .. } => None,
608        }
609    }
610
611    async fn subject_str(&self, context: &Context) -> Result<String> {
612        let subject = match &self.loaded {
613            Loaded::Message { chat, msg } => {
614                let quoted_msg_subject = msg.quoted_message(context).await?.map(|m| m.subject);
615
616                if !msg.subject.is_empty() {
617                    return Ok(msg.subject.clone());
618                }
619
620                if (chat.typ == Chattype::Group || chat.typ == Chattype::OutBroadcast)
621                    && quoted_msg_subject.is_none_or_empty()
622                {
623                    let re = if self.in_reply_to.is_empty() {
624                        ""
625                    } else {
626                        "Re: "
627                    };
628                    return Ok(format!("{}{}", re, chat.name));
629                }
630
631                let parent_subject = if quoted_msg_subject.is_none_or_empty() {
632                    chat.param.get(Param::LastSubject)
633                } else {
634                    quoted_msg_subject.as_deref()
635                };
636                if let Some(last_subject) = parent_subject {
637                    return Ok(format!("Re: {}", remove_subject_prefix(last_subject)));
638                }
639
640                let self_name = match Self::should_attach_profile_data(msg) {
641                    true => context.get_config(Config::Displayname).await?,
642                    false => None,
643                };
644                let self_name = &match self_name {
645                    Some(name) => name,
646                    None => context.get_config(Config::Addr).await?.unwrap_or_default(),
647                };
648                stock_str::subject_for_new_contact(context, self_name).await
649            }
650            Loaded::Mdn { .. } => "Receipt Notification".to_string(), // untranslated to no reveal sender's language
651        };
652
653        Ok(subject)
654    }
655
656    pub fn recipients(&self) -> Vec<String> {
657        self.recipients.clone()
658    }
659
660    /// Consumes a `MimeFactory` and renders it into a message which is then stored in
661    /// `smtp`-table to be used by the SMTP loop
662    pub async fn render(mut self, context: &Context) -> Result<RenderedEmail> {
663        let mut headers = Vec::<(&'static str, HeaderType<'static>)>::new();
664
665        let from = new_address_with_name(&self.from_displayname, self.from_addr.clone());
666
667        let mut to: Vec<Address<'static>> = Vec::new();
668        for (name, addr) in &self.to {
669            to.push(Address::new_address(
670                if name.is_empty() {
671                    None
672                } else {
673                    Some(name.to_string())
674                },
675                addr.clone(),
676            ));
677        }
678
679        let mut past_members: Vec<Address<'static>> = Vec::new(); // Contents of `Chat-Group-Past-Members` header.
680        for (name, addr) in &self.past_members {
681            past_members.push(Address::new_address(
682                if name.is_empty() {
683                    None
684                } else {
685                    Some(name.to_string())
686                },
687                addr.clone(),
688            ));
689        }
690
691        ensure_and_debug_assert!(
692            self.member_timestamps.is_empty()
693                || to.len() + past_members.len() == self.member_timestamps.len(),
694            "to.len() ({}) + past_members.len() ({}) != self.member_timestamps.len() ({})",
695            to.len(),
696            past_members.len(),
697            self.member_timestamps.len(),
698        );
699        if to.is_empty() {
700            to.push(hidden_recipients());
701        }
702
703        // Start with Internet Message Format headers in the order of the standard example
704        // <https://datatracker.ietf.org/doc/html/rfc5322#appendix-A.1.1>.
705        headers.push(("From", from.into()));
706
707        if let Some(sender_displayname) = &self.sender_displayname {
708            let sender = new_address_with_name(sender_displayname, self.from_addr.clone());
709            headers.push(("Sender", sender.into()));
710        }
711        headers.push((
712            "To",
713            mail_builder::headers::address::Address::new_list(to.clone()).into(),
714        ));
715        if !past_members.is_empty() {
716            headers.push((
717                "Chat-Group-Past-Members",
718                mail_builder::headers::address::Address::new_list(past_members.clone()).into(),
719            ));
720        }
721
722        if let Loaded::Message { chat, .. } = &self.loaded {
723            if chat.typ == Chattype::Group {
724                if !self.member_timestamps.is_empty() && !chat.member_list_is_stale(context).await?
725                {
726                    headers.push((
727                        "Chat-Group-Member-Timestamps",
728                        mail_builder::headers::raw::Raw::new(
729                            self.member_timestamps
730                                .iter()
731                                .map(|ts| ts.to_string())
732                                .collect::<Vec<String>>()
733                                .join(" "),
734                        )
735                        .into(),
736                    ));
737                }
738
739                if !self.member_fingerprints.is_empty() {
740                    headers.push((
741                        "Chat-Group-Member-Fpr",
742                        mail_builder::headers::raw::Raw::new(
743                            self.member_fingerprints
744                                .iter()
745                                .map(|fp| fp.to_string())
746                                .collect::<Vec<String>>()
747                                .join(" "),
748                        )
749                        .into(),
750                    ));
751                }
752            }
753        }
754
755        let subject_str = self.subject_str(context).await?;
756        headers.push((
757            "Subject",
758            mail_builder::headers::text::Text::new(subject_str.to_string()).into(),
759        ));
760
761        let date = chrono::DateTime::<chrono::Utc>::from_timestamp(self.timestamp, 0)
762            .unwrap()
763            .to_rfc2822();
764        headers.push(("Date", mail_builder::headers::raw::Raw::new(date).into()));
765
766        let rfc724_mid = match &self.loaded {
767            Loaded::Message { msg, .. } => msg.rfc724_mid.clone(),
768            Loaded::Mdn { .. } => create_outgoing_rfc724_mid(),
769        };
770        headers.push((
771            "Message-ID",
772            mail_builder::headers::message_id::MessageId::new(rfc724_mid.clone()).into(),
773        ));
774
775        // Reply headers as in <https://datatracker.ietf.org/doc/html/rfc5322#appendix-A.2>.
776        if !self.in_reply_to.is_empty() {
777            headers.push((
778                "In-Reply-To",
779                mail_builder::headers::message_id::MessageId::new(self.in_reply_to.clone()).into(),
780            ));
781        }
782        if !self.references.is_empty() {
783            headers.push((
784                "References",
785                mail_builder::headers::message_id::MessageId::<'static>::new_list(
786                    self.references.iter().map(|s| s.to_string()),
787                )
788                .into(),
789            ));
790        }
791
792        // Automatic Response headers <https://www.rfc-editor.org/rfc/rfc3834>
793        if let Loaded::Mdn { .. } = self.loaded {
794            headers.push((
795                "Auto-Submitted",
796                mail_builder::headers::raw::Raw::new("auto-replied".to_string()).into(),
797            ));
798        } else if context.get_config_bool(Config::Bot).await? {
799            headers.push((
800                "Auto-Submitted",
801                mail_builder::headers::raw::Raw::new("auto-generated".to_string()).into(),
802            ));
803        } else if let Loaded::Message { msg, .. } = &self.loaded {
804            if msg.param.get_cmd() == SystemMessage::SecurejoinMessage {
805                let step = msg.param.get(Param::Arg).unwrap_or_default();
806                if step != "vg-request" && step != "vc-request" {
807                    headers.push((
808                        "Auto-Submitted",
809                        mail_builder::headers::raw::Raw::new("auto-replied".to_string()).into(),
810                    ));
811                }
812            }
813        }
814
815        if let Loaded::Message { chat, .. } = &self.loaded {
816            if chat.typ == Chattype::OutBroadcast || chat.typ == Chattype::InBroadcast {
817                headers.push((
818                    "List-ID",
819                    mail_builder::headers::text::Text::new(format!(
820                        "{} <{}>",
821                        chat.name, chat.grpid
822                    ))
823                    .into(),
824                ));
825            }
826        }
827
828        if let Loaded::Message { msg, .. } = &self.loaded {
829            if let Some(original_rfc724_mid) = msg.param.get(Param::TextEditFor) {
830                headers.push((
831                    "Chat-Edit",
832                    mail_builder::headers::message_id::MessageId::new(
833                        original_rfc724_mid.to_string(),
834                    )
835                    .into(),
836                ));
837            } else if let Some(rfc724_mid_list) = msg.param.get(Param::DeleteRequestFor) {
838                headers.push((
839                    "Chat-Delete",
840                    mail_builder::headers::message_id::MessageId::new(rfc724_mid_list.to_string())
841                        .into(),
842                ));
843            }
844        }
845
846        // Non-standard headers.
847        headers.push((
848            "Chat-Version",
849            mail_builder::headers::raw::Raw::new("1.0").into(),
850        ));
851
852        if self.req_mdn {
853            // we use "Chat-Disposition-Notification-To"
854            // because replies to "Disposition-Notification-To" are weird in many cases
855            // eg. are just freetext and/or do not follow any standard.
856            headers.push((
857                "Chat-Disposition-Notification-To",
858                mail_builder::headers::raw::Raw::new(self.from_addr.clone()).into(),
859            ));
860        }
861
862        let grpimage = self.grpimage();
863        let skip_autocrypt = self.should_skip_autocrypt();
864        let encrypt_helper = EncryptHelper::new(context).await?;
865
866        if !skip_autocrypt {
867            // unless determined otherwise we add the Autocrypt header
868            let aheader = encrypt_helper.get_aheader().to_string();
869            headers.push((
870                "Autocrypt",
871                mail_builder::headers::raw::Raw::new(aheader).into(),
872            ));
873        }
874
875        let is_encrypted = self.encryption_keys.is_some();
876
877        // Add ephemeral timer for non-MDN messages.
878        // For MDNs it does not matter because they are not visible
879        // and ignored by the receiver.
880        if let Loaded::Message { msg, .. } = &self.loaded {
881            let ephemeral_timer = msg.chat_id.get_ephemeral_timer(context).await?;
882            if let EphemeralTimer::Enabled { duration } = ephemeral_timer {
883                headers.push((
884                    "Ephemeral-Timer",
885                    mail_builder::headers::raw::Raw::new(duration.to_string()).into(),
886                ));
887            }
888        }
889
890        let is_securejoin_message = if let Loaded::Message { msg, .. } = &self.loaded {
891            msg.param.get_cmd() == SystemMessage::SecurejoinMessage
892        } else {
893            false
894        };
895
896        let message: MimePart<'static> = match &self.loaded {
897            Loaded::Message { msg, .. } => {
898                let msg = msg.clone();
899                let (main_part, mut parts) = self
900                    .render_message(context, &mut headers, &grpimage, is_encrypted)
901                    .await?;
902                if parts.is_empty() {
903                    // Single part, render as regular message.
904                    main_part
905                } else {
906                    parts.insert(0, main_part);
907
908                    // Multiple parts, render as multipart.
909                    if msg.param.get_cmd() == SystemMessage::MultiDeviceSync {
910                        MimePart::new("multipart/report; report-type=multi-device-sync", parts)
911                    } else if msg.param.get_cmd() == SystemMessage::WebxdcStatusUpdate {
912                        MimePart::new("multipart/report; report-type=status-update", parts)
913                    } else {
914                        MimePart::new("multipart/mixed", parts)
915                    }
916                }
917            }
918            Loaded::Mdn { .. } => self.render_mdn()?,
919        };
920
921        // Split headers based on header confidentiality policy.
922
923        // Headers that must go into IMF header section.
924        //
925        // These are standard headers such as Date, In-Reply-To, References, which cannot be placed
926        // anywhere else according to the standard. Placing headers here also allows them to be fetched
927        // individually over IMAP without downloading the message body. This is why Chat-Version is
928        // placed here.
929        let mut unprotected_headers: Vec<(&'static str, HeaderType<'static>)> = Vec::new();
930
931        // Headers that MUST NOT (only) go into IMF header section:
932        // - Large headers which may hit the header section size limit on the server, such as
933        //   Chat-User-Avatar with a base64-encoded image inside.
934        // - Headers duplicated here that servers mess up with in the IMF header section, like
935        //   Message-ID.
936        // - Nonstandard headers that should be DKIM-protected because e.g. OpenDKIM only signs
937        //   known headers.
938        //
939        // The header should be hidden from MTA
940        // by moving it either into protected part
941        // in case of encrypted mails
942        // or unprotected MIME preamble in case of unencrypted mails.
943        let mut hidden_headers: Vec<(&'static str, HeaderType<'static>)> = Vec::new();
944
945        // Opportunistically protected headers.
946        //
947        // These headers are placed into encrypted part *if* the message is encrypted. Place headers
948        // which are not needed before decryption (e.g. Chat-Group-Name) or are not interesting if the
949        // message cannot be decrypted (e.g. Chat-Disposition-Notification-To) here.
950        //
951        // If the message is not encrypted, these headers are placed into IMF header section, so make
952        // sure that the message will be encrypted if you place any sensitive information here.
953        let mut protected_headers: Vec<(&'static str, HeaderType<'static>)> = Vec::new();
954
955        // MIME header <https://datatracker.ietf.org/doc/html/rfc2045>.
956        unprotected_headers.push((
957            "MIME-Version",
958            mail_builder::headers::raw::Raw::new("1.0").into(),
959        ));
960        for header @ (original_header_name, _header_value) in &headers {
961            let header_name = original_header_name.to_lowercase();
962            if header_name == "message-id" {
963                unprotected_headers.push(header.clone());
964                hidden_headers.push(header.clone());
965            } else if is_hidden(&header_name) {
966                hidden_headers.push(header.clone());
967            } else if header_name == "from" {
968                // Unencrypted securejoin messages should _not_ include the display name:
969                if is_encrypted || !is_securejoin_message {
970                    protected_headers.push(header.clone());
971                }
972
973                unprotected_headers.push((
974                    original_header_name,
975                    Address::new_address(None::<&'static str>, self.from_addr.clone()).into(),
976                ));
977            } else if header_name == "to" {
978                protected_headers.push(header.clone());
979                if is_encrypted {
980                    let mut to_without_names = to
981                        .clone()
982                        .into_iter()
983                        .filter_map(|header| match header {
984                            Address::Address(mb) => Some(Address::Address(EmailAddress {
985                                name: None,
986                                email: mb.email,
987                            })),
988                            _ => None,
989                        })
990                        .collect::<Vec<_>>();
991                    if to_without_names.is_empty() {
992                        to_without_names.push(hidden_recipients());
993                    }
994                    unprotected_headers.push((
995                        original_header_name,
996                        Address::new_list(to_without_names).into(),
997                    ));
998                } else {
999                    unprotected_headers.push(header.clone());
1000                }
1001            } else if is_encrypted && header_name == "date" {
1002                protected_headers.push(header.clone());
1003
1004                // Randomized date goes to unprotected header.
1005                //
1006                // We cannot just send "Thu, 01 Jan 1970 00:00:00 +0000"
1007                // or omit the header because GMX then fails with
1008                //
1009                // host mx00.emig.gmx.net[212.227.15.9] said:
1010                // 554-Transaction failed
1011                // 554-Reject due to policy restrictions.
1012                // 554 For explanation visit https://postmaster.gmx.net/en/case?...
1013                // (in reply to end of DATA command)
1014                //
1015                // and the explanation page says
1016                // "The time information deviates too much from the actual time".
1017                let timestamp_offset = rand::random_range(0..1000000);
1018                let protected_timestamp = self.timestamp.saturating_sub(timestamp_offset);
1019                let unprotected_date =
1020                    chrono::DateTime::<chrono::Utc>::from_timestamp(protected_timestamp, 0)
1021                        .unwrap()
1022                        .to_rfc2822();
1023                unprotected_headers.push((
1024                    "Date",
1025                    mail_builder::headers::raw::Raw::new(unprotected_date).into(),
1026                ));
1027            } else if is_encrypted {
1028                protected_headers.push(header.clone());
1029
1030                match header_name.as_str() {
1031                    "subject" => {
1032                        unprotected_headers.push((
1033                            "Subject",
1034                            mail_builder::headers::raw::Raw::new("[...]").into(),
1035                        ));
1036                    }
1037                    "in-reply-to"
1038                    | "references"
1039                    | "auto-submitted"
1040                    | "chat-version"
1041                    | "autocrypt-setup-message" => {
1042                        unprotected_headers.push(header.clone());
1043                    }
1044                    _ => {
1045                        // Other headers are removed from unprotected part.
1046                    }
1047                }
1048            } else {
1049                // Copy the header to the protected headers
1050                // in case of signed-only message.
1051                // If the message is not signed, this value will not be used.
1052                protected_headers.push(header.clone());
1053                unprotected_headers.push(header.clone())
1054            }
1055        }
1056
1057        let outer_message = if let Some(encryption_keys) = self.encryption_keys {
1058            // Store protected headers in the inner message.
1059            let message = protected_headers
1060                .into_iter()
1061                .fold(message, |message, (header, value)| {
1062                    message.header(header, value)
1063                });
1064
1065            // Add hidden headers to encrypted payload.
1066            let mut message: MimePart<'static> = hidden_headers
1067                .into_iter()
1068                .fold(message, |message, (header, value)| {
1069                    message.header(header, value)
1070                });
1071
1072            // Add gossip headers in chats with multiple recipients
1073            let multiple_recipients =
1074                encryption_keys.len() > 1 || context.get_config_bool(Config::BccSelf).await?;
1075
1076            let gossip_period = context.get_config_i64(Config::GossipPeriod).await?;
1077            let now = time();
1078
1079            match &self.loaded {
1080                Loaded::Message { chat, msg } => {
1081                    if chat.typ != Chattype::OutBroadcast {
1082                        for (addr, key) in &encryption_keys {
1083                            let fingerprint = key.dc_fingerprint().hex();
1084                            let cmd = msg.param.get_cmd();
1085                            let should_do_gossip = cmd == SystemMessage::MemberAddedToGroup
1086                                || cmd == SystemMessage::SecurejoinMessage
1087                                || multiple_recipients && {
1088                                    let gossiped_timestamp: Option<i64> = context
1089                                        .sql
1090                                        .query_get_value(
1091                                            "SELECT timestamp
1092                                         FROM gossip_timestamp
1093                                         WHERE chat_id=? AND fingerprint=?",
1094                                            (chat.id, &fingerprint),
1095                                        )
1096                                        .await?;
1097
1098                                    // `gossip_period == 0` is a special case for testing,
1099                                    // enabling gossip in every message.
1100                                    //
1101                                    // If current time is in the past compared to
1102                                    // `gossiped_timestamp`, we also gossip because
1103                                    // either the `gossiped_timestamp` or clock is wrong.
1104                                    gossip_period == 0
1105                                        || gossiped_timestamp
1106                                            .is_none_or(|ts| now >= ts + gossip_period || now < ts)
1107                                };
1108
1109                            let verifier_id: Option<u32> = context
1110                                .sql
1111                                .query_get_value(
1112                                    "SELECT verifier FROM contacts WHERE fingerprint=?",
1113                                    (&fingerprint,),
1114                                )
1115                                .await?;
1116
1117                            let is_verified =
1118                                verifier_id.is_some_and(|verifier_id| verifier_id != 0);
1119
1120                            if !should_do_gossip {
1121                                continue;
1122                            }
1123
1124                            let header = Aheader {
1125                                addr: addr.clone(),
1126                                public_key: key.clone(),
1127                                // Autocrypt 1.1.0 specification says that
1128                                // `prefer-encrypt` attribute SHOULD NOT be included.
1129                                prefer_encrypt: EncryptPreference::NoPreference,
1130                                verified: is_verified,
1131                            }
1132                            .to_string();
1133
1134                            message = message.header(
1135                                "Autocrypt-Gossip",
1136                                mail_builder::headers::raw::Raw::new(header),
1137                            );
1138
1139                            context
1140                                .sql
1141                                .execute(
1142                                    "INSERT INTO gossip_timestamp (chat_id, fingerprint, timestamp)
1143                                     VALUES                       (?, ?, ?)
1144                                     ON CONFLICT                  (chat_id, fingerprint)
1145                                     DO UPDATE SET timestamp=excluded.timestamp",
1146                                    (chat.id, &fingerprint, now),
1147                                )
1148                                .await?;
1149                        }
1150                    }
1151                }
1152                Loaded::Mdn { .. } => {
1153                    // Never gossip in MDNs.
1154                }
1155            }
1156
1157            // Set the appropriate Content-Type for the inner message.
1158            for (h, v) in &mut message.headers {
1159                if h == "Content-Type" {
1160                    if let mail_builder::headers::HeaderType::ContentType(ct) = v {
1161                        *ct = ct.clone().attribute("protected-headers", "v1");
1162                    }
1163                }
1164            }
1165
1166            // Disable compression for SecureJoin to ensure
1167            // there are no compression side channels
1168            // leaking information about the tokens.
1169            let compress = match &self.loaded {
1170                Loaded::Message { msg, .. } => {
1171                    msg.param.get_cmd() != SystemMessage::SecurejoinMessage
1172                }
1173                Loaded::Mdn { .. } => true,
1174            };
1175
1176            // Encrypt to self unconditionally,
1177            // even for a single-device setup.
1178            let mut encryption_keyring = vec![encrypt_helper.public_key.clone()];
1179            encryption_keyring.extend(encryption_keys.iter().map(|(_addr, key)| (*key).clone()));
1180
1181            // XXX: additional newline is needed
1182            // to pass filtermail at
1183            // <https://github.com/deltachat/chatmail/blob/4d915f9800435bf13057d41af8d708abd34dbfa8/chatmaild/src/chatmaild/filtermail.py#L84-L86>
1184            let encrypted = encrypt_helper
1185                .encrypt(context, encryption_keyring, message, compress)
1186                .await?
1187                + "\n";
1188
1189            // Set the appropriate Content-Type for the outer message
1190            MimePart::new(
1191                "multipart/encrypted; protocol=\"application/pgp-encrypted\"",
1192                vec![
1193                    // Autocrypt part 1
1194                    MimePart::new("application/pgp-encrypted", "Version: 1\r\n").header(
1195                        "Content-Description",
1196                        mail_builder::headers::raw::Raw::new("PGP/MIME version identification"),
1197                    ),
1198                    // Autocrypt part 2
1199                    MimePart::new(
1200                        "application/octet-stream; name=\"encrypted.asc\"",
1201                        encrypted,
1202                    )
1203                    .header(
1204                        "Content-Description",
1205                        mail_builder::headers::raw::Raw::new("OpenPGP encrypted message"),
1206                    )
1207                    .header(
1208                        "Content-Disposition",
1209                        mail_builder::headers::raw::Raw::new("inline; filename=\"encrypted.asc\";"),
1210                    ),
1211                ],
1212            )
1213        } else if matches!(self.loaded, Loaded::Mdn { .. }) {
1214            // Never add outer multipart/mixed wrapper to MDN
1215            // as multipart/report Content-Type is used to recognize MDNs
1216            // by Delta Chat receiver and Chatmail servers
1217            // allowing them to be unencrypted and not contain Autocrypt header
1218            // without resetting Autocrypt encryption or triggering Chatmail filter
1219            // that normally only allows encrypted mails.
1220
1221            // Hidden headers are dropped.
1222            message
1223        } else {
1224            let message = hidden_headers
1225                .into_iter()
1226                .fold(message, |message, (header, value)| {
1227                    message.header(header, value)
1228                });
1229            let message = MimePart::new("multipart/mixed", vec![message]);
1230            let mut message = protected_headers
1231                .iter()
1232                .fold(message, |message, (header, value)| {
1233                    message.header(*header, value.clone())
1234                });
1235
1236            if skip_autocrypt || !context.get_config_bool(Config::SignUnencrypted).await? {
1237                // Deduplicate unprotected headers that also are in the protected headers:
1238                let protected: HashSet<&str> =
1239                    HashSet::from_iter(protected_headers.iter().map(|(header, _value)| *header));
1240                unprotected_headers.retain(|(header, _value)| !protected.contains(header));
1241
1242                message
1243            } else {
1244                for (h, v) in &mut message.headers {
1245                    if h == "Content-Type" {
1246                        if let mail_builder::headers::HeaderType::ContentType(ct) = v {
1247                            *ct = ct.clone().attribute("protected-headers", "v1");
1248                        }
1249                    }
1250                }
1251
1252                let signature = encrypt_helper.sign(context, &message).await?;
1253                MimePart::new(
1254                    "multipart/signed; protocol=\"application/pgp-signature\"; protected",
1255                    vec![
1256                        message,
1257                        MimePart::new(
1258                            "application/pgp-signature; name=\"signature.asc\"",
1259                            signature,
1260                        )
1261                        .header(
1262                            "Content-Description",
1263                            mail_builder::headers::raw::Raw::<'static>::new(
1264                                "OpenPGP digital signature",
1265                            ),
1266                        )
1267                        .attachment("signature"),
1268                    ],
1269                )
1270            }
1271        };
1272
1273        // Store the unprotected headers on the outer message.
1274        let outer_message = unprotected_headers
1275            .into_iter()
1276            .fold(outer_message, |message, (header, value)| {
1277                message.header(header, value)
1278            });
1279
1280        let MimeFactory {
1281            last_added_location_id,
1282            ..
1283        } = self;
1284
1285        let mut buffer = Vec::new();
1286        let cursor = Cursor::new(&mut buffer);
1287        outer_message.clone().write_part(cursor).ok();
1288        let message = String::from_utf8_lossy(&buffer).to_string();
1289
1290        Ok(RenderedEmail {
1291            message,
1292            // envelope: Envelope::new,
1293            is_encrypted,
1294            last_added_location_id,
1295            sync_ids_to_delete: self.sync_ids_to_delete,
1296            rfc724_mid,
1297            subject: subject_str,
1298        })
1299    }
1300
1301    /// Returns MIME part with a `message.kml` attachment.
1302    fn get_message_kml_part(&self) -> Option<MimePart<'static>> {
1303        let Loaded::Message { msg, .. } = &self.loaded else {
1304            return None;
1305        };
1306
1307        let latitude = msg.param.get_float(Param::SetLatitude)?;
1308        let longitude = msg.param.get_float(Param::SetLongitude)?;
1309
1310        let kml_file = location::get_message_kml(msg.timestamp_sort, latitude, longitude);
1311        let part = MimePart::new("application/vnd.google-earth.kml+xml", kml_file)
1312            .attachment("message.kml");
1313        Some(part)
1314    }
1315
1316    /// Returns MIME part with a `location.kml` attachment.
1317    async fn get_location_kml_part(
1318        &mut self,
1319        context: &Context,
1320    ) -> Result<Option<MimePart<'static>>> {
1321        let Loaded::Message { msg, .. } = &self.loaded else {
1322            return Ok(None);
1323        };
1324
1325        let Some((kml_content, last_added_location_id)) =
1326            location::get_kml(context, msg.chat_id).await?
1327        else {
1328            return Ok(None);
1329        };
1330
1331        let part = MimePart::new("application/vnd.google-earth.kml+xml", kml_content)
1332            .attachment("location.kml");
1333        if !msg.param.exists(Param::SetLatitude) {
1334            // otherwise, the independent location is already filed
1335            self.last_added_location_id = Some(last_added_location_id);
1336        }
1337        Ok(Some(part))
1338    }
1339
1340    async fn render_message(
1341        &mut self,
1342        context: &Context,
1343        headers: &mut Vec<(&'static str, HeaderType<'static>)>,
1344        grpimage: &Option<String>,
1345        is_encrypted: bool,
1346    ) -> Result<(MimePart<'static>, Vec<MimePart<'static>>)> {
1347        let Loaded::Message { chat, msg } = &self.loaded else {
1348            bail!("Attempt to render MDN as a message");
1349        };
1350        let chat = chat.clone();
1351        let msg = msg.clone();
1352        let command = msg.param.get_cmd();
1353        let mut placeholdertext = None;
1354
1355        let send_verified_headers = match chat.typ {
1356            Chattype::Single => true,
1357            Chattype::Group => true,
1358            // Mailinglists and broadcast channels can actually never be verified:
1359            Chattype::Mailinglist => false,
1360            Chattype::OutBroadcast | Chattype::InBroadcast => false,
1361        };
1362
1363        if send_verified_headers {
1364            let was_protected: bool = context
1365                .sql
1366                .query_get_value("SELECT protected FROM chats WHERE id=?", (chat.id,))
1367                .await?
1368                .unwrap_or_default();
1369
1370            if was_protected {
1371                let unverified_member_exists = context
1372                    .sql
1373                    .exists(
1374                        "SELECT COUNT(*)
1375                        FROM contacts, chats_contacts
1376                        WHERE chats_contacts.contact_id=contacts.id AND chats_contacts.chat_id=?
1377                        AND contacts.id>9
1378                        AND contacts.verifier=0",
1379                        (chat.id,),
1380                    )
1381                    .await?;
1382
1383                if !unverified_member_exists {
1384                    headers.push((
1385                        "Chat-Verified",
1386                        mail_builder::headers::raw::Raw::new("1").into(),
1387                    ));
1388                }
1389            }
1390        }
1391
1392        if chat.typ == Chattype::Group {
1393            // Send group ID unless it is an ad hoc group that has no ID.
1394            if !chat.grpid.is_empty() {
1395                headers.push((
1396                    "Chat-Group-ID",
1397                    mail_builder::headers::raw::Raw::new(chat.grpid.clone()).into(),
1398                ));
1399            }
1400        }
1401
1402        if chat.typ == Chattype::Group
1403            || chat.typ == Chattype::OutBroadcast
1404            || chat.typ == Chattype::InBroadcast
1405        {
1406            headers.push((
1407                "Chat-Group-Name",
1408                mail_builder::headers::text::Text::new(chat.name.to_string()).into(),
1409            ));
1410            if let Some(ts) = chat.param.get_i64(Param::GroupNameTimestamp) {
1411                headers.push((
1412                    "Chat-Group-Name-Timestamp",
1413                    mail_builder::headers::text::Text::new(ts.to_string()).into(),
1414                ));
1415            }
1416
1417            match command {
1418                SystemMessage::MemberRemovedFromGroup => {
1419                    ensure!(chat.typ != Chattype::OutBroadcast);
1420                    let email_to_remove = msg.param.get(Param::Arg).unwrap_or_default();
1421
1422                    if email_to_remove
1423                        == context
1424                            .get_config(Config::ConfiguredAddr)
1425                            .await?
1426                            .unwrap_or_default()
1427                    {
1428                        placeholdertext = Some(stock_str::msg_group_left_remote(context).await);
1429                    } else {
1430                        placeholdertext =
1431                            Some(stock_str::msg_del_member_remote(context, email_to_remove).await);
1432                    };
1433
1434                    if !email_to_remove.is_empty() {
1435                        headers.push((
1436                            "Chat-Group-Member-Removed",
1437                            mail_builder::headers::raw::Raw::new(email_to_remove.to_string())
1438                                .into(),
1439                        ));
1440                    }
1441                }
1442                SystemMessage::MemberAddedToGroup => {
1443                    ensure!(chat.typ != Chattype::OutBroadcast);
1444                    // TODO: lookup the contact by ID rather than email address.
1445                    // We are adding key-contacts, the cannot be looked up by address.
1446                    let email_to_add = msg.param.get(Param::Arg).unwrap_or_default();
1447                    placeholdertext =
1448                        Some(stock_str::msg_add_member_remote(context, email_to_add).await);
1449
1450                    if !email_to_add.is_empty() {
1451                        headers.push((
1452                            "Chat-Group-Member-Added",
1453                            mail_builder::headers::raw::Raw::new(email_to_add.to_string()).into(),
1454                        ));
1455                    }
1456                    if 0 != msg.param.get_int(Param::Arg2).unwrap_or_default() & DC_FROM_HANDSHAKE {
1457                        info!(
1458                            context,
1459                            "Sending secure-join message {:?}.", "vg-member-added",
1460                        );
1461                        headers.push((
1462                            "Secure-Join",
1463                            mail_builder::headers::raw::Raw::new("vg-member-added".to_string())
1464                                .into(),
1465                        ));
1466                    }
1467                }
1468                SystemMessage::GroupNameChanged => {
1469                    let old_name = msg.param.get(Param::Arg).unwrap_or_default().to_string();
1470                    headers.push((
1471                        "Chat-Group-Name-Changed",
1472                        mail_builder::headers::text::Text::new(old_name).into(),
1473                    ));
1474                }
1475                SystemMessage::GroupImageChanged => {
1476                    headers.push((
1477                        "Chat-Content",
1478                        mail_builder::headers::text::Text::new("group-avatar-changed").into(),
1479                    ));
1480                    if grpimage.is_none() {
1481                        headers.push((
1482                            "Chat-Group-Avatar",
1483                            mail_builder::headers::raw::Raw::new("0").into(),
1484                        ));
1485                    }
1486                }
1487                _ => {}
1488            }
1489        }
1490
1491        match command {
1492            SystemMessage::LocationStreamingEnabled => {
1493                headers.push((
1494                    "Chat-Content",
1495                    mail_builder::headers::raw::Raw::new("location-streaming-enabled").into(),
1496                ));
1497            }
1498            SystemMessage::EphemeralTimerChanged => {
1499                headers.push((
1500                    "Chat-Content",
1501                    mail_builder::headers::raw::Raw::new("ephemeral-timer-changed").into(),
1502                ));
1503            }
1504            SystemMessage::LocationOnly
1505            | SystemMessage::MultiDeviceSync
1506            | SystemMessage::WebxdcStatusUpdate => {
1507                // This should prevent automatic replies,
1508                // such as non-delivery reports.
1509                //
1510                // See <https://tools.ietf.org/html/rfc3834>
1511                //
1512                // Adding this header without encryption leaks some
1513                // information about the message contents, but it can
1514                // already be easily guessed from message timing and size.
1515                headers.push((
1516                    "Auto-Submitted",
1517                    mail_builder::headers::raw::Raw::new("auto-generated").into(),
1518                ));
1519            }
1520            SystemMessage::AutocryptSetupMessage => {
1521                headers.push((
1522                    "Autocrypt-Setup-Message",
1523                    mail_builder::headers::raw::Raw::new("v1").into(),
1524                ));
1525
1526                placeholdertext = Some(ASM_SUBJECT.to_string());
1527            }
1528            SystemMessage::SecurejoinMessage => {
1529                let step = msg.param.get(Param::Arg).unwrap_or_default();
1530                if !step.is_empty() {
1531                    info!(context, "Sending secure-join message {step:?}.");
1532                    headers.push((
1533                        "Secure-Join",
1534                        mail_builder::headers::raw::Raw::new(step.to_string()).into(),
1535                    ));
1536
1537                    let param2 = msg.param.get(Param::Arg2).unwrap_or_default();
1538                    if !param2.is_empty() {
1539                        headers.push((
1540                            if step == "vg-request-with-auth" || step == "vc-request-with-auth" {
1541                                "Secure-Join-Auth"
1542                            } else {
1543                                "Secure-Join-Invitenumber"
1544                            },
1545                            mail_builder::headers::text::Text::new(param2.to_string()).into(),
1546                        ));
1547                    }
1548
1549                    let fingerprint = msg.param.get(Param::Arg3).unwrap_or_default();
1550                    if !fingerprint.is_empty() {
1551                        headers.push((
1552                            "Secure-Join-Fingerprint",
1553                            mail_builder::headers::raw::Raw::new(fingerprint.to_string()).into(),
1554                        ));
1555                    }
1556                    if let Some(id) = msg.param.get(Param::Arg4) {
1557                        headers.push((
1558                            "Secure-Join-Group",
1559                            mail_builder::headers::raw::Raw::new(id.to_string()).into(),
1560                        ));
1561                    };
1562                }
1563            }
1564            SystemMessage::ChatProtectionEnabled => {
1565                headers.push((
1566                    "Chat-Content",
1567                    mail_builder::headers::raw::Raw::new("protection-enabled").into(),
1568                ));
1569            }
1570            SystemMessage::ChatProtectionDisabled => {
1571                headers.push((
1572                    "Chat-Content",
1573                    mail_builder::headers::raw::Raw::new("protection-disabled").into(),
1574                ));
1575            }
1576            SystemMessage::IrohNodeAddr => {
1577                let node_addr = context
1578                    .get_or_try_init_peer_channel()
1579                    .await?
1580                    .get_node_addr()
1581                    .await?;
1582
1583                // We should not send `null` as relay URL
1584                // as this is the only way to reach the node.
1585                debug_assert!(node_addr.relay_url().is_some());
1586                headers.push((
1587                    HeaderDef::IrohNodeAddr.into(),
1588                    mail_builder::headers::text::Text::new(serde_json::to_string(&node_addr)?)
1589                        .into(),
1590                ));
1591            }
1592            SystemMessage::CallAccepted => {
1593                headers.push((
1594                    "Chat-Content",
1595                    mail_builder::headers::raw::Raw::new("call-accepted").into(),
1596                ));
1597            }
1598            SystemMessage::CallEnded => {
1599                headers.push((
1600                    "Chat-Content",
1601                    mail_builder::headers::raw::Raw::new("call-ended").into(),
1602                ));
1603            }
1604            _ => {}
1605        }
1606
1607        if let Some(grpimage) = grpimage {
1608            info!(context, "setting group image '{}'", grpimage);
1609            let avatar = build_avatar_file(context, grpimage)
1610                .await
1611                .context("Cannot attach group image")?;
1612            headers.push((
1613                "Chat-Group-Avatar",
1614                mail_builder::headers::raw::Raw::new(format!("base64:{avatar}")).into(),
1615            ));
1616        }
1617
1618        if msg.viewtype == Viewtype::Sticker {
1619            headers.push((
1620                "Chat-Content",
1621                mail_builder::headers::raw::Raw::new("sticker").into(),
1622            ));
1623        } else if msg.viewtype == Viewtype::Call {
1624            headers.push((
1625                "Chat-Content",
1626                mail_builder::headers::raw::Raw::new("call").into(),
1627            ));
1628            placeholdertext = Some(
1629                "[This is a 'Call'. The sender uses an experiment not supported on your version yet]".to_string(),
1630            );
1631        }
1632
1633        if let Some(offer) = msg.param.get(Param::WebrtcRoom) {
1634            headers.push((
1635                "Chat-Webrtc-Room",
1636                mail_builder::headers::raw::Raw::new(b_encode(offer)).into(),
1637            ));
1638        } else if let Some(answer) = msg.param.get(Param::WebrtcAccepted) {
1639            headers.push((
1640                "Chat-Webrtc-Accepted",
1641                mail_builder::headers::raw::Raw::new(b_encode(answer)).into(),
1642            ));
1643        }
1644
1645        if msg.viewtype == Viewtype::Voice
1646            || msg.viewtype == Viewtype::Audio
1647            || msg.viewtype == Viewtype::Video
1648        {
1649            if msg.viewtype == Viewtype::Voice {
1650                headers.push((
1651                    "Chat-Voice-Message",
1652                    mail_builder::headers::raw::Raw::new("1").into(),
1653                ));
1654            }
1655            let duration_ms = msg.param.get_int(Param::Duration).unwrap_or_default();
1656            if duration_ms > 0 {
1657                let dur = duration_ms.to_string();
1658                headers.push((
1659                    "Chat-Duration",
1660                    mail_builder::headers::raw::Raw::new(dur).into(),
1661                ));
1662            }
1663        }
1664
1665        // add text part - we even add empty text and force a MIME-multipart-message as:
1666        // - some Apps have problems with Non-text in the main part (eg. "Mail" from stock Android)
1667        // - we can add "forward hints" this way
1668        // - it looks better
1669
1670        let afwd_email = msg.param.exists(Param::Forwarded);
1671        let fwdhint = if afwd_email {
1672            Some(
1673                "---------- Forwarded message ----------\r\n\
1674                 From: Delta Chat\r\n\
1675                 \r\n"
1676                    .to_string(),
1677            )
1678        } else {
1679            None
1680        };
1681
1682        let final_text = placeholdertext.as_deref().unwrap_or(&msg.text);
1683
1684        let mut quoted_text = None;
1685        if let Some(msg_quoted_text) = msg.quoted_text() {
1686            let mut some_quoted_text = String::new();
1687            for quoted_line in msg_quoted_text.split('\n') {
1688                some_quoted_text += "> ";
1689                some_quoted_text += quoted_line;
1690                some_quoted_text += "\r\n";
1691            }
1692            some_quoted_text += "\r\n";
1693            quoted_text = Some(some_quoted_text)
1694        }
1695
1696        if !is_encrypted && msg.param.get_bool(Param::ProtectQuote).unwrap_or_default() {
1697            // Message is not encrypted but quotes encrypted message.
1698            quoted_text = Some("> ...\r\n\r\n".to_string());
1699        }
1700        if quoted_text.is_none() && final_text.starts_with('>') {
1701            // Insert empty line to avoid receiver treating user-sent quote as topquote inserted by
1702            // Delta Chat.
1703            quoted_text = Some("\r\n".to_string());
1704        }
1705
1706        let is_reaction = msg.param.get_int(Param::Reaction).unwrap_or_default() != 0;
1707
1708        let footer = if is_reaction { "" } else { &self.selfstatus };
1709
1710        let message_text = format!(
1711            "{}{}{}{}{}{}",
1712            fwdhint.unwrap_or_default(),
1713            quoted_text.unwrap_or_default(),
1714            escape_message_footer_marks(final_text),
1715            if !final_text.is_empty() && !footer.is_empty() {
1716                "\r\n\r\n"
1717            } else {
1718                ""
1719            },
1720            if !footer.is_empty() { "-- \r\n" } else { "" },
1721            footer
1722        );
1723
1724        let mut main_part = MimePart::new("text/plain", message_text);
1725        if is_reaction {
1726            main_part = main_part.header(
1727                "Content-Disposition",
1728                mail_builder::headers::raw::Raw::new("reaction"),
1729            );
1730        }
1731
1732        let mut parts = Vec::new();
1733
1734        // add HTML-part, this is needed only if a HTML-message from a non-delta-client is forwarded;
1735        // for simplificity and to avoid conversion errors, we're generating the HTML-part from the original message.
1736        if msg.has_html() {
1737            let html = if let Some(orig_msg_id) = msg.param.get_int(Param::Forwarded) {
1738                MsgId::new(orig_msg_id.try_into()?)
1739                    .get_html(context)
1740                    .await?
1741            } else {
1742                msg.param.get(Param::SendHtml).map(|s| s.to_string())
1743            };
1744            if let Some(html) = html {
1745                main_part = MimePart::new(
1746                    "multipart/alternative",
1747                    vec![main_part, MimePart::new("text/html", html)],
1748                )
1749            }
1750        }
1751
1752        // add attachment part
1753        if msg.viewtype.has_file() {
1754            let file_part = build_body_file(context, &msg).await?;
1755            parts.push(file_part);
1756        }
1757
1758        if let Some(msg_kml_part) = self.get_message_kml_part() {
1759            parts.push(msg_kml_part);
1760        }
1761
1762        if location::is_sending_locations_to_chat(context, Some(msg.chat_id)).await? {
1763            if let Some(part) = self.get_location_kml_part(context).await? {
1764                parts.push(part);
1765            }
1766        }
1767
1768        // we do not piggyback sync-files to other self-sent-messages
1769        // to not risk files becoming too larger and being skipped by download-on-demand.
1770        if command == SystemMessage::MultiDeviceSync {
1771            let json = msg.param.get(Param::Arg).unwrap_or_default();
1772            let ids = msg.param.get(Param::Arg2).unwrap_or_default();
1773            parts.push(context.build_sync_part(json.to_string()));
1774            self.sync_ids_to_delete = Some(ids.to_string());
1775        } else if command == SystemMessage::WebxdcStatusUpdate {
1776            let json = msg.param.get(Param::Arg).unwrap_or_default();
1777            parts.push(context.build_status_update_part(json));
1778        } else if msg.viewtype == Viewtype::Webxdc {
1779            let topic = self
1780                .webxdc_topic
1781                .map(|top| BASE32_NOPAD.encode(top.as_bytes()).to_ascii_lowercase())
1782                .unwrap_or(create_iroh_header(context, msg.id).await?);
1783            headers.push((
1784                HeaderDef::IrohGossipTopic.get_headername(),
1785                mail_builder::headers::raw::Raw::new(topic).into(),
1786            ));
1787            if let (Some(json), _) = context
1788                .render_webxdc_status_update_object(
1789                    msg.id,
1790                    StatusUpdateSerial::MIN,
1791                    StatusUpdateSerial::MAX,
1792                    None,
1793                )
1794                .await?
1795            {
1796                parts.push(context.build_status_update_part(&json));
1797            }
1798        }
1799
1800        if self.attach_selfavatar {
1801            match context.get_config(Config::Selfavatar).await? {
1802                Some(path) => match build_avatar_file(context, &path).await {
1803                    Ok(avatar) => headers.push((
1804                        "Chat-User-Avatar",
1805                        mail_builder::headers::raw::Raw::new(format!("base64:{avatar}")).into(),
1806                    )),
1807                    Err(err) => warn!(context, "mimefactory: cannot attach selfavatar: {}", err),
1808                },
1809                None => headers.push((
1810                    "Chat-User-Avatar",
1811                    mail_builder::headers::raw::Raw::new("0").into(),
1812                )),
1813            }
1814        }
1815
1816        Ok((main_part, parts))
1817    }
1818
1819    /// Render an MDN
1820    fn render_mdn(&mut self) -> Result<MimePart<'static>> {
1821        // RFC 6522, this also requires the `report-type` parameter which is equal
1822        // to the MIME subtype of the second body part of the multipart/report
1823        let Loaded::Mdn {
1824            rfc724_mid,
1825            additional_msg_ids,
1826        } = &self.loaded
1827        else {
1828            bail!("Attempt to render a message as MDN");
1829        };
1830
1831        // first body part: always human-readable, always REQUIRED by RFC 6522.
1832        // untranslated to no reveal sender's language.
1833        // moreover, translations in unknown languages are confusing, and clients may not display them at all
1834        let text_part = MimePart::new("text/plain", "This is a receipt notification.");
1835
1836        let mut message = MimePart::new(
1837            "multipart/report; report-type=disposition-notification",
1838            vec![text_part],
1839        );
1840
1841        // second body part: machine-readable, always REQUIRED by RFC 6522
1842        let message_text2 = format!(
1843            "Original-Recipient: rfc822;{}\r\n\
1844             Final-Recipient: rfc822;{}\r\n\
1845             Original-Message-ID: <{}>\r\n\
1846             Disposition: manual-action/MDN-sent-automatically; displayed\r\n",
1847            self.from_addr, self.from_addr, rfc724_mid
1848        );
1849
1850        let extension_fields = if additional_msg_ids.is_empty() {
1851            "".to_string()
1852        } else {
1853            "Additional-Message-IDs: ".to_string()
1854                + &additional_msg_ids
1855                    .iter()
1856                    .map(|mid| render_rfc724_mid(mid))
1857                    .collect::<Vec<String>>()
1858                    .join(" ")
1859                + "\r\n"
1860        };
1861
1862        message.add_part(MimePart::new(
1863            "message/disposition-notification",
1864            message_text2 + &extension_fields,
1865        ));
1866
1867        Ok(message)
1868    }
1869}
1870
1871fn hidden_recipients() -> Address<'static> {
1872    Address::new_group(Some("hidden-recipients".to_string()), Vec::new())
1873}
1874
1875async fn build_body_file(context: &Context, msg: &Message) -> Result<MimePart<'static>> {
1876    let file_name = msg.get_filename().context("msg has no file")?;
1877    let blob = msg
1878        .param
1879        .get_file_blob(context)?
1880        .context("msg has no file")?;
1881    let mimetype = msg
1882        .param
1883        .get(Param::MimeType)
1884        .unwrap_or("application/octet-stream")
1885        .to_string();
1886    let body = fs::read(blob.to_abs_path()).await?;
1887
1888    // create mime part, for Content-Disposition, see RFC 2183.
1889    // `Content-Disposition: attachment` seems not to make a difference to `Content-Disposition: inline`
1890    // at least on tested Thunderbird and Gma'l in 2017.
1891    // But I've heard about problems with inline and outl'k, so we just use the attachment-type until we
1892    // run into other problems ...
1893    let mail = MimePart::new(mimetype, body).attachment(sanitize_bidi_characters(&file_name));
1894
1895    Ok(mail)
1896}
1897
1898async fn build_avatar_file(context: &Context, path: &str) -> Result<String> {
1899    let blob = match path.starts_with("$BLOBDIR/") {
1900        true => BlobObject::from_name(context, path)?,
1901        false => BlobObject::from_path(context, path.as_ref())?,
1902    };
1903    let body = fs::read(blob.to_abs_path()).await?;
1904    let encoded_body = base64::engine::general_purpose::STANDARD
1905        .encode(&body)
1906        .chars()
1907        .enumerate()
1908        .fold(String::new(), |mut res, (i, c)| {
1909            if i % 78 == 77 {
1910                res.push(' ')
1911            }
1912            res.push(c);
1913            res
1914        });
1915    Ok(encoded_body)
1916}
1917
1918fn recipients_contain_addr(recipients: &[(String, String)], addr: &str) -> bool {
1919    let addr_lc = addr.to_lowercase();
1920    recipients
1921        .iter()
1922        .any(|(_, cur)| cur.to_lowercase() == addr_lc)
1923}
1924
1925fn render_rfc724_mid(rfc724_mid: &str) -> String {
1926    let rfc724_mid = rfc724_mid.trim().to_string();
1927
1928    if rfc724_mid.chars().next().unwrap_or_default() == '<' {
1929        rfc724_mid
1930    } else {
1931        format!("<{rfc724_mid}>")
1932    }
1933}
1934
1935/// Encodes UTF-8 string as a single B-encoded-word.
1936///
1937/// We manually encode some headers because as of
1938/// version 0.4.4 mail-builder crate does not encode
1939/// newlines correctly if they appear in a text header.
1940fn b_encode(value: &str) -> String {
1941    format!(
1942        "=?utf-8?B?{}?=",
1943        base64::engine::general_purpose::STANDARD.encode(value)
1944    )
1945}
1946
1947#[cfg(test)]
1948mod mimefactory_tests;